Hang Zhang
ABSTRACT
Android root is the voluntary and legitimate process of gaining the highest privilege and full control over a user's Android device. To facilitate the popular demand, a unique Android root ecosystem has formed where a variety of root providers begin to offer root as a service. Even though legitimate, many convenient one-click root methods operate by exploiting vulnerabilities in the Android system. If not carefully controlled, such exploits can be abused by malware author to gain unauthorized root privilege. To understand such risks, we undertake a study on a number of popular yet mysterious Android root providers focusing on 1) if their exploits are adequately protected. 2) the relationship between their proprietary exploits and publicly available ones. We find that even though protections are usually employed, the effort is substantially undermined by a few systematic and sometimes obvious weaknesses we discover. From one large provider, we are able to extract more than 160 exploit binaries that are well-engineered and up-to date, corresponding to more than 50 families, exceeding the number of exploits we can find publicly. We are able to identify at least 10 device driver exploits that are never reported in the public. Besides, for a popular kernel vulnerability (futex bug), the provider has engineered 89 variants to cover devices with different Android versions and configurations. Even worse, we find few of the exploit binaries can be detected by mobile antivirus software.
- Android Vulnerabilities -- All vulnerabilities. http://androidvulnerabilities.org/all.html.Google Scholar
- Beating up on Android. http://titanium.immunityinc.com/infiltrate/archives/Android_Attacks.pdf.Google Scholar
- Contagio minidump. http://contagiominidump.blogspot.com.Google Scholar
- CVE-2014--3153 aka towelroot. https://github.com/timwr/CVE-2014--3153.Google Scholar
- Don't Root Robots: Breaks in Google's Android Platform. https://jon.oberheide.org/files/bsides11-dontrootrobots.pdf.Google Scholar
- Exploit DB database. https://exploit-db.com/.Google Scholar
- How To Root An AT&T HTC One X. http://rootzwiki.com/topic/26320-how-to-root-an-att-htc-one-x-this-exploit-supports-185/.Google Scholar
- iRoot, Retrieved on May 10, 2015. http://www.mgyun.com/m/en.Google Scholar
- It's Bugs All the Way Down. http://vulnfactory.org/.Google Scholar
- One Click Root for Android, Retrieved on May 10, 2015. http://www.oneclickroot.com/.Google Scholar
- Rage Against the Cage. http://stealth.openwall.net/xSports/RageAgainstTheCage.tgz.Google Scholar
- Razr Blade Root. http://vulnfactory.org/public/razr_blade.zip.Google Scholar
- Root Genius, Retrieved on May 10, 2015. http://www.shuame.com/en/root/.Google Scholar
- Root the Droid 3. http://vulnfactory.org/blog/2011/08/25/rooting-the-droid-3/.Google Scholar
- {Root} ZTE z990g Merit (An avail variant). http://forum.xda-developers.com/showthread.php?t=1714299.Google Scholar
- {Root/Write Protection Bypass} MotoX (no unlock needed). http://forum.xda-developers.com/moto-x/orig-development/root-write-protection-bypass-motox-t2444957.Google Scholar
- Samsung Knox. https://www.samsungknox.com/.Google Scholar
- TacoRoot. https://github.com/CunningLogic/TacoRoot.Google Scholar
- Virus Profile: Exploit/MempoDroid.B. http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1003986.Google Scholar
- VirusTotal. https://www.virustotal.com/.Google Scholar
- Xoom FE: Stupid Bugs, and More Plagiarism. http://vulnfactory.org/blog/2012/02/18/xoom-fe-stupid-bugs-and-more-plagiarism/.Google Scholar
- D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, and K. Rieck. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. In NDSS, 2014.Google ScholarCross Ref
- A. Averbuch, M. Kiperberg, and N. Zaidenberg. Truly-Protect: An Efficient VM-Based Software Protection. Systems Journal, IEEE, 2013.Google Scholar
- C. Collberg, C. Thomborson, and D. Low. A Taxonomy of Obfuscating Transformations. Technical report, The University of Auckland, 1997.Google Scholar
- C. S. Collberg and C. Thomborson. Watermarking, Tamper-proffing, and Obfuscation: Tools for Software Protection. IEEE Trans. Softw. Eng., 2002. Google ScholarDigital Library
- J. J. Drake, Z. Lanier, C. Mulliner, P. O. Fora, S. A. Ridley, and G. Wicherski. Android Hacker's Handbook. Wiley, 2014. Google ScholarDigital Library
- N. Falliere, L. O. Murchu, and E. Chien. W32.Stuxnet Dossier. Technical report, Symanetic, 2011.Google Scholar
- D. Guido and M. Arpaia. The Mobile Exploit Intelligence Project. Blackhat EU, 2012.Google Scholar
- Y. J. Ham, W.-B. Choi, and H.-W. Lee. Mobile Root Exploit Detection based on System Events Extracted from Android Platform. In SAM, 2013.Google Scholar
- X. Hei, X. Du, and S. Lin. Two Vulnerabilities in Android OS Kernel. In ICC, 2013.Google ScholarCross Ref
- C. Kruegel, W. Robertson, F. Valeur, and G. Vigna. Static Disassembly of Obfuscated Binaries. In Proc. of USENIX Security Symposium, 2004. Google ScholarDigital Library
- M. Lindorfer, M. Neugschwandtner, L. Weichselbaum, Y. Fratantonio, V. van der Veen, and C. Platzer. Andrubis - 1,000,000 Apps Later: A View on Current Android Malware Behaviors. In BADGERS, 2014.Google Scholar
- C. Linn and S. Debray. Obfuscation of Executable Code to Improve Resistance to Static Disassembly. In ACM CCS, 2003. Google ScholarDigital Library
- OpenSignal. Android Fragmentation Visualized. http://opensignal.com/reports/2015/08/android-fragmentation/, 2015.Google Scholar
- Y. Park, C. Lee, C. Lee, J. Lim, S. Han, M. Park, and S.-J. Cho. RGBDroid: A Novel Response-Based Approach to Android Privilege Escalation Attacks. In LEET, 2012. Google ScholarDigital Library
- R. Rolles. Unpacking Virtualization Obfuscators. In WOOT, 2009. Google ScholarDigital Library
- S. Smalley and R. Craig. Security Enhanced (SE) Android: Bringing Flexible MAC to Android. In NDSS, 2013.Google Scholar
- J. I. Torrey. HARES: Hardened Anti-Reverse Engineering System. Technical report, Assured Information Security, Inc., 2015.Google Scholar
- T. Wang, Y. Jang, Y. Chen, S. Chung, B. Lau, and W. Lee. On the Feasibility of Large-Scale Infections of iOS Devices. In Proc. of USENIX Security Symposium, 2014. Google ScholarDigital Library
- W. Xu. Ah! Universal Android Rooting is Back. Blackhat, 2015.Google Scholar
- J. Zeng, Y. Fu, K. A. Miller, Z. Lin, X. Zhang, and D. Xu. Obfuscation Resilient Binary Code Reuse Through Trace-oriented Programming. In ACM CCS, 2013. Google ScholarDigital Library
- X. Zhou, Y. Lee, N. Zhang, M. Naveed, and X. Wang. The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations. In IEEE Security and Privacy, 2014. Google ScholarDigital Library
- Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In IEEE Security and Privacy, 2012. Google ScholarDigital Library
- Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In NDSS, 2012.Google Scholar
Index Terms
- Android Root and its Providers: A Double-Edged Sword
Recommendations
Android: Changing the Mobile Landscape
The mobile phone landscape changed last year with the introduction of smart phones running Android, a platform marketed by Google. Android phones are the first credible threat to the iPhone market. Not only did Google target the same consumers as iPhone,...
Detecting android root exploits by learning from root providers
SEC'17: Proceedings of the 26th USENIX Conference on Security SymposiumMalware that are capable of rooting Android phones are arguably, the most dangerous ones. Unfortunately, detecting the presence of root exploits in malware is a very challenging problem. This is because such malware typically target specific Android ...
Comments