Rootnik.B is an Android malware toolkit that poses as adult content apps distributed through various websites, forums, torrent sites, and popular social media networks, primarily targeting Chinese-speaking users. The malicious payload is hidden in a fake .tiff image in the application's resources. The payload then downloads further malicious components and sets immutable flags on its files so that they cannot be deleted by the user or by an antivirus application. It also attempts to replace debuggerd, an Android system daemon, so that the malware survives cleanup attempts by antivirus software or even a factory reset. All devices running Android API level 8 (2.2) or later are affected.
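The fake .tiff is the first artifact an analyst can check for: an entry under res/ or assets/ whose extension claims an image format but whose leading bytes do not match that format. The scanner below is an added example written for this page, not Symantec's code or anything from the malware itself. It builds a constructed sample APK in memory (a genuine PNG header, a "tiff" that actually starts with a Dalvik DEX header, and a "jpg" that starts with an ELF header; the entry names are made up) and reports every image-named resource whose magic bytes disagree with its extension. The magic-byte tables are standard format signatures, not something taken from the Rootnik.B sample.

```python
"""Heuristic scan of an APK for image-named resources that are not images.

Added example, not the page's or Symantec's code. The sample APK built by
build_sample_apk() is constructed for illustration.
"""
import io
import os
import zipfile

# Leading bytes of the image formats commonly found under res/ and assets/.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".tif": (b"II*\x00", b"MM\x00*"),     # little-/big-endian TIFF
    ".tiff": (b"II*\x00", b"MM\x00*"),
    ".bmp": (b"BM",),
    ".webp": (b"RIFF",),                  # RIFF....WEBP, checked fully below
}

# Containers a payload hidden under an image name is likely to be.
PAYLOAD_MAGIC = {
    "dex": b"dex\n",        # Dalvik executable
    "elf": b"\x7fELF",      # native binary, e.g. a rooting exploit
    "zip": b"PK\x03\x04",   # nested APK/JAR
}


def looks_like_image(ext, data):
    """True if data starts with a signature valid for the image extension ext."""
    sigs = IMAGE_MAGIC.get(ext)
    if sigs is None:
        return True  # not an image extension, nothing to compare against
    if ext == ".webp":
        return data[:4] == b"RIFF" and data[8:12] == b"WEBP"
    return any(data.startswith(s) for s in sigs)


def embedded_payload_type(data):
    """Name the payload container data starts with, or None if unrecognised."""
    for kind, sig in PAYLOAD_MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def scan_apk(apk_bytes):
    """Return [(entry_name, finding)] for image-named resources whose bytes
    do not match their extension. An APK is a zip, so zipfile is enough."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if not (name.startswith("res/") or name.startswith("assets/")):
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_MAGIC:
                continue
            data = zf.read(name)
            if looks_like_image(ext, data):
                continue
            kind = embedded_payload_type(data)
            if kind:
                findings.append((name, f"{ext} extension but {kind} header"))
            else:
                # Unknown header: possibly an obfuscated/encrypted payload.
                findings.append((name, f"{ext} extension but unrecognised header {data[:4]!r}"))
    return findings


def build_sample_apk():
    """Constructed sample APK (names and contents made up for this example):
    one real PNG header, one fake .tiff carrying a DEX header, one fake .jpg
    carrying an ELF header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("res/raw/bg.tiff", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/splash.jpg", b"\x7fELF\x02\x01\x01" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_apk(build_sample_apk()):
        print(f"SUSPICIOUS {entry}: {why}")
```

Two caveats on the heuristic. A payload that has been XOR-ed or encrypted before being dropped into res/ will not carry a DEX or ELF header, but it still fails the image check and lands in the "unrecognised header" branch, so the mismatch test is the one to rely on. Conversely, a payload appended after a valid image header passes this check entirely; catching that needs a full image parse that compares the decoded size against the entry size.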
The toolkit has the following capabilities:
- Rooting Android devices.
- Injecting malicious code into legitimate apps.
- Subscribing to premium services and sending premium messages.
- Silently downloading/installing potentially malicious apps.
Symantec provides a technical analysis of Rootnik.B.