From Anime Game to Android System Security Vulnerability

Table of Contents

TL;DR

Fate/Grand Order

Experiments

Analysis

  1. The effectiveness of process monitoring (FGO spawns processes that are not handled by Magisk)
  2. MagiskHide is simply too slow (FGO detects root before MagiskHide has a chance to hijack the process)

Digging Deeper

com.cih.game_cih
com.hexview.android.memspector
cn.mm.gk
pl.Nyki.Dax
catch_.me_.if_.you_.can_
com.sbgamehacker
jp.kbc.ma34.devicefaker
com.saurik.substrate
de.robv.android.xposed.installer
com.felixheller.sharedprefseditor
cn.mc.sq
cn.mc1.sq
com.cih.game_cih
pl.aqua.gameguardian
org.sbtools.gamehack
com.hexview.android.memspector
mr.big.stuff
cat.dcat.roothide
de.robv.android.xposed.installer
com.saurik.substrate
com.topjohnwu.magisk
com.loserskater.suhidegui
eu.chainfire.suhide
eu.chainfire.supersu
eu.chainfire.supersu.pro
com.noshufou.android.su
com.koushikdutta.superuser
me.phh.superuser
/system/app/superuser.apk
/system/app/Superuser.apk
/system/app/SuperUser.apk
/system/app/SUPERUSER.apk
/su/suhide
A snippet of the strace output
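The strace snippet above is a list of package names and su-related paths that FGO probes on the filesystem. The following is an added example, not code from the article or from the Magisk project: a small parser that walks strace -f output of the kind shown, pulls out the file-probing syscalls (access, stat, openat and similar), and flags any probe whose target matches the indicator list quoted on the page. The indicator sets are copied from the snippet; the SAMPLE_TRACE lines are constructed for illustration and are not from the article, and the /data/app and /data/data path shapes are assumed as the usual places an app would look for another package's files.

```python
import re

# Indicator packages and paths, taken from the strace snippet quoted on the page
# (a representative subset; extend INDICATOR_PACKAGES with the rest of the list as needed).
INDICATOR_PACKAGES = {
    "com.topjohnwu.magisk", "eu.chainfire.supersu", "eu.chainfire.supersu.pro",
    "eu.chainfire.suhide", "com.loserskater.suhidegui", "cat.dcat.roothide",
    "de.robv.android.xposed.installer", "com.saurik.substrate",
    "com.noshufou.android.su", "com.koushikdutta.superuser", "me.phh.superuser",
    "pl.aqua.gameguardian", "org.sbtools.gamehack", "com.cih.game_cih",
    "com.hexview.android.memspector", "jp.kbc.ma34.devicefaker",
}
INDICATOR_PATHS = {
    "/system/app/superuser.apk", "/system/app/Superuser.apk",
    "/system/app/SuperUser.apk", "/system/app/SUPERUSER.apk", "/su/suhide",
}

# One strace line: optional "[pid N]" prefix (strace -f), the syscall name, an optional
# AT_FDCWD first argument, the probed path as the first quoted string, and the return value.
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<syscall>\w+)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]*)"[^)]*\)\s*=\s*(?P<ret>-?\d+)'
)
# Assumed shape of a per-package path: /data/data/<pkg>, /data/app/<pkg>-N/..., /data/user/0/<pkg>
PKG_RE = re.compile(r'^/data/(?:data|app|user/\d+)/(?P<pkg>[A-Za-z_]\w*(?:\.\w+)+)')


def parse_line(line):
    """Return {pid, syscall, path, ret} for a path-probing syscall line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "syscall": m.group("syscall"),
        "path": m.group("path"),
        "ret": int(m.group("ret")),
    }


def classify_probe(path):
    """Map a probed path to ("path", p) or ("package", pkg) if it is a known indicator."""
    if path in INDICATOR_PATHS:
        return ("path", path)
    m = PKG_RE.match(path)
    if m and m.group("pkg") in INDICATOR_PACKAGES:
        return ("package", m.group("pkg"))
    return None


def find_root_probes(trace_text):
    """All indicator probes in a trace; 'found' is True when the probe succeeded (ret >= 0)."""
    probes = []
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify_probe(rec["path"])
        if hit is not None:
            kind, indicator = hit
            probes.append({**rec, "kind": kind, "indicator": indicator,
                           "found": rec["ret"] >= 0})
    return probes


# Constructed sample trace (not from the article): one process probing several indicators,
# one innocent path, one unrelated write() and one indicator that is actually present.
SAMPLE_TRACE = """\
[pid  2665] access("/system/app/Superuser.apk", F_OK) = -1 ENOENT (No such file or directory)
[pid  2665] openat(AT_FDCWD, "/data/data/com.topjohnwu.magisk", O_RDONLY|O_DIRECTORY) = -1 ENOENT (No such file or directory)
[pid  2665] openat(AT_FDCWD, "/data/data/com.example.innocent", O_RDONLY|O_DIRECTORY) = -1 ENOENT (No such file or directory)
[pid  2665] stat("/su/suhide", {st_mode=S_IFREG|0755, st_size=12345, ...}) = 0
[pid  2665] write(4, "\\x01\\x02", 2) = 2
[pid  2665] access("/data/app/eu.chainfire.supersu-1/base.apk", R_OK) = -1 ENOENT (No such file or directory)
"""

if __name__ == "__main__":
    for p in find_root_probes(SAMPLE_TRACE):
        status = "PRESENT" if p["found"] else "absent"
        print(f'pid {p["pid"]} {p["syscall"]:>6}({p["path"]}) -> {p["kind"]} {p["indicator"]} [{status}]')
```

In practice the input comes from `strace -f -e trace=access,stat,lstat,openat,faccessat -p <pid>` against the game process; a probe that returns 0 on a device where hiding is supposed to be active is the one to look at first, because it tells you which indicator the hiding layer missed.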

ProcFS Leak

PID 2665 and PID 4654 should not show up here

The Bug

What’s the Issue?

Widespread

ProcGate

Conclusion


John Wu, Creator of Magisk
