2025-08-06 – Florentine A
Zygote is the first process started on Android, serving as a template/interface for launching new processes. As such, it has sufficient privileges to interact with any application, unlike application-to-application interaction, which is extremely limited by Android’s SELinux policies. Here, therefore, we find the state of the art for breaking the Android sandboxing system!
Tools like Riru and Zygisk use root privileges to alter Android's properties and subvert the system's behavior in order to inject code into Zygote, thereby reaching any loaded application and enabling hooking techniques for both native code and Dalvik (DEX) code.
In this talk, we will understand how these injections are carried out during the loader process, Zygote hooking, and hooking of both native and Dalvik (DEX) application code. Interesting, right? Come unlock the true potential of Android!
This project, called Yaga, was developed with the goal of learning how Zygote injection attacks and frameworks like Riru and Zygisk work, and how they can be applied in an offensive context. Over the past two years, I’ve become fascinated by understanding how the Android system works and how its behavior differs from other operating systems.
The Zygote process is the first one launched on Android, acting as a template or interface for spawning other processes. Due to its elevated privileges, it can interact with any application, unlike the highly restricted communication between apps enforced by Android’s SELinux policies. This makes Zygote an interesting target for bypassing Android’s sandboxing mechanisms.
Today, many people use root binaries like Magisk to customize their devices without understanding what the modules do. Some modules might even use Zygisk to steal sensitive user information or hook critical application functions to subvert them!
In this talk, I will explain and demonstrate how these injections are carried out during the loader process, Zygote hooking, and hooking of both native and Dalvik (DEX) application code.
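Both abstracts above describe the same mechanism: a framework with root privileges gets a shared library mapped into the Zygote process, and every app forked from Zygote inherits it. From the defender's side, the simplest evidence of that is a library in Zygote's memory map that does not come from a system partition. The following script is an added example written for this page; it is not part of Yaga, Riru or Zygisk. It parses /proc/<pid>/maps output, reports mapped .so files outside an allow-list of partitions (the allow-list and the sample maps lines, including the /data/local/tmp/libinject.so path, are constructed assumptions for the example), and separately lists anonymous executable regions for triage, since ART's JIT also creates those and they are not a verdict on their own.

```python
import re
from typing import Dict, List, Sequence

# Partitions whose shared objects Zygote is normally expected to map.
# Assumption for this example, not an authoritative list for every device.
TRUSTED_PREFIXES: Sequence[str] = (
    "/system/", "/system_ext/", "/vendor/", "/product/", "/odm/", "/apex/",
)

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed sample: four legitimate-looking mappings plus one library
# loaded from a writable data directory and one anonymous rwx region.
SAMPLE_MAPS = """\
7f0a1c000000-7f0a1c02f000 r--p 00000000 fd:00 1234 /system/lib64/libc.so
7f0a1c02f000-7f0a1c0b3000 r-xp 0002f000 fd:00 1234 /system/lib64/libc.so
7f0a1d000000-7f0a1d010000 r--p 00000000 fd:00 5678 /apex/com.android.art/lib64/libart.so
7f0a1e000000-7f0a1e004000 r-xp 00000000 fd:03 9012 /data/local/tmp/libinject.so
7f0a1f000000-7f0a1f100000 rwxp 00000000 00:00 0
"""


def parse_maps(maps_text: str) -> List[Dict[str, object]]:
    """Turn maps text into dicts with start/end/perms/path; skips malformed lines."""
    entries: List[Dict[str, object]] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "start": int(m.group(1), 16),
            "end": int(m.group(2), 16),
            "perms": m.group(3),
            "path": m.group(4).strip(),
        })
    return entries


def untrusted_libraries(maps_text: str,
                        trusted_prefixes: Sequence[str] = TRUSTED_PREFIXES) -> List[str]:
    """Unique .so paths mapped from outside the trusted partitions, in first-seen order."""
    found: List[str] = []
    for entry in parse_maps(maps_text):
        path = str(entry["path"])
        if not path.endswith(".so"):
            continue  # pseudo-paths like [anon:...] and file-less regions are skipped here
        if path.startswith(tuple(trusted_prefixes)):
            continue
        if path not in found:
            found.append(path)
    return found


def executable_anonymous_regions(maps_text: str) -> List[Dict[str, object]]:
    """Executable regions with no backing file. ART's JIT creates these too,
    so treat the list as triage context rather than as an indicator by itself."""
    return [e for e in parse_maps(maps_text)
            if "x" in str(e["perms"]) and not e["path"]]


def scan_process(pid: int) -> List[str]:
    """Read /proc/<pid>/maps on a live system (needs permission to read Zygote's maps)."""
    with open(f"/proc/{pid}/maps", "r", encoding="utf-8") as fh:
        return untrusted_libraries(fh.read())


if __name__ == "__main__":
    # Offline run over the constructed sample.
    print("untrusted libraries:", untrusted_libraries(SAMPLE_MAPS))
    for region in executable_anonymous_regions(SAMPLE_MAPS):
        print(f"anonymous executable region: {region['start']:x}-{region['end']:x} {region['perms']}")
```

On a device, run it against the PID of zygote64 (or zygote on 32-bit) and compare the result across reboots; a library path under /data appearing only after a module is enabled is the signal the talk's PoC video would produce.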
In the coming months or years, I hope to use this project as a tool or a way to educate others on how these attacks are conducted and to emphasize the importance of studying this technique deeply.
Reference Projects:
Riru - https://github.com/RikkaApps/Riru
Zygisk - https://github.com/topjohnwu/Magisk
ARTDroid - https://github.com/vaioco/ARTDroid
The Yaga project will be released at the beginning of June! I will put a PoC here to give an idea of what is coming; in the video I show the installation of the Magisk module and a log message, coming from the Zygote process, showing that the injection was performed successfully and making it print process names:
https://drive.google.com/file/d/1U3WYDDI5KS2B-uGUdYTdpgKkHIhKJnkK/view?usp=sharing
The project will be released on my GitHub:
https://github.com/Tricta
- 19 years old
- Pentester at https://hakaisecurity.io
- Programmer
- Gamer
- Cat lover
- Compulsive pizza eater
- Passionate about sysInternals, binary exploitation, offensive development and mobile