It has recently come to my attention that there are people out there who believe that Superuser in the wrong hands can be a dangerous thing. A quote from @DroidSecurity on Twitter (edit: @AVGFree agreed with this tweet shortly after DroidSecurity posted it):
Now I may be arguing semantics here, but I have to disagree with this. The discussion came up because I asked AVG to reconsider their app flagging Superuser as a risk. While I can’t argue that a rooted phone can be a risk, Superuser itself is not. In fact, once a phone is rooted, Superuser is one of the few things that provides any sort of protection. Without it, any app would be able to use root at will and unchecked. Superuser gives the user a notification when an app is using the root user, and gives them a way to look back at what has used it and when. Similar to UAC on Windows computers, it forces the user to consider what they are doing before they alter their system.
Regarding AVG, there are two situations in which their app would detect Superuser being installed. The first is that the user has rooted his phone. In this situation, Superuser.apk is installed in /system/app. In this case, there isn’t really anything that AVG can do about it. In order for it to remove the risk, it would have to remount the system partition (and it would have to use Superuser to achieve that), and manually remove the apk. Instead it displays the system’s uninstall window, which naturally fails to uninstall the app, and goes back to scanning, once again finding the “infected” Superuser thus starting the process all over again. Infinite loop?
The second situation is that the user does not have a rooted phone and they download Superuser from the market. In this case, Superuser is completely useless to them, as Superuser has no way of allowing other apps to use the root user without already having the su binary installed in a directory in the PATH, and since none of these directories are writable at runtime, there is no way to do that. Superuser does not use any of the exploits that are widely available (Gingerbreak, Rageagainstthecage). Superuser will not root your phone by itself; it needs outside methods for it to do anything at all. This becomes a false positive for AVG, as Superuser cannot do any harm to the user or his phone.
This brings into question the method that AVG uses to find “infected” apps. This post did not start off to be a post slamming AVG, but I got really frustrated when, while researching for this post (installing AVG and trying it out), I found that AVG also flags Superuser Elite as “infected.” This made me realize AVG may be using some kind of sophisticated scanning, but more likely they are simply using a list of package names that they have deemed to be “infected.” I had planned to baksmali their app and dig around to see just how their “scanner” worked, but it seemed much easier to do it this way:
- Fire up Eclipse and make a new android app with the package name “com.noshufou.android.su.helloworld”.
- Do not change anything in the app.
- Install the app on my phone that is running AVG.
Result? Popup window on the phone telling me that this “Hello, World!” app is infected. Seems as though Google has some serious problems if a basic “Hello, World!” is a virus. More likely is that AVG is looking at nothing more than the package name and determining that the app is a threat simply because it has “com.noshufou.android.su” in the package name. I would have attempted making an app that has one of the exploits in it, but with a different package name to see if it gets caught, but that’s not something I have time for. I do encourage my readers to try this though. It would be interesting to see if AVG, or any of the Android “antivirus” apps, can detect a true threat.
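To make the difference between a package-name blacklist and content-based detection concrete, here is an added example (not part of this post, and not AVG's or Superuser's code) that runs both kinds of check over a few constructed sample apps and reports each scanner's false positives and false negatives. The file contents, the "renamed" package name and the known-bad hash are all made up for the illustration; only the com.noshufou.android.su names come from the post.

```python
import hashlib

# Constructed sample "APKs": package name -> files it ships.
# File contents are stand-in byte strings, not real binaries.
SAMPLE_APPS = {
    "com.noshufou.android.su": {"classes.dex": b"superuser-app-code"},
    "com.noshufou.android.su.helloworld": {"classes.dex": b"hello-world-code"},
    # Hypothetical app carrying a payload under an unrelated package name.
    "com.example.renamed": {
        "classes.dex": b"renamed-code",
        "lib/armeabi/payload": b"CONSTRUCTED-PAYLOAD-BINARY",
    },
}

# Ground truth for the constructed samples: only the renamed app is harmful.
TRULY_MALICIOUS = {"com.example.renamed"}

# What the post suspects AVG is doing: match on the package name alone.
NAME_BLACKLIST = ("com.noshufou.android.su",)

# Stand-in for a real content signature: hash of the constructed payload.
KNOWN_BAD_HASHES = {hashlib.sha256(b"CONSTRUCTED-PAYLOAD-BINARY").hexdigest()}


def scan_by_package_name(pkg, files):
    """Flag any app whose package name starts with a blacklisted prefix."""
    return any(pkg.startswith(bad) for bad in NAME_BLACKLIST)


def scan_by_file_hash(pkg, files):
    """Flag an app only if one of its files matches a known-bad hash."""
    return any(hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES
               for data in files.values())


def evaluate(scanner):
    """Return (false_positives, false_negatives) for a scanner over the samples."""
    flagged = {pkg for pkg, files in SAMPLE_APPS.items() if scanner(pkg, files)}
    return sorted(flagged - TRULY_MALICIOUS), sorted(TRULY_MALICIOUS - flagged)


if __name__ == "__main__":
    for label, scanner in (("package name", scan_by_package_name),
                           ("file hash", scan_by_file_hash)):
        fp, fn = evaluate(scanner)
        print(f"{label}: false positives={fp} false negatives={fn}")
```

The name-based scanner flags both Superuser and the harmless "Hello, World!" app while missing the app that actually carries a payload; the hash-based scanner gets all three right.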
At the end of the day, I hope this article encourages companies like AVG to implement true threat scanning, if they haven’t already, or stop posing as antivirus. A blacklist based on package name is not antivirus and provides the user with a dangerous sense of false security. I also welcome AVG or any other maker of an antivirus program for Android to come forward with a response to this telling the users how their app actually protects their phone.