What is rooting?
In order to better understand how root detection can be done, you first need to understand what rooting actually is. In this post, you will learn about of the different root methods and about the existing rooting tools available.
Attackers can ‘root’ a device in order to bypass the Android application sandbox. This can allow access to data that is stored on the device which would otherwise have access restricted. Similarly, malware can exploit known weaknesses in Android to gain elevated permissions on a device while running.
On Android, Google does not allow users to run code with root permissions. This means that users cannot fully control what their phone is doing. Rooting is the process of enabling root access to an Android device. This is usually being done in one of two ways:
- The first way, sometimes referred to as soft rooting, relies on a privilege escalation vulnerability in the Linux kernel or an application running as root. Once the tool performing the rooting has obtained root permissions, it has unlimited access to the filesystem. This is usually performed by One Click rooting tools. One Click rooting tools are apps that are installed on the device and trigger the vulnerability upon launch.
- The second way is hard rooting. Hard rooting relies on the ability to flash the firmware of the device. This effectively also allows full access to the filesystem. A hard root requires a device that has a bootloader that can be unlocked or a vulnerability in the bootloader.
Different ways to obtain persistent root access:
- One way that was previously used to persist root access via adb (Android Debug Bridge) only, was to modify the system property ro.secure, which had the effect that adb is being run as root.
- Before SELinux was ported to Android, the most common way to persist root access was to drop a suid binary into the filesystem, which allowed everyone running it do things as root. In order for this not to become a security problem, usually, an app is used.
The app asks the user for permissions to run commands as root via SU (also referred to as Superuser app).
- With the introduction of SELinux, things became more complicated. Because even though a process might run a suid binary, it would still be in a restricted context. In order to solve this problem, an SU daemon would be running as root and being started via init that would be in an unrestricted context. Apps wanting to run commands as root in an unrestricted context would then send the commands to the daemon. The daemon would then run it. The daemon would first check with the user via the Superuser app if access should be granted.
- Installing a custom ROM that provides root access by default is also a way to achieve root access.
Android is improving the security, but…
With later versions of Android, having a daemon running as root in a restricted context became impossible just by modifying the filesystem. Because of that, a new rooting method called systemless root was developed. Systemless root uses a modified boot image and does not touch the system partition at all and makes root detection much harder.
With root access, it is also possible to modify apps while they are running, for example, to change their look and add or modify functionality. For this, hooking frameworks are often used, that allow creation of tweaks that hook the application’s code during runtime.
With more and more apps adding root detection, root hiders trying to hide the fact that devices are rooted became more and more popular.
Existing rooting tools
|SuperSU||2.3 – 8.1||Superuser App, Systemless Root|
|Magisk||5.0 – 8.1||Superuser App, Systemless Root|
|KingRoot||Device dependent||One Click|
|KingoRoot||Device dependent||One Click|
|One Click Root||One Click|
|PingPong Root||One Click|
|Root Master||One Click|
|CyanogenMod||1.5 – 7.1||Custom ROM|
|LineageOS||6.0.1 – 7.1.2||Custom ROM|
|OmniROM||4.1 – 8.1||Custom ROM|
|MagiskHide||5.0 – 8.1||Root Hider|
|suhide||6.0 – 8.1||Root Hider|
|RootCloak||4.0.3 – 8.1||Root Hider|
|RootCloak Plus||2.3 – 4.3||Root Hider|
|Xposed||4.0.3 – 8.1||Hooking framework|
|Cydia Substrate||2.3 – 4.3||Hooking framework|
|Android DDI||Hooking framework|
|Frida||4.2 – 8.1||Hooking framework|
Promon SHIELD™ root detection
Since a rooted device is much more at risk of being compromised, it is important to know about it. Detecting whether the device is rooted or not is essential for further security measures.
Promon SHIELD™ implements several layers and levels of root detection to handle well-known approaches to more heuristics type indicators.