Two recently discovered vulnerabilities allow any app to gain root access via SuperSU or Superuser

XDA-developers membercernekee recently found serious vulnerabilities in all three root packages, with which malicious apps can enable superuser (root) privileges on various devices. Users aren’t aware of this action, because no notification is displayed. Developers have already been contacted and are working to address the issues. If you are using an older version, it’s best to update as soon as possible.

superuserSuperuser from ChainsDD is no longer in development and doesn’t work on 4.3+ Android platforms. On Android 4.2 or lower the root package runs several privilege checks, to determine if an operation should be allowed. The two vulnerabilities are:

  • On ClockWorkMod Superuser, /system/xbin/su does not set PATH to a known-good value, a malicious user could therefor trick /system/bin/am into using a trojaned app_process binary
  • Other environment variables may be used to affect the behavior of the (moderately complex) subprocesses. For example, manipulation of BOOTCLASSPATH could cause a malicious .jar file to be loaded into the privileged Dalvik VM instance. Dalvik’s BOOTCLASSPATH was allowed implementation by all three Superuser root packages.

In order to fix this, stop using ChainsDD’s Superuser and install the already patched SuperSU by Chainfire. Koush’s Superuser is about to be fixed soon.

There are, however, other exploits in Koush’s Superuser versions prior to and Chainfire’s SuperSU versions predecessing 1.69. Two vulnerabilities (one for Android 4.2 and lower, one for 4.3+) depend on exploiting the broadcasting of failure notifications from privilege checks. A “su” command can easily be inserted where it shouldn’t be.

  • 4.2 and older: /system/xbin/su is a setuid root binary which performs a number of privilege checks in order to determine whether the operation requested by the caller should be allowed. If any of these checks fail, the denial is recorded by broadcasting an intent to the Superuser app through the Android Activity Manager binary, /system/bin/am. /system/bin/am is invoked as root, and user-supplied arguments to the “su” command can be included on the “am” command line.
  • 4.3 and newer: due to changes in Android’s security model, /system/xbin/su functions as an unprivileged client which connects to a “su daemon” started early in the boot process. The client passes the request over a UNIX socket, and the daemon reads the caller’s credentials using SO_PEERCRED. As described above, /system/bin/am is called (now from the daemon) to communicate with the app that implements the user interface.

Another less dangerous loophole in Koush’s Superuser, where the attacker could hijack a legitemate root command with ADB shell access, has been fixed in the latest update.

To summarize, this isn’t a Android OS problem, but cuased by user installed components/apps, which are able to gain root. So don’t use Superuser from ChainsDD – it’s outdated. SuperSU has apparently been patched, Koush’s Superuser is still to be. And always stay up to date.


3,126 total views, 1 views today


About MMWolverine

Inter-lingual communicator by profession, Marko is a technology enthusiast. He fell in love with Android little over a year ago, now spending most of his time on xda-developers and similar forums. Quick learner and always there to help. Contact him at
Bookmark the permalink.