BusyBoxProgramFileDetector

Pre-configured tamper detector that identifies device rooting by checking for the BusyBox program file.

This detector extends FileDetector and specifically looks for the presence of the busybox binary in the device filesystem. BusyBox is a comprehensive Unix utilities package that combines many common POSIX utilities into a single executable, making it a popular choice for rooted Android devices and custom firmware.

What is BusyBox:

• A collection of Unix utilities in a single binary

• Provides commands like ls, cp, mv, grep, awk, sed, and many others

• Significantly smaller than having separate binaries for each utility

• Commonly included in custom ROMs, rooting tools, and embedded systems

• Often referred to as "The Swiss Army Knife of Embedded Linux"

Why BusyBox indicates tampering:

• Stock Android devices do not include BusyBox by default

• BusyBox is typically installed as part of rooting procedures

• Custom ROMs and firmware often include BusyBox for enhanced functionality

• Rooting tools frequently install BusyBox to provide additional command-line utilities

• Its presence suggests system-level modifications have been made

Detection methodology: The detector searches for the busybox binary across all known system paths including:

• Standard system directories (/system/bin/, /system/xbin/)

• Root-specific locations (/su/bin/, /data/local/bin/)

• All paths from the system PATH environment variable

• Custom installation directories used by rooting tools

This detector provides reliable tamper detection as BusyBox is commonly installed on rooted devices but absent from stock Android installations.

Example usage:

val detector = BusyBoxProgramFileDetector()
val isTampered = detector.isTampered(context)

// Or in analyze DSL:
val isTampered = analyze {
    detector {
        add(BusyBoxProgramFileDetector())
    }
}

See also