Large app stores such as Google Play do apply various security measures to keep apps with malicious code out. But clearly that doesn't always work reliably. Lookout security researchers have found dangerous Trojanized apps in official app stores that can root Android devices. Where that succeeds, attackers usually have full control over the device.
The security researchers explain in an article that they came across 19 Trojanized apps in Amazon's App Store, Google Play and Samsung's Galaxy Store. Seven of them are said to have rooting functions. The apps masquerade as utilities such as app launchers and password managers. The researchers state that Google has since removed the apps in question. The status of the other app stores is currently unknown.
Among others, the app "Lite Launcher" from Google Play is said to work as advertised while its malicious functions run in the background. Before being removed from the store, it is said to have reached 10,000 downloads.
Take full control
Root users have access to every part of the Android operating system. With that level of access, apps with malicious intent can change any setting and grant themselves permissions. The AbstractEmu Trojan is then said to have access to the microphone and the camera and to be able to take screenshots.
Attackers could use the latter to capture passwords. In addition, the Trojan is said to be able to intercept SMS messages carrying two-factor authentication (2FA) codes. Equipped with these, attackers could, for example, get into accounts that are supposedly protected by 2FA.
What exactly the criminals want to achieve with the Trojan apps is currently unclear. The security researchers assume that it is primarily about money. The campaign is said to be active in 17 countries around the world.
Starting points for rooting
According to the researchers, the apps exploit various security vulnerabilities to root Android devices, including some older ones from 2015. However, they also carry exploit code for more recent vulnerabilities (CVE-2020-0041, CVE-2020-0069). Both are rated with the threat level "high". In both cases, exploitation triggers memory corruption that lets attackers obtain higher privileges. From that position they are said to be able to initiate the rooting process in a way that is not described in detail.
If that works, the attackers can do essentially anything with the device. The perfidious part is that many of the malicious functions can run in the background without the victim noticing. To prevent such attacks, Android devices should always be kept up to date and security updates installed promptly. That remains a big problem, though, as even many devices that are not very old receive no updates at all. And if the security checks of the big app stores cannot be relied on, users are left with few defenses.
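Two defender-side checks that follow from the article, written here as an added example (not code from the article or from Lookout): one confirms a device's security patch level is recent enough to include the fixes for the two named CVEs, the other flags an app that requests the permission combination the article attributes to AbstractEmu (microphone, camera, SMS). Both inputs are read on a real device with `adb shell getprop ro.build.version.security_patch` and `adb shell dumpsys package <pkg>`; the values below are constructed so the script runs offline. The threshold date 2020-03-05 is an assumption (the March 2020 Android security bulletin, where both fixes are believed to have landed); adjust it to your own baseline.

```python
"""Fleet-hygiene checks for the AbstractEmu case (added example, assumptions labelled)."""
from datetime import date
from typing import Dict, List

# Assumed: the Android security bulletin that contains the fixes for
# CVE-2020-0041 and CVE-2020-0069. Treat as a placeholder baseline.
PATCH_LEVEL_MIN = date(2020, 3, 5)

# Permission combination the article attributes to the Trojan:
# microphone, camera (screenshots need no permission on rooted devices) and SMS.
SENSITIVE_PERMISSIONS: Dict[str, str] = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (2FA codes)",
    "android.permission.READ_SMS": "read stored SMS",
}

# Constructed sample of `adb shell getprop ro.build.version.security_patch`.
SAMPLE_PATCH_LEVEL = "2019-11-05"

# Constructed excerpt in the shape of `adb shell dumpsys package <pkg>` output
# for a supposed "launcher" app; package name is a placeholder.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.placeholder.launcher] (a1b2c3):
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
"""


def parse_patch_level(raw: str) -> date:
    """Parse the YYYY-MM-DD string stored in ro.build.version.security_patch."""
    year, month, day = (int(part) for part in raw.strip().split("-"))
    return date(year, month, day)


def patch_level_covers(raw: str, minimum: date = PATCH_LEVEL_MIN) -> bool:
    """True when the device's patch level is at or after the assumed bulletin date."""
    return parse_patch_level(raw) >= minimum


def requested_permissions(dumpsys_output: str) -> List[str]:
    """Collect the lines listed under 'requested permissions:' in dumpsys output."""
    perms: List[str] = []
    in_block = False
    for line in dumpsys_output.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # Any other section header (ends with ':') closes the block.
            if stripped.endswith(":") or not stripped:
                in_block = False
                continue
            perms.append(stripped)
    return perms


def sensitive_permissions(dumpsys_output: str) -> Dict[str, str]:
    """Map each requested sensitive permission to the capability it grants."""
    return {p: SENSITIVE_PERMISSIONS[p]
            for p in requested_permissions(dumpsys_output)
            if p in SENSITIVE_PERMISSIONS}


def looks_like_surveillance_bundle(dumpsys_output: str) -> bool:
    """Flag an app that asks for microphone or camera *and* SMS access together,
    which is the combination described for AbstractEmu and is unusual for a launcher."""
    found = set(sensitive_permissions(dumpsys_output))
    has_av = bool(found & {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"})
    has_sms = bool(found & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
    return has_av and has_sms


if __name__ == "__main__":
    print("patch level sufficient:", patch_level_covers(SAMPLE_PATCH_LEVEL))
    print("sensitive permissions:", sensitive_permissions(SAMPLE_DUMPSYS))
    print("surveillance bundle:", looks_like_surveillance_bundle(SAMPLE_DUMPSYS))
```

The permission heuristic is deliberately narrow: it only reports the combination the article describes, so it produces a small, explainable list rather than a generic "dangerous permission" count, and the patch-level check is a simple date comparison that can be fed straight from `getprop` output across a fleet.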