Android Root Detection Bypass Using Objection and Frida Scripts
This article is a follow-up to the previous one. If you haven't read it yet, it is worth going through first.
Assuming the setup for objection and Frida is already done, we can proceed to bypass root detection. As mentioned in the first article, two ways of bypassing root detection are explained here: one using objection and one using Frida scripts.
Steps to bypass root detection using objection:
Objection can be used in two different ways for a root detection bypass, depending on how Frida gets into the process. Both scenarios are explained below.
- The APK is patched with the Frida gadget (for example with objection patchapk).
- Frida server is running on the mobile device.
Scenario 1:
If the APK is patched with the Frida gadget, the steps mentioned in the previous article can be followed to spawn the application with objection.
While the application is loading, enter the command "android root disable" in the objection console.
This hooks the common root detection checks at run time, as shown in the screenshot, and allows the application to run on a rooted device.
Scenario 2:
When frida-server is already running on the device, we need the exact package name of the application in order to spawn it with objection.
One way to find it is to start the application on the device and then run "frida-ps -Ua" on the host; the -a switch lists only running applications together with their package identifiers (use "frida-ps -Uai" to include installed applications that are not running).
From the output, we can identify the package name.
Now enter the command: objection -g com.test.test explore
This spawns the application through the Frida server running on the device. While the application is loading, enter the command "android root disable" in the objection console to bypass root detection. This does the trick again.
Steps to bypass root detection using Frida script:
The objection bypass works for typical root detection implementations because it hooks a fixed set of well-known checks. If the detection mechanism is custom or hardened (a renamed class, checks inlined into business logic, results combined with other signals), objection will not be able to do the trick for us. This is where Frida scripts come in handy.
There are again two ways to use Frida scripts.
- One is to use publicly shared Frida code from Frida's codeshare site (https://codeshare.frida.re/) or commonly shared scripts from other sites or researchers' blogs.
- The other is to write a new JavaScript hook after understanding the application's root detection code.
Scenario 1:
A commonly shared Frida script can be used to perform the root detection bypass. Either copy the JavaScript locally or run it directly from codeshare. In both cases -U selects the USB-attached device and -f spawns the package (older Frida versions also needed --no-pause after -f to resume the spawned process; recent versions resume it automatically).
If the script is copied locally, run: frida -U -l rootbypass.js -f com.test.test
If the script is to be executed directly from codeshare, run: frida -U --codeshare author/scriptname -f com.test.test
Scenario 2:
Writing JavaScript to bypass a root detection implementation is not rocket science. One needs to understand the code in order to write the counter code.
The process typically starts with reverse engineering. Once that is done by any method (personally preferred: unzip the APK, use dex2jar to convert the classes.dex to a jar file, and open the jar in JD-GUI to view the decompiled source), the decompiled code can be used to identify the implementation.
Some quick keyword searches such as Superuser.apk, /su, supersu, busybox, test-keys, etc. will help to identify the class where the technique is implemented. This code needs to be understood in order to write the counter code.
For instance, in the code below a boolean check is implemented that detects the presence of the listed files (su binaries and the Superuser package) and returns true or false based on the detection.
package com.test.test;

import java.io.File;

public class roottest
{
    // Entry point called by the app: true means "rooted".
    public static boolean root()
    {
        boolean bool1 = detectmethods();
        return bool1;
    }

    // Walks a list of well-known su / Superuser locations and returns
    // true as soon as any of them exists on the filesystem.
    private static boolean detectmethods()
    {
        String[] arrayOfString = new String[10];
        arrayOfString[0] = "/system/app/Superuser.apk";
        arrayOfString[1] = "/sbin/su";
        arrayOfString[2] = "/system/bin/su";
        arrayOfString[3] = "/system/xbin/su";
        arrayOfString[4] = "/data/local/xbin/su";
        arrayOfString[5] = "/data/local/bin/su";
        arrayOfString[6] = "/system/sd/xbin/su";
        arrayOfString[7] = "/system/bin/failsafe/su";
        arrayOfString[8] = "/data/local/su";
        arrayOfString[9] = "/su/bin/su";
        int a = arrayOfString.length;
        int b = 0;
        while (b < a)
        {
            if (new File(arrayOfString[b]).exists()) {
                return true;
            }
            b += 1;
        }
        return false;
    }
}
From this code it can be seen that if any of the suspicious files is found, root() returns true, which makes the application refuse to run because root has been detected; if false is returned, the application is allowed to run because no root was detected.
This logic can be bypassed at run time with the JavaScript below, which replaces the implementation of root() so that it always returns false:
Java.perform(function ()
{
    // Look up the class identified during reverse engineering.
    var RootTest = Java.use('com.test.test.roottest');
    // root() takes no arguments; replace its body so it never reports "rooted".
    RootTest.root.implementation = function () {
        console.log('Done: bypassed');
        return false;
    };
});
In this JavaScript we force the return value to false, which makes the application think it is running on a non-rooted device. Hence the application now runs on a rooted device.
Command: frida -U -l rootbypass.js -f com.test.test. Frida loads this script into the spawned process, so when the application calls root() our replacement runs instead of the original body, fooling the application into running on the rooted device.
The above methods are successful in most cases and let the tester widen the testing scope by running the application on a rooted device.
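The single-method hook above stops working as soon as the app renames roottest, inlines the checks into another class, or calls detectmethods() from more than one place. The following Frida script, an added example and not code from the original article, bypasses the detection at two layers: it hooks the wrapper and worker methods of the decompiled sample, and it also hooks java.io.File.exists() so that probes for su binaries and the Superuser package return false wherever in the app they are made. The class and method names (com.test.test.roottest, root, detectmethods) are assumed to match the decompiled sample above; the path list is the sample's list plus a few common root artefacts.

```javascript
// Added example (not from the original article): two-layer Frida root
// detection bypass. Assumes the decompiled class com.test.test.roottest
// with static methods root() and detectmethods(), as shown in the article.
//
// Paths from the article's sample plus a few common root artefacts;
// extend the list from your own reverse engineering.
const SU_INDICATORS = [
  '/system/app/Superuser.apk',
  '/sbin/su',
  '/system/bin/su',
  '/system/xbin/su',
  '/data/local/xbin/su',
  '/data/local/bin/su',
  '/system/sd/xbin/su',
  '/system/bin/failsafe/su',
  '/data/local/su',
  '/su/bin/su',
  '/system/xbin/busybox',
  '/system/app/SuperSU.apk',
];

// Pure decision function, kept separate from the hooks so it can be
// exercised outside Frida: is this path a probe for a root artefact?
// Matches the list exactly, or any path whose last component is "su".
function isRootProbe(path) {
  if (typeof path !== 'string') return false;
  if (SU_INDICATORS.indexOf(path) !== -1) return true;
  const last = path.substring(path.lastIndexOf('/') + 1);
  return last === 'su';
}

// Install the Java hooks. Only meaningful inside Frida: Java.perform and
// Java.use come from Frida's Java bridge and do not exist in Node.
function installHooks() {
  Java.perform(function () {
    // Layer 1: force both the wrapper and the worker method to report
    // "not rooted", in case the app calls either one directly.
    const RootTest = Java.use('com.test.test.roottest');
    RootTest.root.implementation = function () {
      console.log('[bypass] roottest.root() -> false');
      return false;
    };
    RootTest.detectmethods.implementation = function () {
      console.log('[bypass] roottest.detectmethods() -> false');
      return false;
    };

    // Layer 2: hide su/Superuser artefacts from java.io.File.exists(),
    // which catches the same check even when it lives in another class.
    // Non-root paths fall through to the original implementation so the
    // rest of the application keeps working normally.
    const File = Java.use('java.io.File');
    File.exists.implementation = function () {
      const path = this.getAbsolutePath();
      if (isRootProbe(path)) {
        console.log('[bypass] hiding ' + path);
        return false;
      }
      return this.exists();
    };
  });
}

// Guarded so the file also loads outside Frida (e.g. for testing isRootProbe).
if (typeof Java !== 'undefined') {
  installHooks();
}
```

Save it as rootbypass.js and load it with frida -U -l rootbypass.js -f com.test.test. Hooking java.io.File.exists() is deliberately narrow (only the listed paths and any file named su are hidden); returning false for every path would break the application's own file handling. Apps that shell out to "which su" or read /proc directly need additional hooks, which the same pattern of hooking the primitive rather than the wrapper accommodates.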