Abstract

With more and more mitigations on the Android system, such as SELinux improvements and sanitizers, finding attack surface in Android has become more difficult and usually needs new inspiration. This talk reveals some new attack surfaces that lie beneath touchable hidden interfaces and range from the original Android system to manufacturers' ROMs. At the Android application level, we find FOTA and "LocalSocket" vulnerabilities that can be used to elevate privilege easily. At the Android system level, we present a new attack surface in the implementation of data transmission from Android system services to the HAL, with a tricky trigger path that uses a crafted "fake Binder service". This talk makes these defects public, gives details about how to trigger these problems, shows attack demos, and sums up the vulnerabilities found.

Slides