BSides Cape Town 2025

Injection at Conception: Abusing the Android Zygote Process
2025-12-06, Track 1

Android’s Zygote process is responsible for spawning every application on a device, making it one of the most sensitive targets in the mobile ecosystem. The Zygote Injection vulnerability (CVE-2024-31317) - discovered by researchers at Meta - exposes a flaw in Android’s Zygote process that lets attackers inject arbitrary arguments, making it possible to launch apps with elevated privileges, run them as debuggable apps, or spawn interactive system-level shells.

While this issue has been mitigated in newer Android versions, it remains highly relevant in the wild. Devices such as POS machines, kiosks, and other embedded Android systems often operate on outdated versions of Android, leaving them vulnerable.

This talk walks through how Zygote Injection works, explores its modern exploitation potential, and introduces open-source tooling we have developed to automate the attack chain. Attendees will walk away with both practical knowledge and a hands-on toolkit to test Android systems still vulnerable in 2025.


The lightning talk will start by outlining the role of the Zygote process within Android’s architecture and explaining why its compromise has significant security implications. We will define the vulnerability, explaining how CVE-2024-31317 - discovered by researchers at Meta - allows crafted arguments to be passed into the Zygote process. We will describe how a payload is constructed, using practical example payloads to illustrate the explanation and to show how this achieves common attacker objectives, such as privilege escalation and maintaining persistent access.

We will discuss the attack's relevance in 2025, investigating the ongoing risks posed by the vulnerability. Although newer Android releases patch the flaw, many real-world devices do not keep pace. POS terminals, kiosks, and embedded Android deployments often lag behind, creating a lasting attack surface.

Early proof-of-concept exploits for Zygote Injection often relied on manual sequence guessing and unstable payloads, which limited their reliability and practical use. To address these limitations, we developed an open-source toolkit that automates key steps in the process. Its features include:
- Automated discovery of startup sequence numbers
- Injection of debuggable apps for reverse engineering
- System- and app-level shell access
- Integration with Frida for runtime instrumentation

This toolkit transforms an unstable exploit into a repeatable, consistent and practical attack path.

The talk will close with key takeaways:
- Zygote Injection remains a threat in outdated but widely deployed Android systems.
- The vulnerability enables real privilege escalation paths, not just theoretical exploits.
- Our tooling lowers the barrier for practitioners to test and validate these flaws.

David works as a cybersecurity consultant with a focus on securing web and mobile applications, as well as AI-centric systems. He has a background in Computer Engineering (BEng) and holds an MSc in Machine Learning and Artificial Intelligence. Outside of work, he enjoys doing triathlons and creating educational content around cybersecurity and AI.