Many advanced users often tweak their devices by gaining access to the highest privilege, also known as root or super user, and are able to manipulate the OS to any custom build of their choices.
Įven though Android devices come with many customizations, they are still limited within some sets of APIs and custom builds from OEMs. This fragmentation nature of Android makes this operating system a fruitful land for attackers. The whole process can take months to eventually fix the vulnerability.
The process of a security update for a specific Android device can be summarized as follows: (1) security flaw found in an OS, (2) Google release the patch, and (3) OEMs (Original Equipment Manufacturers) adopting the patch and including it in their custom built devices.
That makes the exploit universally impossible but also makes the job of auditing difficult as reviewing every device and their software is a huge amount of work. Openness is inarguably the main reason why Android OS gains its popularity quickly.Īndroid is considered as a very complex ecosystem each device is a composition of different software (open source and closed source), different hardware (screen sizes, manufacturers), and different distributors.
While Google code change will not be made available to public immediately, new version release still includes most of what community needs: factory images, source code, OTA distribution channels, and APIs. According to IDC report in August, 2016, Android has led the smart phone market share over the last 4 quarters with the highest share of 87.6% in Q2. IntroductionĪndroid has been dominating in the mobile market for 7 years consecutively and this OS will continue doing so. As a proof of concept, we have published our rooting detection application to Google Play Store to demonstrate the work presented in this paper. Our study shows that rooting has become more and more prevalent as an inevitable trend, and it raises big security concerns regarding detection and evasion. Furthermore, over 28000 Android applications have been analyzed and evaluated in order to diagnose the characteristics of rooting in recent years. Results show that most of them do not suffice and can be evaded through API hooking or static file renaming.
We also apply evasion techniques on rooted device and compare our work with 92 popular root checking applications and 18 banking and finance applications. We then analyze the evasion loopholes and in turn enhance our rooting detection tool. To this end, an extensive study of Android rooting has been conducted, which includes the techniques to root the device and make it invisible to the detection of mobile antimalware product. We investigate different methods to detect rooted device at both Java and native level and evaluate the counterattack from major hooking tools. We present an arms race between rooting detection and rooting evasion.