
What rooting is and how root detection on Android can be done

What is rooting?

In order to understand how root detection can be done, you first need to understand what rooting actually is. In this post, you will learn about the different rooting methods and about the rooting tools that exist.

Attackers can ‘root’ a device in order to bypass the Android application sandbox. This can give access to data stored on the device that would otherwise be access-restricted. Similarly, malware can exploit known weaknesses in Android to gain elevated permissions on a device while running.

On Android, Google does not allow users to run code with root permissions, which means that users cannot fully control what their phone is doing. Rooting is the process of enabling root access on an Android device. It is usually done in one of two ways:

Soft Root

  • The first way, sometimes referred to as soft rooting, relies on a privilege escalation vulnerability in the Linux kernel or in an application running as root. Once the rooting tool has obtained root permissions, it has unlimited access to the filesystem. This is usually performed by One Click rooting tools: apps that are installed on the device and trigger the vulnerability upon launch.

Hard Root

  • The second way is hard rooting, which relies on the ability to flash the firmware of the device. This also gives full access to the filesystem. A hard root requires a device whose bootloader can be unlocked, or a vulnerability in the bootloader.

Different ways to obtain persistent root access:

  • One way that was previously used to persist root access, via adb (Android Debug Bridge) only, was to modify the system property ro.secure, which has the effect that adb runs as root.
  • Before SELinux was ported to Android, the most common way to persist root access was to drop a suid binary into the filesystem, which allowed anyone running it to do things as root. To keep this from becoming a security problem, an app is usually used: it asks the user for permission before commands are run as root via SU (also referred to as the Superuser app).

  • With the introduction of SELinux, things became more complicated: even if a process runs a suid binary, it still stays in a restricted context. To solve this problem, an SU daemon running as root in an unrestricted context is started via init. Apps that want to run commands as root in an unrestricted context send the commands to the daemon, which first checks with the user via the Superuser app whether access should be granted, and then runs them.
  • Installing a custom ROM that provides root access by default is another way to obtain root access.

Android is improving the security, but…

With later versions of Android, a daemon running as root could no longer be set up simply by modifying the filesystem. Because of that, a new rooting method called systemless root was developed. Systemless root uses a modified boot image, does not touch the system partition at all, and makes root detection much harder.

With root access, it is also possible to modify apps while they are running, for example to change their look or to add or modify functionality. Hooking frameworks are often used for this; they allow the creation of tweaks that hook the application’s code at runtime.

As more and more apps add root detection, root hiders, which try to hide the fact that a device is rooted, have become more and more popular.

Existing rooting tools

Name              OS Versions        Type
SuperSU           2.3 – 8.1          Superuser App, Systemless Root
Magisk            5.0 – 8.1          Superuser App, Systemless Root
Superuser                            Superuser App
KingRoot          Device dependent   One Click
KingoRoot         Device dependent   One Click
iRoot                                One Click
Towelroot                            One Click
One Click Root                       One Click
VRoot                                One Click
Framaroot                            One Click
PingPong Root                        One Click
Root Master                          One Click
CyanogenMod       1.5 – 7.1          Custom ROM
LineageOS         6.0.1 – 7.1.2      Custom ROM
OmniROM           4.1 – 8.1          Custom ROM
MagiskHide        5.0 – 8.1          Root Hider
suhide            6.0 – 8.1          Root Hider
RootCloak         4.0.3 – 8.1        Root Hider
RootCloak Plus    2.3 – 4.3          Root Hider
Xposed            4.0.3 – 8.1        Hooking framework
Cydia Substrate   2.3 – 4.3          Hooking framework
Android DDI                          Hooking framework
Frida             4.2 – 8.1          Hooking framework
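As an added example (not Promon's code and not how SHIELD works), the script below turns the indicators described above into checks that can be run from adb shell or offline against saved getprop, pm and ps output. The package and daemon names are well-known identifiers of the tools in the table; the list of su directories is an assumption based on where suid su binaries have traditionally been dropped.

```shell
#!/bin/sh
# Added example (not Promon's or SHIELD's code): checks for the root indicators named in
# this post: a suid su binary, ro.secure=0, Superuser/Magisk/Xposed packages, SU daemons
# and frida-server. Each check reads an argument or stdin, so it runs either live on a
# device (--scan) or offline against saved `getprop`, `pm list packages` and `ps` output.

# Assumed list of classic locations for a dropped suid su binary.
SU_DIRS="/system/bin /system/xbin /sbin /su/bin /data/local/xbin /data/local/bin /data/local"

# check_su_binary [PREFIX]: PREFIX is "" on a device, or the path of an extracted image.
check_su_binary() {
  for d in $SU_DIRS; do
    if [ -x "${1:-}$d/su" ]; then echo "su binary at $d/su"; return 0; fi
  done
  return 1
}

# check_props: reads `getprop` output ("[ro.secure]: [1]") and flags ro.secure=0,
# the old trick that makes adb run as root.
check_props() {
  sed -n 's/^\[ro\.secure\]: \[\(.*\)\]$/\1/p' | grep -qx '0'
}

# check_packages: reads `pm list packages` output and prints well-known
# superuser, systemless-root and hooking-framework packages (SuperSU, Magisk, Superuser, Xposed).
check_packages() {
  grep -E '^package:(eu\.chainfire\.supersu|com\.topjohnwu\.magisk|com\.noshufou\.android\.su|de\.robv\.android\.xposed\.installer)$'
}

# check_processes: reads `ps` output and prints lines for SU daemons and frida-server.
check_processes() {
  grep -E '(^|[[:space:]/])(daemonsu|magiskd|frida-server)([[:space:]]|$)'
}

# scan_device: run every check live; meaningful only inside `adb shell` or on the device.
scan_device() {
  rooted=1
  check_su_binary "" && rooted=0
  getprop | check_props && { echo "ro.secure=0"; rooted=0; }
  pm list packages | check_packages && rooted=0
  { ps -A 2>/dev/null || ps; } | check_processes && rooted=0
  # Root hiders (MagiskHide, suhide, RootCloak) target exactly these checks, so a clean
  # result is only a weak signal, while a positive one is strong.
  [ "$rooted" -eq 0 ] && echo "root indicators found" || echo "no root indicators found"
  return "$rooted"
}

if [ "${1:-}" = "--scan" ]; then scan_device; fi
```

Run it with `--scan` inside adb shell, or feed saved command output to the individual check functions when analysing a device image offline.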

Promon SHIELD™ root detection

Since a rooted device is at much greater risk of being compromised, it is important to know whether a device is rooted. Detecting this is essential for further security measures.

Promon SHIELD™ implements several layers and levels of root detection, ranging from well-known approaches to more heuristic indicators.