Researchers have discovered a new, widespread Android rooting malware campaign. The malware, named AbstractEmu, drew attention for its use of several clever evasion techniques.

What has happened?

AbstractEmu was spotted on Google Play and other app stores, including Amazon Appstore and the Samsung Galaxy Store, by Lookout Threat Lab. Google was notified of the issue, after which the apps were removed.
  • The attackers distribute legitimate-looking apps, such as utility apps, password managers, app launchers, and data savers, which lure users into installing the malware.
  • A total of 19 apps were identified, seven of which contained rooting functionality.
  • One of the apps on Google Play had been downloaded more than 10,000 times.

Attack tactics

The malware activates as soon as the user opens the trojanized app after installing it.
  • The campaign exploited vulnerabilities disclosed in 2019 and 2020, including CVE-2020-0041 (an Android Binder kernel bug) and CVE-2020-0069 (the MediaTek-su driver flaw), both local privilege-escalation vulnerabilities.
  • The report suggests that millions of devices remain exposed to these vulnerabilities.
  • Upon infection, the malware tries to obtain root access on the Android device.

The rooting process

By rooting the device, AbstractEmu gains the ability to silently modify the system without any user interaction and to access other apps' data.
  • The apps embed hidden, encoded files: exploit binaries targeting the different vulnerabilities, which are used during and after the rooting process.
  • Alongside the exploit binaries, the apps carry three encoded shell scripts and two encoded binaries copied from the Magisk rooting tool.
  • Two of the scripts run the exploit binary to gain root, then use the elevated privileges to install the Magisk components so that root access is retained.
  • The installed Magisk components run the final shell script, which extracts an APK embedded in one of the binaries onto the device; the package manager then installs this new app and grants it a range of intrusive permissions.
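The two points above, exposure to the 2020 vulnerabilities and the post-rooting install of an extra APK, can both be checked from a workstation. The following triage helper is an added example, not code from the Lookout report or from Cyware. It assumes that the fixes for CVE-2020-0041 and CVE-2020-0069 shipped with Android security patch level 2020-03-05 (the March 2020 bulletin; adjust FIX_PATCH_LEVEL if your vendor's bulletin differs), that the device is attached with USB debugging enabled and adb on PATH, and that an app installed by a shell `pm install`, as AbstractEmu's final stage does, shows `installer=null` in `pm list packages -i`. The `pm` output embedded at the bottom is constructed sample data, not output from an infected device.

```shell
#!/bin/sh
# Triage helper for the AbstractEmu indicators described above. Added example,
# not code from the Lookout report or from Cyware.
# Assumptions: (1) the fixes for CVE-2020-0041 and CVE-2020-0069 shipped in the
# March 2020 Android Security Bulletin, i.e. security patch level 2020-03-05;
# (2) for live use, the device is attached with USB debugging enabled and adb is
# on PATH. The parsing functions read plain text so they also work offline on
# captured "getprop" / "pm" output.

FIX_PATCH_LEVEL="2020-03-05"

# Installer package names of Google Play, Amazon Appstore and Galaxy Store.
# A third-party package installed by anything else, or by "null" (what a shell
# "pm install" leaves behind), deserves a look: AbstractEmu's final stage
# installs its extra APK that way.
KNOWN_INSTALLERS="com.android.vending com.amazon.venezia com.sec.android.app.samsungapps"

# patch_level_vulnerable <ro.build.version.security_patch>
# Succeeds (exit 0) when the patch level predates FIX_PATCH_LEVEL or is unparseable.
patch_level_vulnerable() {
    have=$(printf '%s' "$1" | tr -d '-')
    need=$(printf '%s' "$FIX_PATCH_LEVEL" | tr -d '-')
    case "$have" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            [ "$have" -lt "$need" ] ;;   # YYYYMMDD compares correctly as an integer
        *)
            return 0 ;;                  # missing or garbled value: treat as exposed
    esac
}

# unknown_installer_packages  (reads "pm list packages -i -3" output on stdin)
# Prints "<package> <installer>" for every third-party package whose installer
# is not one of KNOWN_INSTALLERS.
unknown_installer_packages() {
    while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        # Each line looks like: "package:com.example.app  installer=com.android.vending"
        set -- $line
        pkg=${1#package:}
        inst=${2#installer=}
        known=0
        for k in $KNOWN_INSTALLERS; do
            [ "$inst" = "$k" ] && known=1
        done
        if [ "$known" -eq 0 ]; then
            printf '%s %s\n' "$pkg" "$inst"
        fi
    done
    return 0
}

# scan_device: run both checks against the attached device over adb.
scan_device() {
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    if patch_level_vulnerable "$patch"; then
        echo "patch level '$patch' predates $FIX_PATCH_LEVEL: fixes for CVE-2020-0041/CVE-2020-0069 may be missing"
    else
        echo "patch level '$patch' includes the March 2020 fixes"
    fi
    echo "third-party packages not installed by a known store:"
    adb shell pm list packages -i -3 | tr -d '\r' | unknown_installer_packages
    # A su binary on PATH is a strong post-rooting indicator. Magisk's own
    # /data/adb tree is only readable as root, so not seeing it proves little.
    echo "su binary on PATH (empty = none found):"
    adb shell 'command -v su' | tr -d '\r'
}

# Constructed sample of "pm list packages -i -3" output, for offline use.
SAMPLE_PM_OUTPUT='package:com.example.litelauncher  installer=com.android.vending
package:com.example.dropped.payload  installer=null
package:com.example.notes  installer=com.sec.android.app.samsungapps'

if [ "${1:-}" = "--device" ]; then
    scan_device
fi
```

Run it as `sh triage.sh --device` (the file name is arbitrary) with the phone connected, or source it and feed captured `pm` output to `unknown_installer_packages` for offline review. An `installer=null` hit is not proof of compromise on its own, since apps pushed with `adb install` during development look the same; it is a lead to correlate with the patch level and with any `su` binary the last check finds.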

Conclusion

Infection with mobile malware such as AbstractEmu can lead to the loss of sensitive data. Experts recommend keeping the operating system updated and installing apps only from official stores; since the AbstractEmu apps were themselves hosted on official stores, keeping the security patch level current is the more decisive defence against this campaign.

Cyware Publisher
