Rootnik.B is an Android malware toolkit that poses as adult-content apps distributed on various sites, forums, torrent sites, and popular social media networks, primarily targeting Chinese-speaking users. The malicious payload hides in a fake .tiff image in the resources of the application. The payload then downloads other malicious components and sets immutable flags on them so that the files cannot be deleted by the user or by an antivirus application. It also attempts to replace debuggerd, an Android system daemon, which lets the malware survive cleaning attempts by antivirus software or even a factory reset. All devices with Android API level 8 (2.2) or greater are affected.
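A defender-side check for the hiding trick described above, added here as an example and not part of Symantec's analysis: it lists resource entries of an APK that are named .tif/.tiff but whose leading bytes are not a TIFF header. The sample APK, its file names and the ELF blob used as the disguised payload are constructed for the demonstration, not taken from a real Rootnik.B sample.

```python
"""Flag resource files that claim to be TIFF images but whose magic bytes say
otherwise. Works offline on any APK (a zip); the sample APK is constructed."""
import io
import zipfile

# Magic bytes a genuine TIFF starts with (little- or big-endian header).
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")
# Non-image headers worth naming explicitly in a report.
KNOWN_MAGIC = {
    b"\x7fELF": "ELF binary",
    b"dex\n": "DEX bytecode",
    b"PK\x03\x04": "ZIP/APK/JAR archive",
}

def classify(head: bytes) -> str:
    """Return a short label for the content type implied by the first bytes."""
    if head.startswith(TIFF_MAGIC):
        return "tiff"
    for magic, label in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return label
    return "unknown (not TIFF)"

def find_fake_tiffs(apk_bytes: bytes) -> list:
    """Return (path, label) for every res/ or assets/ entry with a .tif/.tiff
    name whose header is not a TIFF header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename.lower()
            if not (name.startswith(("res/", "assets/"))
                    and name.endswith((".tif", ".tiff"))):
                continue
            with apk.open(info) as fh:
                head = fh.read(4)
            label = classify(head)
            if label != "tiff":
                findings.append((info.filename, label))
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample: one real TIFF, one ELF blob renamed to .tiff."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/raw/real.tiff", b"II*\x00" + b"\x00" * 16)
        z.writestr("res/raw/icon.tiff", b"\x7fELF\x02\x01\x01" + b"\x00" * 16)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for path, label in find_fake_tiffs(build_sample_apk()):
        print(f"{path}: declared .tiff, header says {label}")
```

Run it against a real APK by passing `open(path, "rb").read()` to `find_fake_tiffs`; a non-empty result is a triage lead, not proof of infection, since some apps legitimately store non-image data under misleading names.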

The toolkit has the following capabilities:

  • Rooting Android devices.
  • Injecting malicious code into legitimate apps.
  • Subscribing to premium services and sending premium messages.
  • Silently downloading/installing potentially malicious apps.

Technical Details

Symantec provides technical analysis of Rootnik.B here.