Bypass Root Detection

To understand root detection, we must first understand what rootage is. Rooting is the process of obtaining the highest privileges possible on the operating system. In the case of Android, rooting allows you to change or replace applications, files and system settings, and run specialized applications ("apps") that require administrator-level permissions. Root detection is the process of detecting whether a device is rooted. This is usually done when the application is launched. Sometimes root checks are implemented in applications such that the application will not respond or exit when running on a rooted device.

Resources :

Frida

# verify frida connection
frida-ls-devices

# find package name
frida-ps -Ua

# Take one script :
# https://codeshare.frida.re/@dzonerzy/fridantiroot/
# https://gist.githubusercontent.com/pich4ya/0b2a8592d3c8d5df9c34b8d185d2ea35/raw/db83ed8d4d3dfc29687724e4393e173362b1d7a9/root_bypass.js
# hook the script using Frida using the command:
frida -U -f $package frida-root.js

Objection

Common method

# instal
pip3 install objection

# start frida server on android device
adb shell 
cd /data/local/tmp
./frida-server

objection -g “com.package.android” explore
android root disable
# else
android root simulate

Manual method

  1. Convert the apk file into class files using dex2jar

  2. Analyse the class files and identify which library is being used for the root detection (for example, de.cyberkatze.iroot)

  3. Connect the app with objection : objection -g “com.package.android” explore

  4. Execute in objection : android hooking list class_methods <root detection class> 2. Change return value for the method in charge of Root Detection : android hooking set return_value <root_detect_class.method> false

  5. For de.cyberkatze.iroot, in objection :

    1. android hooking list class_methods de.cyberkatze.iroot.IRoot

    2. Change return value for the method : android hooking set return_value de.cyberkatze.iroot.IRoot.isDeviceRooted false

Tampering Smali Code

  1. Decompile the apk file using JADX-GUI or any other alternative.

  2. Identify the code which is in charge of the root detection process

    1. If the library rootbear is used and there is an 'if' condition to verify if the device is rooted or not :

      1. Decompile the apk with apktool : ``apktool d app.apk -o app-decompile```

      2. Find the SMALI code for the 'if' statement (can look like this) : if-eqz v0, :cond_0

      3. Change it by : if-nez v0, :cond_0

      4. Save the file and rebuild the application : apktool b app-decompile -o app-root-patch.apk

      5. Sign the application (see '## Decompile/Compile Source Code)

      6. Re-install the application on the android device

AndroPass

Allows to bypass root and emulator detection. Can also bypass the RootBeer detection mechanism.

# installation
git clone https://github.com/koengu/AndRoPass.git
pip install -r requirements.txt

# usage
python3 AndRoPass.py -a app.apk

Medusa Framework

# install
git clone https://github.com/Ch0pin/medusa.git
cd medusa/
pip3 install -r requirements.txt
python3 medusa.py

# in medusa
search anti_debug
use helpers/anti_debug
compile
run -f $package_name

Magisk - MagiskHide

  1. Launch it in your device : Allow SuperUser access

  2. Enable MagiskHide : Magisk App > Settings > Magisk > Magisk Hide (enable)

  3. Choose the application in which we will hide the root

Last updated

Was this helpful?