
How does auto-rooting malware LevelDropper gain device root access?

Auto-rooting app LevelDropper can silently root devices and gain system-level privileges. Expert Michael Cobb explains how to detect and stop it.

Security researchers discovered a malicious app in the Google Play store called LevelDropper. According to the researchers, LevelDropper spreads what's called "auto-rooting" malware. How does LevelDropper work, and what can enterprises do to detect and mitigate auto-rooting malware like this?

Like many malicious apps, LevelDropper appears on the surface to be a regular app -- in this case, a digital spirit level with a simulated air bubble. However, once installed, it triggers a crash that the app uses to gain root access to the device on which it is running. The researchers at Lookout who discovered LevelDropper's malicious activities categorize it as auto-rooting malware, because it silently roots a device in order to gain system-level privileges. This allows it to perform actions that are off-limits to most apps and to effectively take control of the infected device, bypassing many of Android's built-in security protections.

LevelDropper abuses the root privileges it obtains to download and install further applications on the victim's device -- 14 new applications were installed within 30 minutes of LevelDropper being launched for the first time, according to Lookout. These additional apps are installed without any kind of user interaction, because LevelDropper's access to the Android package manager removes the need to prompt users to approve the installation of additional applications.

The exploits used by LevelDropper to gain root access were not new; the binary files contained in the package included two privilege escalation exploits, both of which appear to use publicly available proof-of-concept code to gain root access.

Despite this, it managed to slip past Google's security system, Bouncer, which scans apps before they are made available via the Google Play store. Its creators also managed to eliminate the usual telltale signs of root malware. There was no evidence of a superuser binary or of a rewritten "install-system-recovery" script, which is normally used to ensure that root access survives upgrades. The only evidence that Lookout found was that the system partition was writable -- it is usually mounted read-only to prevent modifications. The malicious app also included additional Android application packages that use the root privileges to display obtrusive ads that are difficult to stop.

The threat from auto-rooting malware is likely to continue until Android's operating system acquires new protections that make it even harder to root devices. At the moment, LevelDropper and similar auto-rooting malware like ShiftyBug, Shuanet and Shedun are only being used to install other apps to increase popularity ratings and ad revenue, but a fully weaponized version could easily appear at any time.

If a device is infected with auto-rooting malware, it will require a factory reset to remove it, so it's essential for enterprises to deploy a security app capable of warning users of potentially malicious apps on their devices, and also to use some form of app risk security service that works with their mobile device management system to automate defenses and responses.

As it's not possible for a regular application to download and install additional apps without the user's permission unless it has root access to the package manager, users should be warned that if new and unexpected applications appear on their devices without their permission, it's very likely that the device has been compromised in some way. The device should be turned off and returned to the IT department for further investigation.
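Two of the indicators the article names, a writable /system partition and packages that appear without user action, can be checked mechanically from the output of `adb shell mount` and `adb shell pm list packages`. The script below is an added example, not Lookout's or the article author's tooling; the mount lines, the baseline package list and the package names in it are constructed sample data that stand in for those adb outputs.

```shell
#!/bin/sh
# Added example: detection heuristics for auto-rooting malware indicators.
# Constructed sample of `adb shell mount` output: /system mounted rw (abnormal).
SAMPLE_MOUNT_RW='/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev 0 0'
# Same device as it should look: /system mounted ro.
SAMPLE_MOUNT_RO='/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev 0 0'

# Constructed `pm list packages` snapshots; package names are hypothetical.
BASELINE_PKGS='package:com.android.vending
package:com.android.settings
package:com.example.spiritlevel'
CURRENT_PKGS='package:com.android.vending
package:com.android.settings
package:com.example.spiritlevel
package:com.example.adpusher'

# Returns 0 (true) when the /system mount line carries the "rw" option.
# Field 2 is the mount point, field 4 the comma-separated option list.
system_is_writable() {
    printf '%s\n' "$1" | awk '
        $2 == "/system" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") found = 1
        }
        END { if (found) exit 0; else exit 1 }'
}

# Prints package names present in the current snapshot ($2) but absent
# from the baseline ($1); one name per line, "package:" prefix stripped.
new_packages() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/ { in_current = 1; next }
        !in_current { seen[$0] = 1; next }
        !($0 in seen) { sub(/^package:/, ""); print }'
}

# Stand-alone run over the constructed samples.
if system_is_writable "$SAMPLE_MOUNT_RW"; then
    echo "ALERT: /system is mounted read-write"
fi
for pkg in $(new_packages "$BASELINE_PKGS" "$CURRENT_PKGS"); do
    echo "ALERT: package not in baseline: $pkg"
done
```

On a real device, replace the sample strings with `adb shell mount` and `adb shell pm list packages` output captured at enrollment (baseline) and at check time.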

Next Steps

Find out how a malicious app managed to bypass Google Play store security

Learn how to detect jailbroken devices in your enterprise

Read about the risks that come with sideloading Android apps

This was last published in October 2016
