Android: Get Root Access to Android Emulators without Rooting or Jailbreaking

Ba Yin Min
3 min readDec 15, 2024

tl;dr — Use android emulator images without Google Play Store icon from the Device Manager in the Android studio.

Overview

When it comes to mobile application pentesting, rooted devices are handy, but it is hard to maintain multiple physical rooted devices or phones. So android emulators are the go-to as alternatives. There are many tutorials of how to root android emulators. However, I came across a way to get root access to the emulator without actually needing to go through the rooting myself. I am not sure you are getting a true rooted device in this way but I can run adb as root and manipulate and look through files in protected directories, so it works for me during the pentest.

You can do this without installing the whole Android studio but it is easier through the Android Studio. The key is to install a version of a virtual android device that does not include Play Store APIs. This approach was tested and worked well in Android API 33 and 35 which are quite close to the latest Android version in the market.

The full steps:

  • Install Android Studio and Create any desired device without Play Store APIs with any Android OS APIs
  • Try to run the virtual device with emulator.exe as writable system
  • Use adb tools to verify root access
  • Make sure writable access is achieved (optional step)

The Demonstration

Install Android Studio and Create any desired device without Play Store APIs with any Android OS APIs

You can choose any type of phone, just make sure you choose the one without the Play Store icon
Pick any desired API level, I chose API level 33 for this test

Try to run the virtual device with emulator.exe as writable system

Launching the emulator through the command prompt is not mandatory, you can just launch the Android image that you created any way you desired. But I chose to use the following command to launch with writable access to the phone.

Assuming your emulator.exe is already set in the Environmental Variables:

emulator -avd <image name> -writable-system

The emulator.exe is typically in the emulator folder under the sdk folder in the Windows OS if you had installed Android Studio:

C:\Users\<username>\AppData\Local\Android\Sdk\emulator\emulator.exe -avd <image name> -writable-system
Opening the desired device with writable access enabled

Use adb tools to verify root access

The adb.exe is typically in the emulator folder under the sdk folder in the Windows OS if you had installed Android Studio:

C:\Users\<username>\AppData\Local\Android\Sdk\platform-tools\adb.exe

Enabling root access:


// enabling root access
adb root

// making the system on the emulator wriable
adb remount

//logging into the emulator
adb shell

//Verifying what user name you're logged in to the emulator as
whoami
Running as root (red arrow), remounted the system to be writable (green arrow) and confirm that your user is root (blue arrow)

At the very first time, when you do an adb remount, the system may ask you to reboot. So just reboot using the following commands. Then verify again as the steps above.

// rebooting
adb shell
reboot

//redo the steps when emulator is up
adb root
adb remount
adb shell
whoami
If you can list or ls the /data/data/ or /data/app/ folders also means you have root access.

Make sure writable access is achieved (optional step)

While we are in shell access to the Android emulator phone, verify that you have write access. system/etc/security/cacerts is one of the write protected folders. I tried creating a test file with touch command.

Confirmed that the test file is created implying wirable access

So this is it. You now have an emulator with root access with very minimum effort.

Thanks for reading.

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Ba Yin Min
Ba Yin Min

Written by Ba Yin Min

Pentester. Application & Cyber Security enthusiast. Insatiable learner.

No responses yet

What are your thoughts?