Gonna’ Break It On Down Gonna’ Kick It Root Down

August 11, 2011

What is ‘Rooting’?

‘Rooting’ is the process of getting root, that is unrestricted, access to your Android phone and its software. ‘Rooting’ is essentially “hacking” your own Android device.

Why is it called ‘Rooting’?

The term “root” comes from the Unix/Linux world, where the superuser, or root, is a special user account used for system administration.

Some implications of rooting your device:-

  • The potential risk of “bricking” your device – ‘bricking’ means that your phone cannot function properly and is pretty much as useless as a brick.
  • The potential risk of voiding the warranty by the manufacturer of your device – After ‘rooting’ your device some shops will refuse to fix it or you won’t get service.
  • Rooted devices are currently unsupported by Google due to requirements related to copyright protection – for example, rooted Android phones are barred from Market Movie.

Security implications of rooting your device:-

Once rooted, the phone owner gets more control over many settings and features of the phone, and the famous quote “With great power comes great responsibility” holds in this case too.
From Wikipedia: “Separation of administrative privileges from normal user privileges can make an operating system more resistant to viruses and other malware.”
With these elevated privileges, the phone owner gains the right to modify read-only system files that could not be edited before the device was rooted.
That read-only restriction exists to prevent the “non-techie” user from causing permanent damage to the operating system.
Many malware writers try to abuse already-rooted devices, or to gain root on a device themselves using well-known exploits.
On a rooted device, the security restrictions the Android OS puts in place no longer hold, and malware authors can abuse that.
Examples of such malware are DroidKungFu, BaseBridge, DroidDream and others.
This mainly affects Android phones with versions lower than 2.2.1 (the release in which the patch shipped).
Users of Android 2.2.1 and above are not vulnerable to these known malware applications; users should always update to the latest version available for their device, through a known carrier or an OTA update.

Examples from malware samples:-

DroidKungFu – This malware carries two well-known exploits in encrypted form: 'exploid' (the udev exploit) and 'Rage Against the Cage'. When the malware runs, it decrypts these two exploits and tries to gain root access on the device. These exploits give the malware the capability to root the Android device (Android 2.2 and below).
In the following code snippet we can see the malware trying to get permissions using various methods:-
Figure 1

For example, using the ‘exploid’ exploit:-

Figure 2

Figure 3

Figure 4

The message the victim sees in this case looks like the following:-

The malware author is so polite… if he could not get root, why not ask the user to give it to him?

For example, using the ‘Rage Against the Cage’ exploit:-

Figure 5

This exploit requires USB debugging (adb) to be enabled in order to run successfully.
As you can see from the code above, if USB debugging is not enabled, the malware must enable it first in order to work.
This can be achieved with the victim's approval.

Figure 6

Again, instead of "breaking into the house", why not ask and receive the key?
If either exploit succeeds, the malware has root permission on the device.
After successful exploitation the malware is able to access files on the device, install or remove packages, and more.
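As an added example (not code from the original post, nor from AVG's product), the following Python script checks a device against the conditions the sections above describe: an Android release below 2.2.1, USB debugging reachable for the 'Rage Against the Cage' path, and signs that the device is already rooted. It assumes `getprop` and `mount` output in the formats shown, treats the property names used (`ro.secure`, `ro.debuggable`, `ro.build.tags`, `persist.service.adb.enable`) as those a 2011-era device exposes, and works on constructed sample output.

```python
import re

# Release the post names as carrying the fix: builds below it are exposed.
PATCHED_RELEASE = (2, 2, 1)

def parse_getprop(text):
    """Parse `getprop` lines of the form [key]: [value] into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\[([^\]]+)\]:\s*\[([^\]]*)\]", text)}

def parse_release(release):
    """Turn '2.2' or '2.3.4' into a comparable tuple such as (2, 2, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", release)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def system_writable(mount_text):
    """True if /system is mounted read-write, a common sign of a rooted ROM."""
    for line in mount_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/system":
            return "rw" in fields[3].split(",")
    return False

def assess(getprop_text, mount_text):
    """Return the findings a defender would flag on this device."""
    props = parse_getprop(getprop_text)
    findings = []
    if parse_release(props.get("ro.build.version.release", "0")) < PATCHED_RELEASE:
        findings.append("unpatched: release below 2.2.1, exploid/RATC still apply")
    if props.get("ro.secure") == "0" or props.get("ro.debuggable") == "1":
        findings.append("insecure build: adb shell already runs as root")
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("test-keys build: custom or rooted ROM")
    if props.get("persist.service.adb.enable") == "1":
        findings.append("USB debugging enabled: RATC needs adb to be reachable")
    if system_writable(mount_text):
        findings.append("/system mounted rw: root-level modification possible")
    return findings

# Constructed sample output resembling a 2011-era handset (not a real capture).
SAMPLE_PROPS = """[ro.build.version.release]: [2.2]
[ro.secure]: [1]
[ro.build.tags]: [release-keys]
[persist.service.adb.enable]: [1]
"""
SAMPLE_MOUNTS = ("/dev/block/mtdblock3 /system yaffs2 rw 0 0\n"
                 "/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0\n")
if __name__ == "__main__":
    print("\n".join(assess(SAMPLE_PROPS, SAMPLE_MOUNTS)))
```

On a real handset the two inputs would come from `adb shell getprop` and `adb shell mount`; the same heuristics are what a mobile management agent checks before trusting a device.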

BaseBridge – This malware uses the well-known exploit 'Rage Against The Cage' to get root permissions and to install the inner package that ships with the application.

Figure 7

Got root?



Elad Shapira works for AVG Mobilation as a mobile security researcher. He specializes in Reverse Engineering and Penetration Testing.
