
ROOTECTOR: Robust Android Rooting Detection Framework Using Machine Learning Algorithms

  • Research Article, Computer Engineering and Computer Science
  • Arabian Journal for Science and Engineering

Abstract

Recently, the newly launched Google Protect service warns Android users against installing rooting tools. Nevertheless, Android users still tend to root their devices to gain unlimited privileges, which lets them customize the device but also lets Android apps bypass the platform's security logging and security controls. Rooting is also one of the most damaging tactics used by Android malware: it gives malware the ability to open backdoors and server ports, reach Android kernel commands, and silently install malicious apps that become irremovable and undetectable. Existing Android malware detection frameworks concentrate on detecting root-exploit code embedded within an app; most of them overlook the complementary problem of detecting whether the device itself is rooted. In addition, many evasion techniques have been developed to cloak rooted devices. These facts make rooting detection a challenging task, and current studies highlight a deficiency in root detection research. Hence, this study proposes "Rootector", an Android rooting detection framework that uses machine learning classification techniques to detect rooted Android devices. The model is built from machine learning algorithms that have previously shown excellent detection performance in other fields. The research builds a rooting dataset of more than 13,000 mobile scans collected from both physical Android devices and emulators. Using this dataset, the study evaluates the performance of ten machine learning classifiers to identify the best classification model and applies hyper-parameter optimization techniques to find the optimal parameters for each. The study adopts the LASSO (least absolute shrinkage and selection operator) regression algorithm to identify the smallest set of classification features that preserves performance, forming a compact dataset, and uses it to propose a compact model for Android rooting detection.

The experimental evaluation shows very promising performance for the Rootector framework, with about 98.16% overall accuracy on the full dataset, degrading only slightly to 97.13% on the compact dataset.
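To make the compact-model idea concrete, here is an added, self-contained illustration of the two steps the abstract describes: L1-regularised (LASSO-style) logistic regression that drives uninformative feature weights to exactly zero, followed by classification on the surviving features. This is example code written for this page, not the Rootector code from the authors' repository; the feature names, the class-conditional probabilities and the scan records are all constructed here so it runs offline, and the paper's own feature list, classifiers and dataset are not reproduced. The four "indicator" features are assumed root-detection signals (an su binary, test-keys build tags, a root-management package, a read-write /system mount) and the two "noise" features are label-independent, so the run shows LASSO keeping the former and discarding the latter.

```python
"""Toy LASSO-style feature selection plus classification for Android root detection.

Added illustration, not the Rootector code (https://github.com/wfarouk/Rootector).
Feature names, probabilities and the dataset are constructed assumptions; a real
deployment would collect these attributes from device and emulator scans.
"""
import math
import random

# Constructed root-indicator features (assumed names). The last two are
# label-independent noise, included to show LASSO zeroing their weights.
FEATURES = [
    "su_binary_present",        # an su executable is reachable on the PATH
    "build_tags_test_keys",     # ro.build.tags reports test-keys
    "root_mgmt_pkg_installed",  # a superuser-management app is installed
    "system_mounted_rw",        # /system is mounted read-write
    "noise_screen_on",          # unrelated attribute, independent of the label
    "noise_even_minute",        # unrelated attribute, independent of the label
]

# P(feature = 1 | rooted) and P(feature = 1 | not rooted); constructed values.
# The rooted-side probabilities are below 1.0 to mimic cloaked (evasive) roots.
P_ROOTED = [0.90, 0.70, 0.80, 0.60, 0.50, 0.50]
P_CLEAN = [0.05, 0.10, 0.03, 0.10, 0.50, 0.50]


def make_dataset(n, seed=0):
    """Draw n constructed scan records as (feature vector, label) with 1 = rooted."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(n):
        rooted = rng.random() < 0.5
        probs = P_ROOTED if rooted else P_CLEAN
        rows.append([1.0 if rng.random() < p else 0.0 for p in probs])
        labels.append(1 if rooted else 0)
    return rows, labels


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def fit_lasso_logistic(rows, labels, lam=0.08, eta=0.5, iters=800):
    """L1-regularised logistic regression via proximal gradient descent (ISTA).

    Minimises mean log-loss + lam * sum(|w|); the intercept b is not penalised.
    The soft-threshold step returns exactly 0.0 for weights whose gradient never
    exceeds lam, which is how LASSO yields a compact feature set.
    """
    n, d = len(rows), len(rows[0])
    w, b = [0.0] * d, 0.0
    for _ in range(iters):
        grad_w, grad_b = [0.0] * d, 0.0
        for x, y in zip(rows, labels):
            r = _sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            grad_b += r
            for j in range(d):
                grad_w[j] += r * x[j]
        b -= eta * grad_b / n
        for j in range(d):
            v = w[j] - eta * grad_w[j] / n
            w[j] = math.copysign(max(abs(v) - eta * lam, 0.0), v)  # soft threshold
    return w, b


def selected_features(w):
    """Names of the features that survived the L1 penalty (the compact model)."""
    return [name for name, wj in zip(FEATURES, w) if wj != 0.0]


def predict(w, b, x):
    """1 = classified as rooted, 0 = classified as clean."""
    return 1 if _sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) >= 0.5 else 0


def accuracy(w, b, rows, labels):
    hits = sum(predict(w, b, x) == y for x, y in zip(rows, labels))
    return hits / len(rows)


def run_experiment(n_train=400, n_test=200):
    """Train on constructed scans; return weights, surviving features, held-out accuracy."""
    train_x, train_y = make_dataset(n_train, seed=1)
    test_x, test_y = make_dataset(n_test, seed=2)
    w, b = fit_lasso_logistic(train_x, train_y)
    return {
        "weights": dict(zip(FEATURES, w)),
        "selected": selected_features(w),
        "test_accuracy": accuracy(w, b, test_x, test_y),
    }


if __name__ == "__main__":
    result = run_experiment()
    for name, wj in result["weights"].items():
        print(f"{name:26s} {wj:+.3f}")
    print("compact feature set:", result["selected"])
    print("held-out accuracy:", result["test_accuracy"])
```

The design point is the soft-threshold line: plain gradient descent would leave the noise weights at small non-zero values, whereas the proximal step zeroes any weight whose gradient stays below `lam`, so the compact model can be read straight off the non-zero entries. Raising `lam` trades a smaller feature set for some accuracy, which is the same trade-off the abstract reports between the full and compact datasets.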



Notes

  1. https://github.com/wfarouk/Rootector

  2. https://github.com/samoa-moa/samoa-moa

  3. https://www.h2o.ai/

  4. https://github.com/cran/glmnet


Acknowledgements

 The work of the authors was supported by Impact-oriented Interdisciplinary Research Grant (IIRG), Universiti Malaya under grant IIRG001C-2020SAH.


Corresponding author

Correspondence to Nor Badrul Anuar.


Cite this article

Elsersy, W.F., Anuar, N.B. & Razak, M.F.A. ROOTECTOR: Robust Android Rooting Detection Framework Using Machine Learning Algorithms. Arab J Sci Eng 48, 1771–1791 (2023). https://doi.org/10.1007/s13369-022-06949-5
