System log-based android root state detection

Abstract

Android rooting enables device owners to freely customize their own devices. However, rooting system weakens the security of Android devices and opens the backdoor for malware to obtain privileged access easily. For this reason, some developers have introduced detection mechanisms for sensitive or high-value mobile apps to mitigate the potential security risks. Nevertheless, the existing root prevention and detection methods generally lack universality. In this paper, we studied the existing Android root detection methods and found the both parties have ignored the traces of the relevant behavior in the log. Thus, we proposed the system log based root state detection method. In the method, we directly use the existing log information to find clues to verify the system root state on one hand, on the other hand, to use the triggering features of some special operations to update and enrich the log information. The results show that, even be deliberately erased, some log information is still remained which can be used to verify whether system was rooted or not.