Root detection is a common security measure implemented in many Android applications to prevent their execution on rooted devices. However, with tools like Frida, it's possible to bypass such detection mechanisms. This guide will walk you through the process of bypassing root detection using Frida in Android.
Before getting started, make sure you have:
- A rooted device or a rooted emulator image
- Python (on Windows, the Microsoft Store build works)
Install Frida and its command-line tools with the following commands:
python -m pip install frida
python -m pip install frida-tools
Alternatively, call pip directly:
pip install frida
pip install frida-tools
Add Frida to the PATH environment variable so that frida and frida-ps can be run from any terminal:
- Open the "Environment Variables" window
- Select the Path variable under "System Variables" and click the "Edit" button
- Click the "New" button
- Insert the path
%USERPROFILE%\AppData\Local\Programs\Python\Python312\Scripts
in the text field (adjust Python312 to the Python version you installed; pip places the frida and frida-ps executables in this Scripts directory)
Run the following command to verify that Frida is installed properly:
frida -h
Frida is properly installed if the help text is displayed. Also note the version reported by frida --version: the frida-server binary pushed to the device in a later step must be the same version as the client, otherwise frida and frida-ps will refuse to talk to it.
Check this ADB and Fastboot setup guide.
Connect the rooted device over USB (with USB debugging enabled) and run the following command to list the connected devices:
adb devices
The output lists the device by its serial number, as follows:
PS D:\ADB-Platform-Tools\> adb devices
List of devices attached
J9AAGF002486Y9M device
If you are using an emulator, run the same command; the emulator is listed under its own identifier instead of a hardware serial, for example:
PS D:\ADB-Platform-Tools\> adb devices
List of devices attached
127.0.0.1:62001 device
First, identify the CPU architecture of the target device, since the frida-server binary has to match it:
adb shell getprop ro.product.cpu.abi
In my case, it was:
x86
Download the frida-server Android binary for that architecture from the official Frida releases page, picking the release whose version matches the frida client installed above.
In my case, it was frida-server-16.2.1-android-x86.xz
Extract the archive. On Linux:
unxz frida-server-16.2.1-android-x86.xz
On Windows, 7-Zip can extract .xz archives.
- Push the extracted Frida server binary to the device:
adb push frida-server-16.2.1-android-x86 /data/local/tmp
- Make it executable:
adb shell chmod 755 /data/local/tmp/frida-server-16.2.1-android-x86
Start the Frida server on the device, as root and in the background:
adb shell "/data/local/tmp/frida-server-16.2.1-android-x86 &"
frida-server has to run as root. On emulators and userdebug builds, run adb root first so that the adb shell itself is root; on a production device rooted with Magisk, prefix the server path inside the quotes with su -c instead.
If that does not work, run it in the foreground (this ties up the terminal, so open a second one for the following steps):
adb shell /data/local/tmp/frida-server-16.2.1-android-x86
If it still fails, open an interactive shell on the device and start it from there:
adb shell
cd /data/local/tmp/
./frida-server-16.2.1-android-x86
If the server exits with "Unable to save SELinux policy to the kernel: Out of memory", put SELinux into permissive mode (requires root; the change lasts until the next reboot) and start the server again:
adb shell
setenforce 0
Now, open a new terminal.
Use the frida-ps command to identify the package name of the target application:
frida-ps -Ua
-U selects the USB device and -a lists running applications only. If the target does not appear, either launch it and run the command again, or add -i (frida-ps -Uai) to include installed applications that are not currently running.
Next, run a Frida script that hooks the application's root checks. First download the JavaScript file from here (or pick one of the scripts listed below), then run the following command. The -f flag makes Frida spawn the application itself, so the script is loaded before the app's own code, including its root check, gets to run:
frida -U -f com.example.app -l script.js
Replace com.example.app with the actual package name of the target application and script.js with the name of the script file.
Scripts that bypass the common root and emulator detection mechanisms on different frameworks:
- https://codeshare.frida.re/@Gand3lf/xamarin-antiroot/
- https://codeshare.frida.re/@dzonerzy/fridantiroot/
- https://github.com/shino-337/Frida-script-bypass-Framgia-Emulator/blob/master/bypass_framgia_emulator.js
Note: an easy way to remember the flags is -U for the USB device, -f for the package to spawn (the "file" to run) and -l for the script to load.
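The scripts linked above each target one framework's checks. The following is an added example, written for this page rather than taken from any of those scripts or from Frida itself, of what such a bypass script contains. It hooks four checks that hand-rolled and library-based root detection (RootBeer and the like) share: java.io.File.exists() on su and Magisk paths, Runtime.exec() of su or which su, PackageManager.getPackageInfo() on root-manager packages, and Build.TAGS equal to test-keys. The path and package lists are assumptions chosen for illustration, not an exhaustive set. The decision helpers are plain JavaScript so they can be checked in Node; the hooks are installed only when Frida loads the file (frida -U -f com.example.app -l bypass-root.js, with bypass-root.js as the assumed file name).

```javascript
'use strict';
// Added example for this page: a Frida root-detection bypass script.
// Pure decision helpers (testable in Node) + hooks that are only installed under Frida.

// Files and directories that root checks commonly probe (assumed list, extend as needed).
const SU_PATHS = [
  '/system/bin/su', '/system/xbin/su', '/sbin/su', '/su/bin/su',
  '/system/app/Superuser.apk', '/system/xbin/busybox',
  '/data/adb/magisk', '/sbin/.magisk',
];
// Root-manager packages an app may look up through PackageManager (assumed list).
const ROOT_PACKAGES = [
  'com.topjohnwu.magisk', 'eu.chainfire.supersu', 'com.noshufou.android.su',
];

function basename(p) {
  return p.substring(p.lastIndexOf('/') + 1);
}

// True when a path is one a root check would look for.
function isRootArtifactPath(path) {
  if (typeof path !== 'string') return false;
  const base = basename(path);
  return SU_PATHS.includes(path) || base === 'su' || base === 'magisk' || path.includes('/.magisk');
}

// Normalise a Runtime.exec argument: a JS string, a JS array, or a Frida-wrapped Java String[].
function toArgv(cmd) {
  if (typeof cmd === 'string') return cmd.trim().split(/\s+/);
  const argv = [];
  for (let i = 0; i < cmd.length; i++) argv.push(String(cmd[i]));
  return argv;
}

// True when the command runs su/magisk or probes for su with "which su" / "type su".
function isSuCommand(cmd) {
  const argv = toArgv(cmd);
  if (argv.length === 0 || argv[0] === '') return false;
  const prog = basename(argv[0]);
  if (prog === 'su' || prog === 'magisk') return true;
  return (prog === 'which' || prog === 'type') && argv.slice(1).includes('su');
}

function isRootPackage(name) {
  return ROOT_PACKAGES.includes(String(name));
}

// Build.TAGS of "test-keys" is read by many apps as "custom build, probably rooted".
function sanitizeBuildTags(tags) {
  return tags === 'test-keys' ? 'release-keys' : tags;
}

function installHooks() {
  Java.perform(function () {
    const File = Java.use('java.io.File');
    const Runtime = Java.use('java.lang.Runtime');
    const Build = Java.use('android.os.Build');
    const PM = Java.use('android.app.ApplicationPackageManager');
    const IOException = Java.use('java.io.IOException');
    const NameNotFound = Java.use('android.content.pm.PackageManager$NameNotFoundException');

    // File.exists(): report su binaries and Magisk directories as absent.
    File.exists.implementation = function () {
      const p = this.getAbsolutePath();
      if (isRootArtifactPath(p)) {
        console.log('[bypass] File.exists(' + p + ') -> false');
        return false;
      }
      return this.exists();
    };

    // Runtime.exec("su") and exec(new String[]{"which", "su"}): fail as if su were missing.
    ['java.lang.String', '[Ljava.lang.String;'].forEach(function (sig) {
      Runtime.exec.overload(sig).implementation = function (cmd) {
        if (isSuCommand(cmd)) {
          console.log('[bypass] Runtime.exec(' + toArgv(cmd).join(' ') + ') -> IOException');
          throw IOException.$new('Cannot run program "su": error=2, No such file or directory');
        }
        return this.exec.overload(sig).call(this, cmd);
      };
    });

    // getPackageInfo("com.topjohnwu.magisk", flags): pretend the package is not installed.
    PM.getPackageInfo.overload('java.lang.String', 'int').implementation = function (name, flags) {
      if (isRootPackage(name)) {
        console.log('[bypass] getPackageInfo(' + name + ') -> NameNotFoundException');
        throw NameNotFound.$new(name);
      }
      return this.getPackageInfo(name, flags);
    };

    // Static field write: Build.TAGS "test-keys" -> "release-keys".
    Build.TAGS.value = sanitizeBuildTags(Build.TAGS.value);
    console.log('[bypass] root-detection hooks installed');
  });
}

// Install hooks only under Frida; in Node (where the helpers are unit-tested) Java is undefined.
if (typeof Java !== 'undefined' && Java.available) {
  installHooks();
}
// Export the helpers for tests; module is not defined in Frida's script runtime.
if (typeof module !== 'undefined') {
  module.exports = { isRootArtifactPath, isSuCommand, isRootPackage, sanitizeBuildTags };
}
```

The console output shows which hook fired, which is the quickest way to learn what the target actually checks; when it uses signals this script does not cover (reading /proc/mounts for a Magisk mount, native checks done through JNI rather than the Java APIs hooked here), extend the lists or add hooks for those calls.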
Install Objection with the following command:
python -m pip install objection
Alternatively, call pip directly:
pip install objection
pip places the objection executable in the same Scripts directory that was added to the PATH for Frida above, so no further PATH entry is needed. If you skipped that step, add the following path to the Path variable as described there:
%USERPROFILE%\AppData\Local\Programs\Python\Python312\Scripts
Run the following command to verify that Objection is installed properly:
objection --help
Objection is properly installed if the help text is displayed.
Objection drives Frida under the hood, so the device setup is the same as above: connect the rooted device (or start the emulator), confirm that it appears in the output of adb devices, start frida-server on it, and find the target's package name with frida-ps -Ua (launch the app first if it is not listed).
Using Objection's interactive explorer, you can try to bypass root detection by calling the android root disable command, which installs hooks for the common root checks without you writing any script:
objection -g com.example.app explore
[usb]> android root disable
Replace com.example.app with the actual package name of the target application. Because many apps run their root check immediately at launch, before you can type into the REPL, it is usually more reliable to pass the command through objection's --startup-command (-s) option so that the hooks are in place as soon as the process starts.
With these steps, you should be able to bypass root detection in Android applications using Frida and Objection. It's essential to understand that bypassing security measures like root detection may have legal implications and should only be performed on applications you have explicit permission to test or modify. Use this knowledge responsibly and ethically.
Magisk is a comprehensive solution for rooting Android devices. It provides root access through MagiskSU, per-app management of root permissions, and the DenyList (which replaced MagiskHide in Magisk v24) for hiding root from selected apps. A key advantage is that it roots Android and enables custom modifications without disrupting components such as Google Play Services.
Magisk is a "systemless" root: it patches the boot image and leaves the system partition untouched, which makes it easier to update or remove than older methods that wrote into /system.
Beyond rooting, Magisk lets users manage root permissions per app, modify behaviour without editing system files, strip kernel-level protections such as dm-verity when patching the boot image, and add third-party features through Magisk Modules. It is widely regarded as the go-to tool for rooting Android devices.
To hide root from specific apps with Magisk (v24 or later), follow these steps:
- Enable Zygisk: open the Magisk app, go to Settings, and enable Zygisk.
- Configure the DenyList: in Magisk settings, open Configure DenyList and tick the apps you want to hide root from.
- Install the Shamiko module: download and install the Shamiko module from its GitHub releases or another trusted source. Shamiko reads the DenyList itself and expects the "Enforce DenyList" switch to be turned off; with enforcement left on, Magisk unloads Zygisk from the listed processes and Shamiko cannot do its work there.
- Hide the Magisk app: in Magisk settings, use the "Hide the Magisk app" option to repackage it under a random name and package ID, since many apps simply look for the com.topjohnwu.magisk package.
After completing these steps, reboot the device; the selected apps should no longer detect root. These steps hide root from checks performed on the device itself; they do not by themselves satisfy server-side attestation such as Play Integrity.