Duck Detector

Verified safe, Open source, Exclusive

AI summary

Security inspection tool that scans for root tampering, runtime hooks, mount manipulation, and virtualized environments using native C++ and arm64 assembly probes. Modular detector architecture with Jetpack Compose UI; mostly offline with optional online TEE revocation checks. Nightly APK build.

Generated by AI. May contain inaccuracies.

About this app

DuckDetector is an Android security inspection app focused on local, device-side evidence collection for root-related tampering, runtime hooking, mount manipulation, attestation trust, and virtualized execution environments.

The project combines a Jetpack Compose UI, modular Kotlin feature packages, and native C++ / assembly probes to surface detector cards with structured findings, method coverage, and scan-state summaries.

Highlights

- Modular detector architecture with feature-specific repositories, mappers, view models, and card UIs.
- Native startup preload through a transparent NativeActivity launcher for early mount and virtualization evidence collection.
- Native runtime probes implemented in C++ and arm64 assembly where timing, syscall, or mount visibility matters.
- Cross-process and isolated-process consistency checks for stronger runtime validation.
- Dashboard aggregation with per-detector status, top findings, loading states, and detailed drill-down cards.
- Mostly local, offline inspection. Network access is only used when the user allows online TEE revocation checks in Settings.

Detector Modules

The app includes these major detector areas:

- Bootloader

Checks bootloader unlock state and related security posture.

- Custom ROM

Checks ROM fingerprints, platform-file fallbacks, and ROM indicators.

- Dangerous Apps

Corroborates installed apps against known risky packages.

- Kernel Check

Looks for kernel build and runtime consistency signals.

- LSPosed

Checks for Java-side and native LSPosed or Xposed runtime evidence.

- Memory

Looks for runtime hook residue, suspicious mappings, and loader visibility.

- Mount

Inspects mount tables, mount consistency, startup preload findings, overlay signals, and namespace anomalies.

- Native Root

Checks native root-runtime traces, corroborated residue paths, and low-level system anomalies.

- Play Integrity Fix

Checks property spoofing and related runtime consistency signals.

- SELinux

Checks SELinux mode, policy, audit integrity, and context consistency.

- SU

Checks root binaries and runtime root-context indicators.

- System Properties

Checks property consistency, native snapshots, and raw property-area residue.

- TEE

Checks key attestation, certificate chain analysis, revocation, StrongBox, and RKP signals.

- Virtualization

Checks emulator, guest, translation, host-app, consistency, and honeypot evidence.

- Zygisk

Checks Zygisk state, FD traps, linker residue, and cross-process evidence.

Supporting areas like dashboard, settings, and deviceinfo provide aggregation, user controls, and device context.

License

Apache 2.0

What's new

v2026.05.24-94b223b03e00, May 24, 2026

Nightly APK build

About this version

Version: 2026.05.24-94b223b03e00 (449)
Size: 12.71 MB
Requires Android: 10
Target SDK: 29
Architecture: arm64-v8a, armeabi-v7a, x86, x86_64
Downloads: 78
Updated: May 24, 2026
Package: com.eltavine.duckdetector

Ratings & reviews

0 ratings