rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

[DETECTION] Add rule for Zimperium #319

Open apkunpacker opened 1 year ago

apkunpacker commented 1 year ago

File - https://virustotal.com/gui/file/2dd1f3a93b84dc5db18ee7e434c8daf9478f635e26af7840d7e6fb4b7ed7c039 https://play.google.com/store/apps/details?id=com.garanti.bonusapp

APKiD Scan:

$ apkid 'BonusFlaş_3.8.0.apks'
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] BonusFlaş_3.8.0.apks!base.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check, possible VM check, ro.kernel.qemu check
 |-> compiler : r8
[*] BonusFlaş_3.8.0.apks!base.apk!classes2.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, emulator file check, possible Build.SERIAL check, possible VM check, ro.kernel.qemu check, ro.product.device check
 |-> compiler : r8
[*] BonusFlaş_3.8.0.apks!base.apk!classes3.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.TAGS check, SIM operator check
 |-> compiler : r8
[*] BonusFlaş_3.8.0.apks!base.apk!classes4.dex
 |-> compiler : r8
[*] BonusFlaş_3.8.0.apks!split_config.arm64_v8a.apk!lib/arm64-v8a/libc8d5.so
 |-> obfuscator : DexGuard 9.x

Additional Info :

Running

strings libzcloud.so | grep -i zimperium

reveals 13000+ strings containing zimperium.

classes.dex contains 2500+ classes under the com.zimperium.* package name.

Official Website - https://www.zimperium.com/

enovella commented 1 year ago

Hi,

can you explain which product is this one? This company has so many SDKs.

apkunpacker commented 1 year ago

> Hi,
>
> can you explain which product is this one? This company has so many SDKs.

A quick look reveals it is specific to RASP; for example, libzcloud has a lot of anti-Frida code.

_ZN3zdd18frida_checkSocketsE
_ZN3zdd29frida_checkSuspiciousMappingsE
_ZN3zdd30frida_checkSuspiciousBacktraceE
frida_agent_main
Application hooked by Frida
LIBFRIDA

enovella commented 1 year ago
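
The indicators reported in the two comments above (com.zimperium.* classes in classes.dex, strings containing zimperium and the zdd::frida_check* symbols in libzcloud.so) can be turned into a small stand-alone checker. This is an added example, not APKiD code and not the reporter's: APKiD itself expresses detections as YARA rules, and a rule for this issue would encode the same strings. The function names, the thresholds in classify(), and the FAKE_DEX / FAKE_SO byte strings are assumptions constructed for the example; they are not the real samples from the links above.

```python
import re

# Magic bytes of the two containers the issue's indicators were found in.
DEX_MAGIC = b"dex\n"
ELF_MAGIC = b"\x7fELF"

# Indicators taken from the reports in this issue.
ZIMPERIUM_DESCRIPTOR = rb"Lcom/zimperium/[\w/$]+;"  # DEX class descriptors
ZIMPERIUM_MARKER = "zimperium"                      # strings | grep -i zimperium
FRIDA_SYMBOLS = {
    "_ZN3zdd18frida_checkSocketsE",
    "_ZN3zdd29frida_checkSuspiciousMappingsE",
    "_ZN3zdd30frida_checkSuspiciousBacktraceE",
}
FRIDA_PLAIN_STRINGS = {"frida_agent_main", "Application hooked by Frida", "LIBFRIDA"}


def extract_strings(data: bytes, minlen: int = 4) -> list:
    """Printable ASCII runs of at least minlen bytes, as strings(1) prints them."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def demangle_nested(name: str) -> str:
    """Demangle the _ZN<len><ident>...E subset of the Itanium C++ ABI (nested
    names of plain identifiers, no templates or parameter types), so that
    _ZN3zdd18frida_checkSocketsE reads as zdd::frida_checkSockets.
    Names outside that subset are returned unchanged."""
    if not (name.startswith("_ZN") and name.endswith("E")):
        return name
    body, parts, i = name[3:-1], [], 0
    while i < len(body):
        m = re.match(r"\d+", body[i:])
        if not m:
            return name
        n, i = int(m.group()), i + m.end()
        ident = body[i:i + n]
        if len(ident) != n:
            return name
        parts.append(ident)
        i += n
    return "::".join(parts) if parts else name


def scan_dex(data: bytes) -> dict:
    """Count com.zimperium.* class descriptors in a DEX. The search runs on raw
    bytes rather than extracted strings: each DEX string carries a ULEB128
    length prefix, which is itself printable for lengths 32..126 and would
    glue onto the front of a strings(1)-style extraction."""
    if not data.startswith(DEX_MAGIC):
        raise ValueError("not a DEX file")
    descriptors = [d.decode("ascii") for d in re.findall(ZIMPERIUM_DESCRIPTOR, data)]
    return {"zimperium_classes": len(descriptors), "examples": descriptors[:5]}


def scan_elf(data: bytes) -> dict:
    """Collect the native indicators: strings mentioning zimperium (case
    insensitive), the zdd::frida_check* symbols, and the plain Frida strings."""
    if not data.startswith(ELF_MAGIC):
        raise ValueError("not an ELF file")
    strs = extract_strings(data)
    return {
        "zimperium_strings": sum(1 for s in strs if ZIMPERIUM_MARKER in s.lower()),
        "frida_checks": [demangle_nested(s) for s in strs if s in FRIDA_SYMBOLS],
        "frida_strings": [s for s in strs if s in FRIDA_PLAIN_STRINGS],
    }


def classify(dex_result: dict, elf_result: dict) -> str:
    """Keep the Java SDK and the native RASP library as separate signals, the
    way a rule set has to, since either can ship without the other (assumed
    thresholds, not APKiD's)."""
    hits = []
    if dex_result["zimperium_classes"]:
        hits.append("Zimperium SDK (Java)")
    if elf_result["zimperium_strings"] and elf_result["frida_checks"]:
        hits.append("Zimperium RASP (native anti-Frida)")
    return ", ".join(hits) if hits else "no Zimperium indicators"


# Constructed stand-ins, not the real samples: a DEX header prefix followed by
# length-prefixed, NUL-terminated descriptors (the third has a printable 0x20
# length byte), and an ELF header prefix followed by NUL-separated names.
FAKE_DEX = (DEX_MAGIC + b"035\0" + b"\0" * 28
            + b"\x11Lcom/zimperium/a;\0"
            + b"\x13Lcom/zimperium/b/c;\0"
            + b"\x20Lcom/zimperium/zzz/FakeDetector;\0"
            + b"\x1aLcom/example/MainActivity;\0")
FAKE_SO = (ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9 + b"\0".join([
    b"_ZN3zdd18frida_checkSocketsE",
    b"_ZN3zdd29frida_checkSuspiciousMappingsE",
    b"_ZN3zdd30frida_checkSuspiciousBacktraceE",
    b"frida_agent_main",
    b"Application hooked by Frida",
    b"LIBFRIDA",
    b"zimperium",
    b"ZIMPERIUM",
]) + b"\0")
FAKE_CLEAN_SO = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9 + b"JNI_OnLoad\0"

if __name__ == "__main__":
    dex, so = scan_dex(FAKE_DEX), scan_elf(FAKE_SO)
    print(dex)
    print(so)
    print(classify(dex, so))
```

On a real APK, feed scan_dex() each classes*.dex and scan_elf() each lib/*/*.so after unzipping; the demangler only handles plain nested names, which is all the symbols quoted in this issue need, so anything with template or parameter encodings is left mangled rather than mis-read.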

Is this DexGuard 9.x (as seen in your log above) or custom code calling to this SDK? Do you have more samples?

apkunpacker commented 1 year ago

> Is this DexGuard 9.x (as seen in your log above) or custom code calling to this SDK? Do you have more samples?

Yeah, it's DexGuard 9.x with an additional Zimperium SDK. At the moment no more samples are available.

apkunpacker commented 1 year ago

Another sample for Zimperium: https://play.google.com/store/apps/details?id=com.chase.sig.android

enovella commented 6 months ago

> Hi, can you explain which product is this one? This company has so many SDKs.
>
> A quick look reveals it is specific to RASP; for example, libzcloud has a lot of anti-Frida code.
>
> _ZN3zdd18frida_checkSocketsE
> _ZN3zdd29frida_checkSuspiciousMappingsE
> _ZN3zdd30frida_checkSuspiciousBacktraceE
> frida_agent_main
> Application hooked by Frida
> LIBFRIDA

Do you have a sample with these strings?