AbstractEmu is mobile malware that was first seen in Google Play and third-party app stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits to obtain root permissions. AbstractEmu was observed primarily impacting users in the United States; however, victims are believed to span a total of 17 countries.[1]

ID: S1061
Platforms: Android
Version: 1.0
Created: 06 February 2023
Last Modified: 13 April 2023

Techniques Used

Domain | ID | Name | Use
Mobile | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | AbstractEmu can modify system settings to give itself device administrator privileges.[1]
Mobile | T1517 | Access Notifications | AbstractEmu can monitor notifications.[1]
Mobile | T1437.001 | Application Layer Protocol: Web Protocols | AbstractEmu can use HTTP to communicate with the C2 server.[1]
Mobile | T1429 | Audio Capture | AbstractEmu can grant itself microphone permissions.[1]
Mobile | T1623.001 | Command and Scripting Interpreter: Unix Shell | AbstractEmu has included encoded shell scripts to potentially aid in the rooting process.[1]
Mobile | T1533 | Data from Local System | AbstractEmu can collect files from or inspect the device's filesystem.[1]
Mobile | T1407 | Download New Code at Runtime | AbstractEmu can download and install additional malware after initial infection.[1]
Mobile | T1646 | Exfiltration Over C2 Channel | AbstractEmu can send large amounts of device data over its C2 channel, including the device's manufacturer, model, version and serial number, telephone number, and IP address.[1]
Mobile | T1404 | Exploitation for Privilege Escalation | AbstractEmu can use rooting exploits to silently give itself permissions or install additional malware.[1]
Mobile | T1629.003 | Impair Defenses: Disable or Modify Tools | AbstractEmu can disable Play Protect.[1]
Mobile | T1544 | Ingress Tool Transfer | AbstractEmu can receive files from the C2 at runtime.[1]
Mobile | T1430 | Location Tracking | AbstractEmu can access a device's location.[1]
Mobile | T1406 | Obfuscated Files or Information | AbstractEmu has encoded files, such as exploit binaries, to potentially use during and after the rooting process.[1]
Mobile | T1636.002 | Protected User Data: Call Log | AbstractEmu can access device call logs.[1]
Mobile | T1636.003 | Protected User Data: Contact List | AbstractEmu can grant itself contact list access.[1]
Mobile | T1636.004 | Protected User Data: SMS Messages | AbstractEmu can intercept SMS messages containing two-factor authentication codes.[1]
Mobile | T1418 | Software Discovery | AbstractEmu can obtain a list of installed applications.[1]
Mobile | T1426 | System Information Discovery | AbstractEmu can collect device information such as manufacturer, model, version, serial number, and telephone number.[1]
Mobile | T1422 | System Network Configuration Discovery | AbstractEmu can collect device IP address and SIM information.[1]
Mobile | T1512 | Video Capture | AbstractEmu can grant itself camera permissions.[1]
Mobile | T1633 | Virtualization/Sandbox Evasion | AbstractEmu has used code abstraction and anti-emulation checks to potentially avoid running while under analysis.[1]
Mobile | T1633.001 | Virtualization/Sandbox Evasion: System Checks | AbstractEmu can check device system properties to potentially avoid running while under analysis.[1]