Bypass Record

Tamper-Protection Bypass × Protectt.ai security solution

A publicly reported instance of a Tamper-Protection Bypass against the Protectt.ai security solution, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Protectt.ai security solution
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-09-17
Config / version noted: Not stated

Provenance

Reported as

The module hooks into the Kotak Neo app using the Xposed framework, intercepting and modifying Protectt.ai's runtime checks.

Mechanism

The module hooks into the Kotak Neo app using the Xposed framework, intercepting and modifying Protectt.ai's runtime checks. Specifically, it bypasses detection by altering property checks that Protectt.ai uses to identify rooted devices or LSPosed presence, effectively disabling the security solution with minimal effort.

Detection & mitigation

Monitor for unexpected Xposed/LSPosed framework loading in protected apps via Android system logs or EDR on managed devices. Mitigate by enforcing hardware-backed attestation and integrity checks that cannot be bypassed by user-space hooks.
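An added example, not taken from the cited source or from Protectt.ai: the mitigation above only holds if the allow/deny decision is made on the backend, where an in-app hook cannot rewrite the result. The sketch assumes Google Play Integrity as the attestation service (the record does not name one) and that the backend has already decoded the token into its JSON payload; the package name, nonce and sample payloads are constructed placeholders.

```python
import time

EXPECTED_PACKAGE = "com.example.bank"  # placeholder package name (assumption)
MAX_AGE_MS = 120_000                   # assumed freshness window for a verdict
SKEW_MS = 5_000                        # assumed tolerated clock skew

def evaluate_verdict(payload, expected_nonce, now_ms=None):
    """Server-side policy check on a decoded integrity verdict payload.

    Returns (allowed, reasons). Nothing here trusts a value computed inside
    the app process, which is what a user-space hook is able to alter.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = payload.get("requestDetails") or {}
    app = payload.get("appIntegrity") or {}
    dev = payload.get("deviceIntegrity") or {}

    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("package mismatch")
    # The nonce is issued by the backend per request; a mismatch means replay.
    if not expected_nonce or req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = None
    if age is None or not (-SKEW_MS <= age <= MAX_AGE_MS):
        reasons.append("stale or missing timestamp")
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognized")
    # MEETS_STRONG_INTEGRITY is the hardware-backed device label.
    if "MEETS_STRONG_INTEGRITY" not in (dev.get("deviceRecognitionVerdict") or []):
        reasons.append("no hardware-backed device verdict")
    return (not reasons, reasons)

# Constructed sample payloads (not real verdicts).
NOW = 1_726_531_200_000
GOOD = {
    "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                       "nonce": "n-123", "timestampMillis": str(NOW - 1_000)},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": [
        "MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY",
        "MEETS_STRONG_INTEGRITY"]},
}
# Same request from a device that fails the hardware-backed check.
MODIFIED_DEVICE = dict(GOOD, deviceIntegrity={"deviceRecognitionVerdict": []})
```

A verdict that fails any check should gate sensitive operations on the server, regardless of what the in-app checks reported.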

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.