The SafetyNet Fix module. I believe kdrag0n is the original author, but there's a popular fork on GitHub with some fixes - if you Google it you should be able to find it.

It tricks apps into thinking your phone doesn't support hardware key attestation, forcing it to fall back to basic software attestation which can easily be spoofed.

Been using it on my OnePlus 7 Pro and aside from when I had to switch to the fork, I haven't had any times where SafetyNet has stopped passing.

I just don't use Google pay. Well, my wife hasn't completely gotten off of Google, so she pays for my Duolingo subscription as a family plan.

Only fragile ones, and those will only work until google finally flips the switch and their servers stop validating anything less than true hardware-backed attestation.

Then we'll switch to patching the check out of those apps like is already possible for some with Revanced Manager

You can't patch that out when it comes to hardware attestation. The entire bootchain is authenticated and you can't spoof it because the authentication mechanism and private key are is in the on-silicon enclave. Anything that's not authorized will fail attestation. You can't patch it out because it's an allowlist. Anything less than official signed boot + OS + apps + configuration + known good hardware private key will fail.

It's about as easy as it would be for an ISP to inject code into an HTTPS page.

The only reason anything works is because Google attestation servers still return a green light for evaluationType=BASIC. Once old devices become rare enough they'll only return a positive attestation for evaluationType=HARDWARE_BACKED.

Go find try and find a single instance of anyone achieving HARDWARE_BACKED with less than a fully stock device.

They are none. No amount of Magisk magic will make it work because it's all taken out of software's hands. Bypasses at that point look like electron microscopes and micro-electronics cleanrooms.