Android Kernel X64 Ev.sys Review

static void __exit ev_exit(void) { printk(KERN_INFO "ev: module unloaded\n"); }

“A data hoarder,” Linus muttered. “You’re not stealing it. You’re saving it.”

The file referred to as (often associated with aow_drv_x64_ev.sys) is a system driver component used by certain third-party Android emulators on Windows, most notably SmartGaGa and GameLoop (Tencent Gaming Buddy).

He checked the manifest’s creation date again. 2038. The Year 2038 problem—the Unix timestamp overflow. Someone had built a kernel rootkit that expected the 32-bit time_t to wrap to zero. That’s when ev.sys would wake fully. That’s when the data hoard would become an auction.

He wrote a small eBPF probe to log every time ev.sys accessed the network stack. Silence. No outbound connections. Ever. Then he wrote a probe for the storage driver. Every 47 minutes, ev.sys would wake, read the last 16KB of logcat, compress it, and append it to the hidden volume. No exfiltration. No C2. Just observation.