Hardwear.io Netherlands

Setresuid: EMFI Attacks on Android TV Security



Niek Timmers of Raelize demonstrates how electromagnetic fault injection corrupts Linux system calls to gain root on Android TV hardware.

Modern Android-based consumer devices integrate layered security controls once reserved for flagship smartphones, including verified boot, SELinux enforcement and trusted execution environments. These protections assume correct instruction execution at runtime, even under hostile physical conditions.

This work examines how electromagnetic fault injection undermines that assumption by corrupting CPU instruction flow on a high-performance MediaTek System-on-Chip running Android 14. By targeting the Linux setresuid system call, the research demonstrates privilege escalation from a constrained adb environment to root without exploiting software vulnerabilities. The findings challenge prevailing trust models for consumer Android platforms and illustrate how runtime attacks can bypass hardened software defenses on commercially deployed hardware.

In this session, led by Niek Timmers, co-founder of Raelize, you will learn:

  • Runtime security assumptions in Android and Linux environments;
  • Electromagnetic fault injection on GHz-class CPUs;
  • Limits of software-only defenses against physical attacks.
 

 

Here is the course outline:

Setresuid: Electromagnetic Fault Injection Against Android TV Security

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
