5

I got a call from my company's Google Suite administrator that they got an alert about my phone (a Samsung S10 running Android 10) getting rooted this morning.

Google's support site isn't really helpful with this, stating only that they consider my device compromised because it's rooted.

All additional information I got about the alert is:

Summary: An Android device was rooted. (Device ID xxxxxxxxxxxxxxxx)

Date: Feb 12, 2020, 09:23 AM CET (2020-02-12T09:23:17+01:00)

Device owner: [email protected]

As I'm pretty sure that I didn't root my company phone (especially not this morning, I was in a meeting). As I understand some apps installed can (?) root my phone, but I also don't have apps installed from untrusted sources, and I didn't install any apps in the last two days even from Google Play.

I also tried it with Root Checker, and it seems like that the phone is not rooted.

The SafetyNet Test status is

  • Basic Integrity: Success
  • CTS Profile Match: Success
  • Response Signature Verification: Success

Is there a way that I can check on my phone what exactly causes Google to think that the device is compromised / rooted?

Community
  • 1
ytg
  • 398
  • 1
  • 3
  • 14
  • 1
    this user reported similar situation, device is most likely unmodified but detected as rooted (just for reference, please ignore suggestions in comments) https://android.stackexchange.com/q/221031 – alecxs Feb 12 '20 at 10:19
  • 2
    You should also ask the person who called you to get some more details what was written in the alert and include that in your question. – Robert Feb 12 '20 at 10:29
  • No, Google will never call you without you first reaching out to them. They do not use live or direct analytics from your device. Unless some sort of exploit is used you cannot root a device with a locked bootloader. Upon boot the security checks would flag and prevent the device from booting. You can check if it is root with the `id' command through either a adb shell or a terminal emulator. – Bo Lawson Feb 12 '20 at 11:19
  • 1
    This might be not very helpful, but just for reference: Compromised device events report. Also, this is an interesting topic, but I'm afraid only Google knows the answer. At the very least, I feel this is a false alarm. Also, are you sure the device ID of the report is the same with your device? Perhaps you have more than 1 company phones unknowingly? – Andrew T. Feb 12 '20 at 11:21

1 Answers1

0

I got this same thing. I have Google for business and my devices that access the business accounts are managed by the google system. It is a SM-P610 Samsung, and I have personal and work accounts on it. It alerted "An Android device was rooted" at 7:23AM then later at 8:32 alerted that "An Android device was recovered from rooted state".

The alerts are from google.admin.com, through the Google for Business account.

Derek Kite
  • 101
  • 1