To stymie researchers, a new version of Rootnik malware employs anti-debugging and anti-hooking mechanisms, and also hides its malicious .dex payload inside of an APK file.
To stymie researchers, a new version of Rootnik malware employs anti-debugging and anti-hooking mechanisms, and also hides its malicious .dex payload inside of an APK file.

A newly identified version of the Android malware "Rootnik" features anti-debugging and anti-hooking capabilities designed to hinder analysts' efforts to reverse engineer it, according to IT security company Fortinet, which provided SC Media with an exclusive first look at its research.

Discovered in late 2015, the Rootnik trojan relies on open-sourced root exploit tools to gain unauthorized root access to users' devices, enabling a bevy of undesired behaviors. According to a Fortinet blog post today, this latest variant installs a hidden remote control service application capable of promoting apps and ads, silently installing apps, pushing notifications and pornography, creating shortcuts for unwanted programs or content on the home screen, and downloading additional files that can also feature malicious functionality.

The malware can also collect a device's information, including its IMEI (International Mobile Equipment Identity), ISO country code, Android build version and model type. Due to the specific exploits that Rootnik uses, older Android devices with MediaTek (MTK) chipsets or Exynos systems on chips from Samsung are especially prone, Fortinet told SC Media.

Users are infected with Rootnik upon downloading a malicious program that is disguised as a legitimate "file helper" app that purportedly manages files and other resources found on one's device. "Generally this kind of Android malware can be dispersed by some third-party Android app markets that don't have strict censorship, or by some malicious websites," said Kai Lu, an analyst at Fortinet, in an email interview with SC Media.

But it is Rootnik's use of anti-debugging and anti-hooking techniques in the native layer code that truly makes this iteration stand out from its predecessors.

For starters, the malware is designed to detect certain popular hook frameworks that white-hat analysts might use in the course of their research. Hooking involves a number of techniques designed to change a software's behavior, often for debugging purposes, and hook frameworks are commonly used for studying a malware's behavior. Upon detection of these frameworks, including Xposed, substrate, adbi, ddi and dexposed, Rootnik kills the process.

Rootnik also leverages a complex multi-process ptrace to implement anti-debugging functionality. And finally, it uses inotify, a Linux kernel subsystem designed to observe and report changes to applications, to monitor the memory and page heap of the main process. If inotify catches a user trying to dynamically debug the program, it quashes that attempt by triggering an incomplete memory dump. 

To further confuse meddling researchers, Rootnik conceals its malicious, encrypted secondary .dex payload (.dex is a Dalvik Executable file for Android programs) inside of an APK file, to prevent the white hats from understanding the workflow of the malware. "The main logic of the malware app is hidden [in] the secondary .dex file. The first .dex file is only a wrapper," said Lu.