AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits to obtain root permissions. AbstractEmu was observed primarily impacting users in the United States; however, victims are believed to span a total of 17 countries.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | AbstractEmu can modify system settings to give itself device administrator privileges.[1] |
| Mobile | T1517 | Access Notifications | AbstractEmu can monitor notifications.[1] |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | AbstractEmu can use HTTP to communicate with the C2 server.[1] |
| Mobile | T1429 | Audio Capture | AbstractEmu can grant itself microphone permissions.[1] |
| Mobile | T1623.001 | Command and Scripting Interpreter: Unix Shell | AbstractEmu has included encoded shell scripts to potentially aid in the rooting process.[1] |
| Mobile | T1533 | Data from Local System | AbstractEmu can collect files from or inspect the device's filesystem.[1] |
| Mobile | T1407 | Download New Code at Runtime | AbstractEmu can download and install additional malware after initial infection.[1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | AbstractEmu can send large amounts of device data over its C2 channel, including the device's manufacturer, model, version and serial number, telephone number, and IP address.[1] |
| Mobile | T1404 | Exploitation for Privilege Escalation | AbstractEmu can use rooting exploits to silently give itself permissions or install additional malware.[1] |
| Mobile | T1629.003 | Impair Defenses: Disable or Modify Tools | AbstractEmu can disable Play Protect.[1] |
| Mobile | T1544 | Ingress Tool Transfer | AbstractEmu can receive files from the C2 at runtime.[1] |
| Mobile | T1430 | Location Tracking | AbstractEmu can access a device's location.[1] |
| Mobile | T1406 | Obfuscated Files or Information | AbstractEmu has encoded files, such as exploit binaries, to potentially use during and after the rooting process.[1] |
| Mobile | T1636.002 | Protected User Data: Call Log | AbstractEmu can access device call logs.[1] |
| Mobile | T1636.003 | Protected User Data: Contact List | AbstractEmu can grant itself contact list access.[1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | AbstractEmu can intercept SMS messages containing two-factor authentication codes.[1] |
| Mobile | T1418 | Software Discovery | AbstractEmu can obtain a list of installed applications.[1] |
| Mobile | T1426 | System Information Discovery | AbstractEmu can collect device information such as manufacturer, model, version, serial number, and telephone number.[1] |
| Mobile | T1422 | System Network Configuration Discovery | AbstractEmu can collect device IP address and SIM information.[1] |
| Mobile | T1422.001 | System Network Configuration Discovery: Internet Connection Discovery | AbstractEmu can collect device IP address and SIM information.[1] |
| Mobile | T1512 | Video Capture | AbstractEmu can grant itself camera permissions.[1] |
| Mobile | T1633 | Virtualization/Sandbox Evasion | AbstractEmu has used code abstraction and anti-emulation checks to potentially avoid running while under analysis.[1] |
| Mobile | T1633.001 | Virtualization/Sandbox Evasion: System Checks | AbstractEmu can check device system properties to potentially avoid running while under analysis.[1] |