Detecting root, emulators, and scrcpy-like projection through an Android audit-log side channel

Overview

This post is about an Android audit-log information leak fixed by the AOSP change Hide procfs related audit messages from appdomain.

Inside a restricted third-party Android app sandbox, even when the app cannot directly read another process under /proc/<pid>, touching procfs may trigger SELinux audit logs. If those logs are visible through logcat, the tcontext field can reveal the SELinux domain of the target process.

In other words, this is a detection technique based on an audit-log side channel.

I tried three scenarios with this idea:

Detecting root, emulators, and scrcpy-like projection through an Android audit-log side channel

Other newsrooms on this story

Related reading

Android Adds Intrusion Logging for Sophisticated Spyware Forensics

Linux kernel flaw opens root-only files to unprivileged users

⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub…

IIT Delhi study reveals security gap in Android apps that use location

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455…

300 dollari al mese per controllare qualsiasi Android: il nuovo spauracchio si…