New AbstractEmu malware roots Android devices, evades detection

New Android malware can root infected devices to take complete control and silently tweak system settings, as well as evade detection using code abstraction and anti-emulation checks.

The malware, dubbed AbstractEmu by security researchers at the Lookout Threat Labs who found it, was bundled with 19 utility apps distributed via Google Play and third-party app stores (including the Amazon Appstore, the Samsung Galaxy Store, Aptoide, and APKPure).

Apps bundling the malware included password managers and tools like data savers and app launchers, all of them providing the functionality they promised to avoid raising suspicions.

The malicious apps were removed from the Google Play Store after Lookout reported their discovery. However, the other app stores are likely still distributing them.

Lite Launcher, an app launcher and one of the apps used to deliver the AbstractEmu malware on unsuspecting Android users’ devices, had over 10,000 downloads when taken down from Google Play.

“AbstractEmu does not have any sophisticated zero-click remote exploit functionality used in advanced APT-style threats; it is activated simply by the user having opened the app,” the Lookout researchers said.

“As the malware is disguised as functional apps, most users will likely interact with them shortly after downloading.”

Once installed, AbstractEmu will begin harvesting and sending system information to its command-and-control (C2) server while the malware waits for further commands.

[Figure: System info collected by AbstractEmu (Lookout)]

Exploits upgraded to target more Android devices

To root Android devices it infects, AbstractEmu has multiple tools at its disposal in the form of exploits targeting several vulnerabilities, including CVE-2020-0041, a bug never exploited in the wild by Android apps before this.

The malware also uses a CVE-2020-0069 exploit to abuse a vulnerability found in MediaTek chips used by dozens of smartphone manufacturers that have collectively sold millions of devices.

The threat actors behind AbstractEmu also have enough skills and tech know-how to add support for more targets to publicly available code for CVE-2019-2215 and CVE-2020-0041…

Source…

Alien Mobile Malware Evades Detection, Increases Targets

PhishLabs is monitoring the increasing number of mobile applications targeted by the relatively new Alien Mobile Banking Trojan. Alien, a fork of Cerberus, continues to evade Google’s malware detection and is targeting a broad spectrum of both financial and non-financial apps. So far, Alien has been connected with 87 new brands previously not targeted by Cerberus.

[Figure: Cerberus versus Alien Brands Targeted]

Prior to its decline, Cerberus operators dominated the mobile malware landscape both in functionality and attacks. Cerberus was a malware-as-a-service (MaaS) and targeted 139 known brands during its life.


Since January 2020, Alien has been observed targeting 226 different brands. Alien’s high volume of targets may be attributed to its adoption by a growing number of threat actors eager to take advantage of desirable enhancements that increase the success of executing fraud. It also uses a MaaS approach with built-in features that can achieve a wide range of objectives.


Specifically, Alien has capabilities not previously seen with Cerberus, such as the ability to install and operate the Android TeamViewer app. Using TeamViewer gives the operator full remote control of the infected device, including the ability to change device settings, interact with applications, and monitor user behavior.

Alien authors have also incorporated a notification sniffer that gives access to all new notifications on infected devices. This includes the ability to steal codes from Google’s Authenticator application, enabling actors to bypass two-factor authentication.

Alien does possess the features originally associated with Cerberus, including keylogging, SMS harvesting, and dynamic overlays.

[Figure: Financial Institutions versus Non-Financials Targeted by Alien]

Notably, we continue to observe Alien being used to target an increasing number of non-financial institutions compared to other mobile and desktop malware. This approach boosts the effectiveness of Alien distribution by taking advantage of how individuals may be less vigilant when interacting with non-financial applications not…

Source…

Triada Android spyware evades anti-virus detection by using DroidPlugin sandbox

The Triada family of Android spyware is using the DroidPlugin open-source sandbox to evade detection by anti-virus software installed on infected devices.

David Bisson reports.

Graham Cluley