'Legitimate' rooting apps paving way for malware

Companies that create tools for "rooting" Android phones may be within the law, but they may be inadvertently paving the way for malware developers

 According to a paper presented this week by University of California professor Zhiyun Qian, the developers of commercial root apps work hard to break the security of Android devices -- and then malware developers either piggyback on those exploits or figure out how they work and incorporate them into their own apps.

Somewhere between 27 and 47 percent of all Android smartphones are rooted, said Qian. This allows users to get rid of pre-installed apps that are otherwise impossible to remove, to personalize their phones beyond what is allowed by the official limits, to get better backups, or better power management tools."In the U.S., jailbreaking is legal," he said. "It's actually a legitimate business to distribute these exploits. It can be used to do good things."

In practice, however, it means that users are, in effect, hacking into their own phones.

"I'm launching an attack against my own device," Qian said.

And what users can do, hackers can do as well.

Google banks the rooting applications from its Google Play store, though it continues to allow the distribution of app that rely on a device already being rooted. There are many other channels through which Android users can find apps.

"If you are interested in rooting software, it is easy to find it," Qian said.

The way that rooting apps typically work is that that users runs the tool, and it sends a message back to its server with all the relevant device details -- manufacturer, Android version, and so on. The server then looks up the appropriate exploit for that particular device and configuration and sends it back.

Few of these exploits can be detected by mobile anti-virus, Qian added.

Criminals can hijack this process in two ways, he said.

Once the bad guys get the user to install their malware by, say, disguising it as a game or screensaver, they can contact the rooting software's server and request the appropriate exploit. They will then use it to root the device, take control of the smartphone, and start collecting financial information or doing whatever else the criminals want to do.

Criminals can also reverse-engineer or unpack and deobfuscate the exploit code itself, so that they can use it in their own applications.

Some of the legitimate root providers have security in place so that, in theory, only their own apps can request the exploits and use them.

In practice, however, the commercial root providers have systematic weaknesses and flaws in their security protection measures, Qian said.

"We found a few security flaws that allowed us to unpack and de-obfuscate the exploits much easier than expected," Qian said.

The large commercial root providers also have a comprehensive collections of root exploits, which gives attackers a strong incentive to target such providers, since the same mechanism used to protect one exploit is typically used to protect all the exploits in a collection.

One company studied, for example, had more than 160 exploits,

"It's hard for an attacker themselves to build this many high-quality, well-engineered exploits," Qian said.

Some of those exploits were unique, original creations, he added.

"The legitimate rooting software actually has a lot of secret weapons otherwise unknown to the community," he said.

Smartphone manufacturers and Google itself can do more to make rooting less attractive by getting rid of the baked-in bloatware and offering more legitimate alternatives to the customization options and tools that users get by rooting.

But the biggest problem, Qian said, is the Android upgrade process.

Once Apple spots a problem it can push out a patch almost immediately,

The Android ecosystem, however, is composed of many different carriers and manufacturers. That add significant time to the updates.

"The process can be delayed for a few months, or even a year," Qian said. "And some devices are basically abandoned."

Shorting this update process is the best solutions, he said.

"Vulnerabilities are always going to be discovered," he said. "We aren't yet a the place where we can create perfect software."