I’m mainly talking about root, though I’m pretty sure some damage is possible by being a device administrator; however, that will no doubt be logged, and apps can detect that.
As a malware developer I will actively search (and find) a workaround which will have the time to do plenty of damage before they figure it out (if they ever do so) and block it. That stupid restriction of theirs is doing more to hurt legitimate usage (power users with rooted devices) than malicious use.
Presumably their root detection looks at user space tools like sudo/su and leftovers from consumer-grade root programs… what if the malware uses its own rooting method (instead of using an off the shelf one) and only leaves the bare minimum for the malware to function (simply embedding itself into an important shared library or even the kernel itself)? I’m willing to bet a compromised kernel will bypass any and all “root detection” methods.
Just looked at that post, and it seems like I’m right:
Barclays app uses a native library to detect root by sending a request to escalate to root (triggering SuperSU, etc.) and seeing the response, and by looking in the filesystem for /system/xbin/su and its variants.
This wouldn’t prevent any custom malware that uses a root exploit to install itself without installing the su & sudo binaries. It’s just a joke really: this harms legitimate usage, but any malware developer worth their salt can bypass it in 5 minutes.