Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
Essential information
- Published
- 24/05/2026 01:59
- Modified
- 25/05/2026 10:51
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- android app promotion information theft rooting rootnik wifi credentials
- Tags
- 2026-05-23 android app promotion information theft rooting rootnik wifi credentials
- Related entities
- 4 vulnerabilities (cve), 18 indicators, 18 observables, 1 malware, 15 others
Description
Rootnik is an Android trojan that exploits vulnerabilities in Android 4.3 and earlier by weaponizing a Chinese commercial rooting tool called Root Assistant. The malicious operation spreads through repackaged legitimate applications distributed globally, affecting users primarily in the United States, Malaysia, Thailand, Lebanon and Taiwan. After installation, Rootnik gains root access using stolen exploits, installs four persistent APK files to the system partition, and performs aggressive app promotion campaigns. The trojan silently installs and uninstalls applications, downloads and executes code remotely, and harvests sensitive data including WiFi passwords, location information, device identifiers, and MAC addresses. The malware maintains command and control infrastructure through multiple domains and generates revenue through aggressive advertising that interrupts user activity regardless of the current application.