The malware, dubbed ‘AbstractEmu,’ can obtain access to cellphones, take entire control of affected handsets, and surreptitiously adjust device settings while attempting to avoid detection, according to the Commission.

This discovery was recently announced by the Nigerian Computer Emergency Response Team (ngCERT), the national agency established by the Federal Government to manage the risks of cyber threats in Nigeria, which also coordinates incident response and mitigation strategies to proactively prevent cyber-attacks against Nigeria, according to a statement made available to newsmen by Ikechukwu Adinde, the NCC Spokesman.

According to the NCC, AbstractEmu is available on the Google Play Store, as well as third-party stores including Amazon Appstore and Samsung Galaxy Store, as well as lesser-known marketplaces like Aptoide and APKPure.

The malware’s rooting functionality has been found in 19 Android apps that posed as utility apps and system tools such as password managers, money managers, app launchers, and data saving apps, according to the advisory.

Third-party storefronts like Amazon Appstore and Samsung Galaxy Store, as well as lesser-known marketplaces like Aptoide and APKPure, are claimed to have been heavily used to distribute the programs. All Passwords, Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light, and Phone Plus are just a few of the apps available.

According to the report, rooting malware although rare, is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant itself dangerous permissions or install additional malware – steps that would normally require user interaction. Elevated privileges also give the malware access to other apps’ sensitive data, something not possible under normal circumstances.

The ngCERT advisory also captured the consequences of making their devices susceptible to AbstractEmu attacks. Once installed, the attack chain is designed to leverage one of five exploits for older Android security flaws that would allow it to gain root permissions. It also takes over the device, installs additional malware, extracts sensitive data, and transmits to a remote attack-controlled server.

Additionally, the malware can modify the phone settings to give the app the ability to reset the device password, or lock the device, through device admin; draw over other windows; install other packages; access accessibility services; ignore battery optimization; monitor notifications; capture screenshots; record device screen; disable Google Play Protect; as well as modify permissions that grant access to contacts, call logs, Short Messaging Service (SMS), Geographic Positioning System (GPS), camera, and microphone.

The ngCERT also asserts in the advisory that, while the malicious apps were removed from Google Play Store, the other app stores are likely distributing them. Consequently, the NCC wishes to reiterate a two-fold ngCERT advisory to mitigate the risks. The two-fold advisory include:

1. Users should be wary of installing unknown or unusual apps, and look out for different behaviors as they use their phones.

2. Reset your phone to factory settings when there is suspicion of unusual behaviors in your phone.

The NCC, in the exercise of its mandate and obligation to the consumers, will continue to sensitize and educate telecoms consumers on any cyber threat capable of inflicting low or high-impact harms on their devices, whether discovered through the ngCERT or the telecom sector’s Centre for Computer Security Incident Response managed by the Commission.