Thanks to Jagadeesh Chandraiah of SophosLabs for his help with this article.
Facebook popped up in a slew of new cybersecurity conspiracy theories over the weekend.
Apparently, the company’s Android app suddenly started grabbing superuser rights – also known as “root access” in the Linux world. (Android is based on the Linux operating system.)
Apps with root access can pretty much do anything, rather like users with Administrator powers on Windows.
Notably, root-level apps can fiddle with protected system settings, spy on other apps as they run, peek at data from other apps, and more.
The obvious questions were: HOW was Facebook able to get root in the first place, WHY did it need root anyway, WHAT on earth has it been doing with this unwarranted privilege, and WHAT possible excuse will it come up with this time?
Those are all dramatic questions when asked LOUDLY with capital letters, but the answers, fortunately, seem to be fairly mundane, and nowhere near as scary as you might at first think.
Simply put, apps can’t get superuser power on Android just because they want it.
Generally speaking, you have to root your Android device first, which requires physical access to the device in order to install modified versions of the phone firmware. (Firmware refers the operating system images that load when you turn on the device.)
Why root a device? In a paper at the CARO 2017 conference, SophosLabs researcher Jagadeesh Chandriah lists four common reasons: to customise the look and feel of the phone’s interface; to remove unwanted preinstalled apps (what’s often called as bloatware); to install otherwise unspported apps such as firewalls and network tethering tools; or simply for research purposes.
After rooting their devices, most phone rooters then install a superuser management tool that pops up when apps try to acquire superuser powers, and asks for approval.
Popular superuser access control tools include
SuperSU, originally created by an Android researcher who goes by the name Chainfire (this one is mainstream enough to be available from Google Play) and
Here’s the Magisk tool popping up on a rooted device to warn about Facebook’s bid to get superuser powers:
Nikolaos Chrysaidos (@virqdroid) May 18, 2018
If you haven’t rooted your device, you won’t have a superuser access control tool, so you’ll never see a warning dialog like the above – but on an unrooted device, there won’t be any root-level activity to warn you about anyway.
The app will therefore work and behave as usual on unrooted devices.
On rooted phones, the app seems to behave the same whether you chose to deny or grant root privileges.
In other words, the superuser warning only appears if you’ve already set up your phone to permit superuser access with suitable consent, and the app won’t cause any harm even if you do grant it root powers.
Facebook’s app doesn’t try to use any tricks or vulnerabilities to get root on an unpatched phone (and therefore can’t do so without your consent), making the question of “How?” essentially redundant.
What about “Why?”
However, even without a conspiracy theory for “How?”, there isn’t an obvious answer for “Why?”
Was this another Facebook privacy overreach that somehow escaped from the laboratory and got found out?
Was it an attempt to detect and ban users with rooted Android devices from accessing Facebook at all?
Or was it just a new feature that attempted root detection (many apps, including Sophos Mobile Security, do this for security and safety reasons), and, while doing so, triggered a “get root” warning, too?
Android researcher Nikolaos Chrysaidos (@virqdroid) suggested on Twitter that the most likely culprit might be a service called WhiteOps that Facebook apparently integrated recently to help it look out for dodgy postings connected with fake news sites:
Along with other various checks. Facebook is probably integrating WhiteOps SDK and they forgot to re-implement the… twitter.com/i/web/status/9…—
Nikolaos Chrysaidos (@virqdroid) May 18, 2018
Perhaps various unneeded security features in the WhiteOps toolkit, or some other newly included module in the Facebook app, caused the unexpected warning?
Judging by Facebook’s response, that sounds likely:
A coding error in one of our anti-fraud systems caused a small number of people […] to see a request for additional access permissions. We do not need or want these permissions, and we have already fixed this issue. We apologize for any confusion.
What do do?
Make sure your Facebook app is up-to-date.
As we mentioned above, Facebook already reissued the “root grabbing” flavour of the app, so an update will sidestep this issue entirely.
To check your apps, open
Google Play, tap the hamburger button (the three horizontal lines at top left) to open the menu and choose
My apps & games.