Hunting for Android 1-days: analysis of rooting ecosystem

Eugene Rodionov (Google), Richard Neal (Google) & Lin Chen (Google)
live only
16:00 UTC on Day 2
THURSDAY 01 OCTOBER
With every new release of Android OS it becomes increasingly hard to gain root privileges on modern Android devices with locked bootloaders, due to improvements and new features in Android platform security. However, there still exist a number of applications that offer one-click rooting solutions. Some of the largest rooting providers offer rooting as a service via rooting SDKs. Usually, such applications exploit unpatched 1-day vulnerabilities present in certain Android platforms to gain root privileges.

During this research the authors took a deeper look into the biggest rooting providers targeting modern versions of the Android platform (Android 7.0 and higher) with the aim of better understanding the rooting ecosystem: which vulnerabilities are being used by these applications and what devices/platforms they are targeting.

In this presentation the authors will share the results of the long-term monitoring of one of the largest rooting providers for Android devices: Kingroot. They will provide details on Kingroot's modus operandi: reverse engineering of a sophisticated network communication protocol used with the C2 server to download the exploits, and analysis and deobfuscation of the payload. Additionally, the authors will provide analysis of the rooting exploits for various device models and Android builds that they managed to obtain in the course of Kingroot monitoring. To conclude the presentation, the authors will speak about what Google is doing to protect Android users from unpatched 1-days.
Eugene Rodionov
Google
Eugene Rodionov, Ph.D., is a security researcher at Google on the Android Malware Research team. In his current position, Eugene focuses on in-depth analysis and reverse engineering of threats targeting the Android platform. Prior to that, Rodionov performed offensive security research on UEFI firmware for client platforms at Intel, and ran internal research projects and performed in-depth analysis of complex threats at ESET. His fields of interest include reverse engineering, vulnerability analysis, firmware security and anti-rootkit technologies. Rodionov is a co-author of the 'Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats' book and has spoken at security conferences such as Black Hat, REcon, ZeroNights, and CARO.
Richard Neal
Google
Richard Neal is a lead on the Android Malware Research team at Google, managing a team of security and software engineers working to solve problems around Android malware, and trying to do as much technical work as possible. He has 22 years' professional experience in computer security, starting in development of secure systems and then moving into vulnerability and malware analysis, as reverse engineering is more fun than writing design documents.
Lin Chen
Google
Lin is currently working as a software engineer in the Android Malware Research team at Google. Prior to this he held a position in a privacy team at Facebook. Lin earned his M.Sc. from École Polytechnique Fédérale de Lausanne (EPFL) with a focus on information security, and his B.Sc. from Peking University.
16:00 - 16:30 UTC Thu 1 Oct 2020