Detecting device hacks (root)
Kaspersky Security for Mobile enables you to detect device hacks (root). System files are unprotected on a hacked device, and therefore can be modified. Moreover, third-party apps from unknown sources could be installed on hacked devices. Upon detection of a hack attempt, we recommend that you immediately restore normal operation of the device.
To detect when a user obtains root privileges, Kaspersky Endpoint Security for Android uses the following services:
- Embedded service of Kaspersky Endpoint Security for Android is a Kaspersky service that checks whether a mobile device user has obtained root privileges (Kaspersky Mobile Security SDK).
- SafetyNet Attestation is a Google service that checks the integrity of the operating system, analyzes the device hardware and software, and identifies other security issues. For more details about SafetyNet Attestation, visit the Android Technical Support website.
If the device is hacked, you receive a notification. You can view hacking notifications in the workspace of the Administration Server on the Monitoring tab. You can also disable notifications about hacks in the event notification settings.
On devices running Android, you can impose restrictions on the user's activity on the device if the device is hacked (for example, lock the device). You can impose restrictions by using the Compliance Control component (see the figure below). To do this, in the scan rule settings, select the Device has been rooted criterion.
