
I'm using Frida over USB debug and when I run frida-ps -U, I see zygiskd64, zygiskd32 and zygote appearing in the process list. This alarms me as some of my apps might be detecting those as an anti-root measure.

Obviously, I'm rooted on Android 12 with Magisk, with the Play Integrity, Shamiko and LSPosed modules installed.

Is it possible that it's only me seeing the zygisk processes, and that Magisk has effectively filtered out (hidden) those from the apps, or can apps see the same thing when they emulate running process? If so, is there a way to hide (or at least rename) those processes? Of course, apps have a very diverse range of anti-root measures; some are easily bypassed, some are stronger, but I'm sure this is one of them.

  • Use Shamiko and see if it makes a difference – beeshyams Dec 08 '23 at 09:16
  • Non-root apps cannot see running processes except their own. See the reason 3 here. – Irfan Latif Dec 08 '23 at 10:20
  • @IrfanLatif so my question is: is it possible for apps to implement process enumeration the same way as frida-ps -U, either in native or Dalvik code, that will give them the same output, which they can use to check for certain processes? Even when not running in a root environment – dazzleworth Dec 10 '23 at 11:10
  • @dazzleworth Frida does no magic in getting the process list. It can see all running processes because it has ADB or root privileges. Apps don't have, unless they explicitly ask for, and you explicitly grant them. – Irfan Latif Dec 10 '23 at 13:39
