A handful of app distributors are putting hundreds of millions of Android users at risk by bundling powerful root exploits with their wares, computer scientists have found. The researchers presented a paper on Thursday that shows how the exploits—which legitimate developers openly use to give Android phones added functionality—can be easily reverse-engineered and surreptitiously incorporated into malicious apps that bypass crucial Android security measures.
Development outfits with names including Root Genius, 360 Root, IRoot, and King Root provide apps that “root” Android phones so they can overcome limitations imposed by carriers or manufacturers. To do this, the root providers collectively package hundreds of exploits that target specific hardware devices running specific versions of Android. Their code often includes state-of-the-art implementations of already known exploits such as TowelRoot, PingPong root, futex, and Gingerbreak. Usually, such exploits are blocked by Android antivirus apps. But thanks to improvements made by the root providers, the professionally developed exploits are rarely detected. Even worse, many of the off-the-shelf exploits target undocumented Android security flaws.
It took just one month of part-time work for the computer scientists to reverse engineer 167 exploits from a single provider so they could be reused by any app of their choosing. Ultimately, the researchers concluded that the providers, by providing a wide array of highly customized exploits that are easy to reverse engineer and hard to detect, are putting the entire Android user base at increased risk.