Open apkunpacker opened 2 years ago
Can you tell us if this PR detects this sample? https://github.com/rednaga/APKiD/pull/189
Is this right?
[12:52 edu@xps samples-main] > cd arm64/
[12:52 edu@xps arm64] > ll
total 4.3M
-rw-rw-r-- 1 edu edu 26K Apr 1 10:00 cff-arm64-v8a.elf
-rw-rw-r-- 1 edu edu 1.9M Apr 1 10:00 libcompatible.so
-rw-rw-r-- 1 edu edu 370K Apr 1 10:00 libnative-lib.so
-rw-rw-r-- 1 edu edu 2.1M Apr 1 10:00 libvdog.so
[12:52 edu@xps arm64] > apkid .
[+] APKiD 2.1.2 :: from RedNaga :: rednaga.io
[*] ./cff-arm64-v8a.elf
|-> obfuscator : Obfuscator-LLVM version 3.5
[*] ./libnative-lib.so
|-> obfuscator : Obfuscator-LLVM version unknown
[*] ./libcompatible.so
|-> obfuscator : Obfuscator-LLVM version 4.0
Yeah, fine, but how to mark a specific file to a specific packer? Like libcompatible.so is from AppGuard.
Packer rules are normally at APK level, so we need to have the sample with all the files to detect that.
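APKiD's packer rules are YARA rules evaluated over the whole APK rather than over one .so in isolation. The following is an added illustration (not APKiD's own rule or code) of what an APK-level check looks like in Python: it lists the native libraries under lib/<abi>/ in the zip and reports a packer per APK when its marker library is present in an ABI. The mapping of libcompatible.so to AppGuard is an assumption taken from this thread, and the APK is a constructed in-memory zip, not a real sample.

```python
import io
import zipfile

# Assumed marker, taken from this thread (libcompatible.so is said to ship with
# AppGuard-packed apps). Illustrative only; not a verified signature.
PACKER_MARKERS = {
    "AppGuard (assumed marker)": {"libcompatible.so"},
}


def native_libs(apk_bytes):
    """Return {abi: set(lib names)} for every lib/<abi>/*.so entry in the APK zip."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                found.setdefault(parts[1], set()).add(parts[2])
    return found


def detect_packers(apk_bytes):
    """APK-level rule: report a packer once for the whole APK, listing the ABIs
    whose lib directory carries all of that packer's marker libraries."""
    libs = native_libs(apk_bytes)
    hits = []
    for packer, markers in PACKER_MARKERS.items():
        abis = sorted(abi for abi, names in libs.items() if markers <= names)
        if abis:
            hits.append((packer, abis))
    return hits


def build_sample_apk(with_marker=True):
    """Constructed in-memory APK mirroring the lib layout shown in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        for abi in ("armeabi-v7a", "arm64-v8a"):
            zf.writestr(f"lib/{abi}/libstub.so", b"\x7fELF")
            if with_marker:
                zf.writestr(f"lib/{abi}/libcompatible.so", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    print(detect_packers(build_sample_apk()))
```

Scanning a lone libcompatible.so the way the ll/apkid session above does only ever reaches per-file obfuscator rules; the packer verdict needs the surrounding APK entries.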
This looks like a false positive detection for libcms.so
$ apkid arm/*.*
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] arm/libcms.so
|-> obfuscator : ByteGuard unknown version, Obfuscator-LLVM version 6.0, Obfuscator-LLVM version unknown (string encryption)
[*] arm/libcompatible.so
|-> obfuscator : Obfuscator-LLVM version 4.0
[*] arm/libdu.so
|-> packer : UPX (unknown, modified)
At the same time it is showing OLLVM 6.0, OLLVM unknown version and ByteGuard. ByteGuard and OLLVM can be possible at the same time, but how can OLLVM 6.0 and OLLVM unknown version appear at the same time? Does it mean it is using 2 different OLLVM versions, 1 for string encryption and a 2nd for other purposes?
Missed AppGuard:
Sample - https://virustotal.com/gui/file/3149e592632e23612029c9919951154b4415e4ce1fc7a24996fa287be54de0fc
APKiD scan:
$ apkid 'mpl-pro-v172.apk'
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] mpl-pro-v172.apk!lib/armeabi-v7a/libstub.so
|-> obfuscator : Obfuscator-LLVM version 4.0
[*] mpl-pro-v172.apk!lib/armeabi-v7a/libcompatible_x86.so
|-> obfuscator : Obfuscator-LLVM version 4.0
[*] mpl-pro-v172.apk!lib/armeabi-v7a/libcompatible.so
|-> obfuscator : Obfuscator-LLVM version 4.0
[*] mpl-pro-v172.apk!classes6.dex
|-> compiler : dexlib 2.x
[*] mpl-pro-v172.apk!classes8.dex
|-> anti_vm : Build.FINGERPRINT check
|-> compiler : dexlib 2.x
[*] mpl-pro-v172.apk!classes3.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, SIM operator check, network operator name check
|-> compiler : dexlib 2.x
[*] mpl-pro-v172.apk!classes7.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
|-> compiler : dexlib 2.x
[*] mpl-pro-v172.apk!classes4.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check, possible Build.SERIAL check, possible VM check
|-> compiler : dexlib 2.x
[*] mpl-pro-v172.apk!classes5.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, emulator file check, possible Build.SERIAL check, possible VM check, subscriber ID check
|-> compiler : dexlib 2.x
[*] mpl-pro-v172.apk!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check, ro.kernel.qemu check
|-> compiler : dexlib 2.x
[*] mpl-pro-v172.apk!classes2.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check, possible VM check
|-> compiler : dexlib 2.x
as many "appguard" strings are visible in the dex/so files
@apkunpacker Can you please share the VT samples with me over here? Any idea if this ticket got resolved with latest commits in master? Otherwise, please detail what's missing and provide useful info. Many thanks!
The APK is available for download at https://www.mpl.live/.
Samples.zip from https://github.com/obpo-project/samples
libcompatible.so in all 4 archs is supposed to be packed with https://appguard.nprotect.com/ but apkid detects it as
libdexvmp.so in arm & arm64 is supposed to be Secneo, and the result is that apkid does not detect anything.
libnative-lib.so in arm is a possible new detection sample for https://github.com/GoSSIP-SJTU/Armariris