"We found a few security flaws that allowed us to unpack and de-obfuscate the exploits much easier than expected," Qian said.
The large commercial root providers also have a comprehensive collections of root exploits, which gives attackers a strong incentive to target such providers, since the same mechanism used to protect one exploit is typically used to protect all the exploits in a collection.
One company studied, for example, had more than 160 exploits,
"It's hard for an attacker themselves to build this many high-quality, well-engineered exploits," Qian said.
Some of those exploits were unique, original creations, he added.
"The legitimate rooting software actually has a lot of secret weapons otherwise unknown to the community," he said.
Smartphone manufacturers and Google itself can do more to make rooting less attractive by getting rid of the baked-in bloatware and offering more legitimate alternatives to the customization options and tools that users get by rooting.
But the biggest problem, Qian said, is the Android upgrade process.
Once Apple spots a problem it can push out a patch almost immediately,
The Android ecosystem, however, is composed of many different carriers and manufacturers. That add significant time to the updates.
"The process can be delayed for a few months, or even a year," Qian said. "And some devices are basically abandoned."
Shorting this update process is the best solutions, he said.
"Vulnerabilities are always going to be discovered," he said. "We aren't yet a the place where we can create perfect software."
Sign up for CIO Asia eNewsletters.