Title: All your Root Checks are Belong to Us: The Sad State of Root Detection
Authors: Nathan S. Evans, Azzedine Benameur, Yun Shen
DOI: 10.1145/2810362.2810364 (https://doi.org/10.1145/2810362.2810364)
Venue: Proceedings of the 13th ACM International Symposium on Mobility Management and Wireless Access
Publication date: 2015-11-02
Publication type: Journal Article
Open access: no
Citation count: 14
Abstract
In our research, most of our analysis was based on statically reverse engineering the applications. However, we wanted to combine this with dynamic analysis to make sure our findings were correct and observable at runtime. For this, we initially created "AndroPoser". AndroPoser is a library we inject into Android processes by leveraging a feature of the dynamic linker that allows us to transparently modify the runtime behavior of selected functions using LD_PRELOAD. This dynamic library interposition allowed us to hook functions and modify the data they manipulate and/or their return code. We realized that this could be used not only as a support tool for our analysis, but also to subdue any native code that checks for evidence of root access.