Characterization of android applications with root exploit by using static feature analysis

Abstract

Recently, more and more rootkit tools are provided by some well-known vendors in the mainstream Android markets. Many people are willing to root their phones to uninstall pre-installed applications, flash third-party ROMs and so on. As it is reported, a significant proportion of Android phones are rooted at least one time. However, applications with root exploit bring critical security threat to users. When the phone is rooted, the permission system, which enforces access control to those privacy-related resources in Android phones, could be bypassed. Thus, the phone will be an easy point for malware to launch attacks. What’s more, even the phone is unrooted, permission escalation attacks also can be carried out. Remarkably, an amount of sophisticated Android malware embeds root exploit payloads. Hence, root exploit always suggests high security risk. It is a pressing concern for researchers to characterize and detect applications with root exploit. In this paper, a novel method to extract key features of apps with root exploit is proposed. Contrary to existing works, contrasting the static features between applications with and without root exploit comprehensively are considered at the first time. We complete and evaluate the methodology on two clean apps and two malware dataset, comprising 52, 1859, 463 and 797 applications respectively. Our empirical results suggest the peculiar features can be obtained, which can capture the key differences between applications with and without root exploit to characterize Android root exploit applications.