The malware, named ‘AbstractEmu’, can gain access to
smartphones, take complete control of infected smartphones and silently modify
device settings while simultaneously taking steps to evade detection.
This discovery was announced recently by the Nigerian Computer
Emergency Response Team (ngCERT), the national agency established by the
Federal Government to manage the risks of cyber threats in the Nigeria, which
also coordinates incident response and mitigation strategies to proactively
prevent cyber-attacks against Nigeria
AbstractEmu has been found to be distributed via Google Play
Store and third-party stores such as the Amazon Appstore and the Samsung Galaxy
Store, as well as other lesser-known marketplaces like Aptoide and APKPure.
The advisory stated that a total of 19 Android applications
that posed as utility apps and system tools like password managers, money
managers, app launchers, and data saving apps have been reported to contain the
rooting functionality of the malware.
The apps are said to have been prominently distributed via
third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as
well as other lesser-known marketplaces like Aptoide and APKPure. The apps
include All Passwords, Anti-ads Browser, Data Saver, Lite Launcher, My Phone,
Night Light and Phone Plus, among others.
According to the report, rooting malware although rare, is
very dangerous. By using the rooting process to gain privileged access to the
Android operating system, the threat actor can silently grant itself dangerous
permissions or install additional malware – steps that would normally require
user interaction. Elevated privileges also give the malware access to other
apps’ sensitive data, something not possible under normal circumstances.
The ngCERT advisory also
captured the consequences of making their devices susceptible to
AbstractEmu attack. Once installed, the attack chain is designed to leverage
one of five exploits for older Android security flaws that would allow it to
gain root permissions. It also takes over the device, installs additional
malware, extracts sensitive data, and
transmits to a remote attack-controlled server.
Additionally, the malware can modify the phone settings to
give app ability to reset the device password, or lock the device, through
device admin; draw over other windows; install other packages; access
accessibility services; ignore battery optimisation; monitor notifications;
capture screenshots; record device screen; disable Google Play Protect; as well
as modify permissions that grant access to contacts, call logs, Short Messaging
Service (SMS), Geographic Positioning System (GPS), camera, and microphone.
The ngCERT also asserts in the advisory that, while the
malicious apps were removed from Google Play Store, the other app stores are
likely distributing them. Consequently, the NCC wishes to reiterate a two-fold
ngCERT advisory in order to mitigate the risks. The two-fold advisory include:
1.Users should be wary of installing unknown or unusual
apps, and look out for different behaviours as they use their phones.
2. Reset your phone to factory settings when there is
suspicion of unusual behaviours in your phone.
The NCC, in exercise of its mandate and obligation to the
consumers, will continue to sensitise and educate telecoms consumers on any
cyber threat capable of inflicting low or high-impact harms on their devices,
whether discovered through the ngCERT or the telecom sector’s Centre for
Computer Security Incident Response managed by the Commission.
It will be recalled that the NCC, in October 2021, alerted
telecom consumers of the existence of new, high-risk and extremely-damaging,
Android device-targeting Malware called Flubot and outlined steps to prevent
the eir devices from being attacked by the virus.