Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)

30 – 31, December 2014, Ernakulam, India

158

DETECTION AND PREVENTION METHOD OF ROOTING

ATTACK ON THE ANDROID PHONES

Litty Antony, Asst. Prof. Harlay Maria Mathew, Prof. Jayakumar.P

Department of computer science and Engineering, Sree Narayana Gurukulam college of Engineering, kerala, India

ABSTRACT

As we all know e-banking transactions are increasing day by day with our needs. Developers develop new

applications for e-banking transactions. But do not provide any perfect securities in these applications [2]. E-transaction

plays a vital role in our day to day life, everyone is emerge from the pc to smart phone devices. Smart phones like

Android based OS are experiencing some vulnerabilities when doing transactions. The problems like, getting root access

to the android phone when saving the user’s personal information with the authentication certificate provided during e-

transactions. In this thesis, analyze the structure of the smart phone, from that establishing methods as detection against it

and the preventive measures [3, 4].

Keywords: Android, Rooting Attack, Countermeasure Techniques, Exploit Attack for Smart Work Device Introduction.

1. INTRODUCTION

Recently, the emergence of smart phones, and are the essential factors for doing e-transactions. Almost of the

banks all over the world provide e-banking in smart phones as iPhone and android phones. In android phones banking

applications are available in play store and their own sites.

However, Mobile banking is viewed as a critically important strategic channel by almost financial institutions.

In order to ensure a secure experience for everyone, the protections must increase alongside the risks. Few consumers

have any form of anti-malware software on their mobile devices and, with little consideration for security, many are

willing to download apps of completely unknown provenance from app stores. From that user may experience any

leakage of the personal information’s and authentication certificate that an attacker targeting the android device. By, the

use of e-financial services have to analyze the saving structure of information and vulnerabilities forms in these

applications. Also,it is required to find out the countermeasures against these attacks.

In this thesis, the smart phone device provide a structure for the information that is saved and have to analyze

it.Also, need to analyze the vulnerabilities that could be found in smart phone devices when doing transaction and the

saved personal information in the device follows rooting attack. For a safety measure establishing the personal

information when doing a transaction must be changed, introducing new countermeasures against rooting attacks.

Chapter 2, concerning with the saving structure of personal information in smart phone device .In chapter 3, related on

how the personal information such as authentication certificates affected by the rooting attack and the vulnerabilities.

Chapter 4 specifies the rooting attack detection mechanism. Chapter 5 including the prevention mechanism against the

rooting attack. Chapter 6 concern with the prevention method. Finally in chapter 7, conclusions based on the counter

measures and the task made.

INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING &

TECHNOLOGY (IJCET)

ISSN 0976 – 6367(Print)

ISSN 0976 – 6375(Online)

Volume 5, Issue 12, December (2014), pp. 158-166

© IAEME: www.iaeme.com/IJCET.asp

Journal Impact Factor (2014): 8.5328 (Calculated by GISI)

www.jifactor.com

IJCET

© I A E M E

Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)

30 – 31, December 2014, Ernakulam, India

159

2. RELATED WORKS

2.1 Application using for E-financial Transaction

Based on the e-financial transactions, people usually download and install the android application without

another registration process. If the users are a part of the e-financial process he/she can do with the same procedure.

During the e-financial transaction, it is relevant to save the public authentication certificate and other personal

information in the smart phone for the security purposes of the procedure.

For the use of public authentication certificate saved in the android based smart phone device, it is needed to

transmit the public authentication which is saved in a PC to the smart phone. In order for doing that, need to install the

application for the e-transaction. Figure 1 shows how the public authentication certificate transmitted from PC to android

phone. Firstly, when we open the application, click on the ‘digital certificate and copy certificate’ as a request given to

the PC. The user have to enter the accreditation number, resident registration number and password.

If the numbers which is entered are correct, then the PC approve the user by generating a public authentication

certificate to the user’s smart phone device.

Figure 1: Public authentication certificate transmitted from PC to android phone

2.2. A structure of saving the public authentication certificate in the smart-phone Device After generating the public authentication certificate, required to use for each e-transactions via smart phone

where it is saved. Figure 2 shows the internal saving structure. All the information’s saved about the e-transaction

including the public authentication certificate are saved in the sdcard folder in the android device.

Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)

30 – 31, December 2014, Ernakulam, India

160

Figure 2: saving structure of public authentication certificate

The important information’s are saved in subfolders of the sdcard. The signCert file, is the public authentication

certificate using the encoding methods. Another file named signPri.key uses the encoding algorithm SEED and PKCS#8

which the information about encrypted personal keys.

The below figure shows public authentication certificate the saved in the PC and the smart phone device. While

analyzing it, possible the OS used in those device are different.

Figure 3: saving structure comparison between Pc and smart phone device

2.3 Android Rooting Vulnerability For the use of the e-financial transaction in the android OS, need to have an authentication certificate. Most of

the android device have to face a security related vulnerabilities, which makes the smart phone for the illegal access of

the malicious process named such as rooting attack. Which gives the device authority for the attacker.

During rooting, an application named Superuser and a program su are installed. We can use su to open a root-

privileged shell. Superuser exchanges information with su and can identify the application, which requested the open a

root shell. Superuser also can ask a user whether she allow or deny the request of su.

RageAgainstTheCage[4] or GingerBreak[5] are the 2 methods mainly used for the rooting attack of the smart

phone, they are made up of C based language. Firstly, what the attacker do is, he/she will create a malignant code which

is based on the Java language in the android device in the android application for the e-transaction. The attacker gives the

user with the C language which is based on the rooting source code, and cross complied it.When the user download,

install and use this application for the android device, this source code is applied to that application for getting the

rooting authority of the smart phone. While getting the root access to the attacker, users have an experience of leakage of

the personal information’s during e-transaction. The above process running in the android device is a background work

without user awareness.

Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)

30 – 31, December 2014, Ernakulam, India

161

As shown in figure 4, the method called RageAgainstTheCage is used for the rooting purpose. The android OS

which have LINUX-based shell, so in that method it executes self-reproducing process and a fork () procedure

continuously. When multiple execution is done will cause the internal memory crashed due to process termination and a

new authority is requested to the kernel, then it acquires the rooting authority[6,7,8].

The fork () procedure being executed about 400 times in the Linux shell.

Figure 4: RageAgainstTheCage-based Rooting method

Next, another rooting method called GingerBreak shown in the figure.5.It will manipulate and interrupt the

message sent to the kernel by the Linux shells, for asking the rooting privilege from the manager. It copies a falsified su

file in the system folder su /system/bin into /system/bin folder. When a process executes su, Superuser asks the user

whether to give the Privilege to the process. This method can be divided into 2,one is temporarily getting the rooting

authority using hooking method and another is permanently getting rooting authority in the android device.

Figure 5: GingerBreak-based rooting method

3. EXPLOIT ATTACK FOR THE PUBLIC AUTHENTICATION CERTIFICATE FOR E-FINANCIAL

TRANSACTION

3.1 Android-based E-financial service attack

The malignant application[6,7,8,9] is executed served by the attacker gets the root access, and by that the

financial information which is in the android device can be used by the attacker. Figure 6, how an attacker gets the root

access while executing it. After getting the authentication certificate he/she can do whatever wants.

Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)

30 – 31, December 2014, Ernakulam, India

162

When the user download and install and run the malignant application created by the attacker, which gets the

rooting authority after some procedures. After that the rooting attack is initiated, and the information’s regarding

financial transactions saved in the phone are compressed. Then this file is send to the attacker’s server.

Figure 6: Exposure attack for the public authentication certificate based on the rooting attack

3.2 Exposure Attack for the Public Authentication Certificate

3.2.1. Execution of the rooting attack for the android based device

The rooting attack for the android-based device is a kind of preliminary attack to acquire financial information

as shown in Fig. 7. The rooting attack makes it possible to acquire the manager's authority and get access to every system

file. The financial information is compressed by using the tar command in the rooting state, as there is a folder with a

Korean title in thefolde r of the public authentication certificate. The rooting attack can be classified into the temporary

rooting attack and the permanent rooting attack. Through the temporary rooting attack, it is possible to avoid the

detection of the vaccine application.

Figure 7: Requesting root access to the user

3.2.1 Acquisition of the public authentication certificate following the rooting attack

Figure 8. showing how an attacker access the credentials while getting the root access. Firstly, the credentials of

e-transactions are saved in sdcard folder. Subfolder named NPKI which is having the all the personal informations. The

attacker first compress the files creates as xxx.tar file, finally it will send to the attackers specific location (in figure 8

‘package4’ is the folder created by the malicious app).

Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)

30 – 31, December 2014, Ernakulam, India

163

Figure 8: acquisition of the public authentication certificate within the device

3.2.3. Exposure of the public authentication certificate in the device

In figure 9. tells the details about exposure of the public authentication certificate in android device. After

compression and creation of the files, they are send to a specific folder in a specific location. From there the xxx.tar file

(i.e, compressed file) is send to the attacker’s server. For getting rid from trace of this, attacker delete the file.

Therefore, in order to positively respond to such vulnerability, it is necessary to prevent the android-based

device subject to the rooting attack from executing a fmancial application. It is necessary to allow the device which is not

subject to the rooting attack to execute a fmancial application. For such a purpose, it is necessary to provide the

necessary detecting and responding techniques for the rooting attack. Throughout this study, the following four methods

were specifically suggested, compared and analyzed.

Figure 9: Exposure of Financial Information

4. ROOTING ATTACK DETECTION MECHANISM

4.1 IPC Monitoring-based Rooting Detecting Technique

IPC (Inter Process Communication) is a communicating method among different processes. In case of the

rooting attack module, the hooking process is executed while acquiring the rooting authority. Also, by using the Pipe

method, the hooking process is executed for messages. The OpenBinder-based android IPC provides communication

Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)

30 – 31, December 2014, Ernakulam, India

164

services among different applications at the JAVA code level. Therefore, as shown inFig. 10, the IPC message-based

rooting attack detecting technique detects the rooting attack by analyzing the number of occurrence for the Pipe messages

executed in the application.

As a result, in case of the GingerBreak method, it is possible to distinguish the process, which is suspicious of

being the rooting attack, by analyzing the number of occurrence for the IPC Pipe messages related with the attempt to

carry out the rooting attack.

Figure 10: IPC monitoring based responding technique

However, since the general process also generates the Pipe messages, it is likely to be impossible to provide an

accurate detecting process.

4.2 Signature based rooting detection technique

When users generally download android apk files from internet. But they are not concerned about the digital

signatures given to them.so the verification of the signature of the downloaded e-financial app, this method is useful.

Figure 11 shows by using the technique, downloaded application let for decompilation and find out whether it contains

and any cross compiled file. If it is carrying, then the ELF characteristic of the file is extracted. From the ELF character

string, it will determine whether it is contains any signature or not and detects the rooting module.

Figure 10: Cross-Compile-Based Responding Technique

4.3 Activity based rooting attack detecting technique This method what does is shown in figure 12, it regularly monitors the data’s send from our phone to other

phones or attackers database. When the attacker sends the packets from the phone, the CPU consuming rate of android

device is very high. This technique can be used in 2 rooting methods. In RageAgainstTheCage rooting method, when

Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)

30 – 31, December 2014, Ernakulam, India

165

fork () executed with infinite number of times and therefore increase the number of process in the device. In activity

based method, it detect by excessive use of memory. In GingerBreak method, it executes message hooking method in the

program. By the use of activity based method, it can easily detect the problem.

Figure 12: Activity based rooting attack detection

5. ANDROID BASED STEGANOGRAPHY APPLICATION

Cryptography and steganography are two techniques used to ensure information confidentiality, integrity and

authenticity. Cryptography uses encryption to scramble the secret information in such a way that only the sender and the

intended receiver are able to reveal it. Steganography hides the secret information in different carriers in such a way that

it becomes difficult to detect. It is to transmit secret files through Internet and Mobile Networks using a smart phone that

run Android operating system.

The method says that, select BMP Bitmap format for the cover images because it is a lossless format and allows

embedding large quantity of information. The image view tool does not access directly the original image file. It makes a

copy of the original image file and transforms it in an (.png) image type no matter the type of the original image. This

technique reduces very much the dimension of the cover image and this is not proper for LSB because it reduces the

quantity of secret information which is to be hidden. It is able to manipulate carrier images of MB dimensions usually

transferred through Internet and Mobile Networks.

To process the method, follow these steps:

• In the e-financial application, by integrating the steganography application for the hidden purposes.

• After all the verification, personal information have to send from PC to our device and follow some verifications,

also it contain this technique asking the name of the image file to hide and a secret key.

� So Cover image, secret file, and the secret key are loaded into application.

• It verifies the dimension of the two files (cover image and secret file) to see if they are suitable.

• The secret file, its dimension and its execution are encrypted by means of a stream cipher algorithm using the secret

key. The encrypted bits are stored in a temporary array.

• LSB algorithm starts to embed secret bits inside the cover image file using the pseudo random function completed

with modulo 3 operations. The purpose of this random algorithm is to spread the secret message over the cover in a

rather random manner.

• The cover image with the secret file embedded is saved in a specified phone location.

Figure 13: Cover image: original and with secret message embedded

Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)

30 – 31, December 2014, Ernakulam, India

166

If a person is doing an e-transaction have some verifications like to reveal the public authentication certificate.

So when we click to the image which is hiding the folder needs a secret key verification. If it is success, then it can be

used for the financial purposes. Here the folder extracted from the image is not saved only can view.

5. CONCLUSION

The study about the technique rooting attack detection and prevention technique is used to find out the

possibility of the attacker get inside to the device.

The e-financial service used by the user in android phone can be compromised with the financial information’s

saved in the android phone. From the financial app itself the malicious code can be injected by the attacker and get the

root access while executing it.

By using the detection method somehow can find out the attack by the attacker, and prevention method like

steganography we can save the file.

REFERENCES

[1] Android.com. (2009b, December 16). What is android? Retrieved December 21, 2009, from

http://developer.android.comlguide/basics/what-is-android.html.

[2] Wikipedia, Rooting (Android OS), November 20, 2011, from

http://en.wikipedia.orgiwiki/Rooting_(Android_OS).

[3] Thesnkchrmr, RageAgainstTheCage, March 24, 2011, from http://thesnkchrmr. wordpress.com/20

11/03124/rageagainstthecagel.

[4] Egzthunderl, Root your Gingerbread Device with Gingerbreak, April 21, 20 II, from

http://www.xda·developers.com/android/root·your·gingerbread·device·with·gingerbreak!.

[5] Jill Duffy, A Concise Guide to Android Rooting, September 23, 2011, from

http://www.pcmag.comlarticle2/0.2817.2393273.00.asp.

[6] Haroon Q. Raja, How to Root Your Android Phone 1 Device, January 8,2011, from

http://www.addictivetips.comlmobile/how-to-root-yourandroid- phone-devicel.

[7] John A., What is Rooting on Android? The Advantages and Disadvantages, February IS, 2011, from

http://droidlessons.comlwhatis-rooting-on-android-the-advantages-and-disadvantages.

[8] Eric Geier, How and Why to Root your Android: 15 Worthwhile Apps, August 25, 2011, from

http://www.tomsguide.com/us/Root-YourAndroid-Phone,review-1688.html.

[9] Derek Scott, Rooting for Dummies: A Beginner's Guide to Rooting your Android Device, March 22, 2011, from

http://www.androidauthority.com/rooting-for-dummies-a.

[10] http://univagora.ro/jour/index.php/ijccc/article/viewFile/642/pdf_64.

[11] Anirudha A. Kolpyakwar, Sonal Honale, Piyush M. Dhande and Pallavi A. Chaudhari, “A Review on Cloud-

Based Intrusion Detection System for Android Smartphones”, International Journal of Advanced Research in

Engineering & Technology (IJARET), Volume 4, Issue 6, 2013, pp. 238 - 245, ISSN Print: 0976-6480,

ISSN Online: 0976-6499.

[12] Kirandeep and Anu Garg, “Implementing Security on Android Application”, International Journal of Computer

Engineering & Technology (IJCET), Volume 4, Issue 2, 2013, pp. 576 - 589, ISSN Print: 0976 – 6367,

ISSN Online: 0976 – 6375.