Cybersecurity

The original report: https://www.zimperium.com/blog/catch-me-if-you-can-rooting-tools-vs-the-mobile-security-industry/

This isn't so much security research as it is marketing for the company's mobile endpoint security tool.

Their stats on the surface are interesting. According to the data collected by Zimperium:

According to our data, the exposure factor of rooted devices versus stock devices varies from 3x to ~3000x, which suggests that rooted devices are potentially much more vulnerable to threats than stock devices.

But then the paper doesn't even speculate as to why that might be. The rest of the report is basically a sales pitch for their security software. Rooting is bad and you need to keep these devices off your corporate networks (by buying our software) is the only message they're sending.

Off the top of my head, here are some hypotheses for the correlation, each of which has different implications for how to best mitigate the risks:

1. rooted devices are more likely to produce false-positive security alerts in the endpoint detection software
2. rooting tools themselves are used as an initial loader in infection chains
3. users of rooted devices are more technical and therefore more likely to install more apps overall, increasing attack surface area
4. users of rooted devices are more technical and therefore more likely to engage in risky software installation (sideloading untrusted software)
5. rooted devices contain more vulnerabilities
6. stock OS security is good at stopping malware from misbehaving, rooting removes those mitigations

The implication of the paper seems to be that (5) or (6) is the case: "rooted devices are potentially much more vulnerable to threats than stock devices." If the cause is (3) or (4) on the other hand, then there's not much that can be done outside of user education, since these users are inherently more likely to increase the attack surface of their devices whether the device is rooted or not.

(1) or (2) however would imply that the whole research is bogus, as in the case of (1) the data would be completely unreliable and in the case of (2) the causation is actually the reverse of what the paper implies, which is to say that malware causes rooting of the device, not the other way around.

Interestingly then, the paper includes this illustration:

Figure 4 illustrates this idea, showing a case of a rooted device that ended with a full compromise after sideloading malicious applications.

The infection with malware occurs 10 seconds after the installation of Magisk, the tool used to get root access to the device. It should be obvious to anyone that this was not a coincidental infection caused by the user rooting their device, but actually the malware was using the rooting tool as the first step in compromising the device. So in this case, malware caused rooting of the device, not the reverse.

The linked Hackread article essentially just regurgitates the points from the Zimperium report without any critical analysis of why or how rooted devices pose a threat. For users of rooted devices it would be helpful to know whether they are actually at more risk, and why, so that they can mitigate the risks. But this article is not about security research, it's just a sales pitch.