Awesome-Android-Vulnerability-Research
July 2, 2026 · View on GitHub
Resources for Android/IOS vulnerability research. All resource credits go to the respectful authors.
Books
Youtube Videos
- maddiestone channel
- Billy Ellis
- Android Kernel Exploitation | Payatu Workshop
- Android Kernel Exploitation with Binder Use-After-Free (CVE-2019-2215)
- Android kernel exploitation series
- Android / Linux SLUB aliasing for general- and special-purpose caches
- Building a CUSTOM 2G GSM Cellular Base Station
Blogs
- 8ksec blogs
- Mobilehackinglab blogs
- Android Kernel Exploitation
- TASZK Security Labs
- The Fuzzing Guide to the Galaxy: An Attempt with Android System Services
- Rooting the FiiO M6 - Part 1 - Using the "World's Worst Fuzzer" To Find A Kernel Bug
- Rooting the FiiO M6 - Part 2 - Writing an LPE Exploit For Our Overflow Bug
- Android SELinux Internals Part I
- DYNAMICALLY INJECT A SHARED LIBRARY INTO A RUNNING PROCESS ON ANDROID/ARM
- ANDROID NATIVE API HOOKING WITH LIBRARY INJECTION AND ELF INTROSPECTION
- Fuzzing Android Native libraries with libFuzzer + QEMU
- AFL++ on Android with QEMU support
- MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface
- Tailoring CVE-2019-2215 to Achieve Root
- Build Android Kernel of Pixel 6 for Fuzzing
- Fuzzing a Pixel 3a Kernel with Syzkaller
- Bypassing SELinux with init_module
- Android greybox fuzzing with AFL++ Frida mode
- Reverse Engineering Samsung S6 SBOOT - Part I
- Reverse Engineering Samsung S6 SBOOT - Part II
- Extending Emuroot: support for Android 10 & 11
- Dumb Android Kernel Fuzzing
- Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)
- Fuzzing Android binaries under Qemu - part 1
- Android kernel emulation with QEMU
- Build Android Kernel and Run on QEMU with Minimal Environment: Step by Step
- Android Internals IPC: Introduction
- Android Internals IPC: Binder and Service Manager Perspective
- BYPASS SELINUX ON ANDROID
- Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938
- Code injection on Android without ptrace
- Make a KGDB debug cable for pixel3
- Exploiting a Single Instruction Race Condition in Binder
- Driving forward in Android drivers
- Effectively bypassing kptr_restrict on Android
- Hypervisor Necromancy; Reanimating Kernel Protectors
- Scudo, the Allocator (Part 1)
- Timing Attack Experiments against Scudo (Part 2)
- Uncovering a 0-Click RCE in the SuperNote Nomad E-ink Tablet
- Android: Scudo
- Reversing Samsung's H-Arx Hypervisor Framework
- Alfie CG - blogs
- Building a Mali GPU Debug Environment
- Dissecting a MediaTek BootROM exploit
- How to recover and decompress a Linux kernel dumped MTD partition
- Accessing UART ports on Android devices
- Building Android kernel modules for Cuttlefish with Bazel
- Building and using Cuttlefish
- Android AOSP kernel build, module build, and misc
- Hacking a 2014 tablet... in 2024
- MediaTek details: SoC startup
- MediaTek details: Partitions and Preloader
- exynos8890-bootrom-dump : dump Exynos 8890 bootROM from Samsung Galaxy S7
- Reverse engineer USB stack of Exynos BootROM
- exynos-usbdl : unsigned code loader for Exynos BootROM
- Kinibi TEE: Trusted Application exploitation
- SELinux bypasses
- Build a Custom Kernel for Android on Debian-based Linux
- Samsung S10+/S9 kernel 4.14 (Android 10) Kernel Function Address (.text) and Heap Address Information Leak
- Breaking Samsung Galaxy Secure Boot through Download mode
- How to lock the samsung download mode using an undocumented feature of aboot
- Reverse Engineering Android's Aboot
- Android bootloader analysis -- Aboot
- PCBite, my new best friend for getting UART logs
- Exploiting Android S-Boot: Getting Arbitrary Code Exec in the Samsung Bootloader (1/2)
- KASAN in Android Kernel
- CVE-2019-2215 Bad Binder Writeup
- Analysis on Kernel Self-Protection: Understanding Security and Performance Implication
- Google Pixel 4XL KASAN
- CVE-2020-0069: Autopsy of the Most Stable MediaTek Rootkit
- Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection
- Google Pixel UART kernel debug cable
- Building iBoot
- Shannon Baseband: Pixel 9 Reverse Engineering Shenanigans
- Shannon in a nutshell
- Baseband fuzzing on budget pt.1
- Baseband fuzzing on budget pt.2
- Baseband fuzzing on budget pt.3
- Debugging the Samsung Android Kernel part 1
- Debugging the Samsung Android Kernel part 2
- Debugging the Samsung Android Kernel part 3
- Practical Android Debugging Via KGDB
- The hidden JTAG in your Qualcomm/Snapdragon device’s USB port
- Bring Light To The Darkness
- Android Debugging Crash Course
- Introducing usbliter8
- Building AOSP & Setting Up a Native Debugging Environment
- Debugging the Pixel 8 kernel via KGDB
- How To Make Your Own Pixel 2, Pixel 3 or Pixel 4 Debugging Cable
- iBoot SMMU Bypass and Kernelcache Structure Forgery
- iBoot address space
- Boot Newer iOS with QEMU Step by Step
Mobile Malware Analysis Resources
- LaurieWired - youtube channel
- The Android Malware Handbook
- Android App Reverse Engineering 101
- N Ways to Unpack Mobile Malware
- Deep Analysis of Anubis Banking Malware
Conference Talks
- Natalie Silvanovich - How to Hack Shannon Baseband (from a Phone)
- Amat Cama - ASN.1 and Done: A Journey of Exploiting ASN.1 Parsers in the Baseband
- Moshe Kol - Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel
- Federico Menarini and Martijn Bogaard - Bug Hunting S21’s 10ADAB1E FW
- Eneko Cruz Elejalde- Building a DIY Baseband Debugger from Scratch
- Aristeidis Thallas - Emulating Hypervisors: A Samsung RKP Case Study
- Eloi Sanfelix - A Bug Collision Tale
- Maddie Stone - Bad Binder: Finding an Android In The Wild 0day
- Marco Grassi and Kira - Exploring the MediaTek Baseband
- Jonathan Afek - Simplifying iOS Research
- Samuel Gross No Clicks Required: Exploiting Memory Corruption Vulns in Messenger Apps
- A walk with Shannon: A walkthrough of a pwn2own baseband exploit - Amat Cama
- Exploitation of a Modern Smartphone Baseband
- Over the Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones
- Attack on Titan M, Reloaded: Vulnerability Research on a Modern Security Chip
- Advanced Hexagon DIAG
- Emulating Samsung's Baseband for Security Testing
- Hara-Kirin: Dissecting Huawei Mobile Devices by Maxime Peterlin & Alexandre Adamski
- Life and death of an iOS attacker by Luca Todesco
- Putting it all together: building an iOS jailbreak from scratch | Umang Raghuvanshi | NULLCON 2020
- Reverse engineering the Pixel TitanM2 firmware
- Build a Fake Phone, Find Real Bugs: Qualcomm GPU Emulation and Fuzzing with LibAFL QEMU
- Atlan Pinabel - Navigating the MTE Landscape: iOS Memory Protection Deep Dive