Android’s adb shell provides powerful debugging capabilities, but its interaction with symbolic links inside /sdcard/Android/data/ poses hidden risks. This paper analyzes a novel attack vector in which a malicious or repurposed privileged API (here named moeshizukuprivilegedapi) leverages a crafted startsh link inside storage/emulated/0/Android/data/ to escalate from ADB shell permissions to access protected app data directories. We demonstrate how a simple sh script executed via this link breaks Android’s scoped storage model, and we propose forensic detection methods.
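As an added example of the forensic detection the abstract proposes (not code from the paper), the following POSIX shell script walks an Android/data tree and reports every symbolic link whose resolved target lies outside that tree, which is the property a link abused to reach another package’s private data directory would have. The directory layout, package names and file contents are constructed for the demonstration; in an investigation you would point `find_escaping_symlinks` at an extracted copy of storage/emulated/0/Android/data/.

```shell
#!/bin/sh
# Added example: detect symlinks under an Android/data tree that resolve
# to a location outside the tree (possible scoped-storage escape).

# Print each symlink under $1 that resolves outside $1 as "link -> target".
find_escaping_symlinks() {
    root=$(cd "$1" && pwd -P) || return 1        # canonical path of the tree
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || target=""   # fully resolve the link
        case "$target" in
            "$root"/*) ;;                             # stays inside Android/data
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Build a constructed sample tree in a temp dir: one benign relative symlink
# inside the package directory and one link pointing at another package's
# private data directory. Prints the temp dir path.
build_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/data/com.example.victim/files" \
             "$tmp/sdcard/Android/data/com.example.helper/files"
    echo constructed-secret > "$tmp/data/com.example.victim/files/token.txt"
    ln -s files "$tmp/sdcard/Android/data/com.example.helper/cache"        # benign
    ln -s "$tmp/data/com.example.victim" \
          "$tmp/sdcard/Android/data/com.example.helper/start"              # escapes
    printf '%s\n' "$tmp"
}

# Return the number of escaping links found in the constructed tree.
count_escaping() {
    tmp=$(build_sample_tree)
    find_escaping_symlinks "$tmp/sdcard/Android/data" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

count_escaping   # prints 1: only the "start" link leaves the tree
```

Only links that resolve outside the canonical root are flagged, so ordinary relative links within a package directory (like the constructed `cache -> files`) do not produce noise.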