Citra Integrity Trick – Telegram
Moonlight shines the lake, unveiling a path for the brave to advance.🌙

Official Channel That Updates TSupport Module.
Hurm, let's see how we're going to fix this RKP thing ...
🤯3
I use pif_nozygisk with Tricky Store. It works and passes integrity.
Forwarded from Disclosure | Root detector (Rem01 Gaming)
Disclosure Just Updated To Version 1.2.1

Disclosure is a root detection program to identify detection loopholes on a wide range of Android root solutions, similar to Reveny's ND or Momo.

Changelog

• Fix false positives
• Fix edge-to-edge UI issue
• Improve SELinux context leak detection
• Misc changes and optimizations


📥 Download
🧑‍💻 @disclosureofroot
1🤔8👍2
Android version: 15
ROM: Stock HyperOS 2
Root: KSUNext ( LKM )

Note: PIF_NoZygisk is bound into TSupport.
1😱22🔥14👍8
I have tested the latest version, so I will give the new update.
🔥10
Version R251029 public test.

Changelog :
- added built-in PIF props spoof.

Note:
Do not enable the developer option from your root manager; it is for debugging.

If you have an issue installing, read this post.
👍11🔥4
Finally, the dev cleaned up that messy description.
👍20
#updates #tsupport #hmaoss

TSupport-Advance [ R251030 ]

Changes :
- Add Compatibility for HMA-OSS

Useful Link:
📥 Download
❗️ Install error
🚫 Bug report
1🔥25👍12❤‍🔥2🤔2
Hey guys, I need some knowledge about building my own Kernel.
🔥15
New Config

File Name: boot_hash
Directory: /sdcard/TSupportConfig
🔥15👍7
Just forwarding this, maybe you guys can double check it.
👍3
Forwarded from Yiğit
🚨 URGENT SECURITY ADVISORY

SUBJECT: Malicious Persistence and Covert Networking in Magisk Module "Play Integrity Pr**ium -v19.9"

DEV OF CONCERN: f***h7

ACTION REQUIRED: IMMEDIATE UNINSTALLATION AND MANDATORY FACTORY RESET

------

1. EXECUTIVE SUMMARY

A security alert's been sent out about the Magisk add-on "Play Integrity P*m -v19.9". Tests show it’s harmful: once loaded, a hidden component sticks around even after removal. Instead of shutting down, it quietly phones home to a remote attacker’s machine.

This hands over total power to the hacker. One sure way to get rid of it? Wipe the device clean using a factory reset.

------

2. DETAILED ANALYSIS

The module uses various harmful methods; this is why experts often label it a risky spyware tool or even a rootkit.

- CODE OBFUSCATION: The module’s scripts are purposely jumbled and concealed; this approach aims to keep users or security analysts from spotting its real, harmful actions.

- PERSISTENCE SETUP: This module drops a program into a main system folder (/system/bin/), one that’s separate from Magisk itself, so it sticks around even after uninstall. Because it's set to launch at startup with elevated access, it kicks in each time the device powers up - no extra steps needed.

- COVERT NETWORKING: A sneaky payload like this one's main job is phoning back to base. It works quietly behind the scenes, reaching out to a far-off server controlled by a hacker. From there, that hacker can steal info off your gadget, push fresh instructions to it, or rope your phone into a network of hijacked devices, all while you stay clueless.

------

3. EVIDENCE

The data shown here came straight from the setup files of the module.

EVIDENCE A: Code Obfuscation

The script hides a payload through layered encoding along with reversed instructions, so checking it by hand won't work unless it's first cleaned up.

shell

eval "$(echo "long.encoded.string..." | rev | base64 -d)"

EVIDENCE B: Persistence Command

This command grabs the harmful code from the module’s temporary spot, then moves it to a fixed system folder while setting it to run. That's what lets the malware stick around even after removal attempts.

shell

ui_print "- Installing core service..."

cp -f $MODPATH/system/payload.sh into /system/bin/sysdaemon

chmod 755 /system/bin/sysdaemon

------

4. POTENTIAL RISKS

A hacked gadget running deep malware lets the attacker:

- Snatch every bit of your info: login codes, bank stuff, personal chats, pictures.

- Keep tabs on your moves by grabbing control of the camera, also listens through the mic while tracking where you are right now.

- Keep track of what you type by saving each key pressed.

- Unauthorized access to your device and malicious use.

------

5. MANDATORY ACTION PLAN

If you once put in this module, your device’s already at risk - do exactly what's next without delay.

1. BACKUP ESSENTIAL FILES ONLY:

Right away, save your private stuff - like pictures or paperwork - to a separate gadget. Don’t make a complete copy of the whole system, since that could include infected parts.

2. PERFORM A FACTORY RESET:

This is the single method that clears the system partition while making sure malware’s gone. Head into Settings, tap System, pick Reset options, then choose Erase all data - basically a factory reset.

3. CHANGE ALL YOUR PASSWORDS

(Banks, online profiles, stuff like that.) Take it as given that someone’s already got every password.

------

6. HOW TO PROTECT YOURSELF IN THE FUTURE


When code’s deliberately obscured, like being encrypted or jumbled, flag it as dangerous. Real devs show their work clearly. If something’s cloaked, it’s likely malicious; that’s the top warning sign.

- MAKE SURE IT'S SAFE WITH COMMUNITY CHECKS: When adding a fresh or unfamiliar module, hold off until reliable folks have looked it over; look up comments on solid boards such as XDA Developers or stick around till recognized group leads (for example, Cleverestech mods) break down what’s inside.

Please pass on this info to keep folks around safe.
😱39🔥9👍5👨‍💻4❤‍🔥1
Since the dev said there is no malicious code, I decided to look into it.
👍17❤‍🔥2
My conclusion: I decoded customize.sh and phantom.sh; no malicious code found, just root-hide stuff.

However, I can't look into the zygisk .so code. ( already compiled, can't decode unless I have the source code )

I can't find the official latest PIF module to compare the .so sha256. ( I am lazy ).

Also, I didn't find any of the code mentioned in trygit's post in the module.

Possibilities :

1. The mentioned code was taken from the zygisk .so
2. Someone modified the module and asked trygit to check for malicious code.
❤‍🔥8
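The review steps discussed in the posts above (peeling the `rev | base64 -d` eval layer without running it, spotting copies into a real system path, and comparing `.so` hashes against a trusted build) can be scripted. The following is an added example, not code from the channel, the advisory, or any module; the function names, the list of system path prefixes, and the sample input are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

# Layered form quoted in the advisory: eval "$(echo "<blob>" | rev | base64 -d)"
EVAL_RE = re.compile(
    r'eval\s+"\$\(\s*echo\s+"([^"]+)"\s*\|\s*rev\s*\|\s*base64\s+-d\s*\)"')
# cp/mv/install whose destination is a literal system path, not $MODPATH/...
# (the prefix list is an assumption; extend it for the device under review)
PERSIST_RE = re.compile(
    r'^\s*(?:cp|mv|install)\b.*[ \t]((?:/system|/vendor|/product)/\S+)[ \t]*$',
    re.M)

def decode_layer(blob):
    """Undo `rev | base64 -d` as data only; nothing is executed."""
    return base64.b64decode(blob[::-1]).decode("utf-8", "replace")

def triage(script, max_depth=5):
    """Peel eval layers; return (readable_text, layers_peeled, write_targets)."""
    depth = 0
    while depth < max_depth:
        m = EVAL_RE.search(script)
        if m is None:
            break
        script = script[:m.start()] + decode_layer(m.group(1)) + script[m.end():]
        depth += 1
    return script, depth, PERSIST_RE.findall(script)

def changed_libs(module_libs, reference_sha256):
    """Names of .so blobs whose SHA-256 differs from a trusted reference build."""
    return sorted(name for name, data in module_libs.items()
                  if hashlib.sha256(data).hexdigest() != reference_sha256.get(name))

# --- constructed sample input (not taken from any real module) ---
_inner = ("cp -f $MODPATH/system/payload.sh /system/bin/sysdaemon\n"
          "chmod 755 /system/bin/sysdaemon\n")
_blob = base64.b64encode(_inner.encode()).decode()[::-1]
SAMPLE = ('ui_print "- Installing core service..."\n'
          f'eval "$(echo "{_blob}" | rev | base64 -d)"\n')

if __name__ == "__main__":
    text, layers, targets = triage(SAMPLE)
    print(f"layers peeled: {layers}; writes outside $MODPATH: {targets}")
    print(text)
```

A destination under `$MODPATH/system/...` is the normal Magisk overlay and is not flagged; only a literal system path is. `changed_libs` needs a reference hash from a build you trust, which is the step the last post could not complete.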