RootCloakingAppDetector
Pre-configured tamper detector that identifies device compromise by checking for root cloaking applications.
This detector extends PackageDetector and specifically looks for installed packages of applications designed to hide or cloak root access from other applications. The presence of these applications is often a strong indicator that the device has been rooted, as they serve no purpose on unrooted devices.
Root cloaking applications work by:
- Intercepting system calls that would reveal root access
- Hiding root binaries and files from detection
- Spoofing system properties to appear unrooted
- Blocking or modifying responses from root detection methods
- Using framework hooks (like Xposed) to manipulate app behavior
The detector checks for the following categories of cloaking applications:
Direct Root Cloaking Tools:
- RootCloak (com.devadvance.rootcloak) - Popular root hiding application
- RootCloak Plus (com.devadvance.rootcloakplus) - Enhanced version with more features
- Hide My Root (com.amphoras.hidemyroot) - Root concealment tool
- Hide My Root Ad-Free (com.amphoras.hidemyrootadfree) - Premium ad-free version
- Hide Root Premium (com.formyhm.hiderootPremium) - Commercial root hiding solution
- Hide Root (com.formyhm.hideroot) - Basic root hiding functionality
Framework-Based Cloaking:
- Xposed Installer (de.robv.android.xposed.installer) - Framework for system modifications
- Substrate (com.saurik.substrate) - Runtime manipulation framework
Temporary Root Management:
- Temp Root Remove (com.zachspong.temprootremovejb) - Temporary root access removal
The presence of any of these applications suggests sophisticated attempts to hide device tampering, which ironically makes them strong indicators of compromise.
Example usage:
val detector = RootCloakingAppDetector()
val isTampered = detector.isTampered(context)

// Or in analyze DSL:
val isTampered = analyze {
    detector {
        add(RootCloakingAppDetector())
    }
}
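
The package lookup that a check like this rests on, written out as an added example (not the library's own implementation). The package names and categories are taken from the list above; `CLOAKING_PACKAGES`, `findCloakingApps`, `isPackageInstalled` and `reportCloakingApps` are hypothetical names.

```kotlin
import android.content.Context
import android.content.pm.PackageManager

// Package names copied from the list on this page, grouped by its categories.
val CLOAKING_PACKAGES: Map<String, List<String>> = mapOf(
    "Direct Root Cloaking Tools" to listOf(
        "com.devadvance.rootcloak",
        "com.devadvance.rootcloakplus",
        "com.amphoras.hidemyroot",
        "com.amphoras.hidemyrootadfree",
        "com.formyhm.hiderootPremium",
        "com.formyhm.hideroot",
    ),
    "Framework-Based Cloaking" to listOf(
        "de.robv.android.xposed.installer",
        "com.saurik.substrate",
    ),
    "Temporary Root Management" to listOf(
        "com.zachspong.temprootremovejb",
    ),
)

// Hypothetical helper: returns category -> listed packages that are installed.
// The lookup is injected so the matching logic can be unit-tested off-device.
fun findCloakingApps(isInstalled: (String) -> Boolean): Map<String, List<String>> =
    CLOAKING_PACKAGES
        .mapValues { (_, pkgs) -> pkgs.filter(isInstalled) }
        .filterValues { it.isNotEmpty() }

// Android binding. On Android 11+ (API 30) package visibility filtering applies:
// each package must be declared in a <queries> element in the manifest, otherwise
// getPackageInfo throws NameNotFoundException even when the app is installed.
fun Context.isPackageInstalled(name: String): Boolean =
    try {
        packageManager.getPackageInfo(name, 0)
        true
    } catch (e: PackageManager.NameNotFoundException) {
        false
    }

// Per-category hits for logging or telemetry; an empty map means no listed package was visible.
fun reportCloakingApps(context: Context): Map<String, List<String>> =
    findCloakingApps(context::isPackageInstalled)
```

An empty result only means none of these nine package names is visible to the calling app, so it is best combined with other tamper signals.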