Connect with us

Hi, what are you looking for?


Malware & Threats

Rootnik Trojan Modifies Legitimate Root Tool to Hack Android Devices

A new Trojan is stealing information from Android devices after gaining root access on them by using a commercial root tool and is affecting users around the world, researchers at Palo Alto Networks warn.

A new Trojan is stealing information from Android devices after gaining root access on them by using a commercial root tool and is affecting users around the world, researchers at Palo Alto Networks warn.

Dubbed Rootnik, the malware uses the Root Assistant utility to gain root access on Android devices, and is estimated to have successfully infected devices in the United States, Malaysia, Thailand, Lebanon and Taiwan. The Trojan has managed to steal at least five exploits used in Root Assistant, a tool developed by a Chinese company to provide users with the ability to gain root on their devices.

The security researchers revealed that Rootnik has been spreading by being embedded in copies of legitimate applications such as WiFi Analyzer, Open Camera, Infinite Loop, HD Camera, Windows Solitaire, ZUI Locker, and Free Internet Austria. Moreover, they revealed that over 600 samples of Rootnik have been observed thus far and that all Android 4.3 and older devices are vulnerable.

By abusing a customized version of Root Assistant, the Trojan exploits Android vulnerabilities such as CVE-2012-4221, CVE-2013-2596, CVE-2013-2597, and CVE-2013-6282, and can install and uninstall both system and non-system apps without users’ awareness. The malware also installs a series of APK files on the system partition of the infected devices to maintain persistence after gaining root access.

The researchers say Rootnik is also capable of downloading executable files from remote servers for local execution, as well as to aggressively promote other applications by displaying ads even on the home screen, in full screen mode. The malware also steals Wi-Fi information such as passwords, keys, and SSID and BSSID identifiers, and harvests victims’ private information, including location, phone MAC address and device ID.

Palo Alto Networks researchers also determined that Rootnik connects to remote servers using the applight[.]mobi, jaxfire[.]mobi, superflashlight[.]mobi, and shenmeapp[.]info domain names. While the earliest creation date of domains goes back to February 2015, all these servers are said to be currently active.

Rootnik distributes itself by injecting malicious code into legitimate apps and, after successfully compromising an Android device, it launches a new thread to gain root privileges. It also starts the app promotion procedure, while downloading encrypted payloads from a remote server to attempt gaining root access. If successful, it writes four APK files to the system partition and reboots the device, the researchers said.

Advertisement. Scroll to continue reading.

These four APK files serve as system apps after rebooting and feature static file names: AndroidSettings.apk (responsible for promoting apps), BluetoothProviders.apk and WifiProviders.apk (both acting as remote control components for installing other applications and downloading code), and VirusSecurityHunter.apk (aimed exclusively at harvesting private data).

According to the security firm, Rootnik attempts to gain root privileges only on devices located in certain countries, and won’t attempt a root compromise if a device’s location is detrmined to be in China. 

After rooting a device and rebooting it, the Trojan begins its malicious activities, including the aggressive promotion or other applications, which is meant to increase the revenue for its developers, the researchers said. 

To stay protected, Android users should ensure they have the latest security updates for their devices installed, and should avoid downloading and installing applications from unknown sources.

Related: Majority of Top Android Apps Easily Reverse Engineered: Report

Related: Android Malware Possibly Infects 1 Million Devices via Google Play

Related: Android Adware Abuses Accessibility Service to Install Apps

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.