The Threat: Advanced rooting tools like Zygisk and Magisk that hide malicious activity.
The Impact: RASP agents are bypassed, allowing automated fraud to go undetected.
Legacy Failure: RASP lives in the same untrusted environment as the attacker.
The Solution: Deterministic hardware attestation via physical silicon signals.
Zygisk is a feature of Magisk that allows modules to run in the Zygote process, enabling them to inject code and hide from security checks before the application even starts.
RASP operates within the application runtime. If an attacker controls the underlying operating system, they can manipulate the environment to feed false data to the RASP agent, effectively blinding it.
TrustSig uses hardware-level attestation. By analyzing physical silicon signals that cannot be easily spoofed by software modules, we can determine the true state of the device regardless of what the OS reports.
The Anatomy of the Bypass
Runtime Application Self-Protection (RASP) has long been the standard for mobile app security. By embedding protection directly into the application, developers aim to detect hooking, injection, and debugging in real time. However, the rise of advanced rooting frameworks like Magisk and its Zygisk component has fundamentally changed the landscape.
In our opinion, these tools have created a bypass problem that traditional RASP solutions are ill-equipped to handle. Because Zygisk injects modules directly into the Zygote process—the parent of all Android applications—it can intercept and modify system calls before the application or its security agents are even aware of them.
Why RASP Agents Fail
The core issue with RASP is its location. RASP agents live in the same untrusted environment as the attacker. When a device is rooted, the attacker gains elevated privileges that allow them to manipulate the very environment the RASP agent relies on for its telemetry.
We think that if an attacker can control the kernel or the Zygote process, they can effectively "gaslight" the RASP agent. They can present a clean environment to the security checks while simultaneously running malicious hooks, debuggers, or automation frameworks in the background. Because the RASP agent is a software-based observer, it is inherently limited by the integrity of the OS it is running on.
Deterministic Bot Mitigation
At TrustSig, we believe that the only way to solve this is to move the defense out of the untrusted application environment.
Instead of relying on software-based checks that can be hooked or bypassed, we utilize hardware attestation. By extracting signals directly from the device's physical silicon, we can identify the true hardware layout and state of the client. These signals are significantly harder to spoof because they are tied to the physical characteristics of the device rather than the software configuration.
When a request hits our edge, we perform a deterministic validation of these hardware signatures. If a device is using Zygisk to hide its root status, the underlying hardware telemetry will still reveal the discrepancy. This allows us to block automated fraud and compromised devices without relying on the integrity of the mobile OS, providing a robust, privacy-first defense that remains effective even when the device environment is fully compromised.
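The separation argued for above (an in-process RASP report that the attacker can rewrite, versus a decision taken at the edge on hardware-signed state) as an added example. This is not TrustSig's code and does not describe its actual signal set: the Ed25519 key standing in for a device's hardware-bound key, the claim fields boot_state and bootloader_locked, the nonce and freshness rules, and the names Verifier, Decision, SignClaims and RunScenario are all constructed for the illustration. The verifier only ever uses the OS report to detect a contradiction; allowing a request is decided on the attested claims alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// HardwareClaims is the payload the hardware signs. Constructed field set for
// this example; it is not TrustSig's actual signal set.
type HardwareClaims struct {
	Nonce            string `json:"nonce"`      // server-issued, binds the claims to one request
	BootState        string `json:"boot_state"` // "verified" or "unlocked", as the boot chain saw it
	BootloaderLocked bool   `json:"bootloader_locked"`
	IssuedAt         int64  `json:"issued_at"` // unix seconds
}

// OSReport is what an in-app (RASP-style) check sends. On a rooted device the
// attacker controls that process, so every field here can be made to look clean.
type OSReport struct {
	Nonce     string `json:"nonce"`
	BootState string `json:"boot_state"`
}

// Attestation carries the signed claims and the signature over them.
type Attestation struct {
	Claims    []byte
	Signature []byte
}

// SignClaims stands in for a secure element signing with a key that
// application-level code can neither read nor replace (assumption).
func SignClaims(priv ed25519.PrivateKey, c HardwareClaims) (Attestation, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{Claims: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Decision is the edge's verdict plus the reason for a rejection.
type Decision struct {
	Allow  bool
	Reason string
}

// Verifier is the edge-side component: it knows the public halves of enrolled
// device keys and never lets the OS report decide anything on its own.
type Verifier struct {
	Enrolled map[string]ed25519.PublicKey // device id -> attestation public key
	MaxAge   time.Duration
}

func (v *Verifier) Verify(deviceID string, att Attestation, report OSReport, expectedNonce string, now time.Time) Decision {
	pub, ok := v.Enrolled[deviceID]
	if !ok {
		return Decision{false, "device not enrolled"}
	}
	// The signature is the only link between the claims and the hardware.
	if !ed25519.Verify(pub, att.Claims, att.Signature) {
		return Decision{false, "bad attestation signature"}
	}
	var hw HardwareClaims
	if err := json.Unmarshal(att.Claims, &hw); err != nil {
		return Decision{false, "malformed claims"}
	}
	// Freshness: a captured attestation from a clean device must not be replayable.
	if hw.Nonce != expectedNonce || report.Nonce != expectedNonce {
		return Decision{false, "nonce mismatch"}
	}
	if now.Sub(time.Unix(hw.IssuedAt, 0)) > v.MaxAge {
		return Decision{false, "attestation expired"}
	}
	// A clean OS report that disagrees with the hardware is the hidden-root case.
	if report.BootState != hw.BootState {
		return Decision{false, "os report contradicts hardware attestation"}
	}
	// Policy is evaluated on the attested state only.
	if hw.BootState != "verified" || !hw.BootloaderLocked {
		return Decision{false, fmt.Sprintf("hardware reports boot_state=%s locked=%t", hw.BootState, hw.BootloaderLocked)}
	}
	return Decision{true, "ok"}
}

// RunScenario enrols a fresh key, has the simulated hardware sign the given
// state, and judges it against an OS report. ageSeconds backdates the claims.
func RunScenario(hwBoot string, locked bool, osBoot, presentedNonce, expectedNonce string, ageSeconds int64) (Decision, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Decision{}, err
	}
	v := &Verifier{Enrolled: map[string]ed25519.PublicKey{"dev-1": pub}, MaxAge: 2 * time.Minute}
	now := time.Now()
	att, err := SignClaims(priv, HardwareClaims{Nonce: presentedNonce, BootState: hwBoot, BootloaderLocked: locked, IssuedAt: now.Unix() - ageSeconds})
	if err != nil {
		return Decision{}, err
	}
	return v.Verify("dev-1", att, OSReport{Nonce: presentedNonce, BootState: osBoot}, expectedNonce, now), nil
}

func main() {
	honest, _ := RunScenario("verified", true, "verified", "n1", "n1", 0)
	// Rooted device with an unlocked bootloader whose in-app check reports "verified" anyway.
	hidden, _ := RunScenario("unlocked", false, "verified", "n1", "n1", 0)
	fmt.Printf("honest device: %+v\nhidden root:   %+v\n", honest, hidden)
}
```

The second scenario in main is the situation the paragraph describes: the app-layer report looks clean, but the signed hardware claims still say the bootloader is unlocked, so the edge rejects on the contradiction rather than on anything the OS chose to report. The nonce and age checks matter just as much in practice, since without them a single attestation captured from a genuinely clean device could be replayed by a compromised one.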