'AbstractEmu' Android malware seizes total control of your phone — what to do


Update: Google has killed six fake antivirus Android apps caught spreading Sharkbot malware.

Newly discovered Android malware uses five different known security flaws to gain "root" permission on smartphones, giving itself greater system abilities than even you would have on a normal phone.

The malware, dubbed AbstractEmu by its finders at information-security firm Lookout, comes hidden in utility, security and privacy apps found in the Amazon App Store, the Samsung Galaxy Store, plus Aptoide, APKPure and other "off-road" Android app markets.

One app, called Lite Launcher, was downloaded more than 10,000 times from the official Google Play store before Google ejected it after being notified by Lookout. Even though these Trojanized apps contain malware, they are well designed and function as advertised, and you'd probably never notice anything wrong.

"This is a significant discovery because widely-distributed malware with root capabilities have become rare over the past five years," wrote Lookout's Kristina Balaam and Paul Shunk in a blog post yesterday (Oct. 28).

More power than it may need

Installing one of these poisoned apps triggers a three-stage infection process that ends up with the installation of spyware disguised as a storage manager called "Setting Storage" that has "access to contacts, call logs, SMS messages, location, camera and microphone."

Because it has root permissions, the spyware can reset the device password, lock you out of your own device, draw over other windows, install more apps, capture screenshots, view notifications, record screen activity and disable Google Play Protect.

The malware campaign's ultimate aim is not known, as its command-and-control server went offline before Lookout researchers were able to capture the final payload. 

But the malware's capabilities are far beyond what's needed to steal passwords, credit-card numbers or other sensitive information from Android phones, or to sign up Android users for premium-SMS scams, as much malware does these days.

How to protect yourself from this new Android malware

Of the 19 known apps being distributed in this malware campaign, seven have rooting capabilities. They are:

  • All Passwords, com.mobilesoft.security.password
  • Anti-ads Browser, com.zooitlab.antiadsbrowser
  • Data Saver, com.smarttool.backup.smscontacts
  • Lite Launcher, com.st.launcher.lite
  • My Phone, com.dentonix.myphone
  • Night Light, com.nightlight.app
  • Phone Plus, com.phoneplusapp

If you have any apps matching these names, you'll want to check whether they're truly the same ones. Many apps share names, but the package names, the text strings that begin with "com" above, are unique. 

Use a desktop browser to go to the app store where you got the app and search for it. If the app is no longer in the app store, then delete it from your device. 

If the app you downloaded is still there, then check if the icon on its listing page matches what's on your phone. If so, then check the URL, aka web address, of the listing page — the Android package name should be in the URL somewhere. If that matches the package name above, delete the app.

This last step doesn't work for the Amazon App Store, which doesn't seem to list an app's Android package name anywhere. You'll have to use your own judgment there.

You'll also want to keep your Android phone as updated as possible. All the flaws used by this malware have been patched as of the March 2020 official Android security update. If your Android phone hasn't received a security update since then, it might be time to look into getting a new phone.
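The package-name and patch-level checks described above can also be run from a computer, as in this added example, which is not code from the article or from Lookout. It assumes you have saved the text output of `adb shell pm list packages` (or the `-f` form) and `adb shell getprop ro.build.version.security_patch` from a phone with USB debugging enabled; the function names, the sample data and the 2020-03-01 cutoff date are assumptions made for illustration.

```python
import datetime

# Package names of the seven rooting-capable apps, copied from the list above.
ROOTING_PACKAGES = {
    "com.mobilesoft.security.password": "All Passwords",
    "com.zooitlab.antiadsbrowser": "Anti-ads Browser",
    "com.smarttool.backup.smscontacts": "Data Saver",
    "com.st.launcher.lite": "Lite Launcher",
    "com.dentonix.myphone": "My Phone",
    "com.nightlight.app": "Night Light",
    "com.phoneplusapp": "Phone Plus",
}
# Assumption: 2020-03-01 is taken as the first March 2020 patch level.
FIRST_FIXED_PATCH = datetime.date(2020, 3, 1)

SAMPLE_PM_OUTPUT = (  # constructed sample mixing both output forms, not real data
    "package:com.android.settings\r\n"
    "package:/data/app/~~Qx1==/com.st.launcher.lite-Zk2==/base.apk=com.st.launcher.lite\n"
    "package:com.phoneplusapp.helper\n"  # constructed lookalike, must not match
    "package:com.nightlight.app\n"
)


def installed_packages(pm_output):
    """Parse `pm list packages` output (plain or -f form) into a set of names."""
    names = set()
    for line in pm_output.splitlines():
        line = line.strip()  # some adb builds emit CRLF line endings
        if not line.startswith("package:"):
            continue
        entry = line[len("package:"):]
        # The -f form is "<apk path>=<name>", and the path may itself contain '='.
        names.add(entry.rpartition("=")[2])
    return names


def flagged_packages(pm_output):
    """Return {package: app name} for exact package-name matches only."""
    found = ROOTING_PACKAGES.keys() & installed_packages(pm_output)
    return {pkg: ROOTING_PACKAGES[pkg] for pkg in sorted(found)}


def patch_predates_fix(patch_level):
    """True if a YYYY-MM-DD security patch level is older than March 2020."""
    return datetime.date.fromisoformat(patch_level.strip()) < FIRST_FIXED_PATCH


if __name__ == "__main__":
    print(flagged_packages(SAMPLE_PM_OUTPUT))
    print(patch_predates_fix("2019-12-05"))
```

Matching is on the whole package name, so an app that merely shares a display name or a name prefix with one on the list is not flagged.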

As always, you'll want to install one of the best Android antivirus apps to keep one step ahead of the crooks, and never install apps from off-road stores.

Paul Wagenseil
