'Legitimate' rooting apps paving way for malware

Companies that create tools for "rooting" Android phones may be within the law, but they may be inadvertently paving the way for malware developers

According to a paper presented this week by University of California professor Zhiyun Qian, the developers of commercial root apps work hard to break the security of Android devices -- and then malware developers either piggyback on those exploits or figure out how they work and incorporate them into their own apps.

Somewhere between 27 and 47 percent of all Android smartphones are rooted, said Qian. This allows users to get rid of pre-installed apps that are otherwise impossible to remove, to personalize their phones beyond what is allowed by the official limits, to get better backups, or better power management tools.

"In the U.S., jailbreaking is legal," he said. "It's actually a legitimate business to distribute these exploits. It can be used to do good things."

In practice, however, it means that users are, in effect, hacking into their own phones.

"I'm launching an attack against my own device," Qian said.

And what users can do, hackers can do as well.

Google bans rooting applications from its Google Play store, though it continues to allow the distribution of apps that rely on a device already being rooted. There are many other channels through which Android users can find apps.

"If you are interested in rooting software, it is easy to find it," Qian said.

The way that rooting apps typically work is that the user runs the tool, and it sends a message back to its server with all the relevant device details -- manufacturer, Android version, and so on. The server then looks up the appropriate exploit for that particular device and configuration and sends it back.

Few of these exploits can be detected by mobile anti-virus, Qian added.

Criminals can hijack this process in two ways, he said.

Once the bad guys get the user to install their malware by, say, disguising it as a game or screensaver, they can contact the rooting software's server and request the appropriate exploit. They will then use it to root the device, take control of the smartphone, and start collecting financial information or doing whatever else the criminals want to do.

Criminals can also reverse-engineer or unpack and deobfuscate the exploit code itself, so that they can use it in their own applications.

Some of the legitimate root providers have security in place so that, in theory, only their own apps can request the exploits and use them.

In practice, however, the commercial root providers have systematic weaknesses and flaws in their security protection measures, Qian said.

"We found a few security flaws that allowed us to unpack and de-obfuscate the exploits much easier than expected," Qian said.
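The exchange described above, with both hijack paths, as an added example that is not part of the article, of Qian's paper, or of any root provider's code. Everything in it is constructed: the device catalog and the placeholder exploit bodies, the HMAC-signed request that stands in for a provider's "only our app may ask" check, and the XOR wrapping that stands in for exploit obfuscation. The point it makes is the one the article makes: both the request-signing secret and the unwrapping key have to ship inside the client APK, so malware that unpacks the APK can either ask the server for exploits itself (path 1) or unwrap a captured blob offline (path 2), and one key guarding the whole collection means one extraction exposes every entry.

```python
"""Toy model of a commercial root provider's exploit lookup and the two
ways malware can hijack it. Added, illustrative code: not from any real
root provider or from the paper the article describes. All names, the
catalog, APP_SECRET and BLOB_KEY are constructed for this example.
"""
import hashlib
import hmac
import json

# Constructed catalog keyed by the details the client reports. Exploit
# names and bodies are placeholders, not real exploits.
CATALOG = {
    ("AcmePhone", "A1", "4.4.2"): ("acme_a1_lpe", b"<placeholder binary: AcmePhone A1 / 4.4.2>"),
    ("AcmePhone", "A2", "5.0.1"): ("acme_a2_lpe", b"<placeholder binary: AcmePhone A2 / 5.0.1>"),
    ("Globex", "G9", "4.3"):      ("globex_g9_lpe", b"<placeholder binary: Globex G9 / 4.3>"),
}

# Secrets that must ship inside the legitimate root app's APK (constructed
# values). Anything that lives in the client can be pulled out of it.
APP_SECRET = b"request-signing-secret-embedded-in-apk"
BLOB_KEY = b"exploit-unwrap-key-embedded-in-apk"      # one key for the whole collection


def device_profile(manufacturer, model, android_version):
    """What the client reports: just enough for the server to pick an exploit."""
    return {"manufacturer": manufacturer, "model": model, "android": android_version}


def sign_request(profile, secret):
    """The provider's 'only our app' check: an HMAC over the profile.
    Its strength depends entirely on `secret` staying private."""
    msg = json.dumps(profile, sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def xor_wrap(data, key):
    """Stand-in for the obfuscation applied to exploits in transit and at rest.
    Symmetric: applying it again with the same key unwraps the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def serve_exploit(request, server_secret=APP_SECRET):
    """Server side: verify the signature, look up the device, return the
    wrapped exploit. The server cannot tell which app holds the secret."""
    profile, sig = request["profile"], request["sig"]
    if not hmac.compare_digest(sig, sign_request(profile, server_secret)):
        return {"error": "unauthorized client"}
    key = (profile["manufacturer"], profile["model"], profile["android"])
    if key not in CATALOG:
        return {"error": "no exploit for this device"}
    name, body = CATALOG[key]
    return {"exploit": name, "blob": xor_wrap(body, BLOB_KEY)}


def legit_client(manufacturer, model, android_version):
    """The path the legitimate root app takes. Returns (name, raw exploit)."""
    profile = device_profile(manufacturer, model, android_version)
    resp = serve_exploit({"profile": profile, "sig": sign_request(profile, APP_SECRET)})
    if "error" in resp:
        return None
    return resp["exploit"], xor_wrap(resp["blob"], BLOB_KEY)


def malware_via_server(manufacturer, model, android_version):
    """Hijack path 1: malware that recovered APP_SECRET from the unpacked APK
    signs its own request and is indistinguishable from the legitimate app."""
    stolen_secret = APP_SECRET          # obtained by unpacking the root app
    profile = device_profile(manufacturer, model, android_version)
    resp = serve_exploit({"profile": profile, "sig": sign_request(profile, stolen_secret)})
    if "error" in resp:
        return None
    return resp["exploit"], xor_wrap(resp["blob"], BLOB_KEY)


def malware_via_cached_blob(wrapped_blob):
    """Hijack path 2: no server contact at all. A blob captured from the
    legitimate app's traffic or cache is unwrapped with the key that ships
    in the same APK; because BLOB_KEY guards every entry, one extraction
    unwraps the whole collection."""
    return xor_wrap(wrapped_blob, BLOB_KEY)


def unsigned_request_is_rejected(manufacturer, model, android_version):
    """Shows the check is not a no-op: a request without the secret fails."""
    profile = device_profile(manufacturer, model, android_version)
    resp = serve_exploit({"profile": profile, "sig": "0" * 64})
    return resp.get("error") == "unauthorized client"


if __name__ == "__main__":
    print("legitimate:", legit_client("AcmePhone", "A1", "4.4.2"))
    print("malware, path 1:", malware_via_server("AcmePhone", "A1", "4.4.2"))
    print("unsigned rejected:", unsigned_request_is_rejected("AcmePhone", "A1", "4.4.2"))
```

The check genuinely rejects a request that lacks the secret, which is why a provider can believe it works; it only fails against an attacker who has the APK, and every attacker does. Moving the secret server-side (for example, issuing exploits only to requests bound to something the server can verify independently of the client binary) is the direction a fix would have to take; a stronger cipher than XOR changes nothing while the key still ships with the app.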

The large commercial root providers also have comprehensive collections of root exploits, which gives attackers a strong incentive to target such providers, since the same mechanism used to protect one exploit is typically used to protect all the exploits in a collection.

One company studied, for example, had more than 160 exploits.

"It's hard for an attacker themselves to build this many high-quality, well-engineered exploits," Qian said.

Some of those exploits were unique, original creations, he added.

"The legitimate rooting software actually has a lot of secret weapons otherwise unknown to the community," he said.

Smartphone manufacturers and Google itself can do more to make rooting less attractive by getting rid of the baked-in bloatware and offering more legitimate alternatives to the customization options and tools that users get by rooting.

But the biggest problem, Qian said, is the Android upgrade process.

Once Apple spots a problem, it can push out a patch almost immediately.

The Android ecosystem, however, is composed of many different carriers and manufacturers. That adds significant time to updates.

"The process can be delayed for a few months, or even a year," Qian said. "And some devices are basically abandoned."

Shortening this update process is the best solution, he said.

"Vulnerabilities are always going to be discovered," he said. "We aren't yet at the place where we can create perfect software."

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts