Companies that create tools for "rooting" Android phones may be within the law, but they may be inadvertently paving the way for malware developers.
According to a paper presented this week by University of California professor Zhiyun Qian, the developers of commercial root apps work hard to break the security of Android devices -- and then malware developers either piggyback on those exploits or figure out how they work and incorporate them into their own apps.
Somewhere between 27 and 47 percent of all Android smartphones are rooted, said Qian. This allows users to get rid of pre-installed apps that are otherwise impossible to remove, to personalize their phones beyond what is allowed by the official limits, to get better backups, or better power management tools.
"In the U.S., jailbreaking is legal," he said. "It's actually a legitimate business to distribute these exploits. It can be used to do good things."
In practice, however, it means that users are, in effect, hacking into their own phones.
"I'm launching an attack against my own device," Qian said.
And what users can do, hackers can do as well.
Google banks the rooting applications from its Google Play store, though it continues to allow the distribution of app that rely on a device already being rooted. There are many other channels through which Android users can find apps.
"If you are interested in rooting software, it is easy to find it," Qian said.
The way that rooting apps typically work is that that users runs the tool, and it sends a message back to its server with all the relevant device details -- manufacturer, Android version, and so on. The server then looks up the appropriate exploit for that particular device and configuration and sends it back.
Few of these exploits can be detected by mobile anti-virus, Qian added.
Criminals can hijack this process in two ways, he said.
Once the bad guys get the user to install their malware by, say, disguising it as a game or screensaver, they can contact the rooting software's server and request the appropriate exploit. They will then use it to root the device, take control of the smartphone, and start collecting financial information or doing whatever else the criminals want to do.
Criminals can also reverse-engineer or unpack and deobfuscate the exploit code itself, so that they can use it in their own applications.
Some of the legitimate root providers have security in place so that, in theory, only their own apps can request the exploits and use them.
In practice, however, the commercial root providers have systematic weaknesses and flaws in their security protection measures, Qian said.
Sign up for CIO Asia eNewsletters.