To pass integrity.
- make sure Tricky Store installed.
- retrieve new key from TSupport.
- use stockrom ( custom rom need pif module )

Finally, the dev clean that mess denoscription.

#updates #tsupport #hmaoss

TSupport-Advance [ R251030 ]

Changes :
- Add Compatibility for HMA-OSS

Usefull Link:
📥 Download
❗️ Install error
🚫 Bug report

Hey guys, I need some knowledge about building my own Kernel.

New Config

File Name: boot_hash
Directory: /sdcard/TSupportConfig

Just forwarding this, maybe you guys can double check it.

🚨 URGENT SECURITY ADVISORY

SUBJECT: Malicious Persistence and Covert Networking in Magisk Module "Play Integrity Pr**ium -v19.9"

DEV OF CONCERN: f***h7

ACTION REQUIRED: IMMEDIATE UNINSTALLATION AND MANDATORY FACTORY RESET

------

1. EXECUTIVE SUMMARY

A security alert's been sent out about the Magisk add-on "Play Integrity P*m -v19.9". Tests show it’s harmful, once loaded, a hidden component sticks around even after removal. Instead of shutting down, it quietly phones home to a remote attacker’s machine.

This hands over total power to the hacker. One sure way to get rid of it? Wipe the device clean using a factory reset.

------

2. DETAILED ANALYSIS

The module uses various harmful methods, this is why experts often label it a risky spyware tool or even a rootkit

- CODE OBFUSCATION: The module’s noscripts are purposely jumbled and concealed; this approach aims to keep users or security analysts from spotting its real, harmful actions.

- PERSISTENCE SETUP: This module drops a program into a main system folder (/system/bin/), one that’s separate from Magisk itself, so it sticks around even after uninstall. Because it's set to launch at startup with elevated access, it kicks in each time the device powers up - no extra steps needed.

- COVERT NETWORKING: A sneaky payload like this one's main job is phoning back to base. It works quietly behind the scenes, reaching out to a far-off server controlled by a hacker. From there, that hacker can steal info off your gadget, push fresh instructions to it, or rope your phone into a network of hijacked devices, all while you stay clueless.

------

3. EVIDENCE

The data shown here came straight from the setup files of the module.

EVIDENCE A: Code Obfuscation

The noscript hides a payload through layered encoding along with reversed instructions, so checking it by hand won't work unless it's first cleaned up.

shell

eval "$(echo "long.encoded.string..." | rev | base64 -d)"

EVIDENCE B: Persistence Command

This command grabs the harmful code from the module’s temporary spot, then moves it to a fixed system folder while setting it to run. That's what lets the malware stick around even after removal attempts.

shell

ui_print "- Installing core service..."

cp -f $MODPATH/system/payload.sh into /system/bin/sysdaemon

chmod 755 /system/bin/sysdaemon

------

4. POTENTIAL RISKS

A hacked gadget running deep malware lets the attacker:

- Snatch every bit of your info: login codes, bank stuff, personal chats, pictures.

Keep tabs on your moves by grabbing control of the camera~ also listens through the mic while tracking where you are right now.

- Keep track of what you type by saving each key pressed.

Unauthorized access to your device and malicious use.

------

5. MANDATORY ACTION PLAN

If you once put in this module, your device’s already at risk - do exactly what's next without delay.

1. BACKUP ESSENTIAL FILES ONLY:

Right away, save your private stuff - like pictures or paperwork - to a separate gadget. Don’t make a complete copy of the whole system, since that could include infected parts.

2. PERFORM A FACTORY RESET:

This’s the single method that clears the system partition while making sure malware’s gone. Head into Settings, tap System, pick Reset options, then choose Erase all data - basically a factory reset.

3. CHANGE ALL YOUR PASSWORDS

(Banks, online profiles, stuff like that) Take it as given that someone’s already got every password)

------

6. HOW TO PROTECT YOURSELF IN THE FUTURE

When code’s deliberately obscured, like being encrypted or jumbled, flag it as dangerous. Real devs show their work clearly. If something’s cloaked, it’s likely malicious; that’s the top warning sign.

- MAKE SURE IT'S SAFE WITH COMMUNITY CHECKS: When adding a fresh or unfamiliar module, hold off until reliable folks have looked it over; look up comments on solid boards such as XDA Developers or stick around till recognized group leads (for example, Cleverestech mods) break down what’s inside.

Please pass on this info to keep folks around safe.

Since the dev said there is no malicious code, so I decide to look into it.

My conclusion, I decoded the customize.sh and phantom.sh no malicious code found just root hide stuff.

However, I cant look into zygisk .so code. ( already compiled, can't decode unless I have the source code )

I can't find official latest PIF module to compare the .so sha256. ( I am lazy ).

Also I didn't found any code mentioned by trygit post from the module.

Possible :

1. That mentioned code taken from zygisk .so
2. Someone modified the module and ask trygit to check for malicious code.

Be careful guys only install module from official source. Do not flash module shared by others, ask for the source.

TSupport HMA tips:

Would it be possible for the mod to check whether any existing template / config in HMA already covers what this mod wants to do? I already have templates that do everything, so TSA recreating a new template on every flash is kinda unnecessary for me.

Answering this, you can edit hma.txt from /sdcard/TSupportConfig. Do not add any package name there or simply delete the hma.txt file.

Important step :
Open HMA, uncheck app that using TSupport-Advance templates.

Then click TSupport action or just reboot your device.

HMA version supported:
- HMA ( GitHub )
- HMA-OSS ( GitHub )
- HMAL ( GitHub )

My phone stuck on ROM boot animation.

I am using KSU Next, giving root access to KSU ( Official ) Manager. Then I click installation "Direct Installation" phone booted successfully. Then I install modules, normal module. Then it happens.

Is rezygisk work on KSU.

Result: RZ not working on KSU2.0

How you check integrity status on A13+ without requesting API Check.

1. Open Playstore > About > Play Protect Certification.
- Certified mean Integrity Strong else revoked/not strong

2. Download ChatGPT, try sending a prompt.
- If an popup showed saying detected something wrong with your device means revoked/not strong.

You dont need this modified module, unless you use TSupport older than this version R251029.

Why doesn't anyone make a magisk module, with a function to lower the temperature of the device when it overheats?