rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

[DETECTION] DexProtector version in MANIFEST.MF #280

Open enovella opened 2 years ago

enovella commented 2 years ago
[12:41 edu@xps ar.tvplayer.tv.apk.unpack] >  egrep -iRn dexprotector
META-INF/MANIFEST.MF:5:Protected-By: 12.3.19 DexProtector (20211214)
apkunpacker commented 2 years ago

Here is the APK file:

TiviMate_IPTV_Player_v4.2.0.apk.zip

MANIFEST.MF.txt

Manifest-Version: 1.0
APK-Signature: yjXCY3WEeV+wmJcj6V59zBp65Ykb490dIqoT9lRQdZGkvo0V
Built-By: Signflinger
Created-By: Android Gradle 7.1.0-rc01
Protected-By: 12.3.19 DexProtector (20211214)
Protected-Notice: AV contact email - primary@licelus.com
apkunpacker commented 2 years ago

Sample - https://play.google.com/store/apps/details?id=com.georama.marketresearch

9b80d4e484965e34dc02df018d73b46ffa7f29c7aadf420065bdf304a1cfb5fe

APKiD Scan -

$ apkid QualSights_3.1.17.apk
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] QualSights_3.1.17.apk
 |-> packer : DexProtector
[*] QualSights_3.1.17.apk!classes.dex
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes10.dex
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes11.dex
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes12.dex
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes13.dex
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes2.dex
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes3.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes4.dex
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes5.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes6.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.HARDWARE check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes7.dex
 |-> anti_vm : Build.MANUFACTURER check, possible VM check
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes8.dex
 |-> compiler : dx
[*] QualSights_3.1.17.apk!classes9.dex
 |-> compiler : dx
[*] QualSights_3.1.17.apk!lib/arm64-v8a/libsdc-core.so
 |-> anti_vm : possible VM check
[*] QualSights_3.1.17.apk!lib/armeabi-v7a/libsdc-core.so
 |-> anti_vm : possible VM check
[*] QualSights_3.1.17.apk!lib/x86/libsdc-core.so
 |-> anti_vm : possible VM check
[*] QualSights_3.1.17.apk!lib/x86_64/libsdc-core.so
 |-> anti_vm : possible VM check
Manifest-Version: 1.0
APK-Signature: 4ge8LMpxy5Jz8ebQoP35dAzi9JNByHwJALKEczUbpPY0Wc1E
Built-By: Generated-by-ADT
Created-By: Android Gradle 3.5.0
Protected-By: 12.1.27 DexProtector (20211027)
Protected-Notice: AV contact email - primary@licelus.com
apkunpacker commented 2 years ago

Sample https://play.google.com/store/apps/details?id=com.tlsvpn.tlstunnel https://virustotal.com/gui/file/2ecc202580a9f2cc032d833223d8de827cae463116b9be12fe8456e9332d579c

APKiD Scan -

$ apkid 'TLS Tunnel_4.4.6.apk'
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] TLS Tunnel_4.4.6.apk
 |-> packer : DexProtector
[*] TLS Tunnel_4.4.6.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible VM check
 |-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, SIM operator check, network operator name check, subscriber ID check
 |-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes3.dex
 |-> anti_vm : Build.MANUFACTURER check, Build.MODEL check
 |-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check
 |-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes5.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.TAGS check, SIM operator check, subscriber ID check
 |-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes6.dex
 |-> anti_vm : Build.MANUFACTURER check
 |-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes7.dex
 |-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes8.dex
 |-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!lib/arm64-v8a/libdexprotector.so
 |-> obfuscator : DexProtector
[*] TLS Tunnel_4.4.6.apk!lib/arm64-v8a/libtlsvpn.so
 |-> obfuscator : DexProtector
[*] TLS Tunnel_4.4.6.apk!lib/x86_64/libdexprotector.so
 |-> obfuscator : DexProtector
[*] TLS Tunnel_4.4.6.apk!lib/x86_64/libtlsvpn.so
 |-> obfuscator : DexProtector
Manifest-Version: 1.0
APK-Signature: AG5WfkiZijZvGEKCymCgkJLVUeWa7MieZKqBVOQYC5csnBbQ
Built-By: Signflinger
Created-By: Android Gradle 7.1.3
Protected-By: 12.5.45 DexProtector (20220228)
Protected-Notice: AV contact email - primary@licelus.com
apkunpacker commented 2 years ago

Sample : https://play.google.com/store/apps/details?id=com.axiositalia.re.family https://virustotal.com/gui/file/e23169a5d7481f5d043a1b1cb9343abcf9bed35ac13f49749edfecbf3ae9cb7e

$ apkid 'Axios Famiglia_1.6.6.apk'
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] Axios Famiglia_1.6.6.apk
 |-> packer : DexProtector
[*] Axios Famiglia_1.6.6.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
 |-> compiler : dx
Manifest-Version: 1.0
APK-Signature: k5+fkvQEDlm0hpI6O7V1gQh4dXt/vWePn7igpj7uDmZEBhlE
Built-By: Generated-by-ADT
Created-By: Android Gradle 4.0.0
Protected-By: 12.5.45 DexProtector (20220228)
Protected-Notice: AV contact email - primary@licelus.com
enovella commented 2 years ago

The manifest file is named MANIFEST.MF and is located under the META-INF directory in the APK. It's simply a list of key and value pairs, called headers or attributes, grouped into sections.

We could define a new private rule is_manifest, and check only in the META-INF directory. Is anyone interested in implementing something like that?
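As an added illustration of the check proposed above (example code, not APKiD's own rules or parser): a small Python parser that reads only the main section of META-INF/MANIFEST.MF, joins JAR-style continuation lines, and pulls the version and build date out of the Protected-By header. The sample manifest is constructed from the values quoted in this issue; the header format it assumes is the one seen in those quotes.

```python
import re
from typing import Dict, Optional

# Constructed sample: the main section of a MANIFEST.MF as quoted in this issue,
# with one header wrapped the way the JAR spec wraps lines over 72 bytes
# (a continuation line starts with a single space).
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "APK-Signature: yjXCY3WEeV+wmJcj6V59zBp65Ykb490dIqoT9lRQdZGkvo0V\r\n"
    "Built-By: Signflinger\r\n"
    "Created-By: Android Gradle 7.1.0-rc01\r\n"
    "Protected-By: 12.3.19 DexProtector (2021\r\n"
    " 1214)\r\n"
    "Protected-Notice: AV contact email - primary@licelus.com\r\n"
    "\r\n"
    "Name: classes.dex\r\n"
    "SHA-256-Digest: AAAA\r\n"
)

# "<version> DexProtector (<yyyymmdd>)", the shape seen in the quoted manifests.
PROTECTED_BY_RE = re.compile(
    r"^(?P<version>\d+(?:\.\d+)+)\s+DexProtector\s*\((?P<build>\d{8})\)$"
)

def parse_main_section(text: str) -> Dict[str, str]:
    """Headers of the main (first) section only, with continuation lines joined."""
    headers: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if raw == "":
            break  # first blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last_key is not None:
            headers[last_key] += raw[1:]  # continuation of the previous header value
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # tolerate junk lines instead of failing the whole scan
        last_key = key.strip()
        headers[last_key] = value.strip()
    return headers

def dexprotector_info(text: str) -> Optional[Dict[str, str]]:
    """Version and build date from Protected-By; None if the header is absent."""
    value = parse_main_section(text).get("Protected-By")
    if value is None:
        return None
    m = PROTECTED_BY_RE.match(value)
    if not m:
        return {"raw": value}  # surface an unexpected format rather than drop it
    return {"version": m["version"], "build": m["build"]}
```

A missing header proves nothing, since it is trivially stripped; the value of the check is attributing version and build date when the header is present.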

enovella commented 1 year ago

@CalebFenton @strazzere Any thoughts on this? Or we close it?

strazzere commented 1 year ago

Personally, I'd rather look at what type of protections DexProtector is introducing vs blindly trusting the manifest string (which could be removed). Though I'm more often interested in what features would have been turned on and the version of the protector it's installed from.

If it was just pulling the version from the manifest file, then it is just as simple to do your original grep to get that info and no added value is provided, imho.