Black Hat EU November, London UK. ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY Speaker: Clementine Maurice, Moritz Lipp. DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK Speaker: Bhanu Kotte, Dr. Silke Holtmanns, Siddharth Rao. MOBILE ESPIONAGE IN THE WILD: PEGASUS AND NATION-STATE LEVEL ATTACKS Speaker: Max Bazaliy, Seth Hardy. POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME Speaker: Federico Maggi, Stefano Zanero. ROOTING EVERY ANDROID: FROM EXTENSION TO EXPLOITATION Speaker: Di Shen, Jiahong (James) Fang. SIGNING INTO ONE BILLION MOBILE APP ACCOUNTS EFFORTLESSLY WITH OAUTH2.0 Speaker: Ronghai Yang, Wing Cheong Lau. STUMPING THE MOBILE CHIPSET Speaker: Adam Donenfeld. WIFI-BASED IMSI CATCHER Speaker: Piers O'Hanlon, Ravishankar Borgaonkar.

The most interesting read this week was The bumpy road towards iPhone 5c NAND mirroring, a paper by Sergei Skorobogatov. In this paper he shows how to implement a NAND mirroring attack against an iPhone 5C. The basic idea behind this attack is to restore the NAND contents (and with them the PIN failure counter) between each set of tries, which avoids both the artificial brute-force delay and the data deletion after N failed PINs. The paper goes into great detail on the various problems he encountered while implementing the attack. I highly recommend reading this paper. The picture below is taken from this paper.
PacSec Tokyo Japan, October. Demystifying the Secure Enclave Processor by Mathew Solnik.
Google's Project Zero now has an Android "Prize" for achieving RCE on a Nexus device while knowing only its email address or phone number. Apparently you can't use a BTS (via @jduck) for this attack. Overall this looks interesting; I wonder if anybody is going to claim the money soon. Announcement: Project Zero Prize.
iCloud, iHack, iSpam
Android Premium SMS Warning Message Manipulation
Tool to inspect, dump, modify, search and inject libraries into Android processes.
How My Rogue Android App Could Monitor & Brute-force Your App's Sensitive Metadata
APK Signature Scheme v2
Just One Photo Can Silently Hack Millions Of Androids (@TimStrazz)
Parse the Qualcomm DIAG format and convert 2G, 3G and 4G radio messages to Osmocom GSMTAP for analysis in wireshark and other utilities.
PEGASUS iOS Kernel Vulnerability Explained by Stefan Esser
Undocumented Patched Vulnerability in Nexus 5X Allowed for Memory Dumping via USB
VB2016 preview: Mobile Applications: a Backdoor into Internet of Things?
Hiding root with suhide
Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor
Reverse Engineering Xiaomi's Analytics app
A Case of Misplaced Trust: How a Third-Party App Store Abuses Apple's Developer Enterprise Program to Serve Adware
File-Based Encryption in Android 7
Linux Security Summit Videos (a lot of it is Android relevant)
Harvesting Inconsistent Security Configurations in Custom Android ROMs via Differential Analysis (paper)
suhide v0.51 released
Introducing BLESuite and BLE-Replay: Python Tools for Rapid Assessment of Bluetooth Low Energy Peripherals
Samsung Android Security Updates - September
A Survey on Android ELF Malware
Keeping Android safe: Security enhancements in Nougat
Nexus Device Downloads via jduck @ droidsec
Black Hat EU November: ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY by Clementine Maurice and Moritz Lipp. DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK by Bhanu Kotte, Siddharth Rao and Dr. Silke Holtmanns. POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME by Federico Maggi and Stefano Zanero. STUMPING THE MOBILE CHIPSET by Adam Donenfeld.
DerbyCon September: Beyond The 'Cript: Practical iOS Reverse Engineering by Michael Allen. AWSh*t. Pay-as-you-go Mobile Penetration Testing by Nathan Clark. Breaking Android Apps for Fun and Profit by Bill Sempf.
AppSec USA November: QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe - Droid: Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Dave Bott and Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.
Apple now has a bug bounty program. Details were presented at Black Hat in Ivan Krstic's talk BEHIND THE SCENES OF IOS SECURITY. Also see Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs (via Ars).
Motorola confirms that it will not commit to monthly security patches. This is pretty bad since I actually liked their Pure Edition devices (devices that basically are just AOSP).
Protecting Android with more Linux kernel defenses. They added some features from Grsecurity. This makes me happy.
Google's Android has gotten so out of control that $55 billion Salesforce had to take drastic measures: in the near future Salesforce will only support specific Samsung Galaxy and Nexus devices. This is an interesting way to deal with the very diverse Android ecosystem.
Pegasus Spyware / Trident for iOS was based on three vulnerabilities: unsurprisingly, a WebKit memory corruption, a kernel info leak, and a kernel memory corruption. The spyware was capable of accessing text messages, iMessages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, Line, Mail.Ru, WeChat, Surespot, Tango, Telegram, and others. (Source: Lookout Technical Report).
Oversec.io seems to implement our idea of mobile OTR on top of any messenger app. Oversec still looks very beta and I haven't tried it out. If anybody has tried it I would like to hear about it.
Pictures of the month:
Technical Analysis of Pegasus Spyware (pdf)
Chainfire suhide tries to hide your Android root access
Android: protecting the kernel (slides)
How the BKA cracks the Telegram accounts of terror suspects (German)
Hackers accessed Telegram messaging accounts in Iran - researchers (same as above but in English)
Stumping the Mobile Chipset (Qualrooter) (slides)
Analysis of multiple vulnerabilities in different open source BTS products
gpapi (node lib for talking to Play Store)
Demystifying the Secure Enclave Processor (paper)
CopperheadOS ART no longer attempts to use executable code from /data/dalvik-cache, only boot.art
The slides and exploit of: A Way of Breaking Chrome's Sandbox in Android
Adaptive Kernel Live Patching: An Open Collaborative Effort to Ameliorate Android N-day Root Exploits (slides)
iOS 10 - Kernel Heap Revisited (slides)
Hacking Soft Tokens (Android) (slides)
Understanding Dalvik Static Fields part 2 of 2
Attacking BaseStations (slides)
GODLESS Mobile Malware Uses Multiple Exploits to Root Devices (android)
Android Binder Firewall (slides / paper / source)
ARM is bought by SoftBank
REVERSE ENGINEERING AND EXPLOITING SAMSUNG'S SHANNON BASEBAND (tools)
LTE security, protocol exploits and location tracking experimentation with low-cost software radio (paper)
BtleJuice: The Bluetooth Smart MitM Framework (slides)
CuckooDroid: Automated Android Malware Analysis
Stagefright: An Android Exploitation Case Study (slides from usenix WOOT)
Tracking the Trackers: The most advanced rogue systems exploiting the SS7 Network today
SS7 Security : Putting the pieces together
ARMv8 Shellcodes from A to Z (paper)
SummerCon July, Brooklyn, NY. THE FIREWALL ANDROID DESERVES: A CONTEXT-AWARE KERNEL MESSAGE FILTER AND MODIFIER by DAVID WU.
Defcon August, Las Vegas. SITCH - Inexpensive, Coordinated GSM Anomaly Detection by ashmastaflash. A Journey Through Exploit Mitigation Techniques in iOS by Max Bazaliy. Stumping the Mobile Chipset by Adam Donenfeld. How to Do it Wrong: Smartphone Antivirus and Security Applications Under Fire by Stephan Huber and Siegfried Rasthofer. Discovering and Triangulating Rogue Cell Towers by JusticeBeaver (Eric Escobar). Samsung Pay: Tokenized Numbers, Flaws and Issues by Salvador Mendoza. Attacking BaseStations - an Odyssey through a Telco's Network by Henrik Schmidt and Brian Butterly. Forcing a Targeted LTE Cellphone into an Unsafe Network by Haoqi Shan and Wanqiao Zhang.
Another month has passed and I'm super late again on this blog post.
HushCon EAST badges were super awesome (picture below); I did some hacking on them with Trammell Hudson: Hushcon 2016 pagers.
The wait is over, here is the final blog post including source code on Qualcomm's TrustZone: Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Source: extractKeyMaster
The Android Security Bulletin July 2016 fixes a really large number of bugs, including a Remote code execution vulnerability in Bluetooth and Remote code execution vulnerability in OpenSSL & BoringSSL. It is really good to see stuff being fixed and talked about in the open.
Summary on Pokemon GO's permission to your Google Account by the guys from Trail of Bits.
Funny picture of the month:
Breaking Band: reverse engineering and exploiting the Shannon baseband (slides from Recon 2016)
Vodafone Global Infrastructure Map
VIDEO: Forcing A Targeted LTE Cellphone Into An Eavesdropping Network
Android changes for NDK developers
Need Android APK samples? `wget -r http://dlapk.etcandroid.com/apk/ ` and wait a few hours... Or until two people do it and server melts... (via @timstrazz)
Android Anti-Hooking Techniques in Java
Tools for analyzing hexagon code
Hacking Team / Crisis Android samples
HARDWARE-ASSISTED ROOTKITS & INSTRUMENTATION: ARM Edition slides from recon 2016
GODLESS Mobile Malware Uses Multiple Exploits to Root Devices
Silent OS 3.0 adds a cellular IDS for weak network encryption. via @raviborgaonkar
Most mobile apps dedicate at least 10% of their traffic to online tracking via @narseo
Strongdb is a gdb plugin written in Python to help with debugging Android native programs. The main code uses the gdb Python API.
Accessing local variables in ProGuarded Android apps
GOOGLE'S ANDROID REWARDS PROGRAM PAYS OUT HALF MILLION IN FIRST YEAR
This is an all-in-one Java deobfuscator which will deobfuscate code obfuscated by most obfuscators available on the market.
Listening through a Vibration Motor paper
Fingerprint Unlock Security: iOS vs. Google Android (Part I)
Fingerprint Unlock Security: iOS vs. Google Android (Part II)
A cross-platform protocol library to communicate with iOS devices.
Android Anti-Emulator, originally presented at HitCon 2013: "Dex Education 201: Anti-Emulation"
An Online Analysis System for Packed Android Malware
Android Trojan "Hellfire" modified system binaries, boot image, init.rc, SE policy rules, dm_verify, etc. via @claud_xiao
recover deleted information from sqlite files.
TrustZone Kernel Privilege Escalation (CVE-2016-2431)
A dynamic binary instrumentation kit targeting Android 5.0 (Lollipop) and above.
(In-) Security of Security Applications paper
Hacking smartphones via voice commands hidden in YouTube videos
Bugs in BMW's ConnectedDrive (exploitable via SMS) (German)
Remote Code Execution in Xiaomi MIUI Analytics
Breaking Into the KeyStore: A Practical Forgery Attack Against Android KeyStore (paper)
A Way of Breaking Chrome's Sandbox in Android (slides)
Changes to Trusted Certificate Authorities in Android Nougat
Introducing OpenCellular: An open source wireless access platform (base station)
Android Kernel CVE POCs CVE-2016-3797
Android Kernel CVE POCs CVE-2016-3794
Proof of concept XOR canary support for LLVM
Advanced Android Root : How To Bypass PXN (slides)
PoC for CVE-2016-2434
From HummingBad to Worse NEW DETAILS AND AN IN-DEPTH ANALYSIS OF THE HUMMINGBAD ANDROID MALWARE CAMPAIGN (paper)
This Android Hacking Group is making $500,000 per day
Open source 3GPP LTE implementation
Lawsuit reveals Silent Circle's Blackphone business is a complete and utter mess
DIFFDroid: Dynamic Analysis for Android
Inside SafetyNet - part 2
Black Hat USA August, Las Vegas. 1000 WAYS TO DIE IN MOBILE OAUTH by Eric Chen, Patrick Tague, Robert Kotcher, Shuo Chen, Yuan Tian, Yutong Pei. ADAPTIVE KERNEL LIVE PATCHING: AN OPEN COLLABORATIVE EFFORT TO AMELIORATE ANDROID N-DAY ROOT EXPLOITS by Tao Wei, Yulong Zhang. ATTACKING BLUETOOTH SMART DEVICES - INTRODUCING A NEW BLE PROXY TOOL by Slawomir Jasek. PANGU 9 INTERNALS by Hao Xu, Tielei Wang, Xiaobo Chen. SAMSUNG PAY: TOKENIZED NUMBERS, FLAWS AND ISSUES by Salvador Mendoza. CAN YOU TRUST ME NOW? AN EXPLORATION INTO THE MOBILE THREAT LANDSCAPE by Josh Thomas. DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR by Mathew Solnik, Tarjei Mandt. BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS by Vincent Tan. THE ART OF DEFENSE - HOW VULNERABILITIES HELP SHAPE SECURITY FEATURES AND MITIGATIONS IN ANDROID by Nick Kralevich. Defcon still doesn't have the agenda or accepted talks up.
Shakacon July 13-14, Honolulu, HI. FRUIT VS ZOMBIE: DEFEAT NON-JAILBROKEN IOS MALWARE by CLAUD XIAO. Bluetooth Low Energy... by SUMANTH NAROPANTH, CHANDRA PRAKASH GOPALAIAH & KAVYA RACHARLA.
The Qualcomm Mobile Security Summit was super awesome once again. Good talks, interesting hallway conversations and always good to see friends.
SektionEins (Stefan Esser) released a jailbreak and anomaly detection app for iOS and eventually got banned from the App Store by Apple. The speculation is that Apple wants to hide the fact that certain sandbox and security features don't work as advertised and thus his app got banned. The app likely wasn't banned just because it can detect a jailbreak, since almost every app does exactly this, including apps like WhatsApp. There are also several process list viewers for iOS.
I finally could check out a BlackBerry PRIV. The actual hardware looks pretty sweet. I got a quick demo of the security and privacy features added by RIM, especially DTEK. I really liked the device security/privacy status overview; every phone should have that.
Qualcomm KeyMaster keys extracted from TrustZone, waiting for the write-up. The previous blog posts were super good already, but this one should be really interesting.
goatattack: send pictures of goats to your friends
Android Banking Trojan SpyLocker Targets More Banks in Europe
How to lock the Samsung download mode using an undocumented feature of aboot
Script to enumerate JNI methods in ELF files.
Sixty Percent of Enterprise Android Phones Affected by Critical QSEE Vulnerability
A study on obfuscation techniques for Android malware (pdf)
Android dex file extractor, anti-bangbang (Bangcle)
Fridump: Dumping memory from iOS, Android and other applications using Frida
Android: How to run your script/binary from adb in the application sandbox
CopperheadOS online store now available You can now buy Nexus phones with CopperheadOS
Android Spyware Targets Security Job Seekers in Saudi Arabia
Sirin Labs shows off $14K, super private Solarin smartphone, on sale June 1. Will it survive longer than BlackPhone?
MopEye: Monitoring Per-app Network Performance with Zero Measurement Traffic (paper)
How to not break LTE crypto (paper)
Secure Containers in Android: the Samsung KNOX Case Study (paper)
AOSP: recovery: Add support to brick a device. (via @jcase)
Security in cellular-radio access networks (slides on protocol attacks against 3G/4G/LTE)
Black Hat USA Las Vegas. DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR by Tarjei Mandt and Mathew Solnik. ADAPTIVE KERNEL LIVE PATCHING: AN OPEN COLLABORATIVE EFFORT TO AMELIORATE ANDROID N-DAY ROOT EXPLOITS by Tao Wei and Yulong Zhang. CAN YOU TRUST ME NOW? AN EXPLORATION INTO THE MOBILE THREAT LANDSCAPE by Josh Thomas. SAMSUNG PAY: TOKENIZED NUMBERS, FLAWS AND ISSUES by Salvador Mendoza.
AppSec EU Rome. Don't Touch Me That Way. by David Lindner and Jack Mannino. Automated Mobile Application Security Assessment with MobSF by Ajin Abraham. Why Hackers Are Winning The Mobile Malware Battle - Bypassing Malware Analysis Techniques by Yair Amit.
Hack in The Box Amsterdam, NL. SANDJACKING: PROFITING FROM IOS MALWARE by Chilik Tamir. FORCING A TARGETED LTE CELLPHONE INTO AN EAVESDROPPING NETWORK by Lin Huang. ADAPTIVE ANDROID KERNEL LIVE PATCHING by Tim Xia and Yulong Zhang. COMMSEC TRACK: INSPECKAGE - ANDROID PACKAGE INSPECTOR by Antonio Martins.
Area41. When providing a native mobile application ruins the security of your existing Web solution by Jeremy Matos. IMSecure - Attacking VoLTE and other Stuff by Hendrik Schmidt & Brian Butterly. Reversing Internet of Things from Mobile Applications by Axelle Apvrille.
Recon Montreal, CA. Breaking Band by Nico Golde and Daniel Komaromy. Hardware-Assisted Rootkits and Instrumentation: ARM Edition by Matt Spisak.
This was a long break; I was buried in work and had other things to do. But I'm not giving up this blog. Sadly I missed a bunch of conferences earlier this year, especially CanSecWest and Troopers/TelSecDay. TelSecDay looked really awesome this year! Sad to have missed it.
Work with me and other awesome people at Square; we are looking for a bunch of different mobile security related people. Android and iOS!
For those who are interested in TrustZone or TrustZone implementations, check out: War of the Worlds - Hijacking the Linux Kernel from QSEE. This blog has a lot of awesome research on TrustZone and Qualcomm's implementation.
60 Minutes shows how easily your phone can be hacked. As I said earlier on Twitter, this is as good as it gets on TV. All of the people on the show are pros (I know all of them personally!). Of course if you are an expert yourself you will complain about anything shown on TV ;-)
Dilbert gets it:
Related to the iPhone being bricked if the clock is set back too far.
AppMon, GreaseMonkey for Android and iOS
Mobile Security Bullshit Bingo
CVE-2015-1805 root tool, Android Sony
Hacking Samsung Galaxy via Modem interface exposed via USB
Overly restrictive SELinux filesystem permissions in Android N
Android IOMX getConfig/getParameter Information Disclosure
Metaphor - Stagefright with ASLR bypass
Brussels police were forced to use WhatsApp during attacks
eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices
Android rooting bug opens Nexus phones to "permanent device compromise"
You can install a GSM network with a single command now - $ sudo apt-get install gsm-network
Android Installer Hijacking Vulnerability Could Expose Android Users to Malware
How to Build Your Own Rogue GSM BTS for Fun and Profit (using a bladeRF)
Multiple vulnerabilities found in Quanta LTE routers (backdoor, backdoor accounts, RCE, weak WPS ...)
Nexus Security Bulletin-April 2016
Android Security Bulletin-May 2016
Dalvik Virtual Execution with SmaliVM
Releasing the Fairphone 2 Open Operating System
Calling all Mobile Researchers!
Analysis of CVE-2016-2414 - Out-of-Bound Write Denial of Service Vulnerability in Android Minikin Library
[CVE-2016-2443] Qualcomm MSM debug fs kernel arbitrary write (Nexus 5, Nexus 7 2013 and maybe other models)
Android is moving to enforcing storage verification at runtime (via @copperheadsec)
Modem interface exposed via USB (samsung)
Hey your parcel looks bad - Fuzzing and Exploiting parcel-ization vulnerabilities in Android (slides)
iovyroot - (temp) root tool
Linux Kernel Exploitation on Android
ss7MAPer - A SS7 pen testing toolkit
Beating Expectations: Android Security Patching for PRIV
Pwn a Nexus device with a single vulnerability (slides)
Exploring the Physical Address Space on iOS
CanSecWest Vancouver, Canada. Don't Trust Your Eye: Apple Graphics Is Compromised! - Liang Chen + Marco Grassi. Having fun with secure messengers and Android Wear - Artem Chaykin. Pwn a Nexus device with a single vulnerability - Guang Gong.
Troopers Heidelberg, Germany. QNX: 99 Problems but a Microkernel ain't one! Georgi Geshev, Alex Plaskett.
Looks like I will go to very few conferences this year.
We finally published our paper on Android application analysis support using intelligent GUI stimulation. The work CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes uses / enhances Andrubis.
Excellent post on Apple vs FBI by Dan Guido: Apple can comply with the FBI court order
BlackBerry powered by Android Security Bulletin - March 2016
Nexus Security Bulletin - March 2016
Attack on Zygote: a new twist in the evolution of mobile threats
How to FBI-proof your iPhone
Reverse Engineering Samsung S6 Modem
Security Analysis of Wearable Fitness Devices (Fitbit)
Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems
GPS hacking (PART 1)
How does Dalvik handle 'this' registers?
Pirated iOS App Store's Client Successfully Evaded Apple iOS Code Review
FileSystem Monitor Tool For iOS and Android
Scammers use mobile POS terminals to scan people's cards via NFC (PayPass, payWave etc.) technology without them knowing
Android: Calling getpidcon for One Way Binder Transactions Returns Wrong Security Context
Network Security Policy configuration for Android apps
[Xposed module] Disable device compatibility check
The ARMv8-A architecture and its ongoing development
Android Secure Coding Free PDF Book
Decoding Syscalls in ARM64
Adafruit Bluefruit LE Sniffer – Bluetooth Low Energy (BLE 4.0)
SyScan360 March, Singapore. Browsers Bug Hunting and Mobile device exploitation by Francisco Alonso.
Black Hat Asia March, Singapore. ANDROID COMMERCIAL SPYWARE DISEASE AND MEDICATION by Mustafa Saad. ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER by Avi Bashan & Ohad Bobrov. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He. SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$! by Chilik Tamir.
Mobile Pwn0rama, the SyScan version of mobile Pwn2Own. Very cool!
CopperheadOS beta released for Nexus 5, 9, and 5X. I need to buy a new phone to try this out. For those who don't know about CopperheadOS, it is a hardened Android. I was waiting for something like this for a long time. Not as a user, more like somebody should really do this. Anyway, looks pretty cool.
Last weekend I published a write-up on CVE-2016-0728 vs Android. The TL;DR is that this vulnerability was totally over hyped for Android. There is no practical impact for the Android platform.
New DexGuard string decoder for JEB 1.5. Tested on GFE 3.1.3. This release automatically parses the decoder function.
Android privilege escalation to mediaserver from zero permissions
On SMS logins: an example from Telegram in Iran
URL filtering in kernel land: what could possibly go wrong?
NexMon enables the monitor mode of the bcm4339 Wi-Fi chip on the Nexus 5.
Diff of the Wi-Fi driver source that nicely shows the bug
Samsung has a DBI tool for Android based on Capstone
Android Wifi kernel RC details
FlashFire updated to v0.26 - brings Marshmallow support. Can flash your monthly Nexus OTA and keep root
A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications
PoC code for android RCE with multidex and ZIP files
Set of scripts to automate AOSP compatible vendor blobs generation from factory images
A few notes on usefully exploiting libstagefright on Android 5.x
LTE security and protocol exploits (slides from ShmooCon 2016)
Dextra for #OAT/#ART/#DEX reversing: now with better disasm, bug fixes.
Check the BootUnlocker source for OnePlus for details (it checks for the tamper flag)
RCE in Open Mobile API
Deoptimize odex from oat.
Android sensord Local Root Exploit
Android ADB Debug Server Remote Payload Execution
HummingBad: A Persistent Mobile Chain Attack
ARTDroid: Simple and easy to use library to intercept virtual-method calls under the Android ART runtime. I totally need to check this out!