Root detection bypass by Objection and Frida

Sakshi Sharma
Apr 28, 2020

What is root bypass?

When an application is developed, developers implement a root detection mechanism to prevent users from using it on a rooted Android device. When a user tries to install such an application, it throws an error message and doesn't allow the application to install on the rooted device. While performing the root bypass, we make changes in the code and restrict the application from closing, which in turn leads to installation of the application on the rooted Android device. To do this, I will first install Frida and then bypass the root detection.

Step 1: Open cmd and type the following command, as shown in the figure below. You can also check the version of Frida.

Command: pip install frida

Fig 1: Install Frida

Step 2: Now I have to set up Frida on Android. For that, I need to download the Frida server for the specific Android platform from the site: https://github.com/frida/frida/releases/

Fig 2: Download frida server

Step 3: Copy the Frida server file into the Android phone's tmp directory using the adb push command, as shown in the figure. Here I have used Genymotion as the Android emulator. After copying the file, change the permissions of the Frida server file.

Command: adb push frida-server /data/local/tmp/

Fig 3: adb push command

Step 4: I will install the application from the Play Store in the Genymotion Android emulator. You can easily connect to the Frida server from cmd and use the following command to list all the running processes. When I tried to install the application, it showed an error message that the device is rooted.

Command: frida-ps -U

Fig 4: Error message
Fig 5: List of process

Step 5: Next, I used Objection and Frida scripts to perform the root bypass, as shown in the figure.

Script used: $ frida --codeshare dzonerzy/fridantiroot -f YOUR_BINARY

Fig 6: frida codeshare script
Fig 7: Root detection bypass by script

Step 6: To connect to one of those apps (shown in the figure above), specify its name with the --gadget flag (names are referred to as gadgets in Objection).

Command: objection -g "com.abc.xyz" explore

Fig 8: Connecting to the application

Step 7: Now I will use the command `android hooking list activities`, which lists all the activities that have been specified in AndroidManifest.xml. The activity classes found using this command can be used with the `android intent launch_activity` command to launch them. Here I have launched the intent for OTP for login.

Command: android hooking list activities

Fig 9: List of all the activities and launching intent.
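The steps above leave recognisable traces on the device: a Frida server binary under /data/local/tmp (Step 3) and a running server process (Step 4). As an added example that is not part of the original post, this Python sketch triages captured `ps`, `ls /data/local/tmp` and `/proc/net/tcp` output for those traces. The sample outputs are constructed, the function names are hypothetical, and port 27042 is Frida's default listener, which the post does not mention.

```python
import re

FRIDA_DEFAULT_PORT = 27042  # frida-server's default TCP listener (assumption: not changed)
NAME_RE = re.compile(r"frida[-_]?server", re.IGNORECASE)

def listening_ports(proc_net_tcp):
    """Return the ports in LISTEN state (st == 0A) from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # fields: sl, local_address (hex IP:port), rem_address, st, ...
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def frida_indicators(ps_out, tmp_listing, proc_net_tcp):
    """Collect traces of a Frida server from captured device output."""
    findings = []
    for line in ps_out.splitlines():
        if NAME_RE.search(line):
            findings.append("process: " + line.split()[-1])
    for name in tmp_listing.split():
        if NAME_RE.search(name):
            findings.append("file: /data/local/tmp/" + name)
    # Name checks miss a renamed binary; the listener check still catches
    # a server left on its default port.
    if FRIDA_DEFAULT_PORT in listening_ports(proc_net_tcp):
        findings.append("listener: tcp/%d" % FRIDA_DEFAULT_PORT)
    return findings

# Constructed sample captures (not taken from the post's figures).
PS_SAMPLE = """USER PID PPID VSZ RSS WCHAN ADDR S NAME
root 1 0 9288 1640 SyS_epoll_wait 0 S init
root 2741 1 10548 3124 poll_schedule 0 S frida-server
u0_a85 3012 312 1204512 90112 SyS_epoll_wait 0 S com.abc.xyz"""
TMP_SAMPLE = "frida-server\nsome.apk"
TCP_SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue
   0: 0100007F:69A2 00000000:0000 0A 00000000:00000000
   1: 00000000:15B3 00000000:0000 0A 00000000:00000000
   2: 0100007F:A1F0 0100007F:69A2 01 00000000:00000000"""

if __name__ == "__main__":
    for finding in frida_indicators(PS_SAMPLE, TMP_SAMPLE, TCP_SAMPLE):
        print(finding)
```
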
