Fix Google Wallet Root Detection
This guide assumes you have a rooted device with Magisk (v26.0+) or KernelSU installed.
Phase 1: Required Downloads
Download these files directly to your Android device. We use specific open-source forks to bypass current Play Integrity API detections.
Phase 2: The Setup
Configure Magisk Settings (Zygisk)
Open Magisk app → Settings (top right).
- Enable Zygisk
- Enable Enforce DenyList
- Go to Configure DenyList → 3-dots → Show system apps.
- Check these 4 apps completely to hide root:
- Google Play Services (all processes)
- Google Wallet
- Google Play Store
- Google Services Framework
Flash Magisk Modules
In Magisk → Modules → Install from Storage, flash in this order:
- Play Integrity Fork
- Tricky Store
- Tricky Store Addon
- Anti Bootloop (Critical for safety)
Reboot your device now.
Phase 3: The "Termux Trick"
Step 1: Open Magisk → Modules → Play Integrity Fork → Tap Action (downloads latest fingerprints).
Step 2: Open KsuWebUi → Tricky Store → Select All → Menu → Set Valid Keybox.
Step 3: Open Termux, type su, grant root, then paste this command exactly to fix the provider conflict:
su -c "sed -i 's/\"spoofProvider\": *\"1\"/\"spoofProvider\": \"0\"/' /data/adb/modules/playintegrityfix/custom.pif.json"
Phase 4: Verification
Open the SPIC app and run a check. You are looking for this Strong Integrity success result:
Final Step: The Cleanup (If needed)
If you have the checkmarks but Wallet still fails, do the "Nuclear Option" to clear Google's cache:
- Clear Data: Google Wallet
- Clear Data: Google Play Services
- Clear Data: Google Play Store
- Reboot immediately.
Troubleshooting
If your phone gets stuck at the logo, press the key combo you set for the Anti Bootloop module (usually holding Vol Up + Vol Down) to disable modules and boot safely.
Wait 24 hours. Google's servers often cache your "rooted" status. If it fails after 24h, check your DenyList again—Magisk sometimes unchecks apps after updates.
This usually means the public keyboxes used by Tricky Store are currently banned. You may need to find a private keybox.xml or wait for the module developer to update.
Understanding the Mechanism: Why "Basic Integrity" is No Longer Enough
To understand why this specific combination of modules is required, it is crucial to recognize how Google has escalated its detection methods. In the past, simply passing "Basic Integrity" via the SafetyNet API was sufficient for banking apps and Google Wallet. However, Google has aggressively migrated to the Play Integrity API, which utilizes Hardware-Backed Attestation. This system queries your device’s Trusted Execution Environment (TEE) to ensure the bootloader is locked and the software is genuine. When you unlock your bootloader to root your device, the TEE creates a cryptographic flag that marks the device as "compromised," which instantly breaks the "Strong Integrity" verdict required for contactless payments.
Standard root-hiding methods (like the old Universal SafetyNet Fix) can no longer bypass this because they cannot alter the hardware-level flags reported by the TEE. This is where the Tricky Store module and the Keybox spoofing come into play. Instead of just hiding the root process, we are essentially injecting a valid cryptographic certificate (a "Keybox") from a different, uncompromised device into your system's keystore. This tricks Google's servers into believing your device is utilizing a locked, verified bootloader. However, because Google actively bans public keyboxes once they detect high usage volumes, this method is a constant "cat-and-mouse" game. The specific Termux command and the "Play Integrity Fork" included in this guide are designed to randomize the device fingerprint and prevent the spoofing provider from conflicting with system processes, giving your setup the highest possible chance of maintaining Strong Integrity over time.