
[DETECTION] Unknown protector #362

Open
enovella opened this issue Sep 14, 2023 · 2 comments
Labels
detection-issue Bad detection or no detection

Comments

@enovella (Collaborator)
Sample

https://play.google.com/store/apps/details?id=com.einnovation.temu&hl=en&gl=US

$ apkid ~/Downloads/Temu_\ Shop\ Like\ a\ Billionaire_2.4.1_Apkpure.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
 |-> compiler : r8 without marker (suspicious)
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, SIM operator check, possible Build.SERIAL check, subscriber ID check
 |-> compiler : r8 without marker (suspicious)
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!classes3.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, device ID check, network operator name check, possible Build.SERIAL check
 |-> compiler : r8 without marker (suspicious)
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!classes4.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, emulator file check, possible Build.SERIAL check
 |-> compiler : r8 without marker (suspicious)
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!classes5.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check
 |-> compiler : r8 without marker (suspicious)
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!classes6.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check
 |-> compiler : r8 without marker (suspicious)
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!classes7.dex
 |-> compiler : r8 without marker (suspicious)
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!classes8.dex
 |-> compiler : r8 without marker (suspicious)
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!lib/arm64-v8a/libUserEnv.so
 |-> anti_hook : syscalls
 |-> anti_vm : emulator file check
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!lib/arm64-v8a/libcutils_meco.so
 |-> anti_vm : emulator file check
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!lib/arm64-v8a/libdyncommon.so
 |-> anti_hook : syscalls
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!lib/arm64-v8a/libsecure_lib.so
 |-> anti_hook : syscalls
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!lib/arm64-v8a/libshook.so
 |-> anti_hook : syscalls
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!lib/arm64-v8a/libwebviewchromiummeco.so
 |-> anti_hook : syscalls
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!lib/arm64-v8a/libxmghm.so
 |-> anti_hook : syscalls
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!lib/armeabi-v7a/libUserEnv.so
 |-> anti_vm : emulator file check
[*] ~/Downloads/Temu_ Shop Like a Billionaire_2.4.1_Apkpure.apk!lib/armeabi-v7a/libcutils_meco.so
 |-> anti_vm : emulator file check
enovella added the detection-issue (Bad detection or no detection) label Sep 14, 2023

@AbhiTheModder (Contributor) commented Oct 27, 2024

UPDATE: now it seems to be completely undetectable by apkid:

Latest version apk results:

╰─> apkid Temu_3.8.0_apks.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] Temu_3.8.0_apks.apk!classes.dex
 |-> anti_vm : Build.MANUFACTURER check, Build.MODEL check
 |-> compiler : r8 without marker (suspicious)
[*] Temu_3.8.0_apks.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check
 |-> compiler : r8 without marker (suspicious)
[*] Temu_3.8.0_apks.apk!classes3.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, device ID check, network operator name check, possible Build.SERIAL check
 |-> compiler : r8 without marker (suspicious)
[*] Temu_3.8.0_apks.apk!classes4.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check
 |-> compiler : r8 without marker (suspicious)
[*] Temu_3.8.0_apks.apk!classes5.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check
 |-> compiler : r8 without marker (suspicious)

However, the libraries are still there:

╰─> ls lib/arm64-v8a/ | grep -E "(UserEnv|secure_lib|shook|xm)"
libsecure_lib.so
libUserEnv.so
libxmgreport.so

libxmghm.so seems to be the newly renamed libxmgreport.so. Edit: No, it's not.

Can't seem to find the older version of it anywhere (currently, the apkpure search query throws 404; maybe will try later) to check the differences.
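The two reports above and the `ls lib/arm64-v8a/ | grep` check can be turned into a repeatable triage step. The script below is an added example (it is not part of APKiD or of this issue): it parses APKiD's text report into a per-file structure, groups the native-library findings by ABI, and lists an APK's native libraries straight from the zip central directory, checking them against the library names observed in this thread (libUserEnv.so, libsecure_lib.so, libshook.so, libxmghm.so, libxmgreport.so). The watchlist is just what was seen here, not a vetted signature for any named protector, and the embedded APKiD lines are a constructed excerpt of the 2.4.1 report.

```python
"""Summarize APKiD text output and check an APK for the native libraries
noted in APKiD issue #362.  Added example, not APKiD project code."""
import re
import zipfile
from collections import defaultdict

# Library names observed in this issue's two reports.  This is an observation
# list for triage, not a verified signature of a named protector.
WATCHLIST = ("libUserEnv.so", "libsecure_lib.so", "libshook.so",
             "libxmghm.so", "libxmgreport.so")

# APKiD prints one "[*] archive!member" line per scanned file, followed by
# " |-> category : detection, detection" lines.
FILE_RE = re.compile(r"^\[\*\] (?P<target>.+)$")
HIT_RE = re.compile(r"^\s*\|-> (?P<category>\w+) : (?P<detail>.+)$")


def parse_apkid(text):
    """Turn APKiD's text report into {target: {category: [detections]}}."""
    report = {}
    current = None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group("target")
            report[current] = {}
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            items = [d.strip() for d in m.group("detail").split(",")]
            report[current].setdefault(m.group("category"), []).extend(items)
    return report


def native_lib_summary(report):
    """Group findings on lib/<abi>/<name>.so members: {abi: {name: cats}}."""
    out = defaultdict(dict)
    for target, cats in report.items():
        member = target.split("!", 1)[1] if "!" in target else target
        parts = member.split("/")
        if len(parts) == 3 and parts[0] == "lib":
            out[parts[1]][parts[2]] = cats
    return dict(out)


def watchlist_hits(entry_names, watchlist=WATCHLIST):
    """From zip entry names, return {abi: sorted watchlist libs present}."""
    hits = defaultdict(set)
    for name in entry_names:
        parts = name.split("/")
        if len(parts) == 3 and parts[0] == "lib" and parts[2] in watchlist:
            hits[parts[1]].add(parts[2])
    return {abi: sorted(libs) for abi, libs in hits.items()}


def scan_apk(apk_path):
    """Check every ABI at once without extracting the APK (an APK is a zip)."""
    with zipfile.ZipFile(apk_path) as z:
        return watchlist_hits(z.namelist())


# Constructed excerpt of the 2.4.1 report from this issue (archive name shortened).
SAMPLE = """\
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] Temu.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check
 |-> compiler : r8 without marker (suspicious)
[*] Temu.apk!lib/arm64-v8a/libUserEnv.so
 |-> anti_hook : syscalls
 |-> anti_vm : emulator file check
[*] Temu.apk!lib/armeabi-v7a/libUserEnv.so
 |-> anti_vm : emulator file check
"""

if __name__ == "__main__":
    for abi, libs in native_lib_summary(parse_apkid(SAMPLE)).items():
        for lib, cats in libs.items():
            print(abi, lib, cats)
    # scan_apk("Temu_3.8.0_apks.apk") would report the watchlist hits per ABI.
```

Reading the central directory with `zipfile` rather than unpacking means a reviewer can diff the library sets of two versions (say 2.4.1 against 3.8.0) in a few lines, and the per-ABI grouping makes it obvious when a library ships only for one architecture.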

@enovella (Collaborator, Author)

I believe we didn't detect it before either, as long as we didn't know the name behind it.
