5

Oppo (to my knowledge) makes it basically impossible to root, due to locking the boot loader and removing fast boot. So I'm wondering if this changes anything in regards to Privilege escalation exploits, whether they still work exactly the same or if they don't work at all. It might sound stupid, but I ask because if I can't gain root access to my own device, how can other malicious applications, programs and scripts do so.

(Assuming the Oppo phone in question uses up-to-date security updates)

Also I'm specifically talking about Privilege escalation exploits that can root a phone

beeshyams
  • 40,739
  • 30
  • 119
  • 269
Maddox
  • 51
  • 2
  • 2
    Exploits are not necessarily always related to rooting. They could be be at lower levels like chip level, progressing to framework, exploits in pre-installed apps and back doors in user installed apps// I think you will get better answers at Security SE – beeshyams Jul 28 '23 at 12:01
  • @beeshyams I'm using rooting because I've done some research into mobile spyware, and so far I've seen that gaining root access is a consistent step some of these spywares, I will now look into other exploit types though! Thanks – Maddox Jul 28 '23 at 12:04
  • 1
    somewhat related – beeshyams Jul 28 '23 at 12:31
  • @beeshyams do Zero-click versions of Root apps exist? I'm the type to keep my installation sources to the playstore and don't click on/auto block spam, so I doubt user interaction would be a factor – Maddox Jul 28 '23 at 12:35
  • I am not knowledgeable but I wouldn't be surprised if they did especially in the past – beeshyams Jul 28 '23 at 12:40
  • @beeshyams fair enough, it's just a lot of the spyware I've been researching this spyware, supposedly dangerous government spyware but requires you to install an app via clicking a link, which seems like an only an idiot would click it – Maddox Jul 28 '23 at 12:43
  • I recalled Pegasus which is a zero-click and obviously costs $$$$$$$$$$$$ and not for sale to non-governmental agencies// anyway, I guess we are going off-topic – beeshyams Jul 28 '23 at 12:47
  • @beeshyams yeah that's scary, but it's funny that Pegasus was so invasive that even my country's government didn't use it (for the record, they use FINSPY). But still I don't think government should go around using exploits like these (though I think it's mainly China, Russia and the US) – Maddox Jul 28 '23 at 12:52

1 Answers1

11

A locked bootloader and non-existent fastboot and most important Android Verified Boot (vnmeta), which cryptographically verifies the content of the system partition, make it extreme hard to root the device, respectively infect the device in a way that would survive a factory reset.

However this has absolutely no effect on privilege escalation exploits. It only makes it harder to use the gained privileges to create a persitent infection.

Privilege escalation exploits are executed at run-time, the bootloader state is not relevant for such an attack. If such an attack is successful in a worst case get an attacker root permissions and/or bypass SeLinux restrictions.

Using those elevated permissions the attacker could then try to make the attack persistent in a way that it survives a reboot. Or the permissions could be used to spy and/or manipulate on the system and other installed/running apps.

Robert
  • 20,025
  • 6
  • 47
  • 66
  • Thanks for the response, sort of off topic, but would it be possible for a exploit to activate and execute it's payload with no user interaction? I constantly reboot my device so persistent infection isn't a problem – Maddox Jul 28 '23 at 12:11
  • 2
    @Maddox That depends on the attacked app/system component and the used exploit (or more often the combination of exploits that are used). In history there were attacks that were triggered by the reception of a MMS or a message in a messenger. And even if you reboot your phone with elevated privileges you could simply install an app start starts after boot and re-executes the exploit. – Robert Jul 28 '23 at 12:29
  • Yeah, I heard about those MMS attacks through WhatsApp and messenger, they're nasty and certain scary. But I don't think I'll see that in the wild, and since asking the question, I've come to the conclusion that there are 0 root apps – Maddox Jul 28 '23 at 12:39
  • Related to your comment "One-click" root apps don't work anymore. Why not? – beeshyams Jul 28 '23 at 12:43