[DETECTION] DexGuard Java rule can produce false positives #352

Open
enovella opened this issue Aug 1, 2023 · 1 comment
Labels
detection-issue Bad detection or no detection

Comments

Collaborator

enovella commented Aug 1, 2023

> apkid 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, possible Build.SERIAL check
 |-> compiler : dexlib 1.x
 |-> obfuscator : DexGuard
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes10.dex
 |-> anti_vm : possible VM check
 |-> compiler : dexlib 1.x
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes2.dex
 |-> anti_vm : network operator name check
 |-> compiler : dexlib 1.x
 |-> obfuscator : DexGuard
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes3.dex
 |-> anti_vm : Build.BRAND check, Build.DEVICE check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check
 |-> compiler : dexlib 1.x
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes4.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check, possible VM check
 |-> compiler : dexlib 1.x
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes5.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 1.x
 |-> obfuscator : unreadable field names
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes6.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 1.x
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes7.dex
 |-> anti_vm : Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 1.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes8.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible Build.SERIAL check, possible VM check, subscriber ID check
 |-> compiler : dexlib 1.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes9.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
 |-> compiler : dexlib 1.x
 |-> obfuscator : DexGuard
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/arm64-v8a/libahope.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/arm64-v8a/libahope_c.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/arm64-v8a/libahope_n.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/arm64-v8a/libahope_o.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/armeabi-v7a/libahope.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/armeabi-v7a/libahope_c.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/armeabi-v7a/libahope_n.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/armeabi-v7a/libahope_o.so
 |-> protector : Ahope AppShield
 ~/apks/ahope-Appshield
enovella added the detection-issue (Bad detection or no detection) label Aug 1, 2023
Collaborator Author

enovella commented Aug 1, 2023

c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75 com.rblbank.mobank_2023-01-24.apk

> apkid *.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] 066129b30349efb16da189a292fc9c7e9ee4c43f82f65868f94f22c758c715c7.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check, possible Build.SERIAL check, ro.kernel.qemu check
 |-> compiler : unknown (please file detection issue!)
[*] 066129b30349efb16da189a292fc9c7e9ee4c43f82f65868f94f22c758c715c7.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check, possible VM check
 |-> compiler : dx
[*] 066129b30349efb16da189a292fc9c7e9ee4c43f82f65868f94f22c758c715c7.apk!classes3.dex
 |-> anti_vm : Build.BOARD check, Build.MANUFACTURER check, SIM operator check, network operator name check, possible Build.SERIAL check, possible VM check
 |-> compiler : dx
[*] 066129b30349efb16da189a292fc9c7e9ee4c43f82f65868f94f22c758c715c7.apk!lib/arm64-v8a/libTMXProfiling-6.3-77-jni.so
 |-> obfuscator : Arxan
[*] 066129b30349efb16da189a292fc9c7e9ee4c43f82f65868f94f22c758c715c7.apk!lib/arm64-v8a/libz9.so
 |-> anti_vm : possible VM check
[*] 1e3f445793a91c292a6c6b92032677990a1e7bd32ca20db8cb73f3b9e96219fa.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check
 |-> compiler : r8
[*] 1e3f445793a91c292a6c6b92032677990a1e7bd32ca20db8cb73f3b9e96219fa.apk!classes2.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check, ro.kernel.qemu check
 |-> compiler : r8 without marker (suspicious)
[*] 1e3f445793a91c292a6c6b92032677990a1e7bd32ca20db8cb73f3b9e96219fa.apk!classes3.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.TAGS check
 |-> compiler : r8 without marker (suspicious)
[*] 1e3f445793a91c292a6c6b92032677990a1e7bd32ca20db8cb73f3b9e96219fa.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.HARDWARE check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check, possible VM check
 |-> compiler : r8 without marker (suspicious)
[*] 1e3f445793a91c292a6c6b92032677990a1e7bd32ca20db8cb73f3b9e96219fa.apk!classes5.dex
 |-> compiler : r8 without marker (suspicious)
[*] 1e3f445793a91c292a6c6b92032677990a1e7bd32ca20db8cb73f3b9e96219fa.apk!classes6.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, emulator file check, network operator name check
 |-> compiler : r8 without marker (suspicious)
[*] 1e3f445793a91c292a6c6b92032677990a1e7bd32ca20db8cb73f3b9e96219fa.apk!classes7.dex
 |-> anti_vm : Build.MANUFACTURER check
 |-> compiler : r8 without marker (suspicious)
[*] 1e3f445793a91c292a6c6b92032677990a1e7bd32ca20db8cb73f3b9e96219fa.apk!classes8.dex
 |-> anti_vm : Build.HARDWARE check, Build.MANUFACTURER check
 |-> compiler : r8 without marker (suspicious)
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check, possible ro.secure check, ro.hardware check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.HARDWARE check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!classes3.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, SIM operator check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!classes4.dex
 |-> anti_vm : Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/x86/libprotectt-native-lib.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/x86/libprotecttai.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/x86/libapp-protectt-native-lib.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/x86/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/arm64-v8a/libprotectt-native-lib.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/arm64-v8a/libprotecttai.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/arm64-v8a/libapp-protectt-native-lib.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/arm64-v8a/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/armeabi-v7a/libprotectt-native-lib.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/armeabi-v7a/libprotecttai.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/armeabi-v7a/libapp-protectt-native-lib.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/armeabi-v7a/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/x86_64/libprotectt-native-lib.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/x86_64/libprotecttai.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/x86_64/libapp-protectt-native-lib.so
 |-> protector : Protectt
[*] c246d85560599f91e9c3ed7e59df2dd4e21aaf667f3f2965c28c43d9842f5e75.apk!lib/x86_64/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0
