Android Rootnik Malware

Rootnik is an android malware toolkit which distributes itself by injecting malicious code into legitimate apps and, after successfully compromising Android device, it launches a fresh thread to gain root privileges. It also begins the process of promoting other apps while downloading encrypted payloads from a remote server to try to gain root access. If successful, it writes four APK files to the system partition and reboots the device.

These four APK files serve as system apps after rebooting and feature static file names: AndroidSettings.apk (responsible for promoting apps), BluetoothProviders.apk and WifiProviders.apk (both acting as remote control components for installing other applications and downloading code), and VirusSecurityHunter.apk (exclusively intended to harvest private data).

This malicious app is capable of performing the following actions:

• Abuse a customized version of “Root Assistant” to exploit Android vulnerabilities including CVE-2012-4221, CVE-2012-6422, CVE-2013-2596, CVE-2013-2597, and CVE-2013-6282.
• Rooting Android devices
• Install several APK files on the system partition of the compromised machine to maintain persistence after successful gaining root access.
• Injecting malicious code into legitimate apps
• Subscribing to premium services and sending premium messages
• Harvest victims’ private information, including their location, phone MAC address, and device ID.
• Steal WiFi information, including passwords and keys as well as SSID and BSSID identifiers.

Permissions

• Open network connections
• Start once the device has finished booting
• Access location information, such as Cell-ID or Wi-Fi
• Access external storage devices
• Write to external storage devices
• Access information about networks
• Allow access to low-level system logs
• Check the phone's current state

Indicators of Infection:

List of Hashes of Malware Binaries

• c1775e5fe89a0c8b1254e4d8a95686c56554b47f13e36d4f5cb551cb340f7021
• 0d612eb6d3ca2bbbc2aa33493065d8b4c3237f3cb262d48602181887ccea1afb
• 17a00e9e8a50a4e2ae0a2a5c88be0769a16c3fc90903dd1cf4f5b0b9b0aa1139
• f6b7b22bbe572c1ac1d7ac7135e076da87491eb78a37f17654a4aa92d88ded24
• cee6584cd2e01fab5f075f94af2a0ce024ed5e4f2d52e3dc39f7655c736a7232
• e2bdcfe5796cd377d41f3da3838865ab062ea7af9e1e4424b1e34eb084abec4a
• e5e22b357893bc15a50dc35b702dd5fcdfeafc6ffec7daa0d313c724d72ec854

File system Changes: Files written to system partition by Rootnik.

• 3bab02ec7ab2480c65b824350b387b00fc7fd9359ebca34fb42dda340ccbf5b6
• dc76856ff79cfdda7b227635f204ff3341e01ea537022497f5c6a70dc46b0cea
• ae4be03204419fd96c4e5085b6e3ddd542f39c53f9c9d0fed4eecaf823a1b26e

Network Communications:

Rootnik may attempt to make connections to following C2 domains

• grs.gowdsy[.]com
• grs.rogsob[.]com
• gt.rogsob[.]com
• gt.yepodjr[.]com
• qj.hoyebs[.]com
• qj.hoyow[.]com
• applight[.]mobi
• jaxfire[.]mobi
• superflashlight[.]mobi
• shenmeapp[.]info

Countermeasures:

• Do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from reputed application market only.
• Install and maintain updated antivirus solution on android devices. Scan the suspected device with antivirus solutions to detect and clean infections.
• Prior to downloading / installing apps on android devices (even from Google Play Store), Always review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
• Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
• In settings, do not enable installation of apps from "Untrusted Sources".
• Exercise caution while visiting trusted/untrusted sites for clicking links.
• Install Android updates and patches as and when available from Android device vendors.
• Users are advised to use device encryption or encrypting external SD card feature available with most of the android OS.
• Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
• Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
• Confirm that the banking app you’re using is the official, verified version.
• If anything looks awry or suddenly unfamiliar, check in with your bank’s customer service team.
• Use two-factor authentication if it’s available.
• Make sure you have a strong AI-powered mobile antivirus installed to detect and block this kind of tricky malware if it ever makes its way onto your system.
• Refer to security best practices for mobile Phone users:
  http://www.cyberswachhtakendra.gov.in/documents/Mobile_phone_Security.pdf

References:

• https://www.symantec.com/security-center/writeup/2016-062710-0328-99
• https://prescientsecurity.com/news/ootnik-trojan-can-gain-deeper-access-to-android-devices
• https://www.fortinet.com/blog/threat-research/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer.html
• https://www.scmagazine.com/home/security-news/cybercrime/sc-media-exclusive-rootnik-android-malware-variant-designed-to-frustrate-researchers/
• https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/
• https://nvd.nist.gov/vuln/detail/CVE-2012-4221
• https://nvd.nist.gov/vuln/detail/CVE-2012-6422
• https://nvd.nist.gov/vuln/detail/CVE-2013-2596
• https://nvd.nist.gov/vuln/detail/CVE-2013-2597
• https://nvd.nist.gov/vuln/detail/CVE-2013-6282