Cybersecurity researchers have uncovered a critical flaw in KernelSU version 0.5.7 that could allow malicious Android applications to impersonate the manager app and obtain root access.
According to analysts from Zimperium zLabs, the vulnerability exposes persistent weaknesses in rooting and jailbreaking frameworks, which are often developed by independent teams without formal security audits. The research, published on August 14, 2025, demonstrates how attackers could exploit authentication design flaws to bypass security protections.
How the Vulnerability Works
KernelSU, along with other rooting tools like APatch and SKRoot, typically gains root access by patching the Android kernel and hooking key functions to execute arbitrary code. While this approach enables advanced management features, it also introduces significant security risks.
Rooting frameworks generally rely on two types of authentication:
- Password-based authentication, which can be weak or improperly validated, as seen in APatch and SKRoot.
- Package-based authentication, where the kernel trusts a specific manager app’s package name or signature, as implemented in KernelSU.
In KernelSU, the package-based check walked the calling process's file descriptor table, took the first APK file it found, and verified that file's signature against the manager's. Nothing tied the file being inspected to the app actually making the request, so an attacker could arrange its own descriptor table (for example by opening the legitimate manager's APK before anything else) so that the first match was a file carrying a valid manager signature, and the kernel then treated the attacker's process as the manager. For the exploit to succeed, the attacker's app had to run before the legitimate manager app, for instance immediately after a device reboot, which an app can automate with the RECEIVE_BOOT_COMPLETED permission. Despite this timing constraint, Zimperium assessed the attack as feasible under real-world conditions.
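The following user-space C model is an added example written for this article; it is not KernelSU code and does not reproduce the project's fix. It models a process's open-file table as a small array and contrasts two ways of deciding whether the caller is the manager: the first-APK-found pattern the article describes, and an illustrative alternative that resolves the caller's package from its uid instead of from whatever files it has open. The paths, uids, certificate digests and the `/data/app/.../base.apk` matching rule are all constructed for the example; the boot-time ordering constraint is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a process's open-file table. cert_digest stands for
 * the signing-certificate digest the kernel would extract from that APK.
 * All paths and digests are invented for this example. */
struct fd_entry {
    int fd;
    const char *path;
    const char *cert_digest;   /* NULL for non-APK files */
};

struct task {
    unsigned uid;
    const struct fd_entry *fds;
    size_t nfds;
};

/* Digest the kernel expects the manager APK to be signed with (hypothetical). */
#define MANAGER_CERT "sha256:manager-signing-cert"

/* Base APK of an installed app, assumed here to look like /data/app/<...>/base.apk */
static bool is_base_apk(const char *p)
{
    const char *prefix = "/data/app/", *suffix = "/base.apk";
    size_t n = strlen(p), m = strlen(suffix);
    return strncmp(p, prefix, strlen(prefix)) == 0 && n > m &&
           strcmp(p + n - m, suffix) == 0;
}

/* Vulnerable pattern described in the article: scan the caller's fd table,
 * take the FIRST base.apk found and verify that file's signature. Nothing
 * ties the chosen file to the process that is asking. */
bool is_manager_vulnerable(const struct task *t)
{
    for (size_t i = 0; i < t->nfds; i++)
        if (is_base_apk(t->fds[i].path))
            return t->fds[i].cert_digest &&
                   strcmp(t->fds[i].cert_digest, MANAGER_CERT) == 0;
    return false;
}

/* Illustrative hardening (not KernelSU's actual fix): derive the caller's
 * identity from its uid via an installed-package table and verify the APK
 * that belongs to that uid, ignoring whatever files the caller has open. */
struct installed_pkg { unsigned uid; const char *apk_path; const char *cert_digest; };

bool is_manager_hardened(const struct task *t,
                         const struct installed_pkg *pkgs, size_t npkgs)
{
    for (size_t i = 0; i < npkgs; i++)
        if (pkgs[i].uid == t->uid)
            return strcmp(pkgs[i].cert_digest, MANAGER_CERT) == 0;
    return false;
}

/* --- Constructed scenario --------------------------------------------- */
static const struct installed_pkg pkgs[] = {
    { 10050, "/data/app/com.example.manager-1/base.apk", MANAGER_CERT },
    { 10123, "/data/app/com.example.evil-1/base.apk",    "sha256:attacker-cert" },
};

/* The attacker's process opened the manager's APK so that it sits at a
 * lower fd than its own base.apk and is therefore the first match. */
static const struct fd_entry attacker_fds[] = {
    { 0, "/dev/null", NULL },
    { 3, "/data/app/com.example.manager-1/base.apk", MANAGER_CERT },
    { 4, "/data/app/com.example.evil-1/base.apk",    "sha256:attacker-cert" },
};
static const struct task attacker = { 10123, attacker_fds, 3 };

static const struct fd_entry manager_fds[] = {
    { 0, "/dev/null", NULL },
    { 3, "/data/app/com.example.manager-1/base.apk", MANAGER_CERT },
};
static const struct task manager = { 10050, manager_fds, 2 };

bool attacker_passes_vulnerable_check(void) { return is_manager_vulnerable(&attacker); }
bool attacker_passes_hardened_check(void)   { return is_manager_hardened(&attacker, pkgs, 2); }
bool manager_passes_hardened_check(void)    { return is_manager_hardened(&manager, pkgs, 2); }

int main(void)
{
    printf("vulnerable check accepts attacker: %d\n", attacker_passes_vulnerable_check()); /* 1 */
    printf("hardened check accepts attacker:   %d\n", attacker_passes_hardened_check());   /* 0 */
    printf("hardened check accepts manager:    %d\n", manager_passes_hardened_check());    /* 1 */
    return 0;
}
```

The point the model makes is that the vulnerable check authenticates a file, not a caller: any process able to open a correctly signed APK can satisfy it. The hardened variant starts from an attribute the caller cannot choose (its uid) and only then looks up which APK to verify, so the attacker's open descriptors play no role in the decision.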
Wider Implications
Zimperium noted that similar vulnerabilities are common across rooting frameworks, often due to:
- Weak or missing authentication between user apps and kernel modules
- Excessive reliance on unvalidated user-space inputs
- Insecure communication channels
- Poor privilege separation between apps and root-level functions
Past examples include an APatch flaw that allowed arbitrary apps to perform privileged operations and Magisk’s CVE-2024-48336, which let local apps impersonate Google Mobile Services to gain root silently.
The researchers concluded that nearly all rooting frameworks experience critical vulnerabilities at some point, largely because modifying kernel behavior from user space is inherently complex and most frameworks lack structured security assessments.
Source: https://www.infosecurity-magazine.com/news/kernelsu-flaw-android-apps-root