Disable or Modify Tools × Talsec freeRASP for Android

A publicly-reported instance of Disable or Modify Tools bypassing Talsec freeRASP for Android, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Talsec freeRASP for Android

Technique

Disable or Modify Tools

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2024-12-05

Config / version noted

Not stated

Provenance

regne.me
disclosed 2025-05-09 · original source · via exa
fireshellsecurity.team
disclosed 2024-12-05 · original source · via exa

Reported as

bypass freeRASP Android runtime protections by hooking the System.exit method

Mechanism

freeRASP threat callbacks (e.g., onRootDetected, onHookDetected) all call exitProcess(0), which compiles to System.exit(0). By using Frida to hook System.exit and replace its implementation with an empty function, the app continues running even when threats are detected, effectively bypassing all RASP protections with a single hook.

Detection & mitigation

Monitor for Frida or other dynamic instrumentation frameworks attaching to the app process via /proc/self/maps or ptrace events. Implement integrity checks on critical system methods like System.exit and use code obfuscation to raise the cost of hooking.

Disable or Modify Tools has also been recorded against

Avast Software Carbon Black Check Point CrowdStrike EasyAntiCheat Forcepoint Kaspersky Malwarebytes Microsoft multiple commercial EDR/AV vendors Palo Alto Palo Alto Networks

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.