Rootnik Android Trojan Uses a Root Tool to Steal Sensitive Information
Using a root tool to gain system access, a new trojan is stealing information from Android devices, affecting users in the United States, Taiwan, Malaysia, Thailand, and Lebanon.
Android 4.3 and older devices are vulnerable to Rootnik trojan:
Rootnik is a new Android trojan that has stolen at least five exploits used in the Root Assistant utility to gain root access of the Android devices, researchers have revealed. Root Assistant is a commercial customized utility developed by a Chinese company helping users to root their Android devices. Researchers have reported having observed over 600 samples of Rootnik in the wild. The malware was able to spread by being embedded in copies of legitimate applications, including:
- WiFi Analyzer
- Open Camera
- Infinite Loop
- HD Camera
- Windows Solitaire
- ZUI Locker
- Free Internet Austria
How Rootnik trojan works…
“Rootnik distributes itself by repackaging and injecting malicious code into legitimate Android apps,” explain Palo Alto Networks researchers. After being installed on an Android device, the trojan gains root access on the device using the exploits stolen from the Root Assistant. After achieving root access, Rootnik then writes four APK files to the system partition and reboots the compromised Android device.
These files are named as AndroidSettings.apk, BluetoothProviders.apk, WifiProviders.apk, and VirusSecurityHunter.apk. AndroidSettings helps the trojan promote other apps (increasing revenues) while the BluetoothProviders and WiFiProviders act as remote control components, installing and uninstalling apps along with downloading and executing new code from remote servers. The VirusSecurityHunter is reported to be stealing WiFi information and device owner’s location along with other similar sensitive data.
According to researchers, Rootnik only attempts to gain root privileges on devices located in certain countries and doesn’t attempt to gain root access if the location of the device is determined to be in China. All the Android 4.3 and older devices are vulnerable to this exploit, except of course those in China. To keep your devices safe from these attacks, make sure you keep them updated to the latest security firmware updates and avoid installing applications from unknown sources.