Rootnik Trojan Modifies Legitimate Root Tool to Hack Android Devices

A new Trojan is stealing information from Android devices after gaining root access on them by using a commercial root tool and is affecting users around the world, researchers at Palo Alto Networks warn.

Dubbed Rootnik, the malware uses the Root Assistant utility to gain root access on Android devices, and is estimated to have successfully infected devices in the United States, Malaysia, Thailand, Lebanon and Taiwan. The Trojan has managed to steal at least five exploits used in Root Assistant, a tool developed by a Chinese company to provide users with the ability to gain root on their devices.

The security researchers revealed that Rootnik has been spreading by being embedded in copies of legitimate applications such as WiFi Analyzer, Open Camera, Infinite Loop, HD Camera, Windows Solitaire, ZUI Locker, and Free Internet Austria. Moreover, they revealed that over 600 samples of Rootnik have been observed thus far and that all Android 4.3 and older devices are vulnerable.

By abusing a customized version of Root Assistant, the Trojan exploits Android vulnerabilities such as CVE-2012-4221, CVE-2013-2596, CVE-2013-2597, and CVE-2013-6282, and can install and uninstall both system and non-system apps without users’ awareness. The malware also installs a series of APK files on the system partition of the infected devices to maintain persistence after gaining root access.

The researchers say Rootnik is also capable of downloading executable files from remote servers for local execution, as well as to aggressively promote other applications by displaying ads even on the home screen, in full screen mode. The malware also steals Wi-Fi information such as passwords, keys, and SSID and BSSID identifiers, and harvests victims’ private information, including location, phone MAC address and device ID.

Palo Alto Networks researchers also determined that Rootnik connects to remote servers using the applight[.]mobi, jaxfire[.]mobi, superflashlight[.]mobi, and shenmeapp[.]info domain names. While the earliest creation date of domains goes back to February 2015, all these servers are said to be currently active.

Rootnik distributes itself by injecting malicious code into legitimate apps and, after successfully compromising an Android device, it launches a new thread to gain root privileges. It also starts the app promotion procedure, while downloading encrypted payloads from a remote server to attempt gaining root access. If successful, it writes four APK files to the system partition and reboots the device, the researchers said.

These four APK files serve as system apps after rebooting and feature static file names: AndroidSettings.apk (responsible for promoting apps), BluetoothProviders.apk and WifiProviders.apk (both acting as remote control components for installing other applications and downloading code), and VirusSecurityHunter.apk (aimed exclusively at harvesting private data).

According to the security firm, Rootnik attempts to gain root privileges only on devices located in certain countries, and won’t attempt a root compromise if a device’s location is detrmined to be in China. 

After rooting a device and rebooting it, the Trojan begins its malicious activities, including the aggressive promotion or other applications, which is meant to increase the revenue for its developers, the researchers said. 

To stay protected, Android users should ensure they have the latest security updates for their devices installed, and should avoid downloading and installing applications from unknown sources.

Related: Majority of Top Android Apps Easily Reverse Engineered: Report

Related: Android Malware Possibly Infects 1 Million Devices via Google Play

Related: Android Adware Abuses Accessibility Service to Install Apps