Mobile Threat Catalogue

Abusing Existing Root Access


Threat Category: Malicious or privacy-invasive application

ID: APP-25

Threat Description: Rooting or jail-breaking an Android or iOS device significantly degrades its security architecture by enabling arbitrary apps to execute commands as root. A malicious app could, under an assumption some percentage of devices have been rooted or jail-broken, attempt to abuse implicit root privilege escalation.

Threat Origin

Not Applicable, See Exploit or CVE Examples

Exploit Examples

How to clean up the Duh iPhone worm 1

CVE Examples

Not Applicable

Possible Countermeasures


Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.

Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.

For the lowest risk tolerance, deploy MDM or containerization solutions with policies that can detect and block access to enterprise resources by rooted/jail-broken devices.

Use application threat intelligence data to detect potential abuse of rooted/jail-broken BYOD devices

Mobile Device User

Use Android Verify Apps feature to identify harmful apps.

Mobile App Developer

To avoid launching applications that handle sensitive information on a rooted/jail-broken device, perform device integrity checking, such as using Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies device integrity attestation API


  1. P. Ducklin, “How to clean up the Duh iPhone worm”, Naked Security, Sophos, 24 Nov. 2009; [accessed 8/25/2016]