Android Root and its Providers: A Double-Edged Sword

Android root is the voluntary and legitimate process of gaining the highest privilege and full control over a user's Android device. To meet the popular demand, a unique Android root ecosystem has formed in which a variety of root providers offer root as a service. Even though legitimate, many convenient one-click root methods operate by exploiting vulnerabilities in the Android system. If not carefully controlled, such exploits can be abused by malware authors to gain unauthorized root privilege. To understand such risks, we undertake a study of a number of popular yet mysterious Android root providers, focusing on 1) whether their exploits are adequately protected and 2) the relationship between their proprietary exploits and publicly available ones. We find that even though protections are usually employed, the effort is substantially undermined by a few systematic and sometimes obvious weaknesses we discover. From one large provider, we are able to extract more than 160 exploit binaries that are well-engineered and up-to-date, corresponding to more than 50 families, exceeding the number of exploits we can find publicly. We are able to identify at least 10 device driver exploits that have never been reported publicly. Besides, for a popular kernel vulnerability (the futex bug), the provider has engineered 89 variants to cover devices with different Android versions and configurations. Even worse, we find that few of the exploit binaries can be detected by mobile antivirus software.
