Open enovella opened 2 years ago
Here is the APK file:
TiviMate_IPTV_Player_v4.2.0.apk.zip
Manifest-Version: 1.0
APK-Signature: yjXCY3WEeV+wmJcj6V59zBp65Ykb490dIqoT9lRQdZGkvo0V
Built-By: Signflinger
Created-By: Android Gradle 7.1.0-rc01
Protected-By: 12.3.19 DexProtector (20211214)
Protected-Notice: AV contact email - primary@licelus.com
Sample - https://play.google.com/store/apps/details?id=com.georama.marketresearch
9b80d4e484965e34dc02df018d73b46ffa7f29c7aadf420065bdf304a1cfb5fe
APKiD Scan -
$ apkid QualSights_3.1.17.apk
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] QualSights_3.1.17.apk
|-> packer : DexProtector
[*] QualSights_3.1.17.apk!classes.dex
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes10.dex
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes11.dex
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes12.dex
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes13.dex
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes2.dex
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes3.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes4.dex
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes5.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes6.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.HARDWARE check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes7.dex
|-> anti_vm : Build.MANUFACTURER check, possible VM check
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes8.dex
|-> compiler : dx
[*] QualSights_3.1.17.apk!classes9.dex
|-> compiler : dx
[*] QualSights_3.1.17.apk!lib/arm64-v8a/libsdc-core.so
|-> anti_vm : possible VM check
[*] QualSights_3.1.17.apk!lib/armeabi-v7a/libsdc-core.so
|-> anti_vm : possible VM check
[*] QualSights_3.1.17.apk!lib/x86/libsdc-core.so
|-> anti_vm : possible VM check
[*] QualSights_3.1.17.apk!lib/x86_64/libsdc-core.so
|-> anti_vm : possible VM check
Manifest-Version: 1.0
APK-Signature: 4ge8LMpxy5Jz8ebQoP35dAzi9JNByHwJALKEczUbpPY0Wc1E
Built-By: Generated-by-ADT
Created-By: Android Gradle 3.5.0
Protected-By: 12.1.27 DexProtector (20211027)
Protected-Notice: AV contact email - primary@licelus.com
Sample https://play.google.com/store/apps/details?id=com.tlsvpn.tlstunnel https://virustotal.com/gui/file/2ecc202580a9f2cc032d833223d8de827cae463116b9be12fe8456e9332d579c
APKiD Scan -
$ apkid 'TLS Tunnel_4.4.6.apk'
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] TLS Tunnel_4.4.6.apk
|-> packer : DexProtector
[*] TLS Tunnel_4.4.6.apk!classes.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible VM check
|-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes2.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, SIM operator check, network operator name check, subscriber ID check
|-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes3.dex
|-> anti_vm : Build.MANUFACTURER check, Build.MODEL check
|-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes4.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check
|-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes5.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.TAGS check, SIM operator check, subscriber ID check
|-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes6.dex
|-> anti_vm : Build.MANUFACTURER check
|-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes7.dex
|-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!classes8.dex
|-> compiler : dx
[*] TLS Tunnel_4.4.6.apk!lib/arm64-v8a/libdexprotector.so
|-> obfuscator : DexProtector
[*] TLS Tunnel_4.4.6.apk!lib/arm64-v8a/libtlsvpn.so
|-> obfuscator : DexProtector
[*] TLS Tunnel_4.4.6.apk!lib/x86_64/libdexprotector.so
|-> obfuscator : DexProtector
[*] TLS Tunnel_4.4.6.apk!lib/x86_64/libtlsvpn.so
|-> obfuscator : DexProtector
Manifest-Version: 1.0
APK-Signature: AG5WfkiZijZvGEKCymCgkJLVUeWa7MieZKqBVOQYC5csnBbQ
Built-By: Signflinger
Created-By: Android Gradle 7.1.3
Protected-By: 12.5.45 DexProtector (20220228)
Protected-Notice: AV contact email - primary@licelus.com
Sample: https://play.google.com/store/apps/details?id=com.axiositalia.re.family https://virustotal.com/gui/file/e23169a5d7481f5d043a1b1cb9343abcf9bed35ac13f49749edfecbf3ae9cb7e
$ apkid 'Axios Famiglia_1.6.6.apk'
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] Axios Famiglia_1.6.6.apk
|-> packer : DexProtector
[*] Axios Famiglia_1.6.6.apk!classes.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
|-> compiler : dx
Manifest-Version: 1.0
APK-Signature: k5+fkvQEDlm0hpI6O7V1gQh4dXt/vWePn7igpj7uDmZEBhlE
Built-By: Generated-by-ADT
Created-By: Android Gradle 4.0.0
Protected-By: 12.5.45 DexProtector (20220228)
Protected-Notice: AV contact email - primary@licelus.com
The manifest file is named MANIFEST.MF and is located under the META-INF directory in the APK. It's simply a list of key and value pairs, called headers or attributes, grouped into sections.
We could define a new private rule is_manifest, and check only in the META-INF directory. Is anyone interested in implementing something like that?
@CalebFenton @strazzere Any thoughts on this? Or we close it?
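A small parser for the MANIFEST.MF headers quoted above, as an added example and not APKiD's own code or a YARA rule: it reads only META-INF/MANIFEST.MF out of the APK zip, handles the 72-byte line wrapping of the JAR manifest format, and splits a Protected-By value like `12.5.45 DexProtector (20220228)` into name, version and build. The sample manifest and the stand-in APK are constructed here.

```python
import io
import re
import zipfile
# Constructed sample manifest, modelled on the headers quoted in this issue.
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\r\n"
                   "Protected-By: 12.5.45 DexProtector (20220228)\r\n"
                   "Protected-Notice: AV contact email - primary@licelus.com\r\n\r\n")
# Protected-By layout "<version> <name> (<build>)", as in the samples above
PROTECTED_BY_RE = re.compile(r"^(\d+(?:\.\d+)*)\s+(\S+)(?:\s+\((\d+)\))?")

def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict. Lines over 72
    bytes are wrapped: a continuation line starts with one space and is
    appended to the previous value. A blank line ends the main section."""
    attrs, last_key = {}, None
    for line in text.splitlines():
        if line == "":
            break
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]  # continuation of the previous value
            continue
        key, sep, value = line.partition(":")
        if sep:
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs

def protector_info(attrs):
    """Split Protected-By into {name, version, build}; None if absent."""
    value = attrs.get("Protected-By")
    if not value:
        return None
    m = PROTECTED_BY_RE.match(value)
    if not m:  # unknown layout: keep the raw string rather than guessing
        return {"name": value, "version": None, "build": None}
    return {"name": m.group(2), "version": m.group(1), "build": m.group(3)}

def scan_apk_manifest(apk_bytes):
    """Read only META-INF/MANIFEST.MF from the APK zip; None if it is missing."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        if "META-INF/MANIFEST.MF" not in z.namelist():
            return None
        text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    return protector_info(parse_manifest(text))

def build_sample_apk(manifest_text):
    # Constructed stand-in for an APK: a zip holding only the manifest.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()
```

Since the header can be stripped, a hit here is a hint to confirm against the packer rule, not a detection on its own.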
Personally, I'd rather look at what type of protections DexProtector is introducing vs blindly trusting the manifest string (which could be removed). Though I'm more often interested in what features would have been turned on and the version of the protector it's installed from.
If it was just pulling the version from the manifest file, then it is just as simple to do your original grep to get that info and no added value is provided, imho.