Trojan Gains Root Access, Hacks Androids

Thursday, December 10, 2015 @ 06:12 PM gHale

A Trojan can rip off information from Android devices after it gains root access on them, researchers said.

Rootnik uses the Root Assistant utility to gain root access on Android devices and it has successfully infected devices in the United States, Malaysia, Thailand, Lebanon and Taiwan, said researchers at Palo Alto Networks.


The Trojan reuses at least five exploits taken from Root Assistant, a tool developed by a Chinese company to let users gain root on their own devices.

Rootnik spreads by embedding itself in copies of legitimate applications such as WiFi Analyzer, Open Camera, Infinite Loop, HD Camera, Windows Solitaire, ZUI Locker, and Free Internet Austria, said Palo Alto Networks researchers in a blog post. Researchers have observed over 600 samples of Rootnik so far, and devices running Android 4.3 and older are vulnerable to the exploits it carries.

By abusing a customized version of Root Assistant, the Trojan exploits Android vulnerabilities and can install and uninstall system and non-system apps without users’ awareness. The malware also installs a series of APK files on the system partition of the infected devices to maintain persistence after gaining root access.

The researchers said Rootnik can also download executable files from remote servers for local execution, and it aggressively promotes other applications by displaying full-screen ads, even on the home screen. The malware also steals Wi-Fi information such as passwords, keys, and SSID and BSSID identifiers, and harvests victims’ private information, including location, phone MAC address and device ID.

Palo Alto Networks researchers also determined that Rootnik connects to remote servers under the applight[.]mobi, jaxfire[.]mobi, superflashlight[.]mobi, and shenmeapp[.]info domain names. The earliest of these domains was registered in February 2015, and all of the servers were still active at the time of the report.

Rootnik distributes itself by injecting malicious code into legitimate apps. Once a repackaged app runs on a device, it launches a new thread that downloads encrypted exploit payloads from a remote server and attempts to gain root privileges, and in parallel starts its app promotion routine. If the root attempt succeeds, it writes four APK files to the system partition and reboots the device, the researchers said.

These four APK files run as system apps after the reboot and have static file names: AndroidSettings.apk (responsible for promoting apps), BluetoothProviders.apk and WifiProviders.apk (both acting as remote control components for installing other applications and downloading code), and VirusSecurityHunter.apk (aimed exclusively at harvesting private data).
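The static file names above and the command-and-control domains reported earlier are the indicators a responder can actually check for. The script below is an added example, not Palo Alto Networks' code or the Rootnik sample itself: it scans an `ls -R`-style listing of the system partition for the four APK names, and a DNS query log for lookups of the reported domains (including their subdomains). The directory listing, the log line format (`<timestamp> <client> query <qname>`) and the log lines are constructed sample input; only the APK names and domains come from the report.

```python
"""Rootnik indicator check (added example; not Palo Alto Networks' code).

Scans (a) a directory listing of the Android system partition and (b) DNS
query log lines for the static APK names and C2 domains the report names.
The listing, the log format and the log lines are constructed sample input.
"""
import re

# Static APK names Rootnik writes to the system partition (from the report).
ROOTNIK_APKS = {
    "AndroidSettings.apk",
    "BluetoothProviders.apk",
    "WifiProviders.apk",
    "VirusSecurityHunter.apk",
}

# C2 domains from the report, with the defanging brackets removed for matching.
ROOTNIK_DOMAINS = {
    "applight.mobi",
    "jaxfire.mobi",
    "superflashlight.mobi",
    "shenmeapp.info",
}


def find_rootnik_apks(listing: str) -> list[str]:
    """Return full paths in an `ls -R`-style listing whose name is a Rootnik APK.

    A stock ROM does not ship system apps under these names, so any hit on a
    device running Android 4.3 or older is worth pulling for analysis.
    """
    hits = []
    current_dir = ""
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):  # "ls -R" prints each directory as "path:"
            current_dir = line[:-1]
            continue
        if line in ROOTNIK_APKS:
            hits.append(f"{current_dir}/{line}" if current_dir else line)
    return hits


def _host_matches(host: str) -> bool:
    """True if host equals a Rootnik domain or is a subdomain of one.

    Matching on the label boundary avoids false hits such as notjaxfire.mobi.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ROOTNIK_DOMAINS)


# Assumed log shape (constructed): "<timestamp> <client> query <qname>".
_DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def find_rootnik_dns(log: str) -> list[tuple[str, str]]:
    """Return (client, qname) pairs for queries to Rootnik C2 domains."""
    hits = []
    for line in log.splitlines():
        m = _DNS_LINE.match(line)
        if m and _host_matches(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").rstrip(".")))
    return hits


# Constructed sample input; not real device or network data.
SAMPLE_LISTING = """\
/system/app:
AndroidSettings.apk
Bluetooth.apk
BluetoothProviders.apk
Calculator.apk
VirusSecurityHunter.apk

/system/framework:
framework-res.apk
"""

SAMPLE_DNS_LOG = """\
2015-12-10T18:01:02Z 10.0.0.7 query api.applight.mobi.
2015-12-10T18:01:05Z 10.0.0.7 query www.google.com.
2015-12-10T18:02:11Z 10.0.0.9 query shenmeapp.info.
2015-12-10T18:02:30Z 10.0.0.9 query notjaxfire.mobi.
"""

if __name__ == "__main__":
    for path in find_rootnik_apks(SAMPLE_LISTING):
        print("system APK indicator:", path)
    for client, qname in find_rootnik_dns(SAMPLE_DNS_LOG):
        print("C2 DNS indicator:", client, "->", qname)
```

On a live device the listing would come from `adb shell ls -R /system/app` (root is not needed to read it), and the DNS log from whatever resolver or network sensor the handset sits behind. A file-name hit alone is not proof, since the sample does not verify package signatures, but a name match plus a query to one of the reported domains is a strong signal that the device has been rooted by this family.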

Rootnik attempts to gain root privileges only on devices located in certain countries, and won’t attempt a root compromise if a device’s location is in China.