How does Riskminder DDNA check for malicious App leading to "jailbreak=true"

Article ID: 129139

Products

CA Rapid App Security
CA Advanced Authentication
CA API Gateway

Issue/Introduction

Broadcom DDNA looks for apps on a client's phone that indicate rooted access, which the client may be unaware of.


Environment

CA/Broadcom Android DDNA SDK

Resolution

These are a few applications that are reported to be used for rooting:
----------------------------------------------------------------------------------------------
ROM Manager
Lucky Patcher
InAppBillingService.COIN
App Quarantine
Superuser
SuperSU
magisk
RootCloak
Xposed Installer
Cydia Substrate
Hide My Root
Hide Rooting Lite

Below are the package names that DDNA checks for; an installed package that matches one of them identifies the app as malicious and leads to jailbreak=true.
------------------------------------------------------------------------------------------------------------------------
"com.devadvance.rootcloak"
"com.devadvance.rootcloakplus"
"de.robv.android.xposed.installer"
"com.saurik.substrate"
"com.zachspong.temprootremovejb"
"com.amphoras.hidemyroot"
"com.amphoras.hidemyrootadfree"
"com.formyhm.hiderootPremium"
"com.formyhm.hideroot"
"com.koushikdutta.rommanager"
"com.koushikdutta.rommanager.license"
"com.dimonvideo.luckypatcher"
"com.chelpus.lackypatch"
"com.ramdroid.appquarantine"
"com.ramdroid.appquarantinepro"
"com.android.vending.billing.InAppBillingService.COIN"
"com.chelpus.luckypatcher"
"com.noshufou.android.su"
"com.noshufou.android.su.elite"
"eu.chainfire.supersu"
"com.koushikdutta.superuser"
"com.thirdparty.superuser"
"com.yellowes.su"

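To reproduce this package-name check offline against a device inventory, here is an added Python example (not Broadcom's or the DDNA SDK's code) that parses the output of `adb shell pm list packages` and reports which of the packages listed above are installed; the sample output and the `parse_pm_list`/`check_jailbreak` function names are constructed for the example.

```python
# Added example, not Broadcom/DDNA code: reproduce the package-name check
# described above over the text output of `adb shell pm list packages`.

# Package names DDNA checks for, copied from the list above.
ROOTING_PACKAGES = frozenset({
    "com.devadvance.rootcloak", "com.devadvance.rootcloakplus",
    "de.robv.android.xposed.installer", "com.saurik.substrate",
    "com.zachspong.temprootremovejb", "com.amphoras.hidemyroot",
    "com.amphoras.hidemyrootadfree", "com.formyhm.hiderootPremium",
    "com.formyhm.hideroot", "com.koushikdutta.rommanager",
    "com.koushikdutta.rommanager.license", "com.dimonvideo.luckypatcher",
    "com.chelpus.lackypatch", "com.ramdroid.appquarantine",
    "com.ramdroid.appquarantinepro",
    "com.android.vending.billing.InAppBillingService.COIN",
    "com.chelpus.luckypatcher", "com.noshufou.android.su",
    "com.noshufou.android.su.elite", "eu.chainfire.supersu",
    "com.koushikdutta.superuser", "com.thirdparty.superuser",
    "com.yellowes.su",
})


def parse_pm_list(output):
    """Extract package names from `pm list packages` output.
    Lines look like "package:<name>"; with -U a " uid:N" field follows,
    so only the first token is used. Any other line is skipped."""
    names = set()
    for line in output.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("package:"):
            names.add(fields[0][len("package:"):])
    return names


def check_jailbreak(pm_output):
    """Mirror the check: jailbreak is true if any listed package is installed."""
    matches = sorted(parse_pm_list(pm_output) & ROOTING_PACKAGES)
    return {"jailbreak": bool(matches), "matches": matches}


# Constructed sample: SuperSU and Lucky Patcher present next to normal apps.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:eu.chainfire.supersu uid:10087
package:com.dimonvideo.luckypatcher
package:com.example.bank
"""

if __name__ == "__main__":
    print(check_jailbreak(SAMPLE_PM_OUTPUT))
```

Note that the application list above names magisk, but the package list contains no package for it, so this package-name check alone does not cover that case.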

Additional Information

None