Hunting for Android 1-days: analysis of rooting ecosystem

Thursday 1 October 16:00 - 16:30, Green room

Eugene Rodionov (Google)
Richard Neal (Google)
Lin Chen (Google)

With every new release of the Android OS, it becomes increasingly difficult to gain root privileges on modern Android devices with locked bootloaders, due to improvements and new features in Android platform security. However, a number of applications still offer one-click rooting solutions. Some of the largest rooting providers offer rooting as a service via rooting SDKs. Usually, such applications exploit unpatched 1-day vulnerabilities present in certain Android platforms to gain root privileges.

During this research the authors took a deeper look into the biggest rooting providers targeting modern versions of the Android platform (Android 7.0 and higher) with the aim of better understanding the rooting ecosystem: which vulnerabilities are being used by these applications and what devices/platforms they are targeting.

In this presentation the authors will share the results of the long-term monitoring of one of the largest rooting providers for Android devices: Kingroot. They will provide details on Kingroot's modus operandi: reverse engineering of the sophisticated network communication protocol it uses with its C2 server to download the exploits, and analysis and deobfuscation of the payload. Additionally, the authors will provide analysis of the rooting exploits for various device models and Android builds that they managed to obtain in the course of Kingroot monitoring. To conclude the presentation, the authors will speak about what Google is doing to protect Android users from unpatched 1-days.



Eugene Rodionov

Eugene Rodionov, Ph.D., is a security researcher at Google on the Android Malware Research team. In his current position, Eugene focuses on in-depth analysis and reverse engineering of threats targeting the Android platform. Prior to that, Rodionov performed offensive security research on UEFI firmware for client platforms at Intel, and ran internal research projects and performed in-depth analysis of complex threats at ESET. His fields of interest include reverse engineering, vulnerability analysis, firmware security and anti-rootkit technologies. Rodionov is a co-author of the 'Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats' book and has spoken at security conferences such as Black Hat, REcon, ZeroNights, and CARO.



Richard Neal

Richard Neal is a lead on the Android Malware Research team at Google, managing a team of security and software engineers working to solve problems around Android malware, and trying to do as much technical work as possible. He has 22 years' professional experience in computer security, starting in development of secure systems and then moving into vulnerability and malware analysis, as reverse engineering is more fun than writing design documents.



Lin Chen

Lin is currently working as a software engineer in the Android Malware Research team at Google. Prior to this he held a position in a privacy team at Facebook. Lin earned his M.Sc. from École Polytechnique Fédérale de Lausanne (EPFL) with a focus on information security, and his B.Sc. from Peking University.
