This MobSF static analysis report for KernelSU Next (v1.0.3-9-g5563145) assigns a medium-risk security score of 57/100 (grade B), with one high severity finding (the network security config permits cleartext traffic to the loopback and unspecified addresses 127.0.0.1, 0.0.0.0 and ::1) and several warnings: an exported broadcast receiver guarded by a platform permission, allowBackup enabled, logging, temp-file and external-storage use, an insecure random number generator, possible hardcoded strings, and a WebView that executes user-controlled content in the WebUI activity. The APK carries an APK Signature Scheme v2 signature, targets API 35 and installs on devices from API 26 (Android 8.0) upward.

ANDROID STATIC ANALYSIS REPORT

KernelSU Next (v1.0.3-9-g5563145)

File Name: KernelSU_Next_v1.0.3-9-g5563145_12019-release.apk


Package Name: com.rifsxd.ksunext

Scan Date: June 11, 2025, 10:31 a.m.

App Security Score: 57/100 (MEDIUM RISK)

Grade: B

FINDINGS SEVERITY
HIGH: 1 | MEDIUM: 9 | INFO: 2 | SECURE: 2 | HOTSPOT: 0

FILE INFORMATION
File Name: KernelSU_Next_v1.0.3-9-g5563145_12019-release.apk
Size: 7.59MB
MD5: ec49b3535412dd03b9732e5314d8accf
SHA1: db3e7bc869245f0be0b468ffa80f93117c230d0d
SHA256: f4ab8facea0584b89b39e0a504f9e0b8e4bb7f0aae17fd761c06c5c5f1b616cf

APP INFORMATION
App Name: KernelSU Next
Package Name: com.rifsxd.ksunext
Main Activity: com.rifsxd.ksunext.ui.MainActivity
Target SDK: 35
Min SDK: 26
Max SDK: (not set)
Android Version Name: v1.0.3-9-g5563145
Android Version Code: 12019

APP COMPONENTS
Activities: 2
Services: 0
Receivers: 1
Providers: 2
Exported Activities: 0
Exported Services: 0
Exported Receivers: 1
Exported Providers: 0

CERTIFICATE INFORMATION
Binary is signed
v1 signature: False
v2 signature: True
v3 signature: False
v4 signature: False
X.509 Subject: C=BD, ST=Bangladesh, L=Dhaka, O=KernelSU-Next, OU=KSU-Next, CN=Rifat Azad
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2024-12-18 11:49:17+00:00
Valid To: 2034-12-16 11:49:17+00:00
Issuer: C=BD, ST=Bangladesh, L=Dhaka, O=KernelSU-Next, OU=KSU-Next, CN=Rifat Azad
Serial Number: 0xf916e622b12305d5
Hash Algorithm: sha384
md5: 4b86759ddbdff4bbadd3b652e2f4c705
sha1: d2d7288971ea3fa17bd4d7a6510baed5f23ba83f
sha256: 79e590113c4c4c0c222978e413a5faa801666957b1212a328e46c00c69821bf7
sha512: 6194a1ad3825e74907f72269eaa4ae12c02e3b40e5e7659b56f7faa231a78ec2dbb5bf0591e5e2dc1536ba3c8ac0c37bab94622be922c9132484a06b54fb7515
PublicKey Algorithm: rsa
Bit Size: 2408
Fingerprint: bf7f667fa99dfc29481f55962d9bd505e3f2b2e12d52617060073fc2efe67148
Found 1 unique certificates

APPLICATION PERMISSIONS

PERMISSION                                                      STATUS   INFO                  DESCRIPTION
android.permission.INTERNET                                     normal   full Internet access  Allows an application to create network sockets.
com.rifsxd.ksunext.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION     unknown  Unknown permission    Unknown permission from android reference

Note: the second entry is not an app-specific permission. AndroidX core declares <applicationId>.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION with protectionLevel="signature" and applies it to receivers registered at runtime so that other apps cannot deliver broadcasts to them; MobSF reports it as unknown only because it is not an android.* permission. The app's only real permission request is INTERNET.

APKID ANALYSIS

FILE                          FINDINGS      DETAILS
classes.dex                   Anti-VM Code  Build.FINGERPRINT check; Build.MANUFACTURER check
classes.dex                   Compiler      r8 without marker (suspicious)
assets/main.jar!classes.dex   Compiler      r8 without marker (suspicious)

Note: the Anti-VM entries are reads of android.os.Build device properties, which APKiD flags because emulator-detection code reads the same fields; on their own they do not establish evasive behaviour. The "r8 without marker" entry means the dex was produced by R8 but the usual R8 marker string is absent, so the toolchain identification is a guess rather than a confirmed match.

NETWORK SECURITY
HIGH: 1 | WARNING: 0 | INFO: 0 | SECURE: 0

NO  SCOPE                     SEVERITY  DESCRIPTION
1   127.0.0.1, 0.0.0.0, ::1   high      Domain config is insecurely configured to permit clear text traffic to these domains in scope.

Note: all three hosts are local addresses (IPv4 and IPv6 loopback, and the IPv4 unspecified address). Cleartext to a loopback address never leaves the device, so for traffic to a local listener the practical exposure is far below what the "high" label suggests. What should be verified is that the exception is confined to a <domain-config> and that <base-config> keeps cleartextTrafficPermitted="false" (the platform default for targetSdk >= 28), so that no remote host inherits it.
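To reproduce this finding and the loopback caveat above, here is an added example (not MobSF code and not part of KernelSU Next) that parses a network_security_config.xml with the standard library, follows cleartextTrafficPermitted inheritance from base-config into nested domain-configs, and classifies each listed host. SAMPLE_CONFIG is constructed to match the shape of the reported finding; the element and attribute names are those of the Android Network Security Configuration schema, but the file content is an assumption, not the APK's actual config.

```python
"""Flag cleartext-permitted hosts in an Android network_security_config.xml.

Added example for this report; not MobSF code and not KernelSU Next code.
SAMPLE_CONFIG is a constructed input that reproduces the reported finding.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input (assumption): the kind of config that yields the
# "permit clear text traffic to these domains" finding.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">127.0.0.1</domain>
        <domain includeSubdomains="false">0.0.0.0</domain>
        <domain includeSubdomains="false">::1</domain>
    </domain-config>
</network-security-config>
"""


def host_class(host):
    """'loopback' (127.0.0.0/8, ::1), 'unspecified' (0.0.0.0, ::),
    'ip' (any other literal address) or 'hostname'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    return "ip"


def _flag(elem, inherited):
    """cleartextTrafficPermitted of a config element, inheriting when absent."""
    attr = elem.get("cleartextTrafficPermitted")
    return inherited if attr is None else attr.strip().lower() == "true"


def _walk(elem, inherited, findings):
    permitted = _flag(elem, inherited)
    if permitted:
        for d in elem.findall("domain"):
            host = (d.text or "").strip()
            cls = host_class(host)
            # Cleartext to loopback never leaves the device; anything else is
            # reachable by an on-path attacker.
            severity = "low" if cls == "loopback" else "high"
            findings.append({"host": host, "class": cls, "severity": severity})
    for child in elem.findall("domain-config"):
        _walk(child, permitted, findings)  # nested configs inherit the flag


def cleartext_hosts(xml_text, platform_default=False):
    """Return (base_cleartext, findings).

    platform_default is what <base-config> falls back to when the attribute
    is absent: False for targetSdk >= 28 (this app targets 35), True below.
    Each finding is {"host", "class", "severity"} for a <domain> that ends up
    under a cleartext-permitted <domain-config>, inheritance included.
    """
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_cleartext = platform_default if base is None else _flag(base, platform_default)
    findings = []
    for dc in root.findall("domain-config"):
        _walk(dc, base_cleartext, findings)
    return base_cleartext, findings


def worst_severity(findings):
    """'high' if any non-loopback host may use cleartext, else 'low' or 'none'."""
    if not findings:
        return "none"
    return "high" if any(f["severity"] == "high" for f in findings) else "low"


if __name__ == "__main__":
    base, found = cleartext_hosts(SAMPLE_CONFIG)
    print("base-config cleartext:", base)
    for f in found:
        print(f"{f['host']:<12} {f['class']:<12} {f['severity']}")
    print("overall:", worst_severity(found))
```

Run against the APK's real config by passing the text of res/xml/network_security_config.xml (after apktool decoding) to cleartext_hosts(). The 0.0.0.0 entry is what keeps the overall result at "high": it is the unspecified address, not loopback, and has no legitimate use as a connection target.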

CERTIFICATE ANALYSIS
HIGH: 0 | WARNING: 0 | INFO: 1

TITLE               SEVERITY  DESCRIPTION
Signed Application  info      Application is signed with a code signing certificate

MANIFEST ANALYSIS
HIGH: 0 | WARNING: 3 | INFO: 0 | SUPPRESSED: 0

NO  ISSUE  SEVERITY  DESCRIPTION

1. App can be installed on a vulnerable Android version [Android 8.0, minSdk=26] (warning)
   This application can be installed on an older version of Android that has multiple vulnerabilities. Support Android version >= 10 (API 29) to receive reasonable security updates.

2. App has a Network Security Configuration [android:networkSecurityConfig=@xml/network_security_config] (info)
   The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app.

3. Application Data can be Backed up [android:allowBackup=true] (warning)
   This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.

4. Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is Protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.DUMP [android:exported=true] (warning)
   A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
   Note: android.permission.DUMP is a platform permission with protection level signature|privileged|development, so only the system, privileged apps and the shell user can hold it; an ordinary third-party app cannot be granted it. The receiver is the stock AndroidX profileinstaller component (it exists so that baseline profiles can be installed from adb), not app-specific code.

CODE ANALYSIS
HIGH: 0 | WARNING: 5 | INFO: 2 | SECURE: 1 | SUPPRESSED: 0

NO  ISSUE  SEVERITY  STANDARDS  FILES

1. The App logs information. Sensitive information should never be logged. (info)
   Standards: CWE-532: Insertion of Sensitive Information into Log File; OWASP MASVS: MSTG-STORAGE-3
   Files: A/C.java, A/C0031p0.java, A0/B.java, A0/P.java, A0/w1.java, A1/e.java, A1/g.java, B2/a.java, B2/i.java, B2/j.java, C/D.java, C2/C0129m.java, C2/C0131o.java, C2/T.java, E2/AbstractC0231s.java, E2/C0179a0.java, E2/C0195f1.java, E2/C0204i1.java, E2/K.java, E2/Q1.java, E2/S0.java, E2/Z0.java, I0/D.java, I2/c.java, I2/h.java, I2/k.java, I2/q.java, I2/r.java, I2/u.java, J2/b.java, L2/I.java, N3/d.java, N3/l.java, N3/n.java, O/C0500w0.java, O0/u.java, O3/d.java, R2/f.java, U0/j.java, U0/n.java, b0/e.java, b1/C0602f.java, b4/b.java, e1/b.java, f1/g.java, h1/AbstractC0722d.java, i1/AbstractC0744a.java, l1/AbstractC0845l.java, l1/F.java, l1/G.java, l1/K.java, m3/AbstractC0919a.java, r0/c.java, s1/C1210b.java, s1/C1211c.java, s1/C1215g.java, u2/c.java, y1/C1512n.java, y1/D.java

2. App creates temp file. Sensitive information should never be written into a temp file. (warning)
   Standards: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2
   Files: L2/AbstractC0438f.java

3. Files may contain hardcoded sensitive information like usernames, passwords, keys etc. (warning)
   Standards: CWE-312: Cleartext Storage of Sensitive Information; OWASP Top 10: M9: Reverse Engineering; OWASP MASVS: MSTG-STORAGE-14
   Files: K/C0281a1.java, O/C0459b0.java, Q1/a.java, e2/C0664d.java

4. This App uses SSL certificate pinning to detect or prevent MITM attacks in secure communication channel. (secure)
   Standards: OWASP MASVS: MSTG-NETWORK-4
   Files: N3/e.java, N3/h.java, N3/m.java, N3/n.java

5. This App copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it. (info)
   Standards: OWASP MASVS: MSTG-STORAGE-10
   Files: A0/C0072h.java

6. The App uses an insecure Random Number Generator. (warning)
   Standards: CWE-330: Use of Insufficiently Random Values; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-6
   Files: A0/C0076i0.java, A1/h.java, n3/AbstractC1013a.java, n3/C1014b.java, o3/C1102a.java
   Note: java.util.Random is acceptable for non-security uses; the flagged sites are in obfuscated library packages, so confirm whether any of them feeds a key, token or nonce before treating this as a cryptographic weakness.

7. App can read/write to External Storage. Any App can read data written to External Storage. (warning)
   Standards: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2
   Files: E2/C0179a0.java, E2/C0185c0.java, E2/N.java

8. Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole. (warning)
   Standards: CWE-749: Exposed Dangerous Method or Function; OWASP Top 10: M1: Improper Platform Usage; OWASP MASVS: MSTG-PLATFORM-7
   Files: com/rifsxd/ksunext/ui/webui/WebUIActivity.java
   Note: the single non-obfuscated hit is the activity that hosts module WebUIs, where JavaScript execution is the feature. The review questions are which Java objects that WebView exposes through addJavascriptInterface, which origins it is allowed to load, and whether content shipped by a module is treated as trusted; the finding is not resolved by the rule alone.
SHARED LIBRARY BINARY ANALYSIS

NO  SHARED OBJECT                           NX    PIE                                     STACK CANARY  RELRO                    RPATH        RUNPATH      FORTIFY                                                      SYMBOLS STRIPPED
1   arm64-v8a/libksud_overlayfs.so          True  Position Independent Executable (PIE)   False (high)  Full RELRO (info)        None (info)  None (info)  False (warning)                                              True (info)
2   arm64-v8a/libmagiskboot.so              True  No PIE (high)                           False (high)  Partial RELRO (warning)  None (info)  None (info)  False (warning)                                              True (info)
3   arm64-v8a/libksud_magic.so              True  Position Independent Executable (PIE)   False (high)  Full RELRO (info)        None (info)  None (info)  False (warning)                                              True (info)
4   arm64-v8a/libandroidx.graphics.path.so  True  Dynamic Shared Object (DSO)             True (info)   Full RELRO (info)        None (info)  None (info)  False (warning)                                              True (info)
5   arm64-v8a/libkernelsu.so                True  Dynamic Shared Object (DSO)             False (high)  Full RELRO (info)        None (info)  None (info)  True (info): __strcpy_chk, __strlen_chk, __vsprintf_chk     True (info)

The original report lists every library twice (entries 1-5 from apktool_out/lib/arm64-v8a/ and entries 6-10 from lib/arm64-v8a/, see the scan logs); the two passes produced identical results and are shown once here.

Column meanings, as given in the report:

NX: the binary has the NX bit set, which marks memory pages non-executable and makes attacker-injected shellcode non-executable.

PIE: a Position Independent Executable or a shared object built with -fPIC can be loaded at a random base, which makes Return Oriented Programming (ROP) attacks much harder to execute reliably. libmagiskboot.so is built without position-independent code, so ASLR cannot randomise its base; build it with -fPIC (and link with -pie) to fix this.

STACK CANARY: a canary value placed on the stack so that a stack buffer overflow that overwrites the return address also corrupts the canary and is detected before the function returns. libksud_overlayfs.so, libmagiskboot.so, libksud_magic.so and libkernelsu.so have no canary; the report recommends -fstack-protector-all. The check is not applicable to Dart/Flutter libraries unless Dart FFI is used.

RELRO: makes the GOT read-only so that it cannot be overwritten in vulnerable ELF binaries. With full RELRO the whole GOT (.got and .got.plt) is read-only; with partial RELRO the non-PLT part of the GOT is read-only but .got.plt stays writable. libmagiskboot.so only has partial RELRO; link with -z,relro,-z,now to enable full RELRO.

RPATH / RUNPATH: none of the binaries carries a run-time search path, so a writable directory cannot be injected into library resolution.

FORTIFY: only libkernelsu.so contains fortified functions (__strcpy_chk, __strlen_chk, __vsprintf_chk). Fortified functions add buffer-overflow checks to libc's insecure functions such as strcpy and gets; compile with -D_FORTIFY_SOURCE=2 to enable them. Not applicable to Dart/Flutter libraries.

SYMBOLS STRIPPED: all five binaries have their symbol tables stripped.

Practitioner notes: three of the five files are not JNI libraries at all. libksud_overlayfs.so and libksud_magic.so report as position-independent executables and libmagiskboot.so as a non-PIE executable, which is consistent with standalone tools (the ksud daemon and magiskboot) packaged under lib/ so that the package manager extracts them with execute permission; their findings are about those tools, not about code loaded into the app process. ksud is a Rust program, and the canary check looks for the C runtime's __stack_chk_fail, so "no canary" there reflects a different mitigation model rather than a missing flag. The one library the app actually loads, libkernelsu.so, has NX, full RELRO and fortified string functions but no stack canary, which is the item worth raising with the project.
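The columns above come from the ELF program headers, the dynamic section and the symbol names. To check an arm64 library without MobSF, here is an added example (not MobSF's checker and not KernelSU Next code) that parses a little-endian ELF64 file with struct and reproduces the NX, PIE/DSO, RELRO, canary and FORTIFY columns. The test input, build_sample_elf(), is a constructed, non-loadable ELF skeleton that exists only so the example runs offline; it is an assumption, not one of the report's binaries. The canary and FORTIFY checks are byte-string heuristics (the __stack_chk_fail and __*_chk names), which is also all that quick checkers look at.

```python
"""Minimal ELF64 hardening check: NX, PIE/DSO, RELRO, stack canary, FORTIFY.

Added example for this report; not MobSF code and not KernelSU Next code.
check_elf(data) works on the bytes of any little-endian ELF64 file.
build_sample_elf() is a constructed test input (assumption), not a real library.
"""
import re
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 LE header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header, 56 bytes
DYN = struct.Struct("<qQ")                  # ELF64 dynamic entry, 16 bytes


def _dynamic_tags(data, phdrs):
    """First value of every tag in the PT_DYNAMIC array (empty if none)."""
    tags = {}
    for p in phdrs:
        if p["type"] == PT_DYNAMIC:
            for off in range(p["offset"], p["offset"] + p["filesz"], DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                tags.setdefault(tag, val)
    return tags


def check_elf(data):
    """Return the report's hardening columns for one ELF64 little-endian file."""
    (ident, e_type, _m, _v, _e, phoff, _s, _f, _eh,
     phentsize, phnum, _se, _sn, _si) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phdrs = []
    for i in range(phnum):
        t, flags, off, _va, _pa, filesz, _ms, _al = PHDR.unpack_from(data, phoff + i * phentsize)
        phdrs.append({"type": t, "flags": flags, "offset": off, "filesz": filesz})
    types = {p["type"] for p in phdrs}
    dyn = _dynamic_tags(data, phdrs)

    # NX: stack is non-executable when PT_GNU_STACK is present without PF_X.
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)

    # ET_EXEC is a fixed-address executable ("No PIE"); ET_DYN with an
    # interpreter is a PIE executable, ET_DYN without one a shared library.
    if e_type == ET_EXEC:
        pie = "No PIE"
    elif e_type == ET_DYN:
        pie = "PIE" if PT_INTERP in types else "DSO"
    else:
        pie = "other"

    # RELRO: PT_GNU_RELRO alone is partial; with BIND_NOW the whole GOT is
    # resolved at load time and can be made read-only (full RELRO).
    bind_now = (DT_BIND_NOW in dyn
                or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if PT_GNU_RELRO not in types:
        relro = "No RELRO"
    else:
        relro = "Full RELRO" if bind_now else "Partial RELRO"

    # Heuristics: -fstack-protector code references __stack_chk_fail, and
    # _FORTIFY_SOURCE swaps str*/sprintf calls for __*_chk variants.
    canary = b"__stack_chk_fail" in data
    fortify = sorted({m.decode() for m in re.findall(rb"__[A-Za-z0-9_]+_chk\b", data)})
    return {"nx": nx, "pie": pie, "relro": relro, "canary": canary, "fortify": fortify}


def build_sample_elf(et_type=ET_DYN, interp=True, stack_exec=False, relro=True,
                     bind_now=True, canary=True, fortify=()):
    """Constructed test input (assumption): an ELF64 skeleton for check_elf()."""
    dyn_blob = b"".join(DYN.pack(t, v) for t, v in
                        ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)])
    names = b"".join(n + b"\0" for n in
                     ((b"__stack_chk_fail",) if canary else ()) + tuple(fortify))
    specs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if stack_exec else 0)), (PT_DYNAMIC, PF_R | PF_W)]
    specs += [(PT_INTERP, PF_R)] if interp else []
    specs += [(PT_GNU_RELRO, PF_R)] if relro else []
    phoff, dyn_off = EHDR.size, EHDR.size + len(specs) * PHDR.size
    phdrs = b"".join(
        PHDR.pack(t, f, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                  len(dyn_blob) if t == PT_DYNAMIC else 0,
                  len(dyn_blob) if t == PT_DYNAMIC else 0, 8)
        for t, f in specs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, v1, SYSV ABI
    ehdr = EHDR.pack(ident, et_type, 183, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, len(specs), 0, 0, 0)
    return ehdr + phdrs + dyn_blob + names


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in check_elf(blob).items():
        print(f"{key:<8} {value}")
```

Run it as `python check_elf.py lib/arm64-v8a/libkernelsu.so` after unzipping the APK; with no argument it checks the constructed sample. The PIE-versus-DSO split (interpreter present or not) is what separates the ksud/magiskboot executables from the real JNI library in the table above.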

NIAP ANALYSIS v1.3

NO  IDENTIFIER  REQUIREMENT  FEATURE  DESCRIPTION
(no entries reported)

BEHAVIOUR ANALYSIS

RULE ID  BEHAVIOUR                                                              LABEL            FILES
00063    Implicit intent (view a web page, make a phone call, etc.)             control          A0/C0087n0.java, B3/b.java, G2/b.java, R2/f.java, y1/D.java
00191    Get messages in the SMS inbox                                           sms              E2/C0213l1.java, G2/b.java
00013    Read file and put it into a stream                                      file             A1/b.java, A1/g.java, A1/n.java, E2/J1.java, L2/z.java, S3/t.java, U0/j.java
00114    Create a secure socket connection to the proxy address                  network command  J3/k.java
00162    Create InetSocketAddress object and connect to it                       socket           N3/c.java, N3/n.java
00163    Create new Socket and connect to it                                     socket           N3/c.java, N3/n.java
00022    Open a file from given absolute path of the file                        file             E2/C0179a0.java, E2/C0185c0.java, E2/N.java, J2/b.java, K1/a.java, M2/a.java, m3/AbstractC0919a.java, r0/c.java
00004    Get filename and put it to JSON object                                  file collection  J2/i.java
00036    Get resource file from res/raw directory                                reflection       P1/a.java, R2/f.java
00051    Implicit intent (view a web page, make a phone call, etc.) via setData  control          B3/b.java

Note: the app declares only android.permission.INTERNET, so rule 00191 (SMS inbox) cannot correspond to actual inbox access; the match is on API or content-URI patterns in obfuscated library code (E2/C0213l1.java, G2/b.java) and should be confirmed in the decompiled source before it is reported as behaviour.

ABUSED PERMISSIONS

TYPE                       MATCHES  PERMISSIONS
Malware Permissions        1/25     android.permission.INTERNET
Other Common Permissions   0/44

Malware Permissions: top permissions that are widely abused by known malware.
Other Common Permissions: permissions that are commonly abused by known malware.

OFAC SANCTIONED COUNTRIES

This app may communicate with the following OFAC sanctioned list of countries.

DOMAIN  COUNTRY/REGION
(none: no extracted domain resolved to a sanctioned country)

DOMAIN MALWARE CHECK

DOMAIN                    STATUS  GEOLOCATION
source.android.com        ok      IP 216.58.211.238; United States of America, California, Mountain View (37.405991, -122.078514)
schemas.android.com       ok      No geolocation information available.
kernelsu.org              ok      IP 185.199.108.153; United States of America, Pennsylvania, California (40.065632, -79.891708)
mui.kernelsu.org          ok      No geolocation information available.
api.github.com            ok      IP 140.82.121.5; United States of America, California, San Francisco (37.775700, -122.395203)
github.com                ok      IP 140.82.121.4; United States of America, California, San Francisco (37.775700, -122.395203)
goo.gle                   ok      IP 67.199.248.12; United States of America, New York, New York City (40.739288, -73.984955)
youtrack.jetbrains.com    ok      IP 63.33.88.220; Ireland, Dublin, Dublin (53.343990, -6.267190)
t.me                      ok      IP 149.154.167.99; United Kingdom of Great Britain and Northern Ireland, England, Lowestoft (52.475201, 1.751590)
ns.adobe.com              ok      No geolocation information available.
issuetracker.google.com   ok      IP 216.58.210.174; United States of America, California, Mountain View (37.405991, -122.078514)

Note: schemas.android.com and ns.adobe.com are XML namespace URIs found in resources, not hosts the app contacts; the update and module endpoints are kernelsu.org, mui.kernelsu.org, api.github.com and github.com.

HARDCODED SECRETS

POSSIBLE SECRETS
"superuser" : " "
"module_author" : "Autor"
"superuser" : "SuperUser"
"module_author" : " "
"module_author" : " "
"module_author" : "Oleh"
"superuser" : "Superuser"
"module_author" : "Author"
"superuser" : "SuperUsuário"
"superuser" : " "

Note: every entry is a string-resource key ("superuser", "module_author") paired with a localized UI label or a blank value. They are translations of screen text that the secret scanner matched on the word "super"; none is a credential, token or key.


SCAN LOGS

Timestamp Event Error

2025-06-11 10:31:53 Generating Hashes OK

2025-06-11 10:31:53 Extracting APK OK

2025-06-11 10:31:53 Unzipping OK

2025-06-11 10:31:53 Parsing APK with androguard OK

2025-06-11 10:31:53 Extracting APK features using aapt/aapt2 OK

2025-06-11 10:31:53 Getting Hardcoded Certificates/Keystores OK

2025-06-11 10:31:56 Parsing AndroidManifest.xml OK

2025-06-11 10:31:56 Extracting Manifest Data OK

2025-06-11 10:31:56 Manifest Analysis Started OK

2025-06-11 10:31:56 Reading Network Security config from network_security_config.xml OK

2025-06-11 10:31:56 Parsing Network Security config OK

2025-06-11 10:31:56 Performing Static Analysis on: KernelSU Next (com.rifsxd.ksunext) OK

2025-06-11 10:31:56 Fetching Details from Play Store: com.rifsxd.ksunext OK

2025-06-11 10:31:56 Checking for Malware Permissions OK

2025-06-11 10:31:56 Fetching icon path OK

2025-06-11 10:31:56 Library Binary Analysis Started OK

2025-06-11 10:31:56 Analyzing apktool_out/lib/arm64-v8a/libksud_overlayfs.so OK

2025-06-11 10:31:56 Analyzing apktool_out/lib/arm64-v8a/libmagiskboot.so OK

2025-06-11 10:31:56 Analyzing apktool_out/lib/arm64-v8a/libksud_magic.so OK

2025-06-11 10:31:57 Analyzing apktool_out/lib/arm64-v8a/libandroidx.graphics.path.so OK

2025-06-11 10:31:57 Analyzing apktool_out/lib/arm64-v8a/libkernelsu.so OK

2025-06-11 10:31:57 Analyzing lib/arm64-v8a/libksud_overlayfs.so OK


2025-06-11 10:31:57 Analyzing lib/arm64-v8a/libmagiskboot.so OK

2025-06-11 10:31:57 Analyzing lib/arm64-v8a/libksud_magic.so OK

2025-06-11 10:31:57 Analyzing lib/arm64-v8a/libandroidx.graphics.path.so OK

2025-06-11 10:31:57 Analyzing lib/arm64-v8a/libkernelsu.so OK

2025-06-11 10:31:57 Reading Code Signing Certificate OK

2025-06-11 10:31:57 Running APKiD 2.1.5 OK

2025-06-11 10:32:02 Detecting Trackers OK

2025-06-11 10:32:03 Decompiling APK to Java with JADX OK

2025-06-11 10:32:22 Converting DEX to Smali OK

2025-06-11 10:32:22 Code Analysis Started on - java_source OK

2025-06-11 10:32:23 Android SBOM Analysis Completed OK

2025-06-11 10:32:28 Android SAST Completed OK


2025-06-11 10:32:28 Android API Analysis Started OK

2025-06-11 10:32:30 Android API Analysis Completed OK

2025-06-11 10:32:31 Android Permission Mapping Started OK

2025-06-11 10:32:33 Android Permission Mapping Completed OK

2025-06-11 10:32:33 Android Behaviour Analysis Started OK

2025-06-11 10:32:37 Android Behaviour Analysis Completed OK

2025-06-11 10:32:37 Extracting Emails and URLs from Source Code OK

2025-06-11 10:32:39 Email and URL Extraction Completed OK

2025-06-11 10:32:39 Extracting String data from APK OK

2025-06-11 10:32:39 Extracting String data from SO OK

2025-06-11 10:32:39 Extracting String data from Code OK

2025-06-11 10:32:39 Extracting String values and entropies from Code OK


2025-06-11 10:32:40 Performing Malware check on extracted domains OK

2025-06-11 10:32:41 Saving to Database OK

Report Generated by - MobSF v4.3.3


Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of
performing static and dynamic analysis.

© 2025 Mobile Security Framework - MobSF | Ajin Abraham | OpenSecurity.