How to Stop the Menace of Android Rooting Malware Attacks with RASP

Frederik Mennes,

One of the key security issues facing organizations that support Android devices is the risk of rooting malware. A number of malware families on the Android mobile OS attempt to obtain root access once installed because the elevated privileges gained come in handy to perform malicious activities. There is, however, a way to detect rooting and protect your organization and mobile application users from malicious attacks – Runtime Application Self-Protection (RASP).

Read on to learn how two common Android malware families, Tordow v2.0 and Pegasus (or Chrysaor), root mobile devices and how RASP technology can help protect. The research presented in this article was performed by Ludovic Joly from OneSpan’s Security Competence Centre.

What you need to know about Tordow v2.0 and Pegasus

The Tordow v2.0 malware family was first discovered in late 2016 and is a type of Android banking Trojan that attempts to steal money from the user of the infected device by stealing banking credentials, transferring money by SMS, and using its ransomware capabilities.

On the other hand, Pegasus for Android is a stealth spyware designed to monitor targets of surveillance and it is believed to have been developed by lawful intercept vendor NSO Group. Pegasus can be used to remotely control a device via SMS, to exfiltrate data from commonly used communication and social media apps, to capture audio and images using the device’s microphone and camera and to capture screenshots and more. This spyware is so stealth that samples of it could only be found and analysed by a joint effort of security teams at Lookout and Google.

Mobile App Shielding
White Paper

Mobile App Shielding: How to Reduce Fraud, Save Money, and Protect Revenue

Discover how app shielding with runtime-protection is key to developing a secure, resilient mobile banking app.

Download Now

Using Framaroot to obtain root access

Both malware families have the capability to root the device they infect, allowing users of devices and/or apps to attain privileged control or root access over Android subsystems. As Android uses the Linux kernel, rooting an Android device gives similar access to administrative (superuser) permissions as on Linux or any other Unix-like operating system. Administrative rights allow the malware samples to perform a much wider range of nefarious actions, such as accessing other apps’ data, recording key strokes, or reading SMS messages.

Reverse-engineering of some samples of these malware families shows that they rely on the exploits packaged in Framaroot to try to gain root. Framaroot, which describes itself as a one-click app to root some devices, does exactly what it claims and works for a wide range of devices running Android 2 to 4. In practice, Framaroot is used by most malware families to perform rooting.

Indeed, some Tordow v2.0 samples contain the actual Framaroot framework:

Protecting against Android rooting malware using RASP

Pegasus also uses Framaroot, as it comes with the sucopier file, the publicly available Framaroot exploit binary.

Protecting against Android rooting malware using RASP

Now, what happens after one of the exploits of Framaroot was successfully run on a device? In order to ease subsequent root accesses by the malware, an su binary is written to a directory, from where it can later on be executed. In our context, an su binary, sometimes described as super user, is used to execute commands with the super user privileges.

In the case of Pegasus, the su binary (the cmdshell file in the apk) is located at /system/csk on the file system. This unusual location grants the malware the exclusivity of root access and supposedly guarantees it remains hidden.

Protecting against Android rooting malware using RASP

Protecting against rooting malware using RASP technology

To protect mobile devices against rooting malware, organizations should focus on the application layer. A key way of doing so is with Runtime Application Self-Protection (RASP), which protects apps as they run by providing security mechanisms such as integrity protection, debugging prevention, root detection, and more. RASP offers advanced root detection to detect the presence of binaries like those in Tordow v2.0 and Pegasus.

From its position inside the application, RASP understands the data flows and working logic of the app and continuously monitors and analyzes application execution in the background. That means that RASP also knows when the application is under threat.

If a user runs an app that is protected with RASP on a device that is not rooted at first but becomes rooted through infection by malware, RASP will take action to protect the app and user. For instance, RASP could inform the user via a warning message, alert the information security team of the organization, or terminate the app.

Malware attacks against Android devices highlight the need for technology like RASP that provides one-stop protection against rooting malware. It’s important that the root detection and prevention features of RASP technology are continuously updated by testing it against root, root cloaking, and malware applications. This is instrumental to ensure RASP stays ahead of the most advanced rooting malware. 


Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.