DOI: 10.1145/2810103.2813714
Research article

Android Root and its Providers: A Double-Edged Sword

Published: 12 October 2015

Abstract

Android root is the voluntary and legitimate process of gaining the highest privilege and full control over a user's Android device. To meet popular demand, a unique Android root ecosystem has formed in which a variety of root providers offer root as a service. Even though legitimate, many convenient one-click root methods operate by exploiting vulnerabilities in the Android system. If not carefully controlled, such exploits can be abused by malware authors to gain unauthorized root privilege. To understand such risks, we undertake a study of a number of popular yet mysterious Android root providers, focusing on 1) whether their exploits are adequately protected and 2) the relationship between their proprietary exploits and publicly available ones. We find that even though protections are usually employed, the effort is substantially undermined by a few systematic and sometimes obvious weaknesses we discover. From one large provider, we are able to extract more than 160 exploit binaries that are well-engineered and up-to-date, corresponding to more than 50 families, exceeding the number of exploits we can find publicly. We are able to identify at least 10 device driver exploits that have never been reported publicly. Besides, for a popular kernel vulnerability (the futex bug, CVE-2014-3153), the provider has engineered 89 variants to cover devices with different Android versions and configurations. Even worse, we find that few of the exploit binaries can be detected by mobile antivirus software.
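The abstract's point about 89 futex variants comes down to fingerprinting: before any exploit runs, a root provider (or a defender deciding which devices to worry about) has to determine from the kernel banner whether a device even falls in the bug's window. The script below is an added example illustrating that triage step; it is not code from the paper, from any root provider, or from the towelroot exploit, and it contains no exploitation logic. It parses constructed `/proc/version` lines and applies one assumption that the page does not state: that the upstream fix for CVE-2014-3153 landed on 3 June 2014 and first shipped in mainline 3.15, so kernels built before that date are flagged as likely unpatched. Vendor backports can break that heuristic in either direction, which is exactly why a provider ends up maintaining many variants rather than one.

```python
"""Kernel build-date triage for the futex bug (CVE-2014-3153).

Added example; not code from the paper, from any root provider, or from
the towelroot exploit.  It shows the fingerprinting that decides whether a
device falls inside a kernel bug's window, the first question a root
provider (and a defender) has to answer per device.

Assumption (not stated on the page): the upstream fix for CVE-2014-3153
landed on 3 June 2014 and first shipped in mainline 3.15.  A kernel built
before that date is treated as likely unpatched, one released as 3.15 or
later as patched.  OEM backports can break the heuristic either way, so
the verdict is a triage hint, not proof.
"""
import re
from datetime import date, datetime

FUTEX_FIX_DATE = date(2014, 6, 3)   # assumed upstream fix date, see docstring
FIXED_RELEASE = (3, 15)             # first mainline release carrying the fix

_RELEASE_RE = re.compile(r"Linux version (\S+)")
# Build stamp as the kernel prints it, e.g. "#1 SMP PREEMPT Thu May  1 12:00:00 UTC 2014".
# The timezone token is optional and a single-digit day may be padded with two spaces.
_BUILD_RE = re.compile(
    r"#\d+\s.*?\b[A-Z][a-z]{2} (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"\d\d:\d\d:\d\d (?:\S+ )?(?P<year>\d{4})"
)


def parse_proc_version(line):
    """Return (release string, build date) from one /proc/version line."""
    m_rel = _RELEASE_RE.search(line)
    m_build = _BUILD_RE.search(line)
    if not (m_rel and m_build):
        raise ValueError("unrecognised /proc/version line: %r" % line)
    stamp = "%s %s %s" % (m_build.group("mon"), m_build.group("day"), m_build.group("year"))
    return m_rel.group(1), datetime.strptime(stamp, "%b %d %Y").date()


def release_tuple(release):
    """'3.10.40-gabcdef0' -> (3, 10, 40); the local version suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.groups(default="0"))


def futex_verdict(release, build):
    """Classify a kernel against the assumed CVE-2014-3153 fix window."""
    if release_tuple(release)[:2] >= FIXED_RELEASE:
        return "patched-by-release"
    if build < FUTEX_FIX_DATE:
        return "likely-vulnerable"
    return "likely-patched"


def triage(lines):
    """Triage a batch of banners; unparseable lines are reported, never silently dropped."""
    rows = []
    for line in lines:
        try:
            release, build = parse_proc_version(line)
            verdict = futex_verdict(release, build)
        except ValueError as exc:
            release, build, verdict = None, None, "unparsed: %s" % exc
        rows.append({"release": release, "build": build, "verdict": verdict})
    return rows


# Constructed sample banners for the demo; not captured from real devices.
SAMPLE_PROC_VERSIONS = [
    "Linux version 3.4.0-g7b1a2c3 (android-build@host) (gcc version 4.7 (GCC) ) "
    "#1 SMP PREEMPT Thu May  1 12:00:00 UTC 2014",
    "Linux version 3.10.40-gabcdef0 (android-build@host) (gcc version 4.8 (GCC) ) "
    "#1 SMP PREEMPT Mon Jul 14 09:30:12 PDT 2014",
    "Linux version 3.18.10-g1234567 (android-build@host) (gcc version 4.9 (GCC) ) "
    "#1 SMP PREEMPT Thu Mar  5 10:00:00 2015",
    "not a kernel banner at all",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_PROC_VERSIONS):
        print("%-20s %-12s %s" % (row["release"], row["build"], row["verdict"]))
```

On a real device the input is `adb shell cat /proc/version`; a "likely-vulnerable" verdict is a reason to check the OEM's security patch level rather than a confirmed exploitable kernel, and a "likely-patched" one should still be confirmed against the vendor changelog because the build stamp says nothing about which stable fixes were merged.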



Published In

cover image ACM Conferences
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
October 2015
1750 pages
ISBN:9781450338325
DOI:10.1145/2810103

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. android root exploit
  2. root provider

Funding Sources

  • Army Research Lab

Acceptance Rates

CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

  • (2024) InvesTEE: A TEE-supported Framework for Lawful Remote Forensic Investigations. Digital Threats: Research and Practice, 5(3):1-20. DOI: 10.1145/3680294. Online publication date: 22-Jul-2024.
  • (2024) An Empirical Study on Oculus Virtual Reality Applications: Security and Privacy Perspectives. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pp. 1-13. DOI: 10.1145/3597503.3639082. Online publication date: 20-May-2024.
  • (2024) SyncEmu: Enabling Dynamic Analysis of Stateful Trusted Applications. 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 177-185. DOI: 10.1109/EuroSPW61312.2024.00024. Online publication date: 8-Jul-2024.
  • (2023) Minimizing a Smartphone's TCB for Security-Critical Programs with Exclusively-Used, Physically-Isolated, Statically-Partitioned Hardware. Proceedings of the 21st Annual International Conference on Mobile Systems, Applications and Services, pp. 233-246. DOI: 10.1145/3581791.3596864. Online publication date: 18-Jun-2023.
  • (2023) Evaluating the Security Posture of Real-World FIDO2 Deployments. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 2381-2395. DOI: 10.1145/3576915.3623063. Online publication date: 15-Nov-2023.
  • (2023) By Your Command: Extracting the User Actions that Create Network Flows in Android. 2023 14th International Conference on Network of the Future (NoF), pp. 118-122. DOI: 10.1109/NoF58724.2023.10302820. Online publication date: 4-Oct-2023.
  • (2023) Rooted Android Devices Risk Assessment using Analytic Hierarchy Process. 2023 Intelligent Methods, Systems, and Applications (IMSA), pp. 105-111. DOI: 10.1109/IMSA58542.2023.10217716. Online publication date: 15-Jul-2023.
  • (2022) Eavesdropping user credentials via GPU side channels on smartphones. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 285-299. DOI: 10.1145/3503222.3507757. Online publication date: 28-Feb-2022.
  • (2022) SchrodinText: Strong Protection of Sensitive Textual Content of Mobile Applications. IEEE Transactions on Mobile Computing, 21(4):1402-1419. DOI: 10.1109/TMC.2020.3025119. Online publication date: 1-Apr-2022.
  • (2022) ROOTECTOR: Robust Android Rooting Detection Framework Using Machine Learning Algorithms. Arabian Journal for Science and Engineering, 48(2):1771-1791. DOI: 10.1007/s13369-022-06949-5. Online publication date: 26-Jun-2022.
