mobile runtime attacks
Each attack is a technical phenomenon — documented, named, observable.
Thirteen attack classes that operate in the mobile runtime, plus one regional threat-intel report. Each entry covers the mechanism, the syscalls and APIs it touches, which checkpoints it bypasses, the EEI signal class that makes it observable, and the Evidence Token shape produced when the substrate sees it. Reusable inside a security review or fraud-team briefing without rewriting.
14 articles · attack catalogue · cite as published
The signal-class column maps each attack to the field on the Evidence Token that surfaces when the substrate observes the technique in production. Five classes cover the catalogue: device.integrity, runtime.environment, code.integrity, binding.status, network.identity.
Each article documents an attack class as a technical phenomenon: the mechanism, the syscalls and APIs touched, the checkpoints (Play Integrity, App Attest, FIDO2, hardware attestation) it bypasses, the observable signal class, and the Evidence Token shape produced when the substrate sees the technique. We write so that an engineer who builds detection for these techniques would read the page and recognise their work — not as accusation, as documentation.
- 01 · 2025·12 · catalogue · intermediate · security · developer
Overlay injection — system-overlay UI manipulation on Android
TYPE_APPLICATION_OVERLAY misuse, PIN-screen capture and substitution. The class of attacks that hides above legitimate UI.
- 02 · 2025·12 · catalogue · intermediate · security · fraud-team
Transaction parameter tampering — modifying values between confirm and submit
Race-condition class on hybrid runtimes. The user confirms one set of values; the network receives another.
- 03 · 2026·01 · catalogue · entry · security · regulatory
Accessibility service abuse — automated UI scraping and input synthesis
Android accessibility API misuse. The OS-permission gradient that turns a legitimate API into an attack vector at scale.
- 04 · 2026·01 · catalogue · intermediate · security · developer
Malicious input-method editor (IME) compromise
Keyboard apps as keylogger and OTP-injector vectors. The compromise sits in the input chain itself.
- 05 · 2026·01 · catalogue · deep · security · developer
Snapshot timing — exploiting visible state during background transition
Task-switch screenshot exposure and the FLAG_SECURE bypass class. A few hundred milliseconds of unintended visibility.
- 06 · 2026·01 · explainer · deep · security · developer
The SDK 31–33 run-as vulnerability window
Android Studio's run-as shell + permission elevation. The vulnerability class that affected SDK 31–33 and what mitigations land in 34+.
- 07 · 2026·01 · catalogue · intermediate · security · developer
Screen-capture attacks — MediaProjection abuse
Projection API consent UX and the persistent screen-cast attack class. What stays running after the user thinks it stopped.
- 08 · 2026·01 · catalogue · intermediate · security · developer
Library injection via Frida and Xposed
Dynamic instrumentation frameworks and method-hook detection. The two long-running Android-instrumentation toolchains.
- 09 · 2026·01 · catalogue · intermediate · security · developer
Root cloaking — hiding root state from in-app checks
Magisk Hide and DenyList. How root-cloaking defeats SafetyNet-style probes and what hardware-backed attestation still catches.
- 10 · 2026·02 · catalogue · deep · security · developer
Hook-detection bypass and counter-detection
The arms race: anti-Frida techniques in apps and the bypasses that follow. Why the substrate cannot rely on detection alone.
- 11 · 2026·02 · catalogue · intermediate · security · developer
Debugger attachment and runtime introspection
gdb / lldb / ptrace attach surfaces, TracerPid, and the platform signals that betray a debugger across both Android and iOS.
- 12 · 2026·02 · catalogue · deep · security
Magisk and Zygisk — rootkit-class module abuse
The module loader architecture and the zygote-injection class. Where Zygisk runs in the process lifecycle and what it can reach.
- 13 · 2026·02 · catalogue · deep · security · developer
Runtime memory manipulation — process-memory rewriting
/proc/[pid]/mem access, GameGuardian-class tooling, and the memory-write attack class. What changes after the binary has loaded.
- 14 · 2025·07 · case-study · intermediate · security · fraud-team
How advanced malware from Asia is targeting Africa's financial sector
Field report — overlay attacks, accessibility-service abuse, GoldFactory tooling, and device-takeover fraud across African mobile banking.