CVE-2025-48543 (ART UAF → system UID):
- Works on Android 13-16 with patch < September 2025
- System UID (1000) can read any app's /data/data/ directory
- No bootloader unlock needed, no root needed
- Pushes exploit APK, executes post-exploit script at system level
- Tasks: extract_rcs, extract_app:<pkg>, disable_mdm, shell
extract_rcs_locked_device():
- Auto-selects best available exploit for the device
- Priority: CVE-2025-48543 → CVE-2024-0044 → content providers
- Extracts bugle_db + WAL + shared_prefs (key material)
- Falls back to SMS/MMS content providers if all exploits fail
CLI: [r] Extract RCS (auto), [e] CVE-2025-48543
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New exploit paths for current Android versions:
- CVE-2025-48543: ART runtime UAF → system UID (Android 13-16, pre-Sep 2025)
Public PoC available. Works from malicious app — no ADB needed.
- CVE-2025-48572/48633: Framework info leak + EoP chain (Android 13-16, pre-Dec 2025)
CISA KEV listed, confirmed in-the-wild. No public PoC yet.
- pKVM kernel bugs (CVE-2025-48623/24, CVE-2026-0027/28/37): kernel/hypervisor
escalation from system UID. Chain: ART UAF → pKVM → full kernel root.
- avbroot + KernelSU-Next/Magisk for GKI 6.1/6.6 on Android 15/16 Pixel 9
assess_vulnerabilities() now covers Android 12 through 16 with automatic
exploit path selection based on SDK version and security patch level.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Full security platform with web dashboard, 16 Flask blueprints, 26 modules,
autonomous AI agent, WebUSB hardware support, and Archon Android companion app.
Includes Hash Toolkit, debug console, anti-stalkerware shield, Metasploit/RouterSploit
integration, WireGuard VPN, OSINT reconnaissance, and multi-backend LLM support.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
