Hack In The Box: How Attackers Manipulate Root Access and Configuration Changes

Securing iOS and Android smartphones and tablets is still a relatively new concept. Taking control of a mobile device was once considered an unlikely threat because it was hard to do. Malware has since moved forward, and its advances in attack capabilities make such attacks a more imminent threat. Technical procedures that were once the realm of hardcore, tech-savvy hackers have become common knowledge. The best example of this is rooting.

Rooting a mobile device (or Jailbreaking, in the case of an iOS device) is a way of breaking out of predefined boundaries set by the operating system. Users can root devices to harness the full potential of their devices and customize them according to their needs. Various rooting tools can be found online easily today and while these tools are useful for adventurous users, low-level attackers can also use rooting and jailbreaking to attack devices with severe consequences.


Another example of a widespread technique used by ordinary attackers is making configuration changes on a device. Configuration changes are even less complicated than rooting, and are sometimes made by legitimate apps as well. Nevertheless, they are often an easy way in for malware. In many cases, low-level attackers simply trick a user into making the changes that enable the malware.

In both cases, the risk arises from circumventing a device’s built-in defenses. Whether the user gets fooled into allowing the malware to intrude, or if the malware does so itself, the goal is the same: to bypass basic security measures that stand between the average perpetrator and his objective. The main difference between the two techniques is the possible control the attacker will have. While it is easier to change device configurations, rooting the device provides unlimited capabilities.

What kind of security will defend you?

It is a common misconception that mobile device management (MDM) and enterprise mobility management (EMM) solutions can protect business users against these threats. Both MDM and EMM can manage devices, configuration settings, and security policies, but these only offer static root indicators which aren’t sufficient when dealing with the real-life threats we encounter daily.

A device rooted by the user will have an SU binary installed, and the user may also install a supervisor app to manage which apps are granted root privileges. Many MDM/EMM solutions can detect these artifacts and claim to protect against their dangers. Sophisticated malware, however, can root the device and gain control without installing an SU binary or a supervisor app, and some malware actively hides its rooting to avoid detection. These techniques render static MDM/EMM detection methods useless.
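To make the gap concrete, the following added example (not Check Point's code) compares an SU-binary/supervisor-app check with a layered check of device state, run against constructed device snapshots. The snapshot fields, the adb commands named in the comments, and the supervisor package list are assumptions about how such data would be collected, not something the post specifies.

```python
"""Static su check versus layered root-state indicators (added example)."""
from dataclasses import dataclass, field

# Classic static indicators: common su paths and well-known supervisor apps.
SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"}
SUPERVISOR_PKGS = {"eu.chainfire.supersu", "com.koushikdutta.superuser",
                   "com.topjohnwu.magisk"}


@dataclass
class Snapshot:
    """Device state as it might be collected over `adb shell` (assumed)."""
    files: set                 # paths that exist on the device (ls/stat)
    packages: set              # `pm list packages`
    build_tags: str            # `getprop ro.build.tags`
    selinux: str               # `getenforce`
    mounts: dict = field(default_factory=dict)  # `mount`: mountpoint -> options
    props: dict = field(default_factory=dict)   # other `getprop` values


def static_su_check(s: Snapshot) -> bool:
    """What a static root indicator amounts to: su binary or supervisor app."""
    return bool(s.files & SU_PATHS) or bool(s.packages & SUPERVISOR_PKGS)


def layered_indicators(s: Snapshot) -> list:
    """State-based indicators that do not depend on an su binary being present."""
    hits = []
    if static_su_check(s):
        hits.append("su-binary-or-supervisor")
    if "test-keys" in s.build_tags:
        hits.append("test-keys-build")          # non-release signing keys
    if s.selinux.lower() != "enforcing":
        hits.append("selinux-not-enforcing")    # policy relaxed or disabled
    for mountpoint in ("/", "/system"):
        if "rw" in s.mounts.get(mountpoint, "").split(","):
            hits.append(f"{mountpoint}-mounted-rw")  # system partition writable
    if s.props.get("ro.debuggable") == "1":
        hits.append("debuggable-build")
    return hits


def is_compromised(s: Snapshot) -> bool:
    return bool(layered_indicators(s))


# Constructed snapshots: user-rooted, rooted without su, and clean.
USER_ROOTED = Snapshot({"/system/xbin/su"}, {"eu.chainfire.supersu"},
                       "release-keys", "Enforcing")
MALWARE_ROOTED = Snapshot(set(), set(), "release-keys", "Permissive",
                          mounts={"/system": "rw,seclabel,relatime"})
CLEAN = Snapshot(set(), set(), "release-keys", "Enforcing",
                 mounts={"/system": "ro,seclabel,relatime"})
```

The second snapshot passes the static check yet shows a writable system partition and a non-enforcing SELinux state, which is the kind of indicator a static MDM/EMM check does not look at.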

Keeping mobile devices fully protected isn’t easy, so organizations should use security measures that can detect malicious apps that attempt any configuration changes or rooting on devices. Such a solution should include threat emulation and static code analysis that can reveal and stop malicious code in apps from running on a device.

To learn more about the major threats facing mobile devices in the enterprise, read our CISO’s Guide to Mobile Security.