Android System Hardening Chronicles: In Search of a Configuration Resilient to Targeted Attacks

⚠️ Notice! This article is a work in progress. Updates and additions are made as new data becomes available regarding the resilience of new security configurations and hacker activity.
Last content update: 22.04.2026

This material is a direct supplement to the main article:
"System Hardening Chronicles: Seeking a Configuration Resilient to Targeted Attacks".
It describes the experience with Android mobile devices, which confirms and expands upon the conclusions drawn for desktop systems.

1. Introduction: Android as a Target of Targeted Attacks

1.1 Context

The attacking party is the same as in the main article: presumably a group with at least 20 years of experience in targeted attacks, possessing both technological and socio-technical methods.

This section documents an incident involving a mobile device that occurred before the start of systematic hardening of the desktop system. Nevertheless, the nature of the breach and the level of access gained by the attacker fully correspond to the attack model described in the main document.

1.2 The Role of Mobile Devices in the Attack

The analysis suggests that a compromised Android smartphone (tablet) can be used by the attacker as:

a means of persistent audio and video surveillance;
a channel for traffic leakage (including encrypted data before transmission);
a data collection point from Google accounts and other services.

At the same time, the standard factory configuration of Android (even with up-to-date security patches) does not provide resilience against a targeted adversary.

2. Description of Device 1 (Smartphone)

2.1. Description of Device 1 (Initial Configuration)

ZTE Blade A522 smartphone running Android 7.1.1 — a device that suffered a targeted attack resulting in full remote control — **ZTE Blade A522 (Android 7.1.1).** A device that suffered a targeted attack resulting in full remote control.

2.1.1 Device Specifications

Parameter	Value
Model	ZTE Blade A522
Purchase Date	April 2019
Condition at Purchase	New device, receiving security updates
Android Version	7.1.1
Kernel Version	3.18.31-perf
Baseband Version	P817E53B01
Build Number	GEN_CIS_A511_V1.0

2.1.2. Software Environment and Network Settings

Security Software: None installed.
Application Sources: Official Google Play only.
Google Account: Connected.
SIM Card: Installed.
Internet Access: Mobile network + Wi-Fi (router under user's control).

2.1.3. User Actions

The device was used as a primary smartphone without any additional security measures (bootloader lock, custom firmware, firewall, system-level permission control, etc.).

2.2. Detected Compromise

2.2.1. Date of Detection

April 2020 (approximately 12 months after initial use).

2.2.2. Capabilities Gained by the Attacker

As a result of remote access (without physical contact with the device), the attacker gained the following capabilities:

Audio Espionage
- Real-time interception of all phone calls.
- Persistent background activation of the microphone, even when no active call is in progress or the system dialer app is not running.
- Recording of ambient sound near the smartphone at any time.
Video Espionage
Full remote access to both front and rear cameras — the ability to view the video stream from any camera at any moment.
Network Traffic Interception
Complete capability to read all internet traffic from the device (including traffic from applications using HTTPS, either before application-level encryption or after decryption).

2.2.3. Commentary

The achieved level of access indicates the exploitation of one or more zero-day vulnerabilities in the kernel (3.18.31-perf), baseband firmware, or Android 7.1.1 components that were not closed by security updates. The level of control gained is equivalent to a full remote rootkit.

2.3. Status and Limitations of Further Investigation

⚠️ Physical Damage to the Device
Subsequently, the smartphone suffered physical damage, making further forensic investigation (firmware dumping, log analysis, identification of the attack vector and traces of the attacker's presence) impossible.

Thus, the exact method of intrusion and the exploited vulnerabilities remain unidentified. However, the very fact of gaining such extensive capabilities in the absence of any protective measures fully confirms the thesis of the main article:

The standard (factory) configuration of any device, whether desktop Linux or Android, is not resilient against a targeted attack by a professional group.

3. Device 2 (Tablet)

3.1. Description of Device 2 (Tablet)

Lenovo TB-8504X tablet running Android 8.1 — a device that suffered a targeted attack — **Lenovo TB-8504X (Android 8.1).** A device that suffered a targeted attack simultaneously with the ZTE Blade A522 smartphone.

3.1.1. Device Specifications

Parameter	Value
Model	Lenovo TB-8504X
Purchase Date	April 2019 (simultaneously with ZTE Blade A522 smartphone)
Android Version	8.1.0
Software Version	TB-8504X_RF01_170520
Build Number	TB-8504X_S001031_191204_ROW
Kernel Version	3.18.71
Baseband Version	S.JO.3.0-00448-8937_GENNS_PACK-1
Last Security Update	November 5, 2019

3.1.2. Initial State and Attack Detection

At the time of purchase, the tablet was in a new configuration and received security updates (the last being November 2019). No security measures (firewalls, antivirus software, permission controls) were installed.

The hacker attack was detected in April 2020 — simultaneously with the compromise of the ZTE Blade A522 smartphone.

3.1.3. Applied Security Measures (Current Configuration)

(Between 2021 and 2024, the device was not used, remained powered off, and was periodically charged to 90% battery. Investigation of the device hacking issue began in March 2025.)

NetGuard — application-level firewall (no root required).
Always-on VPN for NetGuard — enabled (local VPN service for traffic filtering).
Block connections without VPN — disabled.
- When this parameter was enabled, internet connectivity was completely absent, including for applications whitelisted in NetGuard.
Network Access Permissions:
- All system applications visible to NetGuard have internet access denied (190 applications blocked).
- Only 6 applications are allowed:
  - VpnDialogs (required for NetGuard operation)
  - Aurora Store (alternative Google Play client)
  - F-Droid (free software repository)
  - LibreTube (video streaming client)
  - Via (fast browser)
  - Shelter (application isolation — disabled, rarely enabled)
Google Account: Not added (previous account removed).
SIM Card: Installed, but no mobile data plan is active. The tablet uses only Wi-Fi.
Network Environment: The device does not leave the home premises (within Wi-Fi router range), connecting only through a trusted home network.

3.2. Current Attacker Capabilities (With NetGuard Configuration)

Despite the applied measures, the hacker retains the following capabilities:

Reading text files created and saved in the QuickEdit editor.
Reading AI conversations (ChatGPT, DeepSeek) in the authorized web version of the interface in the Fennec browser.
Reading messages in Lumia application chats.

3.3. Changes After Installing NetGuard

Before installing NetGuard, the attacker had the ability to remotely access the microphone and camera.
After installing NetGuard, there is no data indicating access to the camera or microphone.

Presumably, NetGuard blocked the network ports or services used for capturing multimedia streams; however, vulnerabilities that allow reading files and intercepting chat text remain unaddressed.

3.4. Research Status and Priorities

⚠️ Time Constraints and Priorities
Due to limited available time, the priority remains the investigation of the attack on the primary personal computer. Analysis of the attack on the tablet is of secondary importance.

Monitoring of hacker activity targeting the tablet continues. Upon obtaining new data, the configuration will be reviewed and security measures strengthened.

Last data update: April 23, 2026

↑ Back to top

System Hardening Chronicles: In Search of a Configuration Resilient to Targeted Attacks — A real-world chronicle of defending against a targeted attack: documenting vulnerabilities, configurations, responses, and system hardening. From zero security to the search for resilient configurations. A technical report covering hardware, OS, AppArmor, nftables, OpenSnitch, Flatpak, USBGuard. For cybersecurity and InfoSec professionals.

Analysis of the Presumed Targeted Complex Attack — Description of the presumed complex targeted attack.

Psychological Suppression via the Disbelief Effect — analysis of manipulation tactics and protective strategies.

Rigidity of Expectations in Threat Analysis — The problem of rigidity of expectations in cybersecurity threat analysis: why an experienced attacker acts in non-standard (non-obvious) ways.

From Science to Worldview: Logic as a Foundation Against Delusion — an essay on rationality, awareness, and the dangers of intuition without critical grounding.

Three Types of Intellect and Their Role in Personal Stability — an analytical essay on cognitive, ethical, and emotional intelligence as components of psychological resilience.

Information and Behavioral Hygiene for Working with a PC — a foundational practical guide to digital, behavioral, and informational hygiene for personal computer users.

The Dialectical Law and the Myth of “Intuitive Insight” — philosophical analysis of the nature of inspiration and critical thinking.

Laws of Resilience: An Essay on System Survival — This essay formulates the laws of system survival: the priority of technology and logistics over ideology, competence over cultural barriers, and management and efficiency over resources and showiness. A text about moving from illusions to the harsh discipline of results.