
Rootnik Trojan Can Gain Deeper Access to Android Devices

It is no secret that the security world, like the technology world as a whole, is moving toward mobile. The shift is accelerating with every day that passes. The days of relying on a desktop or laptop are behind us; we now carry the power of those machines, and more, in our pockets. With that power comes responsibility, and mobile devices must heed it too: it is a great luxury to have these machines at our disposal, but they are exposed to an attack surface that matches, if not exceeds, that of traditional computers.

Over the past few years we have seen a significant increase in mobile breaches and malware. A newly surfaced family named Rootnik targets Android devices. Infections have been observed in several countries, including the United States, Lebanon, Taiwan, Malaysia and Thailand. Rootnik spreads by injecting itself into the following legitimate Android applications: Wi-Fi Analyzer, Open Camera, Infinite Loop, HD Camera, Windows Solitaire, ZUI Locker and Free Internet Austria. Over 600 samples of this malware have been observed, and its rooting routine only works on devices running Android 4.3 or older. Once a device has been compromised, a separate script runs that gives the malware root privileges. How does it obtain root? Researchers report that, once on the system, the malware downloads encrypted payloads from a remote server that assist it in gaining root access. Rootnik has been found to contact several remote servers; researchers have identified their domain names and report that the servers have been active since February 2015.

The malware also writes four APK files before rebooting the device:

- AndroidSettings.apk: responsible for promoting Android applications
- BluetoothProviders.apk: provides remote control to install and uninstall applications
- WifiProviders.apk: also provides remote control to install and uninstall applications
- VirusSecurityHunter.apk: the harvesting component

VirusSecurityHunter.apk runs and collects a range of sensitive information: Wi-Fi details such as passwords, keys and SSID and BSSID identifiers, as well as the device's location, MAC address and device ID. AndroidSettings.apk presents promotions for other applications and pushes ads onto the infected device's home screen without the user requesting them. The other two APKs are self-explanatory: they give the operators remote control over which apps are installed on the infected device.
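The two concrete indicators the post gives, the Android 4.3-or-older threshold and the four dropped APK file names, are easy to turn into a quick device triage. The script below is an added example, not code from the original post or from any vendor report. The sample file listing is constructed, the search roots and the `adb`/`find` wrapper are assumptions for illustration, and the post does not document where Rootnik writes the files, so a name match is a hint to investigate, not a confirmation.

```python
"""Offline triage for the Rootnik indicators described in the post.

Added example, not the post's own code or any vendor's tooling. It encodes
the two indicators the post gives (release 4.3 or older; four dropped APK
names). Paths, the sample listing and the adb wrapper are assumptions.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# From the post: the rooting routine only works on Android 4.3 or older.
MAX_VULNERABLE_RELEASE = (4, 3)

# From the post: the four APK files written before the reboot.
ROOTNIK_DROPPED_APKS = {
    "AndroidSettings.apk",
    "BluetoothProviders.apk",
    "WifiProviders.apk",
    "VirusSecurityHunter.apk",
}

# Constructed sample of `find ... -name '*.apk'` output, one path per line.
# Two of the paths are assumed locations, chosen only to exercise the check.
SAMPLE_LISTING = """\
/system/app/Bluetooth.apk
/data/app/com.example.wifianalyzer-1.apk
/system/app/AndroidSettings.apk
/data/local/tmp/VirusSecurityHunter.apk
/sdcard/Download/open_camera.apk
"""


def parse_release(release: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a ro.build.version.release string, or None.

    Only major.minor matter for the 4.3 threshold: '4.3.1' is treated as 4.3
    (vulnerable) and '4.4.2' as 4.4 (not vulnerable). Preview builds such as
    'N' do not parse and are reported as unknown rather than safe.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)", release)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_release(release: str) -> Optional[bool]:
    """True if 4.3 or older, False if newer, None if the string is unparseable."""
    parsed = parse_release(release)
    if parsed is None:
        return None
    return parsed <= MAX_VULNERABLE_RELEASE


def find_dropped_apks(listing: str) -> List[str]:
    """Return listed paths whose file name matches a dropped APK name.

    Matching is case-insensitive on the basename only, so the check works
    regardless of which directory the files were written to.
    """
    wanted = {name.lower() for name in ROOTNIK_DROPPED_APKS}
    hits = []
    for line in listing.splitlines():
        path = line.strip()
        if not path:
            continue
        if path.rsplit("/", 1)[-1].lower() in wanted:
            hits.append(path)
    return hits


def triage(release: str, listing: str) -> dict:
    """Combine both indicators into one verdict.

    A file-name hit marks the device suspect on its own; a vulnerable
    release without hits only means the device is exposed, not infected.
    """
    hits = find_dropped_apks(listing)
    return {
        "release": release.strip(),
        "vulnerable_release": is_vulnerable_release(release),
        "dropped_apks": hits,
        "suspect": bool(hits),
    }


def triage_connected_device() -> dict:
    """Run the same checks against a USB-attached device through adb.

    Assumes adb is on PATH and the device is authorized. The search roots
    are an assumption; adjust them for the device. Not run offline.
    """
    def sh(cmd: str) -> str:
        return subprocess.run(["adb", "shell", cmd], capture_output=True,
                              text=True, check=True).stdout

    release = sh("getprop ro.build.version.release")
    listing = sh("find /system /data /sdcard -name '*.apk' 2>/dev/null")
    return triage(release, listing)


if __name__ == "__main__":
    # Offline demonstration on the constructed listing.
    print(triage("4.3", SAMPLE_LISTING))
```

On a device that is not rooted, `find` will not be able to read all of `/data`, so an empty result from the adb wrapper is not proof of a clean device; the version check still tells you whether the device is in the population Rootnik can root.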

In conclusion, this malware has surfaced only recently and has already caused a fair amount of havoc. Infections have so far been reported only in the countries listed above, and it seems likely to stay within them. Remediation starts with making sure your Android device is running the latest OS version available for it: Rootnik's rooting routine only works on 4.3 or older, and a current release carries the patches that close the holes it relies on. Devices that no longer receive updates cannot be protected this way and should be treated as exposed. Another fix, and one that not many people apply, is to run an anti-virus scanner on the device, set to scan daily, weekly or monthly. Lastly, do not install applications from unknown sources: leave Android's "Unknown sources" setting disabled and only install from app stores you trust. Overall, this malware was an interesting one, and I foresee other attacks using it as a blueprint, so the sooner these exploits are patched, the better.