My 7 favourite methods for bypassing Android root detection
Hola H3ck3rs,
You already know that when we are doing an Android pentest or bug bounty, root detection is a nuisance for all of us.
I am not going to explain a new methodology or a discovery of my own; instead I am listing a few of the existing traditional and modern methods.
Prerequisites:
Familiarity with basic Android pentesting and tools such as adb, Frida, Objection, the Magisk app, decompiling/recompiling an APK, APK signing and dex-to-jar conversion.
What we are gonna cover today:
- MagiskHide in the Magisk app (Magisk v23.x and earlier)
- Zygisk DenyList in the Magisk app (Magisk v24 and later)
- Tampering with the smali code
- Objection's built-in root-bypass command
- A bit more manual work with Objection
- Using Frida scripts
- The Medusa framework
!!! I haven't covered basic things like setting up the Frida server or decompiling/recompiling the application; I assume you are already familiar with them !!!
1. MagiskHide in the Magisk app (Magisk v23.x and earlier)
If your device is rooted with Magisk, try MagiskHide in the Magisk app. Note that this feature exists only up to Magisk v23.x; it was removed in v24, where the Zygisk DenyList (next section) replaces it.
Step 1: Enable MagiskHide in the app settings.
Step 2: Choose the application from which root must be hidden.
2. Zygisk DenyList (Magisk v24 and later)
Magisk v24 and later replace MagiskHide with Zygisk and the DenyList. With Zygisk enabled, Magisk reverts all of its modifications (mounts and injected code) inside every process on the DenyList, which is enough to bypass the root detection of most applications.
Step 1: Enable Zygisk and "Enforce DenyList" in the app settings, then reboot the device.
Step 2: Open "Configure DenyList" and tick the application (including all of its processes) from which root must be hidden.
Also use "Hide the Magisk app" in the settings: many checks simply look for the com.topjohnwu.magisk package, which the DenyList alone does not hide.
3. Tampering with the smali code
Sometimes we can work some magic on the application's smali code, which we get by decompiling the APK with Apktool.
Step 1: Decompile the APK with JADX-GUI (or any alternative) to read the Java-like code.
Step 2: Identify the code that is in charge of the root detection process.
Step 3: In this case the application uses the RootBeer library for root detection, and an "if" condition on its result is the decision point that decides whether the device is treated as rooted or not.
Step 4: Now decompile the APK with Apktool and find the smali code for that "if" statement.
Step 5: Modify the condition so that the "rooted" branch is never taken, for example by flipping the conditional branch instruction (if-eqz becomes if-nez) or by making the check method return false unconditionally.
Step 6: Save the file, rebuild the APK with Apktool, and do not forget to sign the rebuilt APK before installing it.
This changes the application logic and bypasses the root detection. Keep in mind that the repackaged APK no longer carries the original signature, so this method does not work on applications that also verify their own signing certificate.
4. Objection's built-in root-bypass command
I hope you are familiar with Objection; if not, install it with pip:
pip3 install objection
Step 1: Start the Frida server on the Android device / virtual device.
Step 2: Launch the application with the following Objection command:
objection -g com.test.app explore
Step 3: Once the application is running on the device, execute the built-in root-bypass command, android root disable, in the Objection console.
This command patches the return values of the class methods used by common root-detection checks so that they report a non-rooted device.
Step 4: If the root-detection prompt is still displayed, press the back button to leave the application (do not kill it from the recent-apps list) and open it again.
The root-detection prompt will disappear :)
5. A bit more manual work with Objection
This method is a little trickier.
These are my steps.
Step 1: Convert the APK's classes.dex into a jar with dex2jar.
Step 2: Analyse the resulting class files and identify which library is used for the root detection.
Step 3: Attach Objection to the app (objection -g pkg_name/processID explore).
Step 4: List the methods of the root-detection class:
android hooking list class_methods <root detection class>
Step 5: Now we can identify the boolean method in charge of the root detection; in this library it is isDeviceRooted() (the name differs in other libraries).
Step 6: Force its return value from true to false with the following command (this command only works on methods that return a boolean):
android hooking set return_value <root_detect_class.method> false
Step 7: That's it. We have changed the boolean returned by the root-detection method, which changes the application's root-detection logic and bypasses it.
6. Using Frida scripts
Here comes the most widely used root-detection bypass method.
Step 1: Make sure the Frida server is running on your device and, for a physical device, that the USB cable is properly connected.
Step 2: Also make sure that your PC and the device have established a proper Frida connection.
Step 3: You can verify the connection with frida-ps -U, which lists the processes running on the USB-connected device.
Step 4: Now find a good, popular Frida script on Codeshare or any other git repository.
My favourite is:
i) https://codeshare.frida.re/@dzonerzy/fridantiroot/
Step 5: Spawn the application with Frida and load the script, for example frida -U -f com.test.app -l fridantiroot.js, or frida -U --codeshare dzonerzy/fridantiroot -f com.test.app to load it straight from Codeshare.
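As an added example for sections 4 to 6 (this is not code from the original post and not the fridantiroot script), here is a small custom Frida script that does by hand what Objection's root-bypass command and android hooking set return_value do: it forces RootBeer's aggregate verdict to false and also neuters the individual checks (su binaries on disk, Runtime.exec of su, installed root-manager packages, Build.TAGS) for apps that roll their own detection. The RootBeer class name, the Magisk/SuperSU package names and the su paths are real; the app package com.test.app and the file name bypass-root.js are assumptions. The decision helpers are written without Frida APIs so they can be run and tested in plain Node.

```javascript
// Added example (not from the original post): a custom Frida root-detection
// bypass. Assumes a RootBeer-style check; com.test.app and the file name are
// made up. Run on a device with frida-server:
//   frida -U -f com.test.app -l bypass-root.js

// Paths and packages commonly probed by root-detection libraries
// (a hand-picked subset of RootBeer's lists).
const ROOT_INDICATOR_PATHS = [
  "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
  "/system/app/Superuser.apk", "/data/adb/magisk", "/sbin/.magisk",
];
const ROOT_INDICATOR_PACKAGES = [
  "com.topjohnwu.magisk", "eu.chainfire.supersu", "com.noshufou.android.su",
];

// Decision helpers kept free of Frida APIs so they can be unit-tested in Node.
function isRootIndicatorPath(path) {
  if (typeof path !== "string") return false;
  const base = path.split("/").pop();
  return ROOT_INDICATOR_PATHS.includes(path) || base === "su" ||
    base === "busybox" || path.includes("magisk");
}

// Catches Runtime.exec("su"), exec("/system/xbin/su -c id"), exec(["which", "su"]).
function isRootProbeCommand(argv) {
  const parts = Array.isArray(argv) ? argv : String(argv).trim().split(/\s+/);
  if (parts.length === 0 || parts[0] === "") return false;
  const prog = String(parts[0]).split("/").pop();
  if (prog === "su") return true;
  return prog === "which" && parts.slice(1).some((a) => a === "su" || a === "busybox");
}

function isRootIndicatorPackage(name) {
  return ROOT_INDICATOR_PACKAGES.includes(String(name));
}

// Build.TAGS == "test-keys" is the classic "custom ROM" heuristic.
function spoofBuildTags(tags) {
  return tags === "test-keys" ? "release-keys" : tags;
}

// Frida-side hooks: only installed when the script runs inside a Frida Java VM.
if (typeof Java !== "undefined" && Java.available) {
  Java.perform(function () {
    // 1. Library entry point: the aggregate verdict. Same effect as
    //    "android hooking set return_value com.scottyab.rootbeer.RootBeer.isRooted false".
    try {
      const RootBeer = Java.use("com.scottyab.rootbeer.RootBeer");
      RootBeer.isRooted.implementation = function () {
        console.log("[bypass] RootBeer.isRooted() -> false");
        return false;
      };
    } catch (e) {
      console.log("[bypass] RootBeer not loaded in this app, skipping");
    }

    // 2. Individual checks, for apps that implement their own detection.
    const File = Java.use("java.io.File");
    File.exists.implementation = function () {
      const p = this.getAbsolutePath();
      if (isRootIndicatorPath(p)) { console.log("[bypass] hiding " + p); return false; }
      return this.exists();
    };

    const Runtime = Java.use("java.lang.Runtime");
    const IOException = Java.use("java.io.IOException");
    Runtime.exec.overload("java.lang.String").implementation = function (cmd) {
      if (isRootProbeCommand(cmd)) throw IOException.$new("Cannot run program: not found");
      return this.exec(cmd);
    };
    Runtime.exec.overload("[Ljava.lang.String;").implementation = function (argv) {
      const parts = [];
      for (let i = 0; i < argv.length; i++) parts.push(String(argv[i]));
      if (isRootProbeCommand(parts)) throw IOException.$new("Cannot run program: not found");
      return this.exec(argv);
    };

    const PM = Java.use("android.app.ApplicationPackageManager");
    const NotFound = Java.use("android.content.pm.PackageManager$NameNotFoundException");
    PM.getPackageInfo.overload("java.lang.String", "int").implementation = function (name, flags) {
      if (isRootIndicatorPackage(name)) throw NotFound.$new(name);
      return this.getPackageInfo(name, flags);
    };

    const Build = Java.use("android.os.Build");
    Build.TAGS.value = spoofBuildTags(Build.TAGS.value);
  });
}
```

All of these hooks live in the Java layer, exactly like Objection's. If the app performs its checks from native code (a JNI library calling access() or fopen() on the su paths), you need Interceptor hooks on those libc functions instead; none of the Java-level methods in sections 4 to 6 will see those calls.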
7. The Medusa framework
Similar to Objection, MEDUSA is a flexible framework that automates the procedures and methods used in the dynamic analysis of Android applications.
Git repo:
https://github.com/Ch0pin/medusa
Step 1: Launch medusa.
Step 2: Use the helpers/anti_debug module to bypass the root detection.
Step 3: Load the module and run the target application under medusa from its console; medusa generates and injects the Frida script for you.
That's it, peeps. In my experience one of these methods will get you past root detection in the large majority of applications.
See you in the next write-up.
References:
Ch0pin/medusa: Binary instrumentation framework based on FRIDA, https://github.com/Ch0pin/medusa