Anyone know how to hide them from keep getting detected

Understanding the Complexity of Mobile Device Detection and Rooting

We operate in an ecosystem where mobile applications, particularly financial and streaming services, are increasingly aggressive in their detection methods. The user query, “Anyone know how to hide them from keep getting detected,” is a common inquiry within the rooting community. It typically refers to the struggle of maintaining root access on an Android device while simultaneously using applications that refuse to run on a compromised system environment. We understand the frustration involved when standard banking applications, Google Pay, or high-end games like Pokémon GO detect root privileges and deny service. This article serves as a comprehensive technical guide to navigating these detection mechanisms, specifically focusing on the Magisk environment and the configuration of Magisk Modules designed for stealth.

The core of the issue lies in the fact that traditional rooting methods modified the system partition, leaving clear footprints that applications could easily scan. When an application detects a trace of root, such as the su binary or specific system files, it triggers a safety net response. Our goal is to eliminate these footprints entirely or mask them so effectively that the device appears unmodified to the end-user application. This requires a multi-layered approach involving kernel-level hiding, system property modification, and careful management of installed modules. We will explore how to configure your device using the Magisk Module Repository available at Magisk Modules to achieve the highest level of concealment.

We must emphasize that the landscape of detection is a constant cat-and-mouse game. As developers of banking apps and games update their detection algorithms, the tools we use must also evolve. Therefore, the strategies outlined below are current best practices, but they require vigilance and regular maintenance. We will cover the essential modules, the configuration of the MagiskHide list, and advanced techniques for hiding the Magisk app itself. Our objective is to provide a robust defense against detection that allows users to enjoy the benefits of root access without sacrificing the functionality of critical applications.

The Mechanisms of Root Detection

To effectively hide root, we must first understand how applications detect it. Detection is not a single process but a series of checks performed at different levels of the operating system. We categorize these checks into three primary areas: binary detection, system property checks, and behavioral analysis.

Binary and File System Checks

The most basic form of detection involves scanning the device’s file system for known root-related files. Applications look for the presence of the su binary, which is the standard Unix utility for switching to the superuser account. They typically check common directories where this binary is usually located, such as /system/bin/, /system/xbin/, /vendor/bin/, and /sbin/. Additionally, they look for the Magisk manager application package name and specific Magisk files, such as .magisk and magisk-hide logs.

Furthermore, detection scripts often check for the existence of specific directories associated with root management tools. For instance, the presence of a /sbin/.magisk directory is a dead giveaway. When an app scans the file system and finds these artifacts, it immediately flags the device as compromised. We counter this by ensuring that Magisk mounts its files systemlessly, meaning they are injected into the boot image rather than written to the actual system partition. However, legacy detection methods may still attempt to access these paths directly.

System Property and Build Fingerprint Checks

Advanced detection mechanisms analyze system properties. Apps read the ro.build.fingerprint and ro.build.tags properties to verify the integrity of the device’s software stack. If the device is running a custom ROM or a modified stock ROM, these properties often differ from the official manufacturer’s values. For example, a device with Magisk installed might have a user build tag instead of release-keys, or the fingerprint might not match the official OTA update string.

Moreover, apps check for the presence of specific packages related to root management. They query the package manager to see if applications like SuperSU, KingRoot, or even the Magisk Manager are installed. Even if the app is hidden, the package name might still be present in the system database, triggering a detection flag. We must modify these build properties to match the official stock values and ensure that root management apps are not visible to the package manager queries.

Root Traces in the Process List and Network Traffic

Some applications monitor the running processes for signs of root tools. They scan the /proc directory or use the ps command to look for processes like su, magiskd, or busybox. If any of these are detected running in the background, the app terminates or blocks access.

Additionally, some enterprise security solutions and games analyze network traffic or specific system calls. They may attempt to execute a harmless command via su to see if the prompt appears or if the command executes successfully without error. This is known as a “su check.” If the app can execute a superuser command, it knows root is active. We must ensure that MagiskHide (or the equivalent systemless module) is strictly blocking these apps from accessing the su binary.

Core Strategy: The MagiskHide vs. Shamiko Paradigm

The primary tool for hiding root is Magisk itself, specifically the “MagiskHide” feature. However, the standard MagiskHide is not always sufficient because the Magisk Manager app itself can be detected. When an app scans for installed packages, it may find com.topjohnwu.magisk. To counter this, we utilize advanced modules that hide the Magisk Manager app and further obscure the root environment.

Configuring Standard MagiskHide

MagiskHide is a built-in feature (in older versions; in newer versions, it is handled differently) that works by unmounting the Magisk mount points for specific processes. When you add an app to the MagiskHide list, Magisk ensures that when that app is launched, it does not see the modified system files or the Magisk binaries.

To configure this effectively:

1. Open the Magisk Manager app.
2. Navigate to Settings and ensure MagiskHide is enabled.
3. Go to the MagiskHide section in the main menu.
4. Select the applications you wish to hide root from. This typically includes banking apps (e.g., Chase, Bank of America), payment apps (Google Pay, Samsung Pay), and games (Pokémon GO, Mario Kart Tour).

We recommend hiding root from as many apps as possible to prevent side-channel detection. However, be cautious not to hide Magisk Manager itself from the list, as this can cause issues with managing modules. Instead, we use specific modules to hide the manager app.

The Role of Shamiko (The successor to MagiskHide)

With the evolution of Magisk, the traditional MagiskHide was deprecated in favor of the Zygisk module. Zygisk runs inside the Zygote process, which is the parent process for all Android apps. This allows Magisk to inject code into apps before they start, enabling a more robust hiding mechanism.

However, Zygisk alone does not provide the same granular hiding as the old MagiskHide. To regain and enhance this functionality, we rely on Shamiko. Shamiko is a module designed to work with Zygisk to provide MagiskHide-like functionality, but with greater stealth. It hides the Magisk binary, the Magisk app, and prevents apps from detecting that Zygisk is even running.

To use Shamiko:

1. Download the Shamiko module from a trusted source (often the official Magisk GitHub releases or community repositories).
2. Install it via the Magisk Manager.
3. Enable Zygisk in Magisk Settings.
4. Configure the deny list (which functions as the hide list).

Shamiko is superior because it hides the fact that Zygisk is active. Standard Zygisk detection methods used by apps to see if the Zygote process is modified will fail. We consider Shamiko an essential module for anyone serious about avoiding detection.

Essential Magisk Modules for Evasion

While Magisk provides the foundation, the ecosystem of third-party modules provides the specialized tools necessary to defeat specific detection vectors. We have curated a list of essential modules available through the Magisk Module Repository at Magisk Modules. These modules work together to build a nearly invisible root environment.

Universal SafetyNet Fix

The Universal SafetyNet Fix module is critical for passing Google’s SafetyNet Integrity API. This API checks the device’s certification status. Uncertified devices (which most rooted devices are) fail this check, causing apps that rely on it (like Google Pay) to stop working.

This module works by spoofing the device’s hardware attestation. It modifies the ctsProfile and basicIntegrity flags returned by Google’s servers. It does this by leveraging a flaw in how some devices handle attestation or by dynamically patching the response.

• How to use it: Install the module via the Magisk Manager.
• Configuration: Ensure MagiskHide or Zygisk is enabled. The module usually requires no manual configuration, but it must be updated regularly as Google patches the attestation vulnerability.

Play Integrity Fix (The Successor to SafetyNet Fix)

Google has moved from SafetyNet to Play Integrity API. The old SafetyNet Fix may not work for newer apps that use the Play Integrity API. The Play Integrity Fix module is the modern solution. It targets the Play Integrity API specifically, ensuring that the device passes the integrity checks required by the Play Store and sensitive apps.

This module often requires additional configuration, such as selecting the correct device fingerprint to spoof. It may also require the installation of specific libraries (like the liboemcrypto.so library) if the app uses hardware-backed DRM.

• Why it’s necessary: Many banking apps now exclusively use Play Integrity. Failing this check results in an immediate block.
• Installation: Available in the Magisk Module Repository. Always check the module description for specific requirements regarding your device architecture (ARM, ARM64, x86, etc.).

Hide My Applist

Hide My Applist is a specialized module designed to prevent apps from detecting the presence of other installed apps. Many root detection tools query the package manager to see if Magisk Manager, SuperSU, or other root-related apps are installed. Even if you hide the app icon, the package remains installed.

This module acts as a filter for the package manager. It intercepts queries from specific apps (those you define in the configuration) and returns a sanitized list of installed applications, excluding the ones you want to hide.

• Configuration: After installing, you need to configure the template. You create a “template” that lists the apps you want to hide (e.g., Magisk Manager) and apply this template to the target apps (e.g., your banking app).
• Effectiveness: This is highly effective against apps that perform deep system scans. It is a companion tool to Shamiko, providing an extra layer of protection against application-level detection.

Advanced Charging Control and BusyBox

While not strictly evasion modules, BusyBox and Advanced Charging Control (ACC) are foundational to a stable rooted environment. Detection often occurs when a system lacks standard binaries or behaves erratically.

• BusyBox: Ensures that standard Unix utilities are available in the system. Many detection scripts rely on these utilities to parse data. Having a proper BusyBox installation prevents these scripts from crashing or producing errors that might flag the device.
• ACC: This module manages charging limits and health. While unrelated to detection, a stable system is less likely to expose anomalies. We recommend installing a stable BusyBox version (like the one by osm0sis) to ensure system consistency.

Advanced Techniques: Kernel-Level Hiding and Systemless Hosts

Beyond modules, we must consider kernel-level detection. Some apps use kernel-based root detection methods that inspect the kernel memory or specific driver states. These methods can bypass userspace hiding tools like MagiskHide. To combat this, we utilize specific techniques that modify how the kernel interacts with the system.

The Systemless Hosts Module

One of the most overlooked aspects of root detection is the hosts file. Standard root methods often modify the /system/etc/hosts file to block ads or trackers. However, modifying this file is detectable because the file’s hash changes, or the app can simply read the file and see that it points to 127.0.0.1 for domains that should not be blocked.

Magisk provides a Systemless Hosts module. This module creates a virtual hosts file that overlays the system one without actually modifying the system partition. However, for this to work effectively, you must disable any other ad-blocking method (like AdAway directly modifying the system) and ensure the Magisk module is active.

• Impact on Detection: Some apps check if the hosts file has been tampered with to see if ad-blocking servers are being intercepted. By using the systemless method, the file system remains pristine, leaving no trace of modification.

Shifting to Zygisk and DenyList

In modern Magisk versions (v24+), the “MagiskHide” option was removed in favor of Zygisk. Zygisk runs in the Zygote process, allowing for earlier and deeper injection. To hide root effectively in this environment:

1. Go to Magisk Settings and enable Zygisk.
2. Go to Configure DenyList.
3. Select the apps you want to hide from. Check both the app itself and its “system” processes if available (though Magisk handles this automatically).

Critical Note: When using Zygisk, you must hide the Magisk app itself. Go to Magisk Settings -> Hide the Magisk App. This changes the app’s package name from com.topjohnwu.magisk to a random package (e.g., com.jv.ov.qz). This is the first step in evading package-based detection.

Managing Riru and LSPosed (Legacy vs. Modern)

For older devices or specific modules, Riru and LSPosed were standard frameworks. While Zygisk has largely replaced Riru, some modules still rely on the Riru core. If you are using an older device (Android 10 or below), you might need to install Riru and LSPosed.

• LSPosed: This is a framework for Xposed modules. It allows for fine-grained modifications of the system UI and behavior. However, it is detectable if not hidden properly.
• Hiding LSPosed: You must ensure that the LSPosed manager app is hidden using the Hide My Applist module. Furthermore, the LSPosed framework itself (which runs as a system service) can be detected. Advanced users can use specific Xposed modules designed to hide LSPosed from detection.

Troubleshooting Common Detection Issues

Even with the best configuration, detection can occur. We recommend a systematic approach to troubleshooting when an app refuses to run.

Clearing Data and Cache

Before launching an app after configuring Magisk, always clear the app’s data and cache. Detection apps often store the initial state of the device. If you have just installed Shamiko or the Play Integrity Fix, the app might be holding onto cached data that indicates root.

• Procedure: Go to Settings -> Apps -> [Target App] -> Storage -> Clear Data and Clear Cache. Launch the app immediately after. This forces the app to perform a fresh integrity check.

Checking Magisk Log and Detection Vectors

If an app detects root, check the Magisk logs.

1. Open Magisk Manager.
2. Tap the Logs button.
3. Look for entries related to the target app. If you see “denied” or “access” messages, it indicates that the app tried to access the su binary or a Magisk file. This suggests that the app is not fully hidden in the DenyList.

Additionally, use apps like YASNAC (Yet Another SafetyNet Attestation Checker) to verify if your device passes the basic integrity and CTS profile checks. If YASNAC fails, your Play Integrity Fix module is likely not configured correctly, or Zygisk is not active.

Bootloader and OEM Unlock

While not a software solution, we must address the hardware state. Many detection systems check the bootloader status. If the bootloader is unlocked, the device is flagged as insecure.

• The Reality: Magisk generally cannot hide an unlocked bootloader from the kernel level. However, for most banking apps, passing the Play Integrity check (which requires a valid fingerprint) is sufficient, even with an unlocked bootloader.
• Warning: Some high-security apps (e.g., corporate VPNs, specific government apps) may check the bootloader status via the fastboot partition or the ro.boot.verifiedbootstate property. In these cases, a locked bootloader is required, which usually prevents rooting entirely. For the vast majority of users, focusing on Play Integrity is the correct path.

Maintaining a Low Profile

To maintain a long-term successful hiding strategy, we must adopt best practices regarding updates and module management.

Selective Module Installation

We advise against installing every module available. Every additional module increases the complexity of the system and the surface area for detection. Only install modules that are absolutely necessary for your workflow. Before installing a new module, check the Magisk Module Repository documentation to ensure it is compatible with the latest Magisk version and does not interfere with existing hiding modules.

Updating Magisk and Modules Safely

Magisk updates often change the underlying mechanism of how rooting works. Updating Magisk can break Shamiko or other modules that rely on specific hooks.

• Best Practice: Wait a few days after a Magisk update to update your modules. Read the release notes. If Magisk updates the DenyList structure, you may need to reconfigure your hidden apps.
• Canary vs. Stable: Advanced users often switch to “Canary” builds of Magisk to get the latest features and fixes. However, Canary builds are less stable. If you rely on your device for critical tasks, stick to the stable release or the “Zygisk” release candidates.

Handling App Updates

App developers constantly update their detection algorithms. If an app that previously worked suddenly detects root, it is likely the app updated its detection library.

• Response: Immediately clear the app data (as described above). If that fails, check for updates to your modules (Play Integrity Fix, Hide My Applist). The community (XDA Developers, Reddit) usually reacts quickly to these changes