
S1061 AbstractEmu

AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits to obtain root permissions. AbstractEmu was observed primarily impacting users in the United States; however, victims are believed to be located across a total of 17 countries.[1]

| Item | Value |
|---|---|
| ID | S1061 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 February 2023 |
| Last Modified | 13 April 2023 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1626 | Abuse Elevation Control Mechanism | - |
| mobile | T1626.001 | Device Administrator Permissions | AbstractEmu can modify system settings to give itself device administrator privileges.[1] |
| mobile | T1517 | Access Notifications | AbstractEmu can monitor notifications.[1] |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | AbstractEmu can use HTTP to communicate with the C2 server.[1] |
| mobile | T1429 | Audio Capture | AbstractEmu can grant itself microphone permissions.[1] |
| mobile | T1623 | Command and Scripting Interpreter | - |
| mobile | T1623.001 | Unix Shell | AbstractEmu has included encoded shell scripts to potentially aid in the rooting process.[1] |
| mobile | T1533 | Data from Local System | AbstractEmu can collect files from, or inspect, the device's filesystem.[1] |
| mobile | T1407 | Download New Code at Runtime | AbstractEmu can download and install additional malware after initial infection.[1] |
| mobile | T1646 | Exfiltration Over C2 Channel | AbstractEmu can send large amounts of device data over its C2 channel, including the device's manufacturer, model, version and serial number, telephone number, and IP address.[1] |
| mobile | T1404 | Exploitation for Privilege Escalation | AbstractEmu can use rooting exploits to silently give itself permissions or install additional malware.[1] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.003 | Disable or Modify Tools | AbstractEmu can disable Play Protect.[1] |
| mobile | T1544 | Ingress Tool Transfer | AbstractEmu can receive files from the C2 at runtime.[1] |
| mobile | T1430 | Location Tracking | AbstractEmu can access a device's location.[1] |
| mobile | T1406 | Obfuscated Files or Information | AbstractEmu has encoded files, such as exploit binaries, to potentially use during and after the rooting process.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | AbstractEmu can access device call logs.[1] |
| mobile | T1636.003 | Contact List | AbstractEmu can grant itself contact list access.[1] |
| mobile | T1636.004 | SMS Messages | AbstractEmu can intercept SMS messages containing two-factor authentication codes.[1] |
| mobile | T1418 | Software Discovery | AbstractEmu can obtain a list of installed applications.[1] |
| mobile | T1426 | System Information Discovery | AbstractEmu can collect device information such as manufacturer, model, version, serial number, and telephone number.[1] |
| mobile | T1422 | System Network Configuration Discovery | AbstractEmu can collect the device's IP address and SIM information.[1] |
| mobile | T1512 | Video Capture | AbstractEmu can grant itself camera permissions.[1] |
| mobile | T1633 | Virtualization/Sandbox Evasion | AbstractEmu has used code abstraction and anti-emulation checks to potentially avoid running while under analysis.[1] |
| mobile | T1633.001 | System Checks | AbstractEmu can check device system properties to potentially avoid running while under analysis.[1] |

References