Single Flaw Lets Hackers Seize Total Control of Rooted Android Phones

Security researchers at Zimperium’s zLabs have uncovered a critical vulnerability in popular Android rooting frameworks that could allow malicious applications to hijack rooted devices completely.

The flaw, initially discovered in mid-2023, demonstrates how attackers can exploit authentication weaknesses in tools like KernelSU to gain unrestricted system access without user knowledge.

The vulnerability affects KernelSU version 0.5.7, a widely used rooting framework that employs kernel patching techniques to provide root access.

Unlike traditional rooting methods, modern frameworks like KernelSU, APatch, and SKRoot directly modify the Android kernel by hooking into critical system functions, creating covert communication channels between kernel space and user applications.

Authentication Bypass Exposes Root Interface

The core issue lies in KernelSU’s flawed authentication mechanism, which was designed to prevent unauthorized applications from accessing privileged kernel interfaces.

The framework uses the prctl system call with a magic value (0xDEADBEEF) to route commands between a manager application and the kernel, including powerful operations like CMD_GRANT_ROOT and CMD_SET_SEPOLICY.

To authenticate as the legitimate manager, applications must pass three validation checks: path verification, ownership confirmation, and APK signature verification.

However, the signature check contains a critical flaw: it examines the first base.apk file found in the process’s file descriptor table, assuming it belongs to the calling application.

Attackers can exploit this by manipulating file descriptor ordering to trick the kernel into reading the legitimate KernelSU manager’s APK signature instead of their malicious application.

The attack involves identifying the attacker’s APK file descriptor, locating a lower-numbered descriptor, and strategically opening the official manager’s APK file (bundled within the malicious app) to appear first in the validation sequence.
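To make the logic flaw concrete, here is a simplified Python model, added for this article and not KernelSU’s code, of the vulnerable check beside a variant that evaluates path, ownership and signature against the same file. The paths, uids and signature strings are constructed placeholders, and the hardened variant illustrates the remediation principle (bind every check to one object, ignore descriptor order), not the project’s actual patch.

```python
# Simplified model constructed for this article; not KernelSU's code.
# It reproduces the flaw described above: the signature check trusts
# whichever base.apk appears first in the caller's descriptor table.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class OpenFile:
    path: str        # filesystem path behind the descriptor
    owner_uid: int   # uid owning the file
    signature: str   # stand-in for the APK signing-certificate hash

MANAGER_SIG = "sha256:MANAGER-CERT-PLACEHOLDER"   # constructed value

def vulnerable_is_manager(caller_uid: int, caller_apk: str,
                          fd_table: dict[int, OpenFile]) -> bool:
    """Vulnerable model: scan fds in ascending order, take the first
    base.apk and check its signature, assuming it is the caller's own."""
    for fd in sorted(fd_table):
        f = fd_table[fd]
        if f.path.endswith("/base.apk"):
            return f.signature == MANAGER_SIG
    return False

def hardened_is_manager(caller_uid: int, caller_apk: str,
                        fd_table: dict[int, OpenFile]) -> bool:
    """Hardened model: path, ownership and signature are all checked on the
    caller's own APK (assumption: its install path is resolved independently
    of descriptor order), so a stray descriptor cannot substitute for it."""
    for f in fd_table.values():
        if f.path == caller_apk and f.owner_uid == caller_uid:
            return f.signature == MANAGER_SIG
    return False   # caller's own APK not open, or a different file offered

# Constructed scenario: honest manager process vs. a process that opened a
# bundled copy of the manager APK at a lower-numbered descriptor.
MANAGER_UID, ATTACKER_UID = 10123, 10456
MANAGER_APK = "/data/app/manager-1/base.apk"
ATTACKER_APK = "/data/app/attacker-1/base.apk"

manager_fds = {3: OpenFile(MANAGER_APK, MANAGER_UID, MANAGER_SIG)}
attacker_fds = {
    3: OpenFile("/data/data/attacker/files/base.apk", ATTACKER_UID, MANAGER_SIG),
    5: OpenFile(ATTACKER_APK, ATTACKER_UID, "sha256:ATTACKER-CERT-PLACEHOLDER"),
}

def run_scenarios() -> dict[str, bool]:
    """Return the verdict of each check for both processes."""
    return {
        "vuln_manager": vulnerable_is_manager(MANAGER_UID, MANAGER_APK, manager_fds),
        "vuln_attacker": vulnerable_is_manager(ATTACKER_UID, ATTACKER_APK, attacker_fds),
        "hard_manager": hardened_is_manager(MANAGER_UID, MANAGER_APK, manager_fds),
        "hard_attacker": hardened_is_manager(ATTACKER_UID, ATTACKER_APK, attacker_fds),
    }
```

The vulnerable model accepts both processes, while the hardened one accepts only the genuine manager; the difference is purely which file the signature is read from.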

Widespread Risk Across Rooting Ecosystem

Zimperium’s research reveals that authentication vulnerabilities are endemic across rooting frameworks.

“Nearly every rooting framework contains at least one critical vulnerability at some point in its lifecycle,” the researchers noted, citing similar flaws in APatch’s password authentication and a recent Magisk vulnerability (CVE-2024-48336) that allowed privilege escalation through Google Mobile Services impersonation.

These tools typically suffer from improper authentication mechanisms, excessive trust in user-space input, and poor privilege boundaries, creating multiple attack vectors for malicious applications.

The attack scenario becomes particularly dangerous during device boot cycles, where a malicious application holding the RECEIVE_BOOT_COMPLETED permission could authenticate before the legitimate manager application, establishing persistent root access.

While the vulnerability requires specific timing conditions, it represents a practical threat in real-world scenarios where users install untrusted applications on rooted devices.

Zimperium’s Mobile Threat Defense solutions can detect such compromises through real-time monitoring of device rooting status, system tampering, and malware presence, providing enterprises with essential protection against these evolving mobile security threats.

Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
