Two new rooting tools against a wide spectrum of Android devices, ranging from version 4.0 till 4.4, were recently found. These tools allow an adversary to bypass the Android permission model and gain full control of the smartphone/ tablet – essentially enabling an attacker to execute attacker-controlled code under system (administrator) privileges, access files and sensitive information on the device. Furthermore, these tools allow an attacker to inject a persistent backdoor on the device for complete remote control of the device.
Both rooting tools are available as a free download in various mobile forums. The tools require minimal technical understanding. All the user needs is a computer connection to the device.
Each tool exploits a separate vulnerability, both of which were patched for Android 4.4. However, due to delays in users patching devices – these tools are still current and popular.
The first tool, VROOT, communicates with a remote server located in China. VROOT extracts sensitive mobile data such as: the phone number, IMEI (unique identifier of a device), and device properties.
VROOT exploits a privilege escalation vulnerability in Linux’s kernel API reading and writing functionalities (CVE-2013-6282, published on Oct. 25) in order to root the device. Upon completion of the VROOT’s rooting process, it installs a Chinese “suid” application. Installing the suid application means that the rooting survives a reboot – in other words, it continues to runs with root privileges regardless of the user’s behavior.
The second rooting tool, MotoChopper, allows the user to easily root a device. The MotoChopper exploits a privilege escalation Linux Kernel vulnerability related to Qualcomm graphic driver (CVE-2013-2596, published mid-March). Interestingly, this particular vulnerability previously exploited Motorola devices (hence, the MotoChopper name) and has now been enhanced to support the rooting of a multitude of devices (for example, Samsung, Huawei, and Sony and others).
As mentioned, VROOT and MotoChopper tools require a direct computer connection. However, the past has demonstrated that the exploitation of vulnerabilities for device rooting does not necessarily require a cable connection. Other methods include convincing the user to install a malicious Android application – either from the Official Google Play App Store, or from a 3rd party such as an unofficial app store or via email (recall DroidDream, GingerMaster and BaseBridge which were distributed in such a manner). Also the recent Pwn2Own contest has demonstrated another viable rooting distribution channel where a Web attack exploits a 0-day vulnerability in an existing application (CVE-2013-6632).
Learning from the past, we can assume that it is only a matter of time until exploits for these aforementioned vulnerabilities are distributed through other channels.
Mitigation Techniques:
The following mitigation controls will not provide 100% protection. However, following these best practices will largely minimize the threat of exposure.
1. Check whether there your device is affected by the vulnerabilities CVE-2013-6282 and CVE-2013-2596.
For your convenience, we listed below those devices for which exploits in the wild already exist.
2. Install applications only from reputable sources, i.e. from the official Google Play app store. Read reviews and the developer’s popularity scores.
3. Do not open suspicious/unknown links sent to the device.
4. Do not root the device.
Exploits in the wild exist for the following devices:
Samsung: I9100G, I9108, I9050, I9260, I9268, I8552, I8190N, I869, I739, I9128, I9128V, I9082, S4 series models: I9500, I959, I9502, E300S, E300L, S5830i/I869 KEAMEA/I9128 ZMAMC3/I9128V ZCAMD3, I739/I8190N/I9105P/I9082
Lenovo: A298T
Huawei: G610C Telecom version, Y320-T00, Y500-T00, Y220T
ZTE: U970 4.1 system, N909, N980, N980
Motorola: RAZR XT 910
Sony: LT22i, L36h, M35h, LT26i, LT28h, LT26ii, M35h 12.0.A.1.211