Roman Unuchek – Kaspersky official blog (https://www.kaspersky.com/blog). The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam and other forms of malware. Feed built Wed, 26 Feb 2020 15:55:54 +0000.

Android: To root or not to root | Kaspersky official blog
https://www.kaspersky.com/blog/android-root-faq/17135/, Wed, 21 Jun 2017 13:00:03 +0000

Many users of Android devices sooner or later are tempted to root them. Here we discuss the advantages and disadvantages of having root permissions on Android devices — and whether your device should be rooted at all.

Why people root their Android devices

Obtaining superuser access rights, popularly known as rooting, lets owners take full control of their devices. It is possible to do virtually anything with superuser access rights, and quite a few apps (including some in the Google Play store) require root permissions to function properly.

Superuser access privileges are typically sought to expand regular Android capabilities. For example, you can limit network activity for some or all apps, delete annoying preinstalled apps, speed up the CPU, and more.

We used Kaspersky Security Network to compile a list of the most popular reasons that users root their Android devices.

  • Install apps that hack games. These apps gain access to the memory where games are stored and modify parameters to allow free gameplay.
  • Access the file system. Unrestricted access to the file system may be useful for recovering erased files, moving apps to an SD card, or using root explorers, which are applications with advanced file-system functions.
  • Tweak, overclock, or clean the device. Overclocking means increasing the CPU clock frequency of a device so that it works faster.
  • Change the Android version. Some users flash third-party firmware ROMs (install different versions of the operating system) created by enthusiasts.

How people gain root privileges

According to our data, people use applications such as Kingroot, 360 Root, Framaroot, Baidu Easy Root, Towelroot, One Click Root, and Mgyun to gain superuser access rights. Unfortunately, many of these applications either show advertisements or install adware on a device. Their behavior is not necessarily malicious, but nothing good comes of it.

We do not recommend using any of those applications for rooting. Well, we don’t recommend rooting at all. Here’s why.

The dangers of rooting

As we said, superuser access rights grant full control over a device. Although that access has some potential advantages (mentioned above), it comes with disadvantages as well.

It is important to understand that having a device with superuser system permissions violates Android’s basic security principles. Rooting is, in effect, do-it-yourself hacking of the operating system of your tablet or smartphone.

Normally, Android apps work in isolated environments (in so-called sandboxes) and cannot gain access to other apps or the system. However, an app with superuser access rights can venture out of its isolated environment and take full control over the device.

With superuser access rights, apps can do whatever they like — for example, view, modify, or delete files, including those that are required for device operation.

Also, note that rooting voids the device’s warranty. Sometimes, the process of rooting can even brick a device, and in that case, you’re simply out of luck; there’s no way you’ll get a refund for it.

Malicious applications and rooted Androids

After gaining superuser access rights, malicious applications enjoy full freedom. In fact, the first thing many Trojans for Android do is attempt to gain root access. Users rooting their own devices offer quite a gift to malware developers.

With superuser access, mobile Trojans can:

  • Steal passwords from a browser (as the Tordow banking Trojan did);
  • Purchase applications surreptitiously in Google Play (the Guerrilla and Ztorg Trojans did that);
  • Substitute URLs in a browser (as the Triada Trojan did);
  • Install applications stealthily, including onto system partitions;
  • Modify firmware so that Trojans remain on a device even after it is reset to factory settings.

Some ransomware Trojans use superuser access rights to improve their chances of staying in the system.

In most cases, malware is capable of gaining superuser access rights on its own by exploiting vulnerabilities in the system. But some malware simply uses superuser access that is already present on the device because the owner rooted it. Furthermore, according to our data, approximately 5% of malware applications — for example, the Obad mobile Trojan — check devices for root permissions.

The geography of rooting

Our statistics show that rooting is most popular in Venezuela, with 26% of users having rooted smartphones. Algeria takes the lead among African countries, with 19% of smartphones operating with superuser access rights. In Asia, rooting Android is most popular in Bangladesh, with 13% of devices rooted. In Europe, Moldova, at 15%, has the lead.

As for Russia, 6.6% of owners of Android devices use rooted smartphones, which is close to the world average percentage (7.6%). Neither North America nor Western Europe includes any top-rooting countries.

Our statistics show that the top 10 countries where Android devices are rooted most frequently and the top 10 countries where mobile devices are successfully attacked overlap by 60%. And 9 of the 10 countries with the largest number of rooted devices are in the top 25 countries where devices are attacked most often.


Does antivirus work on a rooted Android device?

Regrettably, although criminals can exploit the advantages of gaining superuser rights and use them to bypass security mechanisms, the good guys still have to play by the rules. In short, antivirus works on rooted devices, but superuser access doesn’t increase its effectiveness.

Of course, how well malware can take advantage of the capabilities of a rooted system varies. But the risk of a security solution letting a threat through on a rooted device is higher than on a device without superuser access rights.
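As an added illustration of the point above (example code written for this page, not Kaspersky's), here is the kind of root-indicator check a security app runs before deciding how much it can trust the platform sandbox. The su paths and build-property values are assumptions drawn from common rooting artefacts, and the DeviceSnapshot values are constructed; on a real device the same data would come from stat() on the paths and from getprop.

```python
"""Root-indicator check of the kind a security app performs before it
relies on the Android sandbox.  Added example, not Kaspersky code.  The
indicator lists are assumptions based on common rooting artefacts, and
the DeviceSnapshot passed in is constructed: a real check would stat()
the paths and read `getprop` output on the device itself.
"""
from dataclasses import dataclass, field

# Typical locations of a su binary left behind by rooting tools (assumed list).
SU_PATHS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/su/bin/su",
    "/data/local/bin/su",
    "/data/local/xbin/su",
)

# Build properties and the value that signals an insecure or non-production build.
# ro.secure=0 and ro.debuggable=1 mean adbd and apps can run with elevated rights,
# so they count as strong signals; ro.build.tags=test-keys alone is weak because
# some vendor builds ship with it and are not rooted.
STRONG_PROPS = {"ro.secure": "0", "ro.debuggable": "1"}
WEAK_PROPS = {"ro.build.tags": "test-keys"}


@dataclass
class DeviceSnapshot:
    """Constructed stand-in for what stat() and getprop would report."""
    existing_files: set = field(default_factory=set)
    build_props: dict = field(default_factory=dict)


def root_indicators(snapshot):
    """Return (strong, weak): human-readable indicators found in the snapshot."""
    strong = [f"su binary present: {p}" for p in SU_PATHS if p in snapshot.existing_files]
    strong += [f"{k}={v}" for k, v in STRONG_PROPS.items() if snapshot.build_props.get(k) == v]
    weak = [f"{k}={v}" for k, v in WEAK_PROPS.items() if snapshot.build_props.get(k) == v]
    return strong, weak


def root_verdict(snapshot):
    """'rooted' on any strong signal, 'suspicious' on weak signals only, else 'clean'."""
    strong, weak = root_indicators(snapshot)
    if strong:
        return "rooted"
    if weak:
        return "suspicious"
    return "clean"


def sandbox_trustworthy(snapshot):
    """A security app can only promise containment while the sandbox is intact."""
    return root_verdict(snapshot) == "clean"


if __name__ == "__main__":
    # Constructed device: su left in /system/xbin, otherwise a release build.
    device = DeviceSnapshot(
        existing_files={"/system/xbin/su", "/system/bin/sh"},
        build_props={"ro.build.tags": "release-keys", "ro.secure": "1", "ro.debuggable": "0"},
    )
    print(root_verdict(device), root_indicators(device))
```

The two-tier verdict matters in practice: an app that treats test-keys alone as proof of rooting will raise false alarms on some stock devices, while an app that ignores a present su binary gives the malware described above a free pass.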

So, should you root your Android device?

Using a system with superuser access rights is similar to driving a heavy truck. If you are really capable of handling that, then why not? But if you aren’t, then get the necessary knowledge and skills first. So if you’re not into IT and don’t consider yourself a pro-user, then we do not recommend rooting Android.

A few more pieces of advice:

  • Install applications from official stores only — but even so, don’t trust them blindly. Although the Google Play store is far more trustworthy than random Internet sites, Trojans sometimes get in.
  • Limit yourself to known apps from known developers and only those apps that are really needed.
  • Scan installed apps with a reliable antivirus — for example, our free Kaspersky Internet Security for Android.

App permissions in Android | Kaspersky official blog
https://www.kaspersky.com/blog/android-permissions-guide/14014/, Thu, 09 Feb 2017 14:00:49 +0000

Updated October 9, 2018: Google has changed app permission settings in Android Oreo, adding a new group called “Special app access.” More details are available in “App permissions in Android 8: The complete guide.”

In the face of malware, Android has a very good defense mechanism — the app permissions system. This system defines a set of actions an app is allowed (or not allowed) to perform. By default, all Android apps work in a sandbox — an isolated environment. If they want to access, edit, or delete data outside the sandbox, they need the system’s permission to do so.

Permissions are divided into several categories, but we are going to discuss only two of them: normal and dangerous. Normal permissions cover such actions as accessing the Internet, icon creation, Bluetooth connection, and so forth. These permissions are granted by default and do not require a user’s approval.

If an app needs one of the “dangerous” permissions, user confirmation is required. So, why are some permissions deemed dangerous? Are they inherently, actually dangerous? And in which cases should you grant them?

Dangerous permissions

The “dangerous” category includes nine permission groups, each covering actions that touch the user’s privacy or security. In turn, each group contains several permissions an app can request.

If a user approves one of the permissions, the app gets all of the permissions from the same group automatically, without additional confirmation. For example, if an app gets permission to read SMS messages, then it will be also able to send SMS messages, read MMS messages, and perform other operations from this group.

Calendar

What it permits:

  • Read events stored in the calendar (READ_CALENDAR).
  • Edit old events and create new ones (WRITE_CALENDAR).

Why it’s dangerous: If you actively use your digital day planner, the app will know everything about your daily routine and might share it with criminals. In addition, a buggy app could accidentally wipe important meetings from the calendar.

Camera

What it permits:

  • Camera access (CAMERA) lets the app use your phone to take photos and record videos.

Why it’s dangerous: An app can secretly record video or take photos at any moment.

Contacts

What it permits:

  • Read contacts (READ_CONTACTS).
  • Edit contacts or add new ones (WRITE_CONTACTS).
  • Access account list (GET_ACCOUNTS).

Why it’s dangerous: An app can snag your whole address book. This data is very attractive to spammers and fraudsters. This permission also grants access to the list of all of the accounts you use in the apps on this device — Google, Facebook, Instagram, and others like them.

Location

What it permits:

  • Access to your approximate location (ACCESS_COARSE_LOCATION), provided based on data from cellular base stations and Wi-Fi hotspots.
  • Access to your exact location (ACCESS_FINE_LOCATION), provided based on GPS data.

Why it’s dangerous: The app knows where you are at all times. It might, for example, let burglars know when you are far away from home.

Microphone

What it permits:

  • Record audio from the microphone (RECORD_AUDIO).

Why it’s dangerous: The app can record everything that’s going on near your phone. All of your conversations. Not only when you’re speaking on the phone, but all day long.

Phone

What it permits:

  • Reading phone state (READ_PHONE_STATE) lets the app know your phone number, current cellular network information, the status of any ongoing calls, and so on.
  • Make calls (CALL_PHONE).
  • Read the list of calls (READ_CALL_LOG).
  • Change the call list (WRITE_CALL_LOG).
  • Add voicemail (ADD_VOICEMAIL).
  • Use VoIP (USE_SIP).
  • Process outgoing calls permission (PROCESS_OUTGOING_CALLS) lets the app see who’s calling, hang up the phone, or redirect it to another number.

Why it’s dangerous: When you grant phone permissions, you allow the app to take almost any action associated with voice communications. The app will know when and whom you call — and it can call anywhere, including paid numbers, at your charge.

Body Sensors

What it permits:

  • Access body sensors (BODY_SENSORS). This permission provides access to your health data from certain sensors, such as a heart-rate monitor.

Why it’s dangerous: If you use accessories with body sensors (not the phone’s built-in movement sensors), the app receives data about what is going on with your body.

SMS

What it permits:

  • Send SMS messages (SEND_SMS).
  • Read saved SMS messages (READ_SMS).
  • Receive SMS messages (RECEIVE_SMS).
  • Receive WAP push messages (RECEIVE_WAP_PUSH).
  • Receive incoming MMS messages (RECEIVE_MMS).

Why it’s dangerous: It lets the app receive and read your incoming SMS messages as well as send them (charged to you, of course). For example, criminals can use this permission to subscribe victims to unwanted paid services.

Storage

What it permits:

  • Read SD card or other storage (READ_EXTERNAL_STORAGE).
  • Save records to storage or SD card (WRITE_EXTERNAL_STORAGE).

Why it’s dangerous: The app can read, change, or remove any files stored on your phone.

How to set up app permissions

If an app’s permission request is suspicious, you should not install it at all — or at least deny those permissions.

You should carefully consider each permission you grant. For example, if a game or photo-editing tool wants access to your current location, that’s strange. At the same time, maps and navigators really need GPS data — but not access to contact lists or SMS messages.

In Android 6 and later, apps ask users for approval any time they need one of the dangerous permissions. If you don’t want to grant them, you can always decline the request. Of course, if the app really needs those permissions, it will show error messages and won’t work properly.

An app requests permission to make and manage phone calls


You can also check the permission list and change any app’s permissions. Start by choosing Settings, then Apps (these and the following menu items may have slightly different names in your version of Android).

Now you can go one of two ways. First, you can check all permissions assigned to a certain app. To do that, click on the app’s name and choose Permissions.


Second, you can look through the full list of apps that have already requested or can request one of the dangerous permissions. For example, it’s a good idea to check which apps want access to your contact list and prohibit suspicious ones from getting it. For this choose Configure Apps (the gear icon in the upper right corner) and then click App Permissions.


Special access rights

Apart from dangerous permissions, an app can also request special access rights. When that happens, you should be wary: Trojans often request such rights.

Accessibility

This permission simplifies work with apps and devices for people with sight or hearing difficulties. Malware can abuse these features.

Having obtained such access rights, Trojans can intercept data from apps (including input text — passwords are the main goal here). In addition, malware gets the ability to purchase apps in the Google Play Store.

Default messaging app

Banking Trojans aim to become the default SMS app; that lets them read SMS messages and hide them — even in later versions of Android. For example, Trojans can use this feature to intercept banking passwords from SMS messages and confirm malicious transactions without a user’s knowledge (remember, they can hide SMS messages).

Always on top

The permission to overlay windows of other apps lets Trojans show phishing windows on top of legitimate applications (mobile banks or social network apps mostly). Victims think they’re entering their passwords into the forms of real applications, but in fact everything happens in the fake window displayed by the Trojan, and sensitive data goes to criminals.

Device administrator privileges

These rights let the user change the password, lock the camera or wipe all data from the device. Malicious apps often try to get such permissions; apps with administrator privileges are hard to uninstall.

An app requests administrator privileges

Root privileges

These are the most dangerous permissions. By default, Android never grants these rights to apps, but some Trojans can exploit system vulnerabilities to get them. Once that happens, all other defenses become useless — the malware can use root privileges to do whatever it wants no matter which permissions the victim assigns or denies.

It’s noteworthy that even the new permission system (released in Android 6) does not fully protect from malware. For example, the Gugi Trojan repeatedly bugs victims with window overlay permission requests until the permission is granted. After that, the malware overlays all other apps until it receives other permissions it wants.
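As an added example (not code from the post), the following script applies the grouping described under “Dangerous permissions” and the “is this permission strange for this kind of app?” test from “How to set up app permissions”, and it also reports the overlay right discussed under “Always on top”. It reads text in the shape of `adb shell dumpsys package` output; the sample below is constructed, and the per-app-type expectation table (EXPECTED_GROUPS) is an assumption based on the post’s own examples (a game has no business with Location or SMS, a navigator needs Location but not Contacts or SMS).

```python
"""Audit an app's Android permissions by dangerous-permission group.

Added example, not code from the original post.  It parses text shaped
like `adb shell dumpsys package <pkg>` output; SAMPLE_DUMPSYS below is
constructed, and EXPECTED_GROUPS is an assumption taken from the post's
own examples of what an app type should and should not need.
"""
import re

# The nine dangerous permission groups as listed in the post.
DANGEROUS_GROUPS = {
    "Calendar": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "Camera": {"CAMERA"},
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "Location": {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"},
    "Microphone": {"RECORD_AUDIO"},
    "Phone": {"READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG",
              "ADD_VOICEMAIL", "USE_SIP", "PROCESS_OUTGOING_CALLS"},
    "Body Sensors": {"BODY_SENSORS"},
    "SMS": {"SEND_SMS", "READ_SMS", "RECEIVE_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS"},
    "Storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}
PERM_TO_GROUP = {p: g for g, perms in DANGEROUS_GROUPS.items() for p in perms}

# Special access right that is declared as a manifest permission ("Always on top").
SPECIAL_ACCESS = {"SYSTEM_ALERT_WINDOW": "overlay other apps (Always on top)"}

# Assumed per-app-type expectations, following the post's examples.
EXPECTED_GROUPS = {
    "game": set(),
    "photo editor": {"Camera", "Storage"},
    "navigator": {"Location"},
}

PKG_RE = re.compile(r"Package \[([\w.]+)\]")
PERM_RE = re.compile(r"android\.permission\.([A-Z_]+)(?:: granted=(true|false))?")


def parse_dumpsys(text):
    """Return {package: {"requested": set, "granted": set}} from dumpsys-style text."""
    apps, current = {}, None
    for line in text.splitlines():
        m = PKG_RE.search(line)
        if m:
            current = apps.setdefault(m.group(1), {"requested": set(), "granted": set()})
            continue
        m = PERM_RE.search(line)
        if not (m and current):
            continue
        perm, granted = m.group(1), m.group(2)
        current["requested"].add(perm)
        if granted == "true":
            current["granted"].add(perm)
        elif granted is None and perm not in PERM_TO_GROUP and perm not in SPECIAL_ACCESS:
            # Normal permissions have no runtime line: they are granted at install time.
            current["granted"].add(perm)
    return apps


def audit(text, categories):
    """Collapse granted permissions to groups and flag groups the app type should not need."""
    findings = {}
    for pkg, info in parse_dumpsys(text).items():
        effective = {PERM_TO_GROUP[p] for p in info["granted"] if p in PERM_TO_GROUP}
        # One approved permission unlocks the rest of its group without a new prompt,
        # so every requested permission in an effective group counts as available.
        available = {p for p in info["requested"] if PERM_TO_GROUP.get(p) in effective}
        expected = EXPECTED_GROUPS.get(categories.get(pkg))
        unexpected = sorted(effective - expected) if expected is not None else []
        special = sorted(SPECIAL_ACCESS[p] for p in info["requested"] if p in SPECIAL_ACCESS)
        findings[pkg] = {
            "effective_groups": sorted(effective),
            "available_permissions": sorted(available),
            "unexpected_groups": unexpected,
            "special_access": special,
        }
    return findings


# Constructed sample in the shape of `dumpsys package` output (not a real capture).
SAMPLE_DUMPSYS = """\
  Package [com.example.puzzlegame] (constructed):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.GET_ACCOUNTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.SEND_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=false
      android.permission.SEND_SMS: granted=true
  Package [com.example.navigator] (constructed):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_COARSE_LOCATION
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true
"""
SAMPLE_CATEGORIES = {"com.example.puzzlegame": "game", "com.example.navigator": "navigator"}

if __name__ == "__main__":
    for pkg, finding in audit(SAMPLE_DUMPSYS, SAMPLE_CATEGORIES).items():
        print(pkg, finding)
```

Note how the game ends up with GET_ACCOUNTS available even though only READ_CONTACTS was approved: that is the group-level grant the post describes, and it is why the audit reasons in groups rather than individual permissions. The overlay right is reported separately because it is not a runtime permission and is granted from Settings, not from a prompt.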

Conclusions

Apps should not be allowed to do whatever they want on your phone — especially if they want dangerous permissions for no reason.

Some apps really do need a lot of rights, however. For example, antivirus programs need a lot of permissions to scan a system and proactively protect it from threats.

The conclusion here is simple: Before granting certain rights, think about if the app really needs them. If you’re not sure, do some investigating online.

Last but not least: Even the most vigilant users are not safe from malware exploiting system vulnerabilities. That’s why it’s important to manage your apps’ permissions properly, which helps you protect your privacy from apps spying on you, and to install a reliable security solution that will defend your device against even more dangerous Trojans and viruses.


Analyze mobile malware at home | Kaspersky official blog
https://www.kaspersky.com/blog/analyze-mobile-malware-at-home/2595/, Tue, 23 Sep 2014 14:37:44 +0000

Quite often on various tech sites I read comments asking about the difference between viruses and Trojans and how they are properly analyzed. Sometimes these comments have a lot of merit, sometimes they don’t. After one such – rather delightful – discussion I felt the urge to write about a proper malware examination. Should one run the malware on an “alive” device? Should one sandbox it in a virtual machine? How do you protect yourself and others from harm during such experiments? Also, let’s address a certain Trojan-SMS.AndroidOS.Opfake.a.

I will start with a serious question: how do antiviruses fix up an already-infected device? Even a trial version of our product detects and removes a majority of Trojans without any problems.


The Cure

Once a user taps the Delete button, he is automatically sent to the administrative settings menu, where he can revoke the Trojan’s “Device Admin” privileges. Then he is sent to the malware removal menu.


As you can see, the process isn’t completely automated as it is in Windows. Our solution displays the appropriate menus for the Trojan removal one after another and does all the behind-the-scenes work, but you’ll still have to tap a couple of buttons. Would this task be feasible for an inexperienced user? Well, that’s all the more reason for an inexperienced user to install additional protection. Had he or she installed the antivirus before, there would have been no infection at all.

What is this Trojan and why don’t all vendors detect it at once?

Actually, the SMS Trojan family AndroidOS.Opfake is one of the oldest in our collection: the first of them was detected three years ago, in August 2011. We have intercepted over 8000 variants since then. All of them have the same goal: to steal money from the user’s account by sending paid SMS texts to a number while concealing this activity from the user. There are some differences in detail. This specific variant, Opfake.a, first connects to a C&C server and then performs the task it receives. This can be sending spam to the contact list, sending an SMS to premium numbers, or stealing the list of contacts altogether. Beyond that, the Trojan can intercept incoming SMS texts or even install other malware.

Interestingly, a modification of the infection displays a picture of a kitten (left). Other ones don’t do this, performing only the hidden malicious operations and showing nothing at all.

Now, let’s talk about why this Trojan hasn’t been detected by everyone at once. Here’s the graph based on data from our product:


That’s the number of Trojans detected between August 29 and September 1, in two-hour intervals. As you can see, the primary spike was on August 31, when we detected 1800 attacks overall in Russia, Ukraine, Belarus, Kazakhstan and Uzbekistan. But this modification emerged earlier, on Friday evening, August 29. Compared to previous versions of the Trojan, the new one was modified to circumvent the detection methods used in antimalware solutions. In our case, however, detection is performed not by signatures but heuristically, in a nutshell, by the malware’s behavior. This way we can locate modifications of the same malware, and this method is far more resistant to subtle code modification.

In a situation like this, everything depends on how quickly an antivirus company can react to a new attack. First, the new sample has to be caught somehow, then analyzed (by hand or automatically), and then the word has to be spread to the clients via a product update. An aggravating factor was the timing of the Trojan’s initial distribution: apparently the criminals chose the time deliberately, keeping our work schedule in mind. But still we delivered :)

Examination

OK, let’s go back to where we started. We analyze malware by all means possible, and choose the appropriate one (code analysis, emulation, running on a real device) according to the circumstances – and according to our rich experience. What can we recommend to those who would like to analyze such a Trojan at home? First: don’t try it unless you’re absolutely sure you have to do it. Leave it to professionals. In most cases it’s OK to launch the malware on a “fresh” device with no personal data on it: the SIM card is in, but there are no funds on the account.

But first I’d suggest using more secure methods:

  • Launch a standard Android emulator. This is the safest way to learn more about the Trojan’s functionality. Some malware, however, detect VMs and refuse to work.
  • Run this on a real device, but without any personal data and without a SIM card; disable the Web access too. In the case of this specific Trojan this would not do. There are rare types of mobile threats that refuse to work on a device without a SIM, concealing their real purpose.
  • Run this on a real device with a SIM card. The lack of funds on your account won’t be a 100% guarantee, so I’d suggest blocking SMS texts to short numbers with your cellular operator.

As I said before, paid SMS sending isn’t the only function of Opfake, so I wouldn’t recommend using the third method at home. You have been warned!

Prevention

We have said before that mobile cybercrime is quite new, but it evolves rapidly, much faster than PC threats. Over the last 2-3 years Android threats went through the same stages of evolution as PC threats, from simple viruses to malware as complex as PC-targeted programs, except that on PCs it took two decades, not two years. An “advanced” user can easily protect himself from such a Trojan – just don’t open suspicious messages, don’t tap on dubious links and, certainly, don’t install shady apps.

What should less experienced users who more and more often prefer smartphones to the “usual” mobile phones do? Well, if you at least restrict installation of apps from “non-official” sources, Opfake.a already cannot be installed. But this isn’t a 100% security guarantee, which is shown by the dozens of openly malicious apps discovered in Google Play. So it’s necessary to have security software on your mobile devices.

An Android Trojan swindles banking credentials | Kaspersky official blog
https://www.kaspersky.com/blog/an-android-trojan-swindles-banking-credentials/3101/, Thu, 07 Nov 2013 19:16:42 +0000

Android malware now has a well-established track record of monetary theft, which is typically accomplished by sending text messages to premium rate numbers. At the end of summer we wrote about a new Trojan, which was able to steal from a debit/credit card if the card was bound to a phone number. Cybercriminals never stop inventing new ways to steal money or find the means to access money from unsuspecting victims. A new variation of the aforementioned Svpeng Trojan uses several tricks to phish for credit card numbers and online banking credentials.

It is worth mentioning that the specific sample we discovered targets Russian users, however, Russia often serves as a testing ground for cybercriminals. Well-proven schemes usually go overseas quite quickly. For now, the malware appears to be interested in U.S., German, Belarusian and Ukrainian victims. Currently the Trojan is configured to mimic popular Russian banks. Upon the launch of the mobile banking app, the Trojan replaces the open window with its own to swindle out the password.


Another implemented attack is more versatile, as it targets Google Play users. When a victim launches the Android online market app, the Trojan overlays Google’s window with its own and proposes that the user add a credit card to the account.


During the three months of the Trojan’s existence, Kaspersky Lab has discovered over 50 modifications of this malware, which means that criminals recognize its high “commercial value”. No doubt we will soon see new versions of the Trojan able to steal from clients of various banks in multiple countries. The current version spreads itself using SMS spam, but other variations might use another infection tactic.

To avoid infection, follow the Android user golden rules:

  • Switch off “Allow installation from unknown sources” in security settings
  • Use Google Play, do not use untrusted third-party app stores
  • Before installing a new app, check every permission requested by this app and consider if those permissions are reasonable for that type of app
  • Check app ratings and download counts, avoid applications with low ratings and a small number of downloads
  • Use full-scale security protection for your Android