In this post I will be comparing root detection features on 24 UK mobile banking apps using the latest version of Magisk (v24.3) on a Google Pixel 3a. You can head straight to the comparison tables if you want to see the results.

Test Device

The device used was a Google Pixel 3a running Android 10. It had been rooted using the latest version of Magisk, which was v24.3 at the time of writing. I had also installed the latest versions of three Magisk modules: MagiskFrida, Move Certificates, and Universal SafetyNet Fix. All of them were enabled during testing.

Methodology

The test itself is fairly basic. Every app was downloaded directly from the Google Play Store and not from a third-party or mirroring site. The app versions were the latest available as of 15th March 2022. I ran each app in three different Magisk configurations:

  • Default Magisk config
  • Attempt to hide Magisk by renaming the Magisk app (its "Hide the Magisk app" option)
  • Renaming the app and also enabling Zygisk with the DenyList enforced, with the banking app under test added to the DenyList

I also made sure to clear each app's cached files and storage before running it under a different configuration (Settings > Apps > Storage, or adb shell pm clear <package>), so a result cached from an earlier launch could not carry over.

Configuration

In the Magisk app go to Settings and scroll down: use "Hide the Magisk app" to rename it, turn on "Zygisk", turn on "Enforce DenyList", then open "Configure DenyList" and tick the banking app. Zygisk only takes effect after a reboot, so reboot before testing the third configuration. Note what each step hides: renaming only changes the manager's package name, while the DenyList unmounts Magisk's modifications (and hides Zygisk) for the selected process only.

Frida

I also included a check on whether an instance of Frida is detected. Frida is a dynamic instrumentation toolkit used for reverse engineering software: it injects a JavaScript runtime into a running process so that functions can be hooked and their behaviour changed, which makes it a common way of bypassing certain security restrictions such as certificate pinning.

frida -U -l hook.js -f com.bank.name --no-pause

I used the above command to spawn each app while supplying a hook.js script that tries to bypass certificate pinning (-U selects the USB device and -f spawns the package fresh, so the hooks are in place before the app's own startup checks run). If the app crashes or stops responding, I assumed Frida's process injection was being detected. This is a heuristic rather than proof: a bad hook in the script can crash an app just as well, so re-running the spawn with an empty script is a quick way to rule that out before attributing the crash to detection.
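The post does not show the hook.js it spawns each app with. The script below is an added example written for this post, not the author's script or any bank's code. It does the pinning bypass the command is used for and, in addition, logs the root and Frida probes an app makes through the Java API, which is a quick way to see whether a given app is looking for the Magisk package (hidden by renaming) or for files and commands (hidden by the DenyList). Assumptions: stock Android 10 conscrypt class names, an OkHttp3 pinner if the app bundles OkHttp, the indicator regexes (generic, not taken from any app in the tables), and that the interesting checks go through the Java API rather than native code.

```javascript
// hook.js (added example): a Frida script for the spawn command above.
// (a) disables the two most common certificate-pinning paths, and
// (b) logs the root/Frida probes an app makes through the Java API, so the
// console shows *what* was checked before the app exits.
// Assumptions: class names are stock Android 10 / OkHttp3; the indicator
// patterns below are generic, not taken from any app in the tables.

// --- portable part (plain JS, also runs under node) -----------------------
const RULES = [
  ['magisk', /magisk/i],                            // paths, mounts, package name
  ['su',     /(^|\/|\s)su$|superuser|supersu/i],    // su binaries, "which su"
  ['frida',  /frida|gum-js-loop|linjector|27042/i], // agent, thread names, port
];

// Tag one observed value (a path, a command line, a package name), or null.
function classifyProbe(value) {
  const v = String(value);
  for (const [tag, re] of RULES) {
    if (re.test(v)) return tag;
  }
  return null;
}

const probes = [];
// Record a probe if it looks root-/Frida-related; returns its tag (or null).
function recordProbe(source, value) {
  const tag = classifyProbe(value);
  if (tag) {
    probes.push({ source, value: String(value), tag });
    console.log('[probe] ' + source + ' ' + tag + ': ' + value);
  }
  return tag;
}

// Count recorded probes per tag, e.g. { su: 3, magisk: 1 }.
function summary(list = probes) {
  const out = {};
  for (const p of list) out[p.tag] = (out[p.tag] || 0) + 1;
  return out;
}

// --- Frida part: only runs inside the target process ---------------------
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // (a) pinning bypass. Platform TrustManager: hand back the peer's chain
    // as if it had been validated against the pinned anchors.
    const TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    TrustManagerImpl.verifyChain.implementation = function (
        untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
      console.log('[pin] TrustManagerImpl.verifyChain bypassed for ' + host);
      return untrustedChain;
    };
    // OkHttp3 CertificatePinner, if the app bundles OkHttp: make check() a no-op.
    try {
      const CertificatePinner = Java.use('okhttp3.CertificatePinner');
      CertificatePinner.check.overload('java.lang.String', 'java.util.List')
        .implementation = function (host, peerCertificates) {
          console.log('[pin] okhttp3.CertificatePinner.check bypassed for ' + host);
        };
    } catch (e) {
      console.log('[pin] okhttp3.CertificatePinner not loaded: ' + e.message);
    }

    // (b) probe logging. File.exists() covers su/Magisk path checks, which the
    // DenyList defeats by unmounting; getPackageInfo() covers the Magisk-app
    // lookup that renaming defeats; Runtime.exec() covers "which su" style checks.
    const File = Java.use('java.io.File');
    File.exists.implementation = function () {
      recordProbe('File.exists', this.getPath());
      return this.exists();
    };
    const Runtime = Java.use('java.lang.Runtime');
    const execStr = Runtime.exec.overload('java.lang.String');
    execStr.implementation = function (cmd) {
      recordProbe('Runtime.exec', cmd);
      return execStr.call(this, cmd);
    };
    const PM = Java.use('android.app.ApplicationPackageManager');
    const getPkg = PM.getPackageInfo.overload('java.lang.String', 'int');
    getPkg.implementation = function (name, flags) {
      recordProbe('PackageManager.getPackageInfo', name);
      return getPkg.call(this, name, flags);
    };
    // Native checks (stat() on /proc/self/maps, connect() to port 27042) are
    // not visible here; those need Interceptor.attach on libc, not Java.use.
    setTimeout(function () {
      console.log('[probe] summary after 10 s: ' + JSON.stringify(summary()));
    }, 10000);
  });
}
```

Save it as hook.js and run the frida command above. A crash with no [probe] lines before it usually means either a native-level check or a hook that broke something, both worth ruling out before writing "yes" in the Frida column.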

Bank comparisons

All testing was conducted on 15th March 2022 with the latest available app versions.

Top UK Banks

A no means root or Frida is not detected: no visual indications like warnings or app crashes. The app runs as normal and I can get to the log-in menu without issues. Note: it's possible that passive detection features do exist but don't limit usability.

A yes means root or Frida is detected: a warning message may be displayed and/or the app stops working entirely and fails to launch properly. Entries marked with an asterisk (yes*) are explained in the notes beneath each table.

| # | Bank | Version | Magisk (default) | Magisk (rename) | Magisk (denylist) | Frida (inject) |
|---|------|---------|------------------|-----------------|-------------------|----------------|
| 1 | Barclays | 2.55.0 | yes | yes | no | yes |
| 2 | HSBC | 3.17.1 | yes* | yes* | yes* | yes |
| 3 | NatWest | 07.15.0001.36.0 | no | no | no | no |
| 4 | RBS | 07.15.0001.36.0 | no | no | no | no |
| 5 | Lloyds | 85.01 | no | no | no | yes |
| 6 | Santander | 4.19.1 (12) | yes | yes | yes | yes |
| 7 | Nationwide | 21.0.1 | no | no | no | no |
| 8 | TSB | 6.2.3 | yes | yes | no | no |
| 9 | Halifax | 85.01 | no | no | no | yes |

Notes:

  • Barclays gives a warning message and exits. Injecting with Frida crashes the app.
  • HSBC gives a warning but doesn't exit. Injecting with Frida crashes the app.
  • Lloyds hangs when injecting with Frida and does not open the app.
  • Santander gives a warning and exits. Injecting with Frida hangs the app.
  • Halifax crashes when injecting with Frida.

Other Banks

| # | Bank | Version | Magisk (default) | Magisk (rename) | Magisk (denylist) | Frida (inject) |
|---|------|---------|------------------|-----------------|-------------------|----------------|
| 1 | Amex | 6.51.0 | no | no | no | no |
| 2 | Capital One | 8.56.8149 | no | no | no | no |
| 3 | Chase | 1.9.0 | no | no | no | yes |
| 4 | Clydesdale | 22.2.181 | no | no | no | no |
| 5 | Co-op | 20211001 | yes | yes | no | no |
| 6 | First Direct | 4.13.0 | yes* | yes* | yes* | no |
| 7 | M&S | 4.18.0 | yes | yes | yes | yes |
| 8 | Tesco | 4.12.0 | no | no | no | yes |
| 9 | Triodos | 3.30.0 | no | no | no | no |
| 10 | Monzo | 4.22.1 | no | no | no | no |
| 11 | Virgin Money | 22.2.181 | no | no | no | no |
| 12 | Starling | 2.40.0.62912 | yes | yes | no | no |
| 13 | Sainsbury's | 2.8.0 | yes | yes | yes | no |
| 14 | Metro | 9.10.1 | yes | yes | no | no |
| 15 | MBNA | 85.01 | no | no | no | yes |

Notes:

  • Chase hangs when injecting with Frida.
  • TSB exits without a warning.
  • M&S Bank crashes every time, including when injecting with Frida.
  • First Direct gives a warning but allows you to use the app.
  • Starling gives a warning and exits.
  • Metro gives a warning and exits.
  • Sainsbury's gives a warning but allows you to use the app.
  • Tesco Bank crashes when injecting with Frida.
  • Co-op gives a warning then exits.

Resources