ROOTECTOR: Robust Android Rooting Detection Framework Using Machine Learning Algorithms

Recently, the newly launched Google protect service alerts Android users from installing rooting tools. However, Android users lean toward rooting their Android devices to gain unlimited privileges, which allows them to customize their devices and allows Android Apps to bypass all Android security logging and security system. Rooting is one of the most malicious tactics that is used by Android malware that offers malware with the ability to open backdoor, server ports, access the Android kernel commands, and silently install malicious App and make them irremovable and undetectable. The existing Android malware detection frameworks propose embedded root-exploit code detection within the Android App. However, most frameworks overlook the rooted device detection part. In addition, many evasion techniques are developed to cloak the rooted devices. The above facts pose the challenging tasks of rooting detection and the current studies highlighted a deficiency in root detection research. Hence, this study proposes “Rootector” Android Rooting Detection Framework that uses machine learning classification techniques to detect Android rooted devices. The study proposes a model using machine learning algorithms that previously proves detection performance excellence in different fields of study. The research creates a rooting dataset with more than 13,000 mobile scans, which incorporates physical Android devices as well as simulators. Using the dataset, the study evaluates the performance of the ten machine learning classifiers to identify the best classification model. The study incorporates hyper-parameter optimization techniques to define the optimal machine learning parameters. The study adopts the LASSO (least absolute shrinkage and selection operator) regression algorithm to identify the best minimum number of classification features, which forms a compact dataset. Using LASSO regression, the study proposes a compact model for Android rooting detection. The experimental evaluation results show a very promising performance of Rootector framework with about 98.16% overall accuracy using the full dataset and slightly degraded to 97.13% using the compact dataset.