S1061: AbstractEmu
AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits to obtain root permissions. AbstractEmu was observed primarily impacting users in the United States; however, victims are believed to span a total of 17 countries.[1]
Analyst context for executives and security teams
AbstractEmu matters because it shows how Android malware can move beyond a simple bad app into device-level compromise: the ATT&CK record ties it to known exploit abuse for root permissions, runtime code download, discovery, collection from local data sources, sensor capture, notification access, and C2-based exfiltration. For leaders, the practical issue is whether mobile devices used for work are governed, patched, monitored, and removable from trusted access when they become high-risk.
Executive priority
Treat this as a mobile resilience and identity-risk scenario, not only a malware signature problem. The business questions are: which Android devices can access corporate data, how quickly known Android vulnerabilities are remediated, whether third-party app installation is controlled, whether rooted or device-admin-abusing devices are blocked from sensitive access, and whether incident response can collect enough mobile evidence to support containment and audit decisions.
Technical view
SOC, mobile security, and IR teams should validate coverage around Android app provenance, root/exploit indicators, device administrator permission abuse, runtime code loading, obfuscated payloads, sandbox-evasion checks, local data access, notification access, microphone/camera/location permissions, and web-protocol C2. The relationship set maps AbstractEmu to privilege escalation, discovery, collection, execution via Unix shell, ingress tool transfer, defense evasion, and exfiltration over C2, but the ATT&CK object provides no official detection logic, so local telemetry and mobile management controls determine practical visibility.
Likely telemetry
- Android application inventory and install source, including Google Play and third-party store provenance where available
- Mobile device management or enterprise mobility management state: OS version, patch level, root/jailbreak status, device administrator grants, and compliance posture
- Application permission grants for microphone, camera, location, notifications, contacts, SMS, call logs, and local storage
- Mobile threat defense or endpoint logs for exploit/rooting behavior, Unix shell execution, tool transfer, obfuscated files, and runtime code download
- Network telemetry for Android devices using HTTP/HTTPS or other web-protocol communications to external services
Detection direction
- Because official ATT&CK detection guidance is not provided, start by confirming whether mobile telemetry exists at all for Android devices that access business systems.
- Tune detections around combinations of risky behaviors rather than single permissions: for example, newly installed app plus device administrator grant, root indicators, runtime code download, discovery activity, and outbound web traffic.
- Prioritize visibility for rooted or exploit-compromised devices because several related techniques note that elevated privileges can expand access to protected data and security-control modification.
- Review false positives carefully for legitimate apps that use camera, microphone, location, contacts, notifications, or web protocols; the suspicious pattern is sensitive access combined with abnormal provenance, privilege escalation, obfuscation, or C2-like behavior.
- Account for evasion: the relationship context includes obfuscation and virtualization/sandbox system checks, so static app review or sandbox-only analysis may miss behavior that appears after installation or in non-analysis environments.
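One way to implement the behavior-combination approach described above, as an added example that is not Glexia's or MITRE's code: it scores each (device, app) pair on how many distinct risk categories appear within a time window, and only reports sensitive permissions alongside such a correlated hit. The event schema, field names, category thresholds and sample events are constructed assumptions, not a real MDM or MTD product format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Risky behaviours to correlate, each mapped to a category. A lone sensitive-permission grant is NOT a category.
RISK_CATEGORIES = {
    "app_install_sideload": "provenance",    # installed outside Google Play
    "device_admin_grant": "privilege",       # device administrator permission granted
    "root_indicator": "privilege",           # MDM/MTD root detection
    "runtime_code_download": "execution",    # new code fetched after install
    "installed_apps_enumerated": "discovery",
    "outbound_http_external": "network",
}
SENSITIVE_PERMS = {"CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_CONTACTS", "READ_SMS", "READ_CALL_LOG"}

def ev(device, package, ts, event, perm=None):
    # One constructed telemetry event in a hypothetical MDM/MTD schema (assumption, not a real product format).
    return {"device": device, "package": package, "event": event, "perm": perm, "ts": datetime.fromisoformat(ts)}

def correlate(events, window=timedelta(hours=24), min_categories=3):
    """Alert per (device, package) when >= min_categories distinct risk categories occur within `window`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["device"], e["package"])].append(e)
    alerts = []
    for (device, package), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # slide the window start over the app's events
            cats, perms = set(), set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                cat = RISK_CATEGORIES.get(e["event"])
                if cat:
                    cats.add(cat)
                elif e["event"] == "permission_grant" and e["perm"] in SENSITIVE_PERMS:
                    perms.add(e["perm"])         # reported only if the app also trips the threshold
            if len(cats) >= min_categories:
                alerts.append({"device": device, "package": package,
                               "categories": sorted(cats), "sensitive_perms": sorted(perms)})
                break                            # one alert per app is enough
    return alerts

# Constructed sample: a sideloaded app chaining several page behaviours, and a benign camera app (camera + network only).
SAMPLE = [
    ev("dev-A", "com.example.wallpaper", "2021-10-05T09:00:00", "app_install_sideload"),
    ev("dev-A", "com.example.wallpaper", "2021-10-05T09:02:00", "device_admin_grant"),
    ev("dev-A", "com.example.wallpaper", "2021-10-05T09:06:00", "runtime_code_download"),
    ev("dev-A", "com.example.wallpaper", "2021-10-05T09:07:00", "permission_grant", "RECORD_AUDIO"),
    ev("dev-A", "com.example.wallpaper", "2021-10-05T09:08:00", "outbound_http_external"),
    ev("dev-B", "com.example.camera", "2021-10-05T10:01:00", "permission_grant", "CAMERA"),
    ev("dev-B", "com.example.camera", "2021-10-05T10:02:00", "outbound_http_external"),
]
```

Running `correlate(SAMPLE)` flags only the sideloaded app (four categories, with RECORD_AUDIO attached); the camera app's single network category never reaches the threshold, which is the false-positive discipline the list above calls for.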
Mitigation priorities
- Maintain Android patch currency and vulnerability remediation processes, since the object notes abuse of known Android exploits to obtain root permissions.
- Restrict third-party app installation and enforce app provenance controls for devices that access corporate resources.
- Use mobile device management or equivalent controls to block rooted devices, unauthorized device administrator permissions, and non-compliant Android versions from sensitive identity and cloud access.
- Apply least-privilege mobile app permission practices and review apps requesting access to notifications, SMS, contacts, call logs, location, microphone, camera, or local storage.
- Prepare mobile incident response procedures for containment, device isolation, evidence collection, credential/session revocation, and user notification when business-accessing devices are suspected of compromise.
Analyst notes and limits
The strongest decision value in this object comes from the relationships: AbstractEmu is associated with Android privilege escalation, runtime code loading, discovery, collection, C2 over web protocols, and exfiltration over C2. That combination makes mobile access governance, patching, and telemetry validation more important than a narrow IOC-only approach.
ATT&CK provides no official detection text, no aliases, no explicit tactics in the supplied object, and only one external research reference. This take does not assess current activity, attribution, prevalence, or customer exposure. Teams need local mobile inventory, MDM/MTD logs, network data, and access-policy evidence to determine actual risk and coverage.
AbstractEmu
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1517 | Access Notifications | AbstractEmu can monitor notifications. [1] |
| Mobile | T1633.001 | System Checks (sub-technique of T1633) | AbstractEmu can check device system properties to potentially avoid running while under analysis. [1] |
| Mobile | T1623.001 | Unix Shell (sub-technique of T1623) | AbstractEmu has included encoded shell scripts to potentially aid in the rooting process. [1] |
| Mobile | T1406 | Obfuscated Files or Information | AbstractEmu has encoded files, such as exploit binaries, to potentially use during and after the rooting process. [1] |
| Mobile | T1422.001 | Internet Connection Discovery (sub-technique of T1422) | AbstractEmu can collect device IP address and SIM information. [1] |
| Mobile | T1422 | System Network Configuration Discovery | AbstractEmu can collect device IP address and SIM information. [1] |
| Mobile | T1633 | Virtualization/Sandbox Evasion | AbstractEmu has used code abstraction and anti-emulation checks to potentially avoid running while under analysis. [1] |
| Mobile | T1404 | Exploitation for Privilege Escalation | AbstractEmu can use rooting exploits to silently give itself permissions or install additional malware. [1] |
| Mobile | T1437.001 | Web Protocols (sub-technique of T1437) | AbstractEmu can use HTTP to communicate with the C2 server. [1] |
| Mobile | T1636.004 | SMS Messages (sub-technique of T1636) | AbstractEmu can intercept SMS messages containing two-factor authentication codes. [1] |
| Mobile | T1429 | Audio Capture | AbstractEmu can grant itself microphone permissions. [1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | AbstractEmu can send large amounts of device data over its C2 channel, including the device's manufacturer, model, version and serial number, telephone number, and IP address. [1] |
| Mobile | T1629.003 | Disable or Modify Tools (sub-technique of T1629) | AbstractEmu can disable Play Protect. [1] |
| Mobile | T1418 | Software Discovery | AbstractEmu can obtain a list of installed applications. [1] |
| Mobile | T1426 | System Information Discovery | AbstractEmu can collect device information such as manufacturer, model, version, serial number, and telephone number. [1] |
| Mobile | T1533 | Data from Local System | AbstractEmu can collect files from or inspect the device's filesystem. [1] |
| Mobile | T1512 | Video Capture | AbstractEmu can grant itself camera permissions. [1] |
| Mobile | T1636.002 | Call Log (sub-technique of T1636) | AbstractEmu can access device call logs. [1] |
| Mobile | T1430 | Location Tracking | AbstractEmu can access a device's location. [1] |
| Mobile | T1626.001 | Device Administrator Permissions (sub-technique of T1626) | AbstractEmu can modify system settings to give itself device administrator privileges. [1] |
| Mobile | T1544 | Ingress Tool Transfer | AbstractEmu can receive files from the C2 at runtime. [1] |
| Mobile | T1407 | Download New Code at Runtime | AbstractEmu can download and install additional malware after initial infection. [1] |
| Mobile | T1636.003 | Contact List (sub-technique of T1636) | AbstractEmu can grant itself contact list access. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 874bd5026736… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] lookout_abstractemu_1021: P. Shunk, K. Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
[2] mitre-attack: MITRE ATT&CK, S1061 (AbstractEmu) source object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.