Android Rooting: An Arms Race between Evasion and Detection

Abstract

We present an arms race between rooting detection and rooting evasion. We investigate different methods to detect rooted device at both Java and native level and evaluate the counterattack from major hooking tools. To this end, an extensive study of Android rooting has been conducted, which includes the techniques to root the device and make it invisible to the detection of mobile antimalware product. We then analyze the evasion loopholes and in turn enhance our rooting detection tool. We also apply evasion techniques on rooted device and compare our work with 92 popular root checking applications and 18 banking and finance applications. Results show that most of them do not suffice and can be evaded through API hooking or static file renaming. Furthermore, over 28000 Android applications have been analyzed and evaluated in order to diagnose the characteristics of rooting in recent years. Our study shows that rooting has become more and more prevalent as an inevitable trend, and it raises big security concerns regarding detection and evasion. As a proof of concept, we have published our rooting detection application to Google Play Store to demonstrate the work presented in this paper.