AbstractEmu, an Android malware variant that takes dangerous control of infected smartphones, has hit Nigeria, the telecoms regulator has warned on Monday.
AbstractEmu does not only gain access to smartphones, but the malware also takes complete control of infected smartphones and silently modifies device settings while simultaneously taking steps to evade detection, Dr. Ikechukwu Adinde, Nigerian Communications Commission (NCC) Public Affairs Director, says in a cyber threat alert issued by the telecoms industry watchdog.
The Nigerian Computer Emergency Response Team (ngCERT), a Federal Government agency that manages the risks of cyber threats in the country, made the discovery of AbstractEmu that opens the local Android smartphone user community to cyberattack, NCC says.
What is AbstractEmu Malware?
The Nigerian internet cyber police, ngCERT, in its advisory, says that “while the malicious apps were removed from Google Play Store, the other app stores are likely distributing them.”
To mitigate AbstractEmu risks, NCC advises Android smartphone users to adopt the two-fold ngCERT advisory as follows:
- Users should be wary of installing unknown or unusual apps, and look out for different behaviours as they use their phones.
- Reset your phone to factory settings when there is suspicion of unusual behaviours in your phone.
Adinde says that ngCERT, which also coordinates incident response and mitigation strategies to proactively prevent cyber-attacks against Nigeria warns in its advisory the extent of cyber threat that AbstractEmu poses to Android smartphone users.
According to ngCERT, 19 Android applications that posed as utility apps and system tools like password managers, money managers, app launchers, and data saving apps have been reported to contain the rooting functionality of the AbstractEmu malware.
AbstractEmu, NCC’s Adinde says, “has been found to be distributed via Google Play Store and third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure.”
Additionally, “the apps are said to have been prominently distributed via third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure. The apps include All Passwords, Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light, and Phone Plus, among others.”
ngCERT says that while rooting malware is rare, its infection “is very dangerous.”
According to its advisory, “by using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant itself dangerous permissions or install additional malware – steps that would normally require user interaction. Elevated privileges also give the malware access to other apps’ sensitive data, something not possible under normal circumstances.”
According to Adinde, “the ngCERT advisory also captured the consequences of making their devices susceptible to AbstractEmu attack. Once installed, the attack chain is designed to leverage one of five exploits for older Android security flaws that would allow it to gain root permissions. It also takes over the device, installs additional malware, extracts sensitive data, and transmits to a remote attack-controlled server.”
AbstractEmu “can modify the phone settings to give app ability to reset the device password, or lock the device, through device admin; draw over other windows; install other packages; access accessibility services; ignore battery optimization; monitor notifications; capture screenshots; record device screen; disable Google Play Protect; as well as modify permissions that grant access to contacts, call logs, Short Messaging Service (SMS), Geographic Positioning System (GPS), camera, and microphone.”
The NCC, Adinde says, “in exercise of its mandate and obligation to the consumers, will continue to sensitise and educate telecoms consumers on any cyber threat capable of inflicting low or high-impact harms on their devices, whether discovered through the ngCERT or the telecoms sector’s Centre for Computer Security Incident Response managed by the Commission.”
NCC had in October 2021, “alerted telecoms consumers of the existence of new, high-risk and extremely-damaging, Android device-targeting Malware called Flubot and outlined steps to prevent the eir devices from being attacked by the virus”, he says.