A handful of app distributors are putting hundreds of millions of Android users at risk by bundling powerful root exploits with their wares, computer scientists have found. The researchers presented a paper on Thursday that shows how the exploits—which legitimate developers openly use to give Android phones added functionality—can be easily reverse-engineered and surreptitiously incorporated into malicious apps that bypass crucial Android security measures.

Development outfits with names including Root Genius, 360 Root, IRoot, and King Root provide apps that "root" Android phones so they can overcome limitations imposed by carriers or manufacturers. To do this, the root providers collectively package hundreds of exploits that target specific hardware devices running specific versions of Android. Their code often includes state-of-the-art implementations of already known exploits such as TowelRoot (also known as futex), PingPong root, and Gingerbreak. Usually, such exploits are blocked by Android antivirus apps. But thanks to improvements made by the root providers, the professionally developed exploits are rarely detected. Even worse, many of the off-the-shelf exploits target undocumented Android security flaws.

It took just one month of part-time work for the computer scientists to reverse engineer 167 exploits from a single provider so they could be reused by any app of their choosing. Ultimately, the researchers concluded that the providers, by providing a wide array of highly customized exploits that are easy to reverse engineer and hard to detect, are putting the entire Android user base at increased risk.

Double-edged sword

"We find they not only make significant efforts to incorporate and adapt existing exploits to cover more devices, but also craft new ones to stay competitive," the researchers, from the University of California at Riverside, wrote in a paper titled Android Root and its Providers: A Double-Edged Sword. "However, these well-engineered exploits are not well protected, it is extremely dangerous if they fall in the wrong hands."

The researchers took the same 167 exploits and bundled them one at a time into a self-developed app to see if they would be detected by Android AV apps. Each exploit was then exposed the the AV apps in three different forms—as the original exploit as it was downloaded from the root provider's website, as an unpacked exploit with the actual logic directly exposed to the AV engine, and as an exploit packed in the type of digital cloak that malicious apps often use. Of the four AV products tested, only the one from Trend Micro detected any of the exploits, and in that case it was only 13 of the 167 exploits and then only those in the naked, unpacked form.

"It is disappointing to see that no packed exploit is detected by any antivirus software," the researchers wrote. "It is likely due to the custom obfuscation implemented by the provider that is not recognized. However, even for the unpacked ones, only Trend Micro can recognize 13 out of 167 exploit files as malicious. It is worth mentioning that the highly dangerous futex exploits as well as the PingPong root exploit are not caught by any antivirus software."

The remaining AV apps tested were from Lookout, AVG, and Symantec. In fairness to all four AV providers, the paper was written in May, and it's possible that since then the products have been updated with signatures that detect all, or at least more, of the exploits.

Even assuming that's true, the paper highlights the very real threat the makers of legitimate Android rooting apps pose when they distribute easy-to-extract exploits. While most of them fully disclose the use of the exploit to users and use the exploits only for legitimate purposes, the research makes clear that the same exploits can easily be reused by much more nefarious actors to develop malicious apps that aren't easy to detect. The paper was presented at the 22nd ACM Conference on Computer and Communications Security.

"Root providers present a unique position in computer history that they legitimately collect and distribute a large number of fresh root exploits," the researchers concluded. "In theory, all commercial root providers should provide adequate protections on the exploits. In practice, unfortunately, as long as one of the providers fails to achieve that, malware authors can successfully 'steal' the well engineered, adapted, and tested exploits against a diverse set of Android devices."