An injector of arbitrary apps into an Android device, marking them as "system" or "platform" apps. This exploits CVE-2024-34740 and is based heavily on https://github.com/michalbednarski/AbxOverflow. Once installed, the injector runs as part of the `system_server` process and waits for external commands to install APKs.
An example installation flow is implemented in Node in `/cli`.
`npx system-injector bootstrap` will:

- Install the "normal" `com.penumbraos.systeminjector.exploitapp` to the device
- Copy the final `com.penumbraos.systeminjector` APK to the device
- Trigger STAGE 1 of the exploit
- Soft reboot the device (crash `system_server`)
- Trigger STAGE 2 of the exploit, installing `com.penumbraos.systeminjector`
- Soft reboot the device
At this point the System Injector installer is ready to be used.
`npx system-injector install [APK PATH]` will:

- Send the APK to the `systeminjector` process
- Resign the APK with the required, shared signing identity used here (and in https://github.com/michalbednarski/AbxOverflow)
- Install the APK using the exploit path
- Soft reboot the device
Limitations:

- Apps cannot normally launch when installed in this way, because AMS will attempt to launch them with `seinfo=_app`. However, since we can patch `system_server`, we can override the `seinfo`.
- System app directories are also not available, due to SELinux problems.
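The `seinfo` problem above comes from how Android assigns an SELinux label to an app: `mac_permissions.xml` maps the APK's signing certificate to a `seinfo` string (unknown signers fall through to `<default>`), and `seapp_contexts` maps that `seinfo` plus a few other selectors to a process domain. The script below is an added example, not part of this project or of AbxOverflow, that reproduces that lookup so you can see which domain an injected APK would land in for a given signing certificate. The two policy files are constructed stand-ins with shortened certificate hex, and the "most specific entry wins" ordering is a simplification of the precedence rules libselinux applies.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for /system/etc/selinux/plat_mac_permissions.xml. Real files
# carry the full hex-encoded DER signing certificate in the signature attribute.
MAC_PERMISSIONS_XML = """
<policy>
  <signer signature="3082aabb...platformcert">
    <seinfo value="platform"/>
  </signer>
  <signer signature="3082ccdd...mediacert">
    <seinfo value="media"/>
  </signer>
  <default>
    <seinfo value="default"/>
  </default>
</policy>
"""

# Constructed excerpt in the format of /system/etc/selinux/plat_seapp_contexts.
SEAPP_CONTEXTS = """
# selectors on the left, outputs (domain/type/levelFrom) on the right
isSystemServer=true domain=system_server_startup
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
user=_app domain=untrusted_app_27 type=app_data_file levelFrom=user
"""

# Selector keys in the precedence order libselinux uses when several entries match:
# an entry that pins an earlier key beats one that only pins later keys (simplified).
SELECTOR_KEYS = ("isSystemServer", "isEphemeralApp", "user", "seinfo",
                 "name", "isPrivApp", "minTargetSdkVersion")


def seinfo_for_signer(xml_text, cert_hex):
    """Map a signing certificate (hex DER) to its seinfo, falling back to <default>."""
    root = ET.fromstring(xml_text)
    for signer in root.findall("signer"):
        if signer.get("signature", "").lower() == cert_hex.lower():
            return signer.find("seinfo").get("value")
    default = root.find("default/seinfo")
    return default.get("value") if default is not None else None


def parse_seapp_contexts(text):
    """Turn each non-comment line into a dict of key=value tokens."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries


def _app_value(app, key):
    # Boolean selectors default to false when the app does not set them.
    val = app.get(key, False if key.startswith("is") else "")
    if isinstance(val, bool):
        return "true" if val else "false"
    return str(val)


def entry_matches(entry, app):
    """Every selector the entry pins must match the app's attributes."""
    for key in SELECTOR_KEYS:
        if key not in entry:
            continue
        if key == "minTargetSdkVersion":
            if int(app.get("targetSdkVersion", 0)) < int(entry[key]):
                return False
        elif _app_value(app, key) != entry[key]:
            return False
    return True


def domain_for_app(seapp_text, app):
    """Pick the most specific matching seapp_contexts entry and return its domain."""
    matches = [e for e in parse_seapp_contexts(seapp_text) if entry_matches(e, app)]
    if not matches:
        return None
    best = max(matches, key=lambda e: tuple(k in e for k in SELECTOR_KEYS))
    return best.get("domain")


def classify_app(cert_hex, app, mac_xml=MAC_PERMISSIONS_XML, seapp=SEAPP_CONTEXTS):
    """Return the (seinfo, domain) an app signed with cert_hex would be launched with."""
    seinfo = seinfo_for_signer(mac_xml, cert_hex)
    return seinfo, domain_for_app(seapp, dict(app, seinfo=seinfo))


if __name__ == "__main__":
    normal = {"user": "_app", "isPrivApp": False, "targetSdkVersion": 33}
    print(classify_app("3082aabb...platformcert", normal))   # ('platform', 'platform_app')
    print(classify_app("deadbeef", normal))                  # ('default', 'untrusted_app')
    print(classify_app("deadbeef", dict(normal, targetSdkVersion=26)))  # ('default', 'untrusted_app_27')
```

To run it against a real device, `adb pull` the device's `plat_mac_permissions.xml` and `plat_seapp_contexts` from `/system/etc/selinux/` and pass their contents to `classify_app`; a certificate that is absent from `mac_permissions.xml` always resolves to the `<default>` seinfo, which is exactly why an APK resigned with a non-platform key ends up in an untrusted app domain unless the `seinfo` is overridden inside `system_server`.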