Wontok SafeCentral Malware Bulletin
3 March 2017
Malware Family: Android.Rootnik
Android.Rootnik is a customized version of a root tool known as ‘Root Assistant’. This re-packaged version of the application is able to gain root access on Android devices that run Android 4.3 or earlier. So far, over 500 variants of this malware have been detected in the wild.
Wontok Lab Results
We observed that Wontok SafeCentral Mobile Security’s On-access and On-demand engines properly detect Android.Rootnik.GT and remediate the malware, which prevents this unwanted application from installing and delivering its payload.
Android.Rootnik was observed to collect local device information, such as IMEI (International Mobile Equipment Identity), ISO country code, Android build version and model type.
Android devices were infected when users installed a malicious program disguised as a legitimate “file helper” application. Once installed, this application can run a ‘remote control service’ capable of promoting applications and advertisements, silently installing other malicious applications, pushing notifications, and creating shortcuts to unwanted programs or content on the home screen.
Older versions of this malware have also been known to:
- Install additional APK files into the local system partition, so that access to the compromised device persists after root is gained.
- Install and uninstall applications without user knowledge.
- Download executable files from remote servers for local execution.
- Steal Wi-Fi information, including passwords and keys as well as SSID and BSSID identifiers.
- Collect victims’ private information and upload it to Command and Control (C&C) servers.
- Send SMS to premium subscription services.
About Wontok Lab
Wontok Lab is Wontok’s product test facility that consists of a team of security researchers in a controlled analysis and testing environment. Wontok Lab conducts rigorous tests specifically designed and tailored for each of Wontok’s security products.
About Wontok SafeCentral Security Solutions
Founded in 2005 and headquartered in Sydney, Wontok has operations in Australia, Asia and the United States, and brings proven remote access and endpoint security solutions to market. Wontok designed the SafeCentral solutions to be effective against advanced malware threats on desktop and mobile devices. SafeCentral Security Solutions include SafeDesktop, Mobile Security, and Security Suite, all of which can be delivered via partner-owned platforms or via the Wontok ONE cloud-based VAS service delivery platform.