CAPEC-660 Detail

An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to "hook" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more.

Execution Flow

[Identify application with attack potential] The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).

• Search application stores for mobile applications worth exploiting

[Develop code to be hooked into chosen target application] The adversary develops code or leverages existing code that will be hooked into the target application in order to evade Root/Jailbreak detection methods.

• Develop code or leverage existing code to bypass Root/Jailbreak detection methods.
• Test the code to see if it works.
• Iteratively develop the code until Root/Jailbreak detection methods are evaded.

[Execute code hooking to evade Root/Jailbreak detection methods] Once hooking code has been developed or obtained, execute the code against the target application to evade Root/Jailbreak detection methods.

• Hook code into the target application.

Prerequisites

The targeted application must be non-restricted to allow code hooking.

Skills Required

Knowledge about Root/Jailbreak detection and evasion techniques.
Knowledge about code hooking.

Resources Required

The adversary must have a Rooted/Jailbroken mobile device.
The adversary needs to have enough access to the target application to control the included code or file.

Mitigations

Ensure mobile applications are signed appropriately to avoid code inclusion via hooking.
Inspect the application's memory for suspicious artifacts, such as shared objects/JARs or dylibs, after other Root/Jailbreak detection methods.
Inspect the application's stack trace for suspicious method calls.
Allow legitimate native methods, and check for non-allowed native methods during Root/Jailbreak detection methods.
For iOS applications, ensure application methods do not originate from outside of Apple's SDK.

Related Weaknesses

References

REF-624

False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps
Ansgar Kellner, Micha Horlboge, Konrad Rieck, Christian Wressnegger.
https://cybersecurity.att.com/blogs/security-essentials/mobile-phishing

REF-625

Android Rooting: Methods, Detection, and Evasion
San-Tsai Sun, Andrea Cuadros, Konstantin Beznosov.
http://lersse-dl.ece.ubc.ca/record/310/files/p3.pdf?subformat=pdfa

REF-626

Who owns your runtime?
Jose Lopes.
https://labs.nettitude.com/blog/ios-and-android-runtime-and-anti-debugging-protections/#hooking

REF-627

Android Root Detection Bypass by Reverse Engineering APK
Suresh Khutale.
https://resources.infosecinstitute.com/topic/android-root-detection-bypass-reverse-engineering-apk/

Submission