| Type | Artifact | Why it is suspicious and how to detect it | Confidence |
|---|---|---|---|
| FILE_PATH | /proc/self/mem | Access to /proc/self/mem is suspicious when initiated by untrusted applications or non-system processes attempting to read or write kernel memory space without proper SELinux contexts, particularly when combined with capability-escalation syscalls (capset, prctl) or execution of unsigned kernel modules. Legitimate use is restricted to debuggers (gdb, strace) running with explicit user permission and proper ptrace capabilities, whereas exploitation attempts typically bypass permission checks through memory-mapping techniques or kernel race conditions without any user interaction. | medium |
| FILE_PATH | /dev/kgsl-3d0 | Suspicious when accessed by unprivileged processes without GPU driver initialization, or when followed by capability-escalation syscalls (prctl, execve with elevated privileges). Legitimate use occurs only during GPU driver setup by system services (surfaceflinger, hwcomposer) or by graphics applications with proper file-descriptor inheritance, whereas exploitation attempts typically show direct device-node access from user-space exploits, or memory-mapping operations followed by ioctl calls attempting to trigger out-of-bounds writes in kernel memory. | medium |
| FILE_PATH | /dev/qseecom | Suspicious when unprivileged processes or third-party applications attempt direct ioctl calls to /dev/qseecom without a corresponding qseecomd daemon initialization, or when the device is accessed outside the TEE communication stack. Legitimate use is restricted to system daemons (qseecomd, hwcomposer, vendor.qti.hardware.perf) running with CAP_SYS_ADMIN that communicate through authenticated kernel-module handlers, whereas exploitation attempts originate from user-space apps, shell contexts, or processes without a proper SELinux domain transition to qseecom_device. Detection should flag open() or ioctl() syscalls to this device node from non-whitelisted processes, a missing qseecomd ancestry in the parent-process chain, or direct device manipulation without intermediate kernel TEE driver validation. | medium |
| FILE_PATH | /data/local/tmp/*.so | Suspicious when .so files are written to /data/local/tmp/ by non-system processes and subsequently loaded via dlopen() or LD_PRELOAD, as this world-writable directory is not used by legitimate Android applications for library staging; legitimate shared libraries are packaged within APKs or installed to system-protected directories (/system/lib*, /vendor/lib*). Detection should trigger on file creation in this path followed by process execution with environment variables or syscalls indicating dynamic library loading, particularly when the loading process lacks proper signature verification or runs with elevated privileges. | medium |
| FILE_PATH | /data/local/tmp/poc | Suspicious when a non-system process writes executable files to /data/local/tmp/poc and subsequently executes them with elevated privileges, as legitimate applications do not stage kernel-exploit binaries in this world-writable directory. Look for file-creation events followed by execve() calls with uid/gid changes or SELinux policy violations in kernel logs; this differs from normal app behavior, where /data/local/tmp is used only for temporary caches that are never directly executed. | medium |
| FILE_PATH | /system/bin/su | Presence of an su binary at /system/bin/su is suspicious when spawned by unprivileged processes or non-interactive system daemons, as legitimate su access on Android is restricted to authorized applications and typically requires explicit user interaction. Detection should flag execution without a corresponding user-consent prompt, unexpected parent processes, or su invocations from third-party applications in logs and EDR tools, distinguishing these from legitimate privileged operations initiated through Android's official permission framework. | medium |
| FILE_PATH | /sbin/su | Root binary installation path indicating a successful Android kernel privilege escalation. | medium |
| FILE_PATH | /data/local/tmp/libexploit.so | Suspicious when found in /data/local/tmp/, because world-writable staging directories are used to bypass the SELinux restrictions and signature verification that would block loading from system paths, allowing unprivileged processes to dynamically load and execute kernel-exploitation payloads. Legitimate shared libraries are always installed in /system/lib64/, /vendor/lib64/, or app-specific directories with enforced SELinux contexts and certificate chains, never in world-writable temporary locations. Detection should focus on libexploit.so being written by non-system processes, followed by dlopen() calls from unprivileged processes, absence of a valid signature chain, and SELinux policy violations on attempts to load from /data/local/tmp/. | medium |
| FILE_PATH | /proc/kallsyms | Reading /proc/kallsyms from unprivileged processes or non-standard applications (e.g., third-party apps, scripts, or processes without a kernel-development context) is suspicious, because legitimate access is restricted to privileged debugging tools and kernel developers, whereas exploit chains targeting CVE-2026-21385 enumerate this file to bypass KASLR and locate kernel function addresses for privilege escalation. Look for EDR alerts on reads of /proc/kallsyms originating from user-space processes, mobile apps, or unusual parent processes, combined with subsequent attempts to write to kernel memory or execute code at elevated privileges. | medium |
| FILE_PATH | /proc/iomem | Access to /proc/iomem by unprivileged processes is suspicious because it enables reconnaissance of the physical memory layout required for kernel exploitation. Legitimate access is restricted to privileged system utilities (e.g., kdump, systemd-boot) during boot or diagnostics, whereas CVE-2026-21385 exploitation typically involves user-space processes reading this file prior to privilege-escalation attempts. This is detectable via EDR monitoring for non-root processes opening /proc/iomem followed by syscalls associated with memory mapping or capability escalation (capset, prctl), especially when originating from writable directories (/tmp, Downloads) or spawned by interpreters (python, perl, bash). | medium |
| FILE_PATH | /dev/ion | Access to /dev/ion is suspicious when initiated by unprivileged processes, non-system applications, or processes spawning unexpected child processes that issue ioctl calls, as legitimate use is restricted to system services and hardware-accelerated media frameworks. Look for CVE-2026-21385 exploitation attempts via abnormal ioctl commands (ION_IOC_ALLOC, ION_IOC_FREE) from userland processes, unusual heap-allocation patterns, or failed privilege-escalation attempts followed by elevated code execution; this differs from the normal access pattern of system daemons (mediaserver, hwcomposer) performing routine memory allocation through expected kernel interfaces. | medium |
| FILE_PATH | /sys/kernel/debug/ion | ION debugfs path that may be accessed during heap grooming for kernel-exploit staging. | medium |
| REGISTRY_KEY | N/A: Android/Linux kernel exploit; no Windows registry keys applicable | This CVE affects Android/Linux on Qualcomm hardware; registry keys are not a relevant artifact. | medium |
| FILE_PATH | /data/data/<malicious_app_package>/lib/libpwn.so | Native library of a malicious application executing the kernel-exploit payload, delivered via a side-loaded or trojanized APK. | medium |
| FILE_PATH | /proc/self/status | Suspicious when accessed by unprivileged processes running exploitation code that repeatedly reads /proc/self/status to verify a UID transition from non-zero to uid=0. This differs from legitimate system-monitoring tools, which typically query this file once per sampling interval rather than in tight loops following suspicious syscalls such as ioctl calls to Qualcomm kernel drivers. Detection should focus on sequences of rapid /proc/self/status reads preceded by calls into the driver vulnerable to CVE-2026-21385, or followed by privilege-level execution changes within the same process context. | medium |
| FILE_PATH | /data/local/tmp/kpatch | A binary artifact created in this world-writable directory by an unprivileged process following CVE-2026-21385 kernel-exploit execution is suspicious because /data/local/tmp should never host kernel patches; legitimate patching occurs exclusively via signed OTA updates or MDM deployment. In EDR/logs, detect this by correlating file writes to /data/local/tmp/kpatch from processes lacking system certificates with subsequent process-creation events executing kpatch under the root uid. Legitimate kernel tools are never ad-hoc staged or executed from temporary directories by user-space daemons or unprivileged processes. | medium |