A Word About Superuser and Security

It has recently come to my attention that there are people out there who believe that Superuser in the wrong hands can be a dangerous thing. A quote from @DroidSecurity on Twitter (edit: @AVGFree agreed with this tweet shortly after DroidSecurity posted it):

@TeamAndIRC @ChainsDD @AVGFree: SuperUser is not considered bad, but rather can be dangerous in a non-techie's hands. The Antivirus team

Now I may be arguing semantics here, but I have to disagree with this. The discussion came up because I asked AVG to reconsider their app flagging Superuser as a risk. While I can’t argue that a rooted phone can be a risk, Superuser itself is not. In fact, once a phone is rooted, Superuser is one of the few things that provides any sort of protection. Without it, any app would be able to use root at will and unchecked. Superuser gives the user a notification when an app is using the root user, and gives them a way to look back at what has used it and when. Similar to UAC on Windows computers, it forces the user to consider what they are doing before they alter their system.

Regarding AVG, there are two situations in which their app would detect Superuser being installed. The first is that the user has rooted his phone. In this situation, Superuser.apk is installed in /system/app, and there isn’t really anything that AVG can do about it. In order to remove the “risk,” it would have to remount the system partition read-write (and it would have to use Superuser to achieve that) and manually remove the apk. Instead it displays the system’s uninstall window, which naturally fails to uninstall a system app, and goes back to scanning, once again finding the “infected” Superuser and thus starting the process all over again. Infinite loop?

The second situation is that the user does not have a rooted phone and they download Superuser from the market. In this case, Superuser is completely useless to them, as Superuser has no way of allowing other apps to use the root user without the su binary already being installed in a directory in the PATH, and since none of these directories are writable at runtime, there is no way to do that. Superuser does not use any of the exploits that are widely available (Gingerbreak, Rageagainstthecage). Superuser will not root your phone by itself; it needs outside methods for it to do anything at all. This becomes a false positive for AVG, as Superuser cannot do any harm to the user or his phone.

This brings into question the method that AVG uses to find “infected” apps. This post did not start out as a post slamming AVG, but I got really frustrated when, while researching for this post (installing AVG and trying it out), I found that AVG also flags Superuser Elite as “infected.” This made me realize AVG may be using some kind of sophisticated scanning, but more likely they are simply using a list of package names that they have deemed to be “infected.” I had planned to baksmali their app and dig around to see just how their “scanner” worked, but it seemed much easier to do it this way:

  1. Fire up Eclipse and make a new Android app with the package name “com.noshufou.android.su.helloworld”.
  2. Do not change anything in the app.
  3. Install the app on my phone that is running AVG.

Result? Popup window on the phone telling me that this “Hello, World!” app is infected. It seems as though Google has some serious problems if a basic “Hello, World!” is a virus. More likely, AVG is looking at nothing more than the package name and determining that the app is a threat simply because it has “com.noshufou.android.su” in the package name. I would have attempted making an app that has one of the exploits in it, but with a different package name, to see if it gets caught, but that’s not something I have time for. I do encourage my readers to try this though. It would be interesting to see if AVG, or any of the Android “antivirus” apps, can detect a true threat.
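To make the failure mode concrete, here is an added example (not code from this post, from AVG, or from the Superuser project) that contrasts a package-name substring blacklist with a rule keyed on the APK signing certificate. Every package name other than the post's own two, and every fingerprint, is a constructed placeholder.

```python
import hashlib

# Constructed signing-key fingerprints: SHA-256 of a placeholder string,
# NOT real certificate hashes of any app.
SU_KEY = hashlib.sha256(b"placeholder: Superuser release key").hexdigest()
DEBUG_KEY = hashlib.sha256(b"placeholder: Eclipse debug key").hexdigest()
OTHER_KEY = hashlib.sha256(b"placeholder: unrelated developer key").hexdigest()

# Constructed set of installed apps: label -> (package name, signer fingerprint).
INSTALLED = {
    "superuser":   ("com.noshufou.android.su", SU_KEY),
    # The post's empty "Hello, World!" app, built with the IDE's debug key.
    "hello_world": ("com.noshufou.android.su.helloworld", DEBUG_KEY),
    # The same Superuser build rebuilt under another package name, the kind of
    # renaming the post suggests testing; the signer does not change.
    "renamed_su":  ("org.example.renamed", SU_KEY),
    "calculator":  ("org.example.calc", OTHER_KEY),
}

# Blacklist as the post infers AVG builds it: a package-name substring.
NAME_BLACKLIST = ("com.noshufou.android.su",)


def flag_by_name(package, signer):
    """Substring match on the package name. The name is chosen by whoever
    built the APK, so this both over-matches and is trivially avoided."""
    return any(bad in package for bad in NAME_BLACKLIST)


# Blacklist keyed on the signing certificate instead of the name.
SIGNER_BLACKLIST = {SU_KEY}


def flag_by_signer(package, signer):
    """Match on the certificate that signed the APK. A renamed copy keeps its
    signer; an unrelated app that reuses the name prefix does not have it."""
    return signer in SIGNER_BLACKLIST


def scan(installed, rule):
    """Return the labels of installed apps the given rule flags, sorted."""
    return sorted(label for label, (pkg, signer) in installed.items()
                  if rule(pkg, signer))


if __name__ == "__main__":
    print("name rule  :", scan(INSTALLED, flag_by_name))    # ['hello_world', 'superuser']
    print("signer rule:", scan(INSTALLED, flag_by_signer))  # ['renamed_su', 'superuser']
```

The name rule flags the harmless Hello World and misses the renamed copy; the signer rule does the opposite, which is why a detector has to look at something the app's author cannot freely choose.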

At the end of the day, I hope this article encourages companies like AVG to implement true threat scanning, if they haven’t already, or stop posing as antivirus. A blacklist based on package name is not antivirus and provides the user with a dangerous sense of false security. I also welcome AVG or any other maker of an antivirus program for Android to come forward with a response to this telling the users how their app actually protects their phone.

</rant>

Comments (20)

  1. 18:34, June 13, 2011, Craig Gomez

    Hear hear… we need more people exposing the crap that most Android antivirus apps do… if a user isn’t smart enough to understand root… he probably won’t root his phone…

  2. 18:55, June 13, 2011, Joël Bourquard

    These are wise words IMHO. And even with signature-based scanning, malicious apps could still easily hide from a non-root antivirus by declaring themselves as “protected” apps (whose APK’s cannot be read by non-root apps).

    Protected apps are deprecated, yes, but they’re still supported on all Android platforms. So right now, no Android anti-virus could truly scan all apps without using Superuser. Thus flagging Superuser as “infected” is braindead.

  3. 19:36, June 13, 2011, Paul McManus

    To echo the above, Superuser keeps my rooted phone secure. Gladly got Elite installed too ;-)

  4. 02:52, June 14, 2011, ben

    I just bought superuser elite because of this post. Not because I need the app, but because it helps you. Also, thank you for your contribution to a sane society.

  5. 05:34, June 14, 2011, Dania

    Yeah. Totally buying superuser elite. I would hope that a root user became familiar and friendly with superuser. Understanding its main function of protection :0) should be a given, if one chooses to root. Rooting at your own risk, thus choosing apps to grant root access. In my opinion superuser is quite an amazing tool which protects a person’s phone much more than any other..

  6. 20:54, June 24, 2011, Joshp406

    Now THIS is why I use Lookout.

  7. 10:27, June 28, 2011, Cyc

    Does anyone at AVG know what Superuser even does?! Do they think that this roots the phones?! Do they think that stupid people could blindly allow access and rooted phones without superuser would not work…? NO. Without superuser any app wanting root gets it, no questions asked. NOW THAT IS SCARY! If I wasn’t so sleep deprived I would go on a rampage with AV companies, especially AVG, right now!

  8. 22:12, June 29, 2011, Hussle

    People like you should run for president.

  9. 20:54, June 30, 2011, DeTard

    Yeah I’ve been frustrated with AVG over this whole thing for a while now. I decided to put AVG on my phone about a month ago, figuring “oh hey, what’s the harm right?” But now that I see it’s making false positives for nothing more than the app name and claiming that the one app that is protecting me is the source of the problem, I realize what harm it really is doing. I guess they don’t understand that this is blatant defamation and fairly scare monger-ish. Anyone that is rooting their phones should know the risks involved, and while it CAN brick the phone in the process, once Superuser is installed, the dangerous part (from the hardware aspect) is basically over. And now we have the software danger, but your app is protecting us there. And now with Elite, we have extra protection! PIN and/or Ghost modes? Come on now, how much more security could you ask for?

    I really do wish that I could get this point across to AVG. I was a fairly big supporter of Grisoft (before their company name change to AVG to match their product name) back when they were mostly unheard of. They had made a great product back when Norton and McAfee were really the only products people were using, and theirs was free! But I really don’t like where they are going with this whole idea of protecting users from themselves by saying your app is infected rather than sending them to a link stating what “root” is, what the potential risks are with being rooted, and giving the option of ignoring the rooted state. If they did this, my gripe would be completely moot. Will they do this? Anyone want to bet a case of beer?

  10. 09:15, July 15, 2011, Palaryel

    Tested, AVG doesn’t detect exploits inside of installed apps (or apk packages for that matter); seems like you were right, it only checks against a list of “unwanted” package names.

    To be honest, superuser adds some protection for rooted phones, in the form of notifying you which application uses su, and giving you the option to block/approve it; however, once android viruses become more popular, expect a system which will bypass the su logger and just execute itself (if I find time I’ll code a proof of concept for this, I’ve got the basic idea on how to implement it).

    • 23:07, August 1, 2011, Nemosfate

      @Palaryel
      So why not create a better av then to close the loophole you know of? And does anyone know how lookout scans their apps?

  11. 12:51, July 26, 2011, Montanaskibum

    I think you nailed it on the head. The only way I even feel safe is by knowing what apps are using root (thank you ChainsDD). Keep doing what you do because it has and will change the Android world.

  12. 19:10, August 3, 2011, fury

    Wow, really really stupid of AVG to do this based upon filename and not something more intelligent like a signature within the files or something of that level. Whoever QA’d this should be shot, imho.

  13. 00:13, August 9, 2011, NattyBee

    Superuser is probably the most important app available to a rooter…and anyone who has rooted his/her own device is likely aware that it is NOT a threat, but actually a tool for the user…still, you have brought up an interesting point, and hopefully you have drawn the attention of AVG here, so that they may improve the accuracy of their virus protection. Thank you for all you do for our community.

  14. 18:46, October 13, 2011, Bexton

    And once again: From my point of view, the Superuser app provides the security you need when using a rooted device (especially for those 75% of rooters who actually have no frigging clue about what user id 0 on a Linux filesystem means).

    Point 2; without going into (technical) detail: Contrary to Chain’s “Hello World” example, I was able to place a malicious app in the market that is able to brick a device if you download and install it on a rooted device that does not have the Superuser app installed. And not only was I able to place it in the market, but it was also not recognized by 7 AV sw’s (also paid ones). In fact – sadly – I was not able to find an AV sw that alerted to the danger.

    So, the bottom line – for me: Superuser is securing my phone more than every AV sw does!

  15. 09:25, October 31, 2011, doktornotor

    I stick with Dr.Web Light. It really does scan inside the code – and it really works — at least in a sense that it does what it is expected to do, i.e. – look for malicious code/behaviour inside packages.

    Recently it caught some fishy stuff (namely android.smssend.origin.151) inside GO SMS Pro v3.72 – while this one has most likely been a false positive, at least you do not get a placebo AV like most others. (I still have some fishy feelings about this whole GO suite of stuff and if a similar incident happens again, will start looking for alternatives.)

    AVG for Android definitely is a horrible example of useless junk providing totally false sense of security, and frankly anything that actually claims to have checked an APK in 1-2 seconds must be doing the same, which sadly would include Lookout. So, real antivirus scanning seems to be quite a unique creature in the Android world, considering that I can only see Dr.Web users mentioning this issue on Market comments and also on the GO Team website.

  16. 13:46, November 16, 2011, Duff

    What I’m interested in: does Superuser protect from exploits that try to gain root rights?

  17. 20:14, November 23, 2011, Wrxtc714

    @duff I had this same question. I asked chainsdd and he said YES, it will block the exploits.

  18. 11:16, September 25, 2013, Teo Bajar

    Thanks for finally writing about > A Word About Superuser and Security < Liked it!

  19. 00:56, July 20, 2014, davenut79@gmail.com

    I’m sorry I got upset about 3 bucks, good show serving our country. I grew up a navy brat and thank you for your service. GOD BLESS YOU
