CAPEC-660 Detail

Root/Jailbreak Detection Evasion via Hooking

Detailed, Software
Likelihood: Medium
Typical Severity: Very High

Parents: 251

Description

An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to "hook" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more.

External ID | Source | Link | Description
CAPEC-660 | capec | https://capec.mitre.org/data/definitions/660.html |
CWE-829 | cwe | http://cwe.mitre.org/data/definitions/829.html |
T1055 | ATTACK | https://attack.mitre.org/wiki/Technique/T1055 | Process Injection
REF-624 | reference_from_CAPEC | https://cybersecurity.att.com/blogs/security-essentials/mobile-phishing | Ansgar Kellner, Micha Horlboge, Konrad Rieck, Christian Wressnegger, False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps, 2019-06-17, Technische Universität Braunschweig
REF-625 | reference_from_CAPEC | http://lersse-dl.ece.ubc.ca/record/310/files/p3.pdf?subformat=pdfa | San-Tsai Sun, Andrea Cuadros, Konstantin Beznosov, Android Rooting: Methods, Detection, and Evasion, 2019-06-17, Technische Universität Braunschweig
REF-626 | reference_from_CAPEC | https://labs.nettitude.com/blog/ios-and-android-runtime-and-anti-debugging-protections/#hooking | Jose Lopes, Who owns your runtime?, 2015-10-12, Nettitude Labs
REF-627 | reference_from_CAPEC | https://resources.infosecinstitute.com/topic/android-root-detection-bypass-reverse-engineering-apk/ | Suresh Khutale, Android Root Detection Bypass by Reverse Engineering APK, 2018-03-06, InfoSec Institute

Execution Flow

Explore
  1. Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).
     Techniques:
       Search application stores for mobile applications worth exploiting.

Experiment
  1. Develop code to be hooked into chosen target application: The adversary develops code or leverages existing code that will be hooked into the target application in order to evade Root/Jailbreak detection methods.
     Techniques:
       Develop code or leverage existing code to bypass Root/Jailbreak detection methods.
       Test the code to see if it works.
       Iteratively develop the code until Root/Jailbreak detection methods are evaded.

Exploit
  1. Execute code hooking to evade Root/Jailbreak detection methods: Once hooking code has been developed or obtained, execute the code against the target application to evade Root/Jailbreak detection methods.
     Techniques:
       Hook code into the target application.

Prerequisites
  1. The targeted application must be non-restricted to allow code hooking.

Resources Required
  1. The adversary must have a Rooted/Jailbroken mobile device.
  2. The adversary needs to have enough access to the target application to control the included code or file.

Skills Required
  High: Knowledge about Root/Jailbreak detection and evasion techniques.
  Medium: Knowledge about code hooking.

Consequences
  Scopes: Integrity, Authorization, Access Control, Confidentiality
  Impacts:
    Execute Unauthorized Commands (Through Root/Jailbreak Detection Evasion via Hooking, the adversary compromises the integrity of the application.)
    Gain Privileges
    Read Data (An adversary may leverage Root/Jailbreak Detection Evasion via Hooking in order to obtain sensitive information.)

Example Instances
  1. An adversary targets a non-restricted iOS banking application in an attempt to compromise sensitive user data. The adversary creates Objective-C runtime code that always returns "false" when checking for the existence of the Cydia application. The malicious code is then dynamically loaded into the application via the DYLD_INSERT_LIBRARIES environment variable. When the banking application checks for Cydia, the hooked code returns "false", so the application assumes the device is stock (i.e. not Jailbroken) and allows it to access the application. However, the adversary has just evaded Jailbreak detection and is now able to glean user credentials and/or transaction details.
  2. An adversary targets a mobile voting application on an Android device with the goal of committing voter fraud. Leveraging the Xposed framework, the adversary is able to create and hook Java code into the application that bypasses Root detection methods. When the voting application attempts to detect a Rooted device by checking for commonly known installed packages associated with Rooting, the hooked code removes the suspicious packages before returning to the application. As a result, the application believes the device is stock (i.e. not Rooted) when in actuality this is not the case. Having evaded Root detection, the adversary is now able to cast votes for the candidate of their choosing as a variety of different users.
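
A defensive counterpart to the two examples above, added here and not part of the CAPEC entry: an application-side check for the loader variable named in the first example and for hooking-framework files mapped into the process, as in the second. The marker names, `SAMPLE_MAPS` and the function names are assumptions for illustration; the maps parsing applies to Android/Linux and the environment check to Apple platforms.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Illustrative markers (assumption): names tied to the tooling in the examples. */
static const char *HOOK_MARKERS[] = { "xposed", "substrate" };
#define N_MARKERS (sizeof HOOK_MARKERS / sizeof HOOK_MARKERS[0])
/* Constructed sample in /proc/self/maps layout, not captured from a device. */
static const char SAMPLE_MAPS[] =
    "7f1000-7f2000 r-xp 00000000 fd:01 1234   /system/lib64/libc.so\n"
    "7f3000-7f4000 rw-p 00000000 00:00 0\n"
    "7f5000-7f6000 r--p 00000000 fd:01 5678   /system/framework/XposedBridge.jar\n"
    "7f7000-7f8000 r-xp 00000000 fd:01 9012   /data/app/com.example.bank/libapp.so\n";

static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return 1;
    return 0;
}
/* 1 if the environment asks the loader to inject a library (non-empty value). */
int env_requests_injection(char *const envp[]) {
    static const char key[] = "DYLD_INSERT_LIBRARIES=";
    for (; envp && *envp; envp++)
        if (strncmp(*envp, key, sizeof key - 1) == 0 && (*envp)[sizeof key - 1])
            return 1;
    return 0;
}
/* Counts mappings whose backing file path contains one of the markers. */
int count_hook_mappings(const char *maps) {
    int hits = 0;
    char line[512];
    while (*maps) {
        size_t len = strcspn(maps, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, maps, n); line[n] = '\0';
        maps += len + (maps[len] == '\n');
        /* Address, perms, offset, dev and inode never contain '/', so the
           first '/' starts the path; anonymous mappings have none. */
        const char *path = strchr(line, '/');
        for (size_t i = 0; path && i < N_MARKERS; i++)
            if (contains_ci(path, HOOK_MARKERS[i])) { hits++; break; }
    }
    return hits;
}

int main(void) {
    char *env[] = { "DYLD_INSERT_LIBRARIES=/tmp/constructed.dylib", NULL };
    printf("env=%d maps=%d\n", env_requests_injection(env), count_hook_mappings(SAMPLE_MAPS));
    return 0;
}
```

Because these checks run inside the process being hooked, they can be hooked as well; treat a clean result as one signal rather than proof of an unmodified runtime.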