Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Threat Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

SC Media Exclusive: Rootnik Android malware variant designed to frustrate researchers

A newly identified version of the Android malware "Rootnik" features anti-debugging and anti-hooking capabilities designed to hinder analysts' efforts to reverse engineer it, according to IT security company Fortinet, which provided SC Media with an exclusive first look at its research.

Discovered in late 2015, the Rootnik trojan relies on open-sourced root exploit tools to gain unauthorized root access to users' devices, enabling a bevy of undesired behaviors. According to a Fortinet blog post today, this latest variant installs a hidden remote control service application capable of promoting apps and ads, silently installing apps, pushing notifications and pornography, creating shortcuts for unwanted programs or content on the home screen, and downloading additional files that can also feature malicious functionality.

The malware can also collect a device's information, including its IMEI (International Mobile Equipment Identity), ISO country code, Android build version and model type. Due to the specific exploits that Rootnik uses, older Android devices with MediaTek (MTK) chipsets or Exynos systems on chips from Samsung are especially prone, Fortinet told SC Media.

Users are infected with Rootnik upon downloading a malicious program that is disguised as a legitimate "file helper" app that purportedly manages files and other resources found on one's device. "Generally this kind of Android malware can be dispersed by some third-party Android app markets that don't have strict censorship, or by some malicious websites," said Kai Lu, an analyst at Fortinet, in an email interview with SC Media.

But it is Rootnik's use of anti-debugging and anti-hooking techniques in the native layer code that truly makes this iteration stand out from its predecessors.

For starters, the malware is designed to detect certain popular hook frameworks that white-hat analysts might use in the course of their research. Hooking involves a number of techniques designed to change a software's behavior, often for debugging purposes, and hook frameworks are commonly used for studying a malware's behavior. Upon detection of these frameworks, including Xposed, substrate, adbi, ddi and dexposed, Rootnik kills the process.

Rootnik also leverages a complex multi-process ptrace to implement anti-debugging functionality. And finally, it uses inotify, a Linux kernel subsystem designed to observe and report changes to applications, to monitor the memory and page heap of the main process. If inotify catches a user trying to dynamically debug the program, it quashes that attempt by triggering an incomplete memory dump. 

To further confuse meddling researchers, Rootnik conceals its malicious, encrypted secondary .dex payload (.dex is a Dalvik Executable file for Android programs) inside of an APK file, to prevent the white hats from understanding the workflow of the malware. "The main logic of the malware app is hidden [in] the secondary .dex file. The first .dex file is only a wrapper," said Lu.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.