Senior Security Researcher @Microsoft | Android Security Obsessed | Pwn2Own 2025 | Side projects → github.com/Ch0pin

Dalvik
Triaging a vulnerability...
5
31
458
22,933
Bypassing root detection and certificate pinning using github.com/Ch0pin/medusa anti_debug and unpinner modules @Einstais @mobilesecurity_
5
150
373
There are countless tutorials, blog posts, and workshops on how to exploit a vulnerability. What’s missing is the thought process — how you approach a target, form hypotheses, and ultimately discover a bug. That mindset can’t be fully taught; you have to develop it yourself ;)
4
20
239
13,218
!Brilliant! post by Quarkslab on fuzzing Android Native libraries using Afl++'s Frida mode: blog.quarkslab.com/android-g…
1
53
221
19,456
Gave up my weekends to prep for Pwn2Own — totally worth it! Together with the legend @Yogehi, we won the Remote/Mobile category, achieving code execution via a chain of 5 vulnerabilities. Grateful we found it before the bad guys did 😉
It's confirmed! Ken Gannon / 伊藤 剣 (@yogehi) of Mobile Hacking Lab, and Dimitrios Valsamaras (@Ch0pin) of Summoning Team (@SummoningTeam) used five different bugs to exploit the #Samsung Galaxy S25. They earn $50,000 and 5 Master of Pwn points. #Pwn2Own
8
11
148
15,528
The level of ignorance in mobile pentesting is reaching alarming levels.
9
6
139
16,801
❌ Wrong: “Victim must install a malicious app” ✅ Right: “Any 3rd-party app can exploit it” Legit apps (e.g. Chrome) can be abused as gadgets, turning complex bugs into 1-click exploits. No excuse to leave it unfixed. ndevtk.github.io/writeups/20…
29
144
12,179
(CVE-2022-47757) Two clicks to RCE for more than 1B users: cve.mitre.org/cgi-bin/cvenam…
3
17
117
16,780
1
16
114
9,104
Android IPC: Part 1 – Introduction blog.hacktivesecurity.com/in… Android IPC: Part 2 – Binder and Service Manager Perspective blog.hacktivesecurity.com/in…
23
87
8,887
Medusa 1.2.4 is out 🪼🪼: github.com/Ch0pin/medusa/rel… + Add or remove modules while on active frida session + Support for nuclei templates scan + Highlight interesting intent extras (urls, deeplinks..) + memscan can now "attach" to a running process + hook by pid + 2 Cool scripts
25
81
9,242
Heap concepts for humans: Basic concepts I: lnkd.in/d3feDwVp Basic concepts II: lnkd.in/dUJctaBA Overflows: lnkd.in/dFacMGAB Use After Free & Double Free: lnkd.in/dpYqUytN
29
78
CVE-2025-29805: My latest contribution involved discovering a vulnerability in Outlook for Android that could have allowed attackers to read and write sensitive user data. msrc.microsoft.com/update-gu…
1
14
76
5,482
A bundle of useful presentations regarding Android Application Security medium.com/@valsamaras/andro…
20
63
4,661
Tracing JNI methods can be a pain in the ass when they are statically linked. Here is an easy way to deal with them valsamaras.medium.com/tracin…
18
70
6,463
valsamaras.medium.com/fuzzin… I guess you should read this first valsamaras.medium.com/creati… , but I am leaving it up to you
19
60
5,662
4 more great modules are available in github.com/Ch0pin/medusa: file_class.med, file_init.med, file_write.med, context[.]med, highlighting file operations and risky calls (createPackageContext, grantUriPermission).
1
7
61
8,233
How to find XSS in webviews: medusa> use webviews/hook_webviews Plus: get the js interfaces, web settings github.com/Ch0pin/medusa
7
56
4,948
apkutils is the apk/manifest parser of github.com/Ch0pin/medusa: @mobilesecurity_ @androidmalware2 find / trigger Activities, Services, providers, receivers, Deep links, parse the Strings.xml, find hardcoded URLs/keys, patch the debug flag....
2
21
53
Morning coffee with friends and family 😌
2
1
44
3,085
Accessing Android's Shared Storage:
5
44
2,786
Check out Medusa's Flutter Certificate Pinning bypass modules: verify_cert_chain_bypass_v7a.med verify_cert_chain_bypass_v8a.med verify_cert_chain_bypass_x86_64.med Working on a relevant manual bypass tutorial: @mobilesecurity_ @Einstais :) github.com/Ch0pin/medusa
19
46
Medusa is expanding to iOS ⏳⏳
2
5
41
3,197
Android pen test: Set up a lab step by step !!! 👇👇👇 Folks :) Stop writing tutorials on how to set up an android pen test lab. There are countless out there 🙂 Can we finally move to the actual pen test guide ?
5
43
3,348
Surviving the external storage changes in Android (Part 1):
9
41
3,845
With github.com/Ch0pin/medusa you can now hook all the methods of a class and use distinct colors to avoid confusion: medusa> hook -a com..foo.bar.a --color (Red) medusa> hook -a com..foo.bar.b --color (Green)
1
10
41
4,960
Read about a common FileProvider vulnerability pattern affecting billions of users, exemplified by the Xiaomi File Manager case (CVE-2023-26321). The flaw was found to enable arbitrary code execution by manipulating critical files within the app's home dir microsoft.com/en-us/security…
1
11
41
4,653
I wouldn't suggest to initialise the wrapper class and method id in fuzz_one_input :))), but still it's a great guide blog.quarkslab.com/android-g…
2
4
40
3,316
Turns out there are some amazing mobile security engineers out there (not too many though). @iamsalimabdella is one of them—kudos for solving the ‘Insider’! 👏 github.com/Ch0pin/uncrackabl…
6
36
2,896
My latest contribution (CVE-2022-36928): Zoom for Android clients before version 5.13.0 contain a path traversal vulnerability. A third party app could exploit this vulnerability to read and write to the Zoom application data directory. explore.zoom.us/en/trust/sec…
1
2
37
5,851
🪼 Medusa 3.0.0 is out! 🪼 Dynamic module config, clearer class hooking output, and new modules for Medusa. Mango gets TruffleHog integration for secret scanning & Firebase key exposure analysis. Details: github.com/Ch0pin/medusa/rel…
1
8
34
5,002
medusa> memops is a memory inspection tool, part of Medusa's toolset. It supports read (offset) / find (string, byte array) / write / dump operations during runtime on any given process: github.com/Ch0pin/medusa
6
33
My second acceptance for this year: Android Universal Overlays (CVE-2020-0416) describes a GUI confusion attack similar to 'Cloak and Dagger' but without the need for the SAW permission: insomnihack.ch/talks-2023/ See you in Lausanne, Switzerland
2
5
31
3,245
The latest medusa 'hook a class' improvement simply rocks !!
1
1
29
2,163
🥹
2
5
32
3,012
Monitoring intents with MEDUSA: @B3nac @mobilesecurity_ @Einstais
1
9
31
Finding the implementation of native calls when an app is using static linking (RegisterNatives) can be "painful". The "lazy" way to find them more easily is described below: valsamaras.medium.com/tracin…
3
31
12,663
Repeat after me: pen testing mobile web APIs is not mobile pen testing, it is web pen testing :)
1
1
30
2,307
Can you 👀👀 the vulnerability ??? If you do, then you can probably solve this github.com/Ch0pin/uncrackabl… and get your name in the HoF... No solutions here pls, only DMs
2
5
32
3,811
Judging by how most Android developers verify URLs, a solid android.net.Uri bypass could be the next big thing in app security 😬
1
32
1,890
Gave up some free time… but got Medusa rocking on iOS with Frida 17 🤘 Still missing a few things, but I’ll patch them up along the way
1
30
2,308
Medusa 🪼🪼 v1.1.0 is out 🎉🎉. You can now create sets of modules and save, restore or delete them with just a single command. Plus, many new modules and improvements.
5
29
3,350
spoiler alert: medusa will scan a process' memory for urls and check if they are blacklisted
1
2
29
8,982
Surviving the external storage changes in Android (Part 2): Shared Storage: The Media Store (owner - app access)
3
28
2,130
Here ;)
27
2,079
An excellent (and not only) intro about the java native interface: studentprojects.in/software-…
5
29
1,476
Can't resist posting a swag
25
2,037
What secrets your app leaks in its memory .... github.com/Ch0pin/medusa now supports nuclei templates to scan your app's memory for 'leaked' secrets 🪼🪼🪼 #Medusa
3
7
27
2,980
Here is a tip: (uri).getPathSegments() returns a list of path segments, in contrast to getLastPathSegment(), which returns a string. So getPathSegments().contains('com[.]foo') can be bypassed with a simple %2f
2
2
27
2,124
How long does it usually take you to get a general understanding of a device’s most interesting application? hm... about 60 seconds :)
2
2
25
1,730
Finally, an actual recording of what an Android app pentest looks like :) - you can tell by the fact that it does not talk about drozer and SSL pinning bypass. Kudos @LiveOverflow but most of all to @_bagipro
A while ago I was able to talk with @_bagipro about Android app bug hunting - specifically about his experience with the Google VRP program. He also shows us the coolest Android app vulnerability I have ever seen! piped.video/watch?v=nxlm7pIv…
2
25
3,266
Better keep a note on this: Always check if an app runs some kind of a web service and how it is used, as it can lead to some serious backdoor shit... http://DEVICE_IP:PORT/androidroot/..%2f..%2f..%2fsdcard%2fDCIM/Camera/
2
6
25
2,680
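As an added example that is not part of any of the posts above: a small Python model of the behaviour behind the getPathSegments() tip and of the ..%2f traversal URL in the last post. android_path_segments is a stand-in reimplementation of android.net.Uri.getPathSegments() (split the encoded path on '/', drop empty pieces, then percent-decode each piece; an assumption based on the AOSP source, so it runs off-device), and the denylist entry com.foo, the web root and every request path are constructed for the demonstration.

```python
from urllib.parse import unquote
import posixpath

# Stand-in for android.net.Uri.getPathSegments(): AOSP splits the *encoded*
# path on '/', drops empty pieces and percent-decodes each piece afterwards.
# (Reimplemented here as an assumption based on the AOSP source.)
def android_path_segments(encoded_path):
    return [unquote(seg) for seg in encoded_path.split("/") if seg]

# Stand-in for getLastPathSegment(): the decoded last segment, or None.
def android_last_path_segment(encoded_path):
    segs = android_path_segments(encoded_path)
    return segs[-1] if segs else None

BLOCKED_DIR = "com.foo"  # constructed denylist entry (the tip's 'com[.]foo')

# Vulnerable check: list membership on decoded segments. "com.foo%2fsecret"
# is ONE segment "com.foo/secret" after decoding, so the membership test
# never sees a segment equal to "com.foo" even though the filesystem will.
def vulnerable_is_blocked(encoded_path):
    return BLOCKED_DIR in android_path_segments(encoded_path)

# Hardened check: decode the whole path first, normalize '.', '..' and
# duplicate slashes, and only then look at the components that will actually
# be used on the filesystem. The same normalized string must be the one that
# is opened; checking one form and opening another reintroduces the gap.
def normalize_decoded(encoded_path):
    decoded = unquote(encoded_path)
    return posixpath.normpath("/" + decoded.lstrip("/"))

def hardened_is_blocked(encoded_path):
    segments = [s for s in normalize_decoded(encoded_path).split("/") if s]
    return BLOCKED_DIR in segments

# Traversal check for an on-device web service (the ..%2f case): decode, join
# to the served root, normalize, and require the result to stay under the root.
def resolves_inside_root(root, requested_encoded):
    root = posixpath.normpath(root)
    decoded = unquote(requested_encoded)
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    return full == root or full.startswith(root + "/")

if __name__ == "__main__":
    # constructed requests
    for p in ["/data/com.foo/secret", "/data/com.foo%2fsecret"]:
        print(p, android_path_segments(p),
              "vulnerable blocked:", vulnerable_is_blocked(p),
              "hardened blocked:", hardened_is_blocked(p))
    www = "/data/data/app/www"  # constructed web root
    for r in ["index.html", "..%2f..%2f..%2fsdcard%2fDCIM/Camera/"]:
        print(r, "inside root:", resolves_inside_root(www, r))
```

The first request is blocked by both checks; the second passes the segment-list check because the encoded slash survives splitting and only turns into a real separator once the segment is decoded and handed to the filesystem. The traversal helper shows the other half of the same mistake: a check performed on the encoded form (or on a different string than the one opened) lets "..%2f" walk out of the served directory.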
While vendors dismiss the risk of vulnerabilities that require a third-party app to exploit, considering such scenarios unlikely to occur in practice: Google Bans 158,000 Malicious Android App Developer Accounts in 2024 thehackernews.com/2025/01/go…
1
5
26
1,809
For the aspiring android malware hunters ... A day in the life :)
1
1
25
2,408