kevlar-kt / kevlar

Android Security Toolkit & Framework
https://kevlar-kt.github.io/kevlar
Apache License 2.0
74 stars 3 forks

[BUG] Tecno Spark 10 Pro (Android 13) devices are incorrectly identified as containing Lucky Patcher #11

Open AndreyFetisov opened 3 months ago

AndreyFetisov commented 3 months ago

Bug description

Tecno Spark 10 Pro (Android 13) devices are incorrectly identified as containing Lucky Patcher

Reproduction steps

val attestation = antiPiracy.attestate(context)

AndreyFetisov commented 3 months ago

It seems that all Tecno and Infinix devices are incorrectly identified as containing Lucky Patcher

cioccarellia commented 3 months ago

That's really weird, how many devices could you test this on? Could you share your anti piracy settings?

AndreyFetisov commented 3 months ago

I only tested on two devices. But judging by the logs of my application, most of the devices for which kevlar detects the presence of Lucky Patcher are Tecno and Infinix of different models.

private val antiPiracy = KevlarAntipiracy {
    scan {
        // scan configuration
        pirate()
    }
}
cioccarellia commented 3 months ago

Are you 100% sure you don't have pirate software / pirate software installers on any of those two test devices? Because the check looks at the package list, and if it finds one that specifically matches a regex, then it flags it

If you are able to, could you please run this diagnostic bash script with your affected device attached to your computer? It should print out the packages that kevlar detects as related to Lucky Patcher, causing it to be included in the attestation. The core principle of kevlar is to have a zero false-positive rate, so if none are printed out I should investigate further on potential library detection bugs / new variations.

#!/usr/bin/env bash
# Prints every installed package whose name matches one of the Lucky Patcher
# patterns. `[[ =~ ]]` is bash-specific, so run this under bash, not sh.
# `tr -d '\r'` drops the carriage returns that adb emits on some hosts, which
# would otherwise be echoed as part of each package name.
adb shell pm list packages | tr -d '\r' | cut -f 2 -d ":" | while IFS= read -r line; do
  for regexp in "com.android.vending.licensing.ILicensingService" "com.android.vendinc" "ru\..?.?[a]{3,}.?.?.?.?.?\.installer" "com.chelpus.lackypatch" "com.android.vending.billing.InAppBillingService.*" "com.dimonvideo.luckypatcher" "com.forpda.lp"; do
    # Unanchored match: the pattern may appear anywhere in the package name.
    if [[ "$line" =~ $regexp ]]; then
      echo "$line"
      break
    fi
  done
done
AndreyFetisov commented 3 months ago

Please find in the attachment a list of all packages installed on this device. Tecno packages.txt

cioccarellia commented 3 months ago

Ran it myself and it doesn't flag any of them. I manually went through the list and found a few packages starting with ru.*, but that shouldn't cause detection unless you enabled collateral options.

I'll try adding more advanced logging capabilities to the library, so that when enabled, you can get a detailed summary of everything that kevlar detects. I can't run detection just with the package names because kevlar looks at the application metadata themselves, which I don't have unless queried from the package manager.

I'll get back to you, I have finals now though so this might take a while :D

cioccarellia commented 2 months ago

I pushed on master an update with enhanced log/traceability. Could you clone the repo and run the Showcase app on your device? This should give us insight into what is going on. (note, they're breaking changes)

AndreyFetisov commented 2 months ago

(screenshot attached: 2024-06-24 15 47 03) This is a screenshot of the Tecno Spark 10 Pro from the Showcase app.

cioccarellia commented 2 months ago

I think it detected the label for being empty, but wrongly assigned the detection to that threat. I’ll investigate a solution, thank you for your time and effort!
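The two mechanisms discussed in this thread, the package-name regex check from the diagnostic script and the misattribution of an empty-label finding to the Lucky Patcher threat, can be reproduced in a few lines. The following is an added example written for this page; it is not kevlar's code and does not claim to mirror its internals. The regexes are copied from the script above, but the threat names (`LUCKY_PATCHER`, `EMPTY_LABEL`), the `(package, label)` input shape, and the sample package list (imitating Tecno/Transsion system apps) are constructed assumptions.

```python
"""Package-list scanning: regex hit vs. empty-label signal, and how a finding
can be filed under the wrong threat. Added example, not kevlar's own code."""
import re

# Patterns copied from the maintainer's diagnostic bash script in this thread.
LUCKY_PATCHER_PATTERNS = [
    r"com.android.vending.licensing.ILicensingService",
    r"com.android.vendinc",
    r"ru\..?.?[a]{3,}.?.?.?.?.?\.installer",
    r"com.chelpus.lackypatch",
    r"com.android.vending.billing.InAppBillingService.*",
    r"com.dimonvideo.luckypatcher",
    r"com.forpda.lp",
]

# Threat / signal names are assumptions for this example, not kevlar's names.
THREAT_LUCKY_PATCHER = "LUCKY_PATCHER"
SIGNAL_EMPTY_LABEL = "EMPTY_LABEL"

# Constructed `adb shell pm list packages` output, with the CRLF line endings
# adb produces on some hosts.
PM_OUTPUT = (
    "package:com.transsion.camera\r\n"
    "package:ru.yandex.searchplugin\r\n"
    "package:com.forpda.lp\r\n"
)

# Constructed (package, application label) pairs. The OEM launcher with an
# empty label stands in for the case the screenshot in this thread showed.
SAMPLE_APPS = [
    ("com.transsion.camera", "Camera"),
    ("ru.yandex.searchplugin", "Yandex"),
    ("com.transsion.hilauncher", ""),
    ("com.forpda.lp", "Lucky Patcher Installer"),
]


def parse_pm_list(output):
    """Return package names from `pm list packages` output, one per line,
    tolerating trailing CR characters."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):])
    return names


def match_lucky_patcher(package):
    """Return the first pattern that matches the package name, else None.
    Unanchored search, equivalent to bash `[[ "$line" =~ $regexp ]]`."""
    for pattern in LUCKY_PATCHER_PATTERNS:
        if re.search(pattern, package):
            return pattern
    return None


def scan_buggy(apps):
    """The failure mode described above: an empty label does raise a finding,
    but the finding is attributed to the Lucky Patcher threat, so an unlabeled
    OEM app looks like piracy."""
    findings = []
    for package, label in apps:
        if match_lucky_patcher(package) or label == "":
            findings.append((package, THREAT_LUCKY_PATCHER))
    return findings


def scan_fixed(apps):
    """Each signal is reported under its own name with the evidence that
    fired, so the caller can see why a package was flagged."""
    findings = []
    for package, label in apps:
        pattern = match_lucky_patcher(package)
        if pattern is not None:
            findings.append((package, THREAT_LUCKY_PATCHER, pattern))
        elif label == "":
            findings.append((package, SIGNAL_EMPTY_LABEL, "empty application label"))
    return findings


if __name__ == "__main__":
    for finding in scan_buggy(SAMPLE_APPS):
        print("buggy:", finding)
    for finding in scan_fixed(SAMPLE_APPS):
        print("fixed:", finding)
```

Running it shows `com.transsion.hilauncher` reported as `LUCKY_PATCHER` by `scan_buggy` and as `EMPTY_LABEL` by `scan_fixed`; carrying the matched pattern or reason in every finding is what lets a user of the library tell a real regex hit apart from a secondary heuristic.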

AndreyFetisov commented 2 months ago

I'm glad I helped. I'll be looking forward to the update of kevlar.