PayShield Intelligence
Deep Technical Analysis

THE SILENT
HIJACK.

Analysis of Kernel-Level Malware (Magisk / KernelSU). When the execution layer beneath the OS is compromised, the "Brain" of the device becomes the attacker.

// Use Case Analysis

Attackers gain control over the execution layer below the OS by unlocking the bootloader and modifying the kernel image. The banking app and its fraud checks still run normally, but every system response those checks depend on is under the attacker's control.

Unchecked OS Access
Verified Boot Broken

// Foundation

The Silicon Anchor

  • Private key burned into silicon (SIK)
  • Immutable Boot ROM
  • Outside the reach of Malware/Root

!!! FAILURE POINT: LEGACY RASP

Software cannot verify
a compromised Kernel.

RASP solutions (Appdome/Guardsquare) rely on filesystem visibility and system APIs provided by the kernel. If the kernel is already compromised, it can intercept those checks and return whatever the attacker chooses:

if (check_root == true) → return false;

"Root detection works only if the OS is honest. In a kernel compromise, the OS becomes the attacker."

ATTACK_LOG_KERNEL_HOOK.log
Step 1 — Bootloader Unlock
fastboot flashing unlock [! eFuse / RPMB Tripped]
Step 2 — Kernel Modification
boot.img patched // Magisk init injection
Step 3 — Runtime Hooking
Zygisk spawned // Injected into app process
Step 4 — System Call Interception
stat() / open() / readdir() -> HIDDEN

The Deterministic Edge

Hardware Attestation.

Chain of Measurements

At boot time, every stage hashes the next before handing over control. The measurements are stored in write-once hardware registers and TEE secure memory; they are recorded before the OS runs, so the OS cannot alter or intercept them.

Boot ROM → Bootloader → Kernel

The Hardware Witness

PayShield queries the TEE / Secure Enclave directly. The TEE signs the boot state and kernel hash with a hardware-bound private key, so nothing running under the OS can alter the result.

verifiedBootState = UNVERIFIED
deviceLocked = FALSE
// Unforgeable Proof Produced
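How a verifier reads that signed boot state, as an added example that is not PayShield's code: it decodes the RootOfTrust structure that Android Key Attestation places in the attestation certificate (verifiedBootKey, deviceLocked, verifiedBootState, verifiedBootHash) and turns it into an allow/deny decision. The DER bytes are constructed for the example; verifying the certificate chain back to the hardware root, which must happen first, is assumed and not shown.

```python
# Added example: decode an Android Key Attestation RootOfTrust SEQUENCE
# and derive a verdict. Sample DER is constructed here; a real verifier
# takes it from the attestation certificate after checking its chain.
VERIFIED_BOOT_STATES = {0: "VERIFIED", 1: "SELF_SIGNED", 2: "UNVERIFIED", 3: "FAILED"}

def _read_tlv(buf, pos):
    """Read one DER TLV (definite lengths only); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_root_of_trust(der):
    """RootOfTrust ::= SEQUENCE { verifiedBootKey OCTET STRING, deviceLocked BOOLEAN,
    verifiedBootState ENUMERATED, verifiedBootHash OCTET STRING }"""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RootOfTrust must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    (t0, key), (t1, locked), (t2, state), (t3, vbhash) = fields
    if (t0, t1, t2, t3) != (0x04, 0x01, 0x0A, 0x04):
        raise ValueError("unexpected field tags in RootOfTrust")
    return {"verifiedBootKey": key.hex(),
            "deviceLocked": locked != b"\x00",
            "verifiedBootState": VERIFIED_BOOT_STATES.get(state[0], "UNKNOWN"),
            "verifiedBootHash": vbhash.hex()}

def verdict(rot, expected_boot_key_hex=None):
    """Policy: allow only a locked bootloader with VERIFIED boot; if the OEM's
    verified-boot key is supplied, it must match as well."""
    if not rot["deviceLocked"] or rot["verifiedBootState"] != "VERIFIED":
        return "DENY"
    if expected_boot_key_hex and rot["verifiedBootKey"] != expected_boot_key_hex:
        return "DENY"
    return "ALLOW"

def _der_rot(key, locked, state, vbhash):
    """Constructed encoder for test samples (short-form lengths only)."""
    body = (bytes([0x04, len(key)]) + key + bytes([0x01, 0x01, 0xFF if locked else 0x00])
            + bytes([0x0A, 0x01, state]) + bytes([0x04, len(vbhash)]) + vbhash)
    return bytes([0x30, len(body)]) + body

# Constructed samples: an unlocked, re-flashed device versus a healthy one.
COMPROMISED = _der_rot(b"\x11" * 32, False, 2, b"\x22" * 32)
HEALTHY = _der_rot(b"\x11" * 32, True, 0, b"\x22" * 32)
```

The values the page shows (verifiedBootState = UNVERIFIED, deviceLocked = FALSE) correspond to the COMPROMISED sample, which this policy denies regardless of what the app's own root checks reported.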

Final Verdict.

"Appdome operates inside the system boundary. PayShield verifies outside the system boundary."

Deterministic Security