Virus Profile: Linux/Exploit-Lotoor

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/28/2011
Date Added: 7/28/2011
Origin: N/A
Length: N/A
Type: Trojan
Subtype: Exploit
DAT Required: 6421
Removal Instructions


Linux/Exploit-Lotoor is an rooting exploit that targets Android devices upto 2.3 OS version to gain root privileges on the compromised device.

Indication of Infection

Presence of the above mentioned behaviour.

Methods of Infection

This malware requires that the user intentionally install it upon the device. As always, users should never install unknown or un-trusted software. This is especially true for illegal software, such as cracked applications - they are a favorite vector for malware infection.


Virus Characteristics

Upon installing, the malicious repackaged application will exploit the compromised user device and it elevate the device to the root privilege.

The malicious applications has four files bundled along with the legit application which can be found in the asset folder of the apk package. The file names are:

  • gbfm.png
  • install.png
  • installsoft.png
  • runme.png

The malicious applications then renames the .png extension to .sh extension and executes the exploit as shell script.

When the device is successfully rooted, it will run the "" script which will set the appropriate file permissions [chmod 4775] to the system partition and then it copies the shell from the bin folder "/system/bin/sh" to the folder created by the malicious application "/system/xbin/appmaster" so that, the shell can be accessed whenever it wishes and the system partition is remounted.

The exploit will work only when the device have an SD card mounted on it. If not, it simply refuses to run.

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!