Description
Hello TrickyStore developers,
I encountered a critical issue where a security SDK (Garuda Defender v3.7.0) is able to bypass TrickyStore's TEE spoofing by sending abnormally large / malformed attestation challenges.
Instead of gracefully handling or rejecting these extreme challenges, keystore2 crashes, which the app catches and subsequently flags the environment as rooted (TEE issue (6)).
Environment:
Device: [Redmi K70 Ultra]
Android Version: [Android 16]
Root Solution: APatch [11142]
Modules: TrickyStore [1.4.1], NoHello
Steps to Reproduce:
Install TrickyStore and put the target app (com.kikyps.crackme) in the target scope.
Install the Garuda Defender Demo APK (attached below).
Open the app and wait for the scan.
The app will trigger TeeStressTestKey and OversizedCheckKey requests.
keystore2 daemon crashes, and the app displays Trusted Execution Environment issue (6).
Logs / Error Output:
E keystore2: system/security/keystore2/src/error.rs:183 - system/security/keystore2/src/security_level.rs:680
E keystore2: 0: system/security/keystore2/src/security_level.rs:630: While generating Key Some("TeeStressTestKey") with remote provisioned attestation key and params: [KeyParameter { tag: r#KEY_SIZE, value: Integer(256) }, KeyParameter { tag: r#ALGORITHM, value: Algorithm(r#EC) } ...
E keystore2: 1: system/security/keystore2/src/security_level.rs:964: upgrade_rkpd_keyblob_if_required_with(params=[])
E keystore2: 2: system/security/keystore2/src/utils.rs:446: Calling km_op.
E keystore2: 0: system/security/keystore2/src/security_level.rs:630: While generating Key Some("OversizedCheckKey") with remote provisioned attestation key and params: ... KeyParameter { tag: r#ATTESTATION_CHALLENGE, value: Blob([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, ... 250, 251, 252, 253, 254, 0]) }
Suggestion / Expected Behavior:
TrickyStore should intercept and properly handle (or gracefully mock/reject) these deliberately oversized or malformed ATTESTATION_CHALLENGE blobs instead of causing keystore2 to crash. This "TEE Stress Test" pattern is likely to be adopted by more banking and gaming apps in the future.
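As an added illustration of the behaviour the report asks for (this is example code, not TrickyStore's or keystore2's), the ATTESTATION_CHALLENGE blob is bounds-checked and a typed error is returned instead of letting the daemon fall over. The 128-byte cap, the type names and the `extract_challenge` function are assumptions; the 256-byte input is constructed to match the OversizedCheckKey log line above.

```rust
// Example only: a bounded parser for the ATTESTATION_CHALLENGE key parameter.
// Not keystore2 or TrickyStore code; names and the cap below are assumptions.

/// Minimal stand-in for the KeyParameter shapes visible in the issue log.
#[derive(Debug, Clone, PartialEq)]
pub enum KeyParameter {
    KeySize(u32),
    Algorithm(&'static str),
    AttestationChallenge(Vec<u8>),
}

/// Assumed upper bound on a challenge; chosen to mirror the reference
/// KeyMint behaviour of rejecting long challenges rather than crashing.
pub const MAX_ATTESTATION_CHALLENGE_LEN: usize = 128;

#[derive(Debug, PartialEq)]
pub enum ChallengeError {
    /// More than one challenge parameter was supplied.
    Duplicate,
    /// Challenge exceeds the cap; carries the offending and allowed lengths.
    TooLong { len: usize, max: usize },
}

/// Returns Ok(None) when no attestation was requested, Ok(Some(blob)) for a
/// well-formed challenge, and an error for malformed input. Never panics.
pub fn extract_challenge(params: &[KeyParameter]) -> Result<Option<Vec<u8>>, ChallengeError> {
    let mut found: Option<&Vec<u8>> = None;
    for p in params {
        if let KeyParameter::AttestationChallenge(blob) = p {
            if found.is_some() {
                return Err(ChallengeError::Duplicate);
            }
            found = Some(blob);
        }
    }
    match found {
        None => Ok(None),
        Some(blob) if blob.len() > MAX_ATTESTATION_CHALLENGE_LEN => {
            Err(ChallengeError::TooLong { len: blob.len(), max: MAX_ATTESTATION_CHALLENGE_LEN })
        }
        Some(blob) => Ok(Some(blob.clone())),
    }
}

/// Constructed input shaped like the logged blob: bytes 0..=254 followed by 0 (256 bytes).
pub fn oversized_challenge_from_log() -> Vec<u8> {
    let mut v: Vec<u8> = (0u8..=254).collect();
    v.push(0);
    v
}
```

The same check applied to a legitimate 32-byte challenge passes it through unchanged, so only the malformed request is turned away.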