Android’s RootBeer Library Bypass | Done By Ishara Abeythissa

This post is to follow up how to bypass RootBeer Library on Android. Let me give you brief idea what is actually RootBeer. RootBeer an open source root checking application specific to the android platform.

Tools,

Frida Framework

JavaScript

ADB

JADX-GUI

Figure 01: Results of RootBeer Library of Rooted Device

As you can see in above application performed gathering/testing listed testcases inside device once it’s start. Let’s go through each test cases.

TEST KEYS — In Android architecture includes test-keys under build/target/product/security. APK signing process is handle by using test-keys.Since the test-keys are publicly known, anybody can sign their own .apk files with the same keys, which may allow them to replace or hijack system apps built into your OS image.

BUSYBOX BINARIES — RootBeer is always checking BusyBox binaries in device once application started. Process is same for SU Binary & SU Exists.

Reversing the Application,

Now let’s reverse the RootBeer APK using JADX-GUI tool.

Figure 02: Decompile RootBeer APK using JADX-GUI

Figure 03: Root Checking functions

You can see functions which are use for check device root status in RootBeer application. Let’s look closer

Figure 04: Return type of functions

If you closer into functions you can see all functions having boolean return type. It mean if we can intercept the process and modify the return value of functions we can change the output of application. For that, I’m using frida application.

Figure 05: ADB push frida-server

Figure 06: Execute Frida-Server

Java.perform(function(){
    var RootBeer = Java.use("com.scottyab.rootbeer.RootBeer");
    var Utils = Java.use("com.scottyab.rootbeer.util.Utils");   
    
    RootBeer.detectRootManagementApps.overload().implementation = function(){
        return false;
    };
    
    RootBeer.detectPotentiallyDangerousApps.overload().implementation = function(){
        return false;
    };
    
    RootBeer.detectTestKeys.overload().implementation = function(){
        return false;
    };
    
    RootBeer.checkForBusyBoxBinary.overload().implementation = function(){
        return false;
    };
    
    RootBeer.checkForSuBinary.overload().implementation = function(){
        return false;
    };
    
    RootBeer.checkSuExists.overload().implementation = function(){
        return false;
    };
    
    RootBeer.checkForRWPaths.overload().implementation = function(){
        return false;
    };
    
    RootBeer.checkForDangerousProps.overload().implementation = function(){
        return false;
    };
    
    RootBeer.checkForRootNative.overload().implementation = function(){
        return false;
    };
    
    RootBeer.detectRootCloakingApps.overload().implementation = function(){
        return false;
    };
    
    Utils.isSelinuxFlagInEnabled.overload().implementation = function(){
        return false;
    };
    
    RootBeer.checkForMagiskBinary.overload().implementation = function(){
        return false;
    };
    
    RootBeer.isRooted.overload().implementation = function(){
        return false;
    };
});

We can use this code to bypass RootBeer application, if you go through the code you can see this code modify the return type of application’s root checking functions. let’s run this code.

Happy Hacking :)