Sergey Nivens - Fotolia

How does auto-rooting malware LevelDropper gain device root access?

Auto-rooting app LevelDropper has the ability to silently root devices and gain system level privileges. Expert Michael Cobb explains how to detect and stop it.

Security researchers discovered a malicious app in the Google Play store called LevelDropper. According to the researchers, LevelDropper spreads what's called "auto-rooting" malware. How does LevelDropper work, and what can enterprises do to detect and mitigate auto-rooting malware like this?

Like many malicious apps, LevelDropper appears on the surface to be a regular app -- in this case, a digital spirit level with a simulated air bubble. However, once installed, it triggers a crash that the app uses to gain root access to the device on which it is running. The researchers at Lookout who discovered LevelDropper's malicious activities categorize LevelDropper as auto-rooting malware, as it silently roots a device in order to gain system level privileges. This allows it to perform actions off-limits to most apps and to effectively take control of the infected device, bypassing many of Android's built-in security protections.

LevelDropper abuses the root privileges it obtains to download and install further applications to the victim's device -- 14 new applications were installed within 30 minutes after LevelDropper was launched for the first time, according to Lookout. These additional apps are installed without any kind of user interaction, as LevelDropper has access to the Android package manager that removes the need to prompt users to approve installation of additional applications.

The exploits used by LevelDropper to gain root access were not new; the binary files contained in the package included two privilege escalation exploits, both of which appear to use publicly available proof-of-concept code to gain root access.

Despite this, it managed to slip past Google's security system Bouncer, which scans apps before they are made available via the Google Play store. Its creators also managed to eliminate the usual telltale signs typical of root malware. There was no evidence of a super user binary or rewritten "install-system-recovery" script, which is used to ensure that root access survives upgrades. The only evidence that Lookout found was the fact that the system partition was writable -- it is usually mounted in read-only mode to prevent modifications. The malicious app also included additional Android application packages that make use of the root privileges to display obtrusive ads that are difficult to stop.

The threat from auto-rooting malware is likely to continue until Android's operating system acquires new protections that make it even harder to root devices. At the moment, LevelDropper and similar auto-rooting malware like ShiftyBug, Shuanet and Shedun are only being used to install other apps to increase popularity ratings and ad revenue, but a fully weaponized version could easily appear at any time.

If a device is infected with auto-rooting malware, it will require a factory reset to remove it, so it's essential for enterprises to deploy a security app capable of warning users of potentially malicious apps on their devices, and to even use some form of app risk security service that works with their mobile device management system to automate defenses and responses.

As it's not possible for a regular application to download and install additional apps without the user's permission unless it has root access to the package manager, users should be warned that if new and unexpected applications appear on their devices without their permission, it's very likely that their device has been compromised in some way. The device should be turned off and returned to the IT department for further investigation.

Next Steps

Find out how a malicious app managed to bypass Google Play store security

Learn how to detect jailbroken devices in your enterprise

Read about the risks that come with sideloading Android apps

This was last published in October 2016

Dig Deeper on Malware, virus, Trojan and spyware protection and removal