RootApkDetector

Tamper detector that identifies device rooting by checking for root management APK files.

This detector works by searching for APK files of popular root management applications that are commonly installed in the system partition on rooted devices. Unlike package-based detection that checks installed applications, this detector looks for the actual APK files in system directories where they are typically placed by rooting tools.

The detector checks for APK files of well-known root management applications:

  • Superuser.apk - One of the original Android root management apps

  • SuperSU.apk - Popular root access management application by Chainfire

  • magisk.apk - Modern systemless root solution by topjohnwu

These APK files are typically installed to the /system/app/ directory during the rooting process and remain there even if the applications are hidden from the launcher or from package manager queries. This makes file-based detection more reliable than package-based detection in some scenarios.

The detection is performed by checking file existence in the filesystem, which:

  • Can detect root apps even if they're hidden from the package manager

  • Works regardless of whether the apps are currently active

  • Is difficult to bypass without modifying the filesystem directly

  • Provides evidence of past rooting attempts even if tools were removed

The scoring system returns a Double value:

  • 1.0 indicates at least one root APK file was found (high confidence of tampering)

  • 0.0 indicates no root APK files were found

Example usage:

val detector = RootApkDetector()
val isTampered = detector.isTampered(context)

// Or in analyze DSL:
val isTampered = analyze {
    detector {
        add(RootApkDetector())
    }
}
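
A stand-alone sketch of the file-existence check and 1.0/0.0 scoring described above, added here as an illustration and not the library's own implementation. `scanForRootApks`, `RootApkScan` and the injectable `appDir` parameter are hypothetical names, chosen so the check can be exercised against a temporary directory off-device.

```kotlin
import java.io.File
import java.nio.file.Files

// Added sketch, not the library's code. All names here are hypothetical;
// the APK file names and /system/app/ come from the description above.
val ROOT_APK_NAMES = listOf("Superuser.apk", "SuperSU.apk", "magisk.apk")

data class RootApkScan(val score: Double, val found: List<File>)

fun scanForRootApks(appDir: File = File("/system/app/")): RootApkScan {
    val found = ROOT_APK_NAMES
        .map { File(appDir, it) }
        .filter { candidate ->
            try {
                // isFile rejects a directory that merely shares the name.
                candidate.isFile
            } catch (e: SecurityException) {
                // An unreadable path is not evidence of root: count as absent.
                false
            }
        }
    // Same contract as the scoring list: 1.0 on any hit, otherwise 0.0.
    return RootApkScan(if (found.isNotEmpty()) 1.0 else 0.0, found)
}

fun main() {
    // Constructed sample: a temp directory stands in for /system/app/.
    val fakeSystemApp = Files.createTempDirectory("system-app").toFile()
    try {
        // An unrelated APK must not change the score.
        File(fakeSystemApp, "Calculator.apk").writeText("constructed sample")
        val clean = scanForRootApks(fakeSystemApp)
        println("score=${clean.score} found=${clean.found.map { it.name }}")

        // Dropping in one listed file name is enough to flip the result.
        File(fakeSystemApp, "magisk.apk").writeText("constructed sample")
        val hit = scanForRootApks(fakeSystemApp)
        println("score=${hit.score} found=${hit.found.map { it.name }}")
    } finally {
        fakeSystemApp.deleteRecursively()
    }
}
```

Returning the matched paths alongside the score lets a caller log which file triggered the result.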


Properties

open override var logger: Logger

Logger instance for logging detector operations and results.

Functions

open suspend override fun analyze(context: Context): Double

Determines if the device has been tampered with by checking for root management APK files.