In recent years the practice of Android rooting, that is the process of allowing an Android phone or tablet to bypass restrictions set by carriers, operating systems or hardware manufacturers, has become increasingly popular.
Many rooting methods essentially operate by launching an exploit (or malicious code) against a vulnerability in the Android system. Due to the fact that Android systems are so diverse and fragmented and that Android systems have a notoriously long update cycle (typically due to the hold time at mobile carriers), the window of vulnerabilities is typically very large.
This creates the opportunity for business of offering root as a service by many companies, but at the same also creates opportunities for attackers to compromise the system using the same exploits.
Rooting comes with plenty of advantages. With full control of the device, users can do everything from remove unwanted pre-installed software, enjoy additional functionalities offered by specialized apps and run paid apps for free.
But, it also comes with potential significant disadvantages, an assistant professor of computer science and engineering at the University of California, Riverside Bourns College of Engineering has found.
In a first-of-its-kind study of the Android root ecosystem, Zhiyun Qian and two student researchers set out to (1) uncover how many types and variations of Android root exploits exist publically and how they differ from ones offered by commercial root providers and (2) find out how difficult it is to abuse the exploits.
They found that few of the exploits could be detected by mobile antivirus software and that are systematic weaknesses and flaws in the security protection measures offered by commercial root providers that make them susceptible to being stolen and easily repackaged in malware.
“This is a highly unregulated area that we found is ripe for abuse by malware authors looking to gain access to all kinds of personal information,” Qian said. “And, unfortunately, there is not much users can do except hope that a security update gets pushed out quickly by Google, vendors and carriers, which they usually aren’t.”
Qian has outlined the findings in a paper, “Android Root and its Providers: A Double-Edged Sword,” which he will present at the 22nd ACM Conference on Computer and Communications Security in Denver from Oct. 12 to 16. The paper is co-authored by two graduate students working with Qian: Hang Zhang and Dongdong She.
Rooting is a response to that fact that users or mobile phones and tablets are not given full control over their devices. In the Apple and iOS ecosystem, rooting is known as jailbreaking. In this paper, Qian focuses on Android because the system is more open and has more developers and models, making it a better area for research.
Development of root exploits generally fall into two categories. Individual developers or hackers often identify vulnerabilities, develop and make public exploit tools. In addition, there are commercial companies that develop exploits. These take the form of apps, which are typically free, that users voluntarily download and then click on to activate the exploits.
“This is a really a phenomena in computer history, in which users are essentially voluntarily launching attacks against their own devices to gain control,” Qian said.
Unfortunately, he added, as his findings show, attackers can acquire such exploits by impersonating a regular user. To make matters worse, large commercial root providers have a large repository of root exploits, which gives attackers a strong incentive to target such providers.
In his research, Qian and the student engineers focused on seven large commercial root providers, one of which they studied more in depth. They found that one company had more than 160 exploits, which they subcategorized into 59 families. That 59 figure is almost double the number of exploits (39) they found publically available from individual developers.
“If we were able to do this,” Qian said, “hackers can definitely do it too.”