SecurityWeek

Malware & Threats

Rootnik Trojan Modifies Legitimate Root Tool to Hack Android Devices

A new Trojan is stealing information from Android devices after gaining root access on them by using a commercial root tool and is affecting users around the world, researchers at Palo Alto Networks warn.

Dubbed Rootnik, the malware uses the Root Assistant utility to gain root access on Android devices, and is estimated to have successfully infected devices in the United States, Malaysia, Thailand, Lebanon and Taiwan. The Trojan has managed to steal at least five exploits used in Root Assistant, a tool developed by a Chinese company to provide users with the ability to gain root on their devices.

The security researchers revealed that Rootnik has been spreading by being embedded in copies of legitimate applications such as WiFi Analyzer, Open Camera, Infinite Loop, HD Camera, Windows Solitaire, ZUI Locker, and Free Internet Austria. Moreover, they revealed that over 600 samples of Rootnik have been observed thus far and that all Android 4.3 and older devices are vulnerable.

By abusing a customized version of Root Assistant, the Trojan exploits Android vulnerabilities such as CVE-2012-4221, CVE-2013-2596, CVE-2013-2597, and CVE-2013-6282, and can install and uninstall both system and non-system apps without users’ awareness. The malware also installs a series of APK files on the system partition of the infected devices to maintain persistence after gaining root access.

The researchers say Rootnik is also capable of downloading executable files from remote servers for local execution, and of aggressively promoting other applications by displaying full-screen ads, even on the home screen. The malware also steals Wi-Fi information such as passwords, keys, and SSID and BSSID identifiers, and harvests victims’ private information, including location, phone MAC address and device ID.

Palo Alto Networks researchers also determined that Rootnik connects to remote servers using the applight[.]mobi, jaxfire[.]mobi, superflashlight[.]mobi, and shenmeapp[.]info domain names. While the earliest creation date of these domains goes back to February 2015, all of these servers are said to be currently active.

Rootnik distributes itself by injecting malicious code into legitimate apps and, after successfully compromising an Android device, it launches a new thread to gain root privileges. It also starts the app promotion procedure, while downloading encrypted payloads from a remote server to attempt gaining root access. If successful, it writes four APK files to the system partition and reboots the device, the researchers said.

These four APK files serve as system apps after rebooting and feature static file names: AndroidSettings.apk (responsible for promoting apps), BluetoothProviders.apk and WifiProviders.apk (both acting as remote control components for installing other applications and downloading code), and VirusSecurityHunter.apk (aimed exclusively at harvesting private data).
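A defender-side check built from the indicators the article lists above (the four command-and-control domains and the four static APK names written to the system partition). This is an added example, not code from Palo Alto Networks' report; the DNS log format, the sample log lines and the file paths are constructed assumptions.

```python
"""Host- and network-level checks for the Rootnik indicators named in the article."""
import re

# Indicators from the article (written plainly here; the article defangs the domains).
ROOTNIK_C2_DOMAINS = {"applight.mobi", "jaxfire.mobi", "superflashlight.mobi", "shenmeapp.info"}
ROOTNIK_SYSTEM_APKS = {"AndroidSettings.apk", "BluetoothProviders.apk",
                       "WifiProviders.apk", "VirusSecurityHunter.apk"}

def matches_c2_domain(host):
    """True if host is one of the C2 domains or a subdomain of one.
    Matching is done label by label, so 'notapplight.mobi' does not match."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in ROOTNIK_C2_DOMAINS for i in range(len(labels)))

# Assumed resolver log format (constructed): "<time> <client-ip> query: <name>"
DNS_LINE = re.compile(r"^(?P<time>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<name>\S+)")

def scan_dns_log(lines):
    """Return (client, queried name) pairs whose query hits a Rootnik C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and matches_c2_domain(m.group("name")):
            hits.append((m.group("client"), m.group("name").lower().rstrip(".")))
    return hits

def suspicious_system_apks(paths):
    """Return paths under /system/ whose file name is one of the static Rootnik APK names.
    Only the system partition is considered, because that is where the malware persists."""
    return sorted(p for p in paths
                  if p.startswith("/system/") and p.rsplit("/", 1)[-1] in ROOTNIK_SYSTEM_APKS)

# Constructed sample data, not taken from a real device or resolver.
SAMPLE_DNS = [
    "2015-12-01T10:00:01Z 10.0.0.12 query: www.example.com.",
    "2015-12-01T10:00:03Z 10.0.0.12 query: api.applight.mobi.",
    "2015-12-01T10:00:05Z 10.0.0.27 query: notapplight.mobi.",
    "2015-12-01T10:00:09Z 10.0.0.27 query: SHENMEAPP.INFO",
]
SAMPLE_APKS = [
    "/system/app/Settings.apk", "/system/app/AndroidSettings.apk",
    "/system/priv-app/WifiProviders.apk", "/data/app/com.example-1/base.apk",
    "/sdcard/Download/VirusSecurityHunter.apk",
]

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS))
    print(suspicious_system_apks(SAMPLE_APKS))
```

The file-name check is deliberately restricted to the system partition: a file with the same name in a download folder is not the persistence artifact the article describes, and a legitimate Settings.apk is not flagged.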

According to the security firm, Rootnik attempts to gain root privileges only on devices located in certain countries, and won’t attempt a root compromise if a device’s location is determined to be in China.

After rooting a device and rebooting it, the Trojan begins its malicious activities, including the aggressive promotion of other applications, which is meant to increase the revenue for its developers, the researchers said.

To stay protected, Android users should ensure they have the latest security updates for their devices installed, and should avoid downloading and installing applications from unknown sources.
