rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

[DETECTION] Add Korean app shielding products #339

Closed dustty0 closed 1 year ago

dustty0 commented 1 year ago

Below are some Korean app shielding products usually found in Korean financial apps. Most of them share similar functionality such as obfuscation, dex encryption, anti-root, anti-emulator, anti-debugger and anti-frida. The attached example Yara rules are categorized as packer since similar products are found in packers.yara (AppGuard, DxShield, AppSuit).

Secusen AppIron (http://www.secucen.com/app/view/fintech/appIron) https://apkcombo.com/jb우리캐피탈-다이렉트/com.wooricap.jbmobiledirect/ d4f4a24ce6350bc4e23e2170da5b217dd65161aba5eca775d75514e9cdac4d59

APKiD Scan

[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] apks/JB_1.3.8_apkcombo.com.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check, subscriber ID check
 |-> compiler : r8

Additional Info

/lib/ARCH/libAppIron-jni-vX.Y.Z.so

package com.barun.appiron.android inside dex

Yara Rule

rule appiron : packer
{
    meta:
        description = "AppIron"
        url = "http://www.secucen.com/app/view/fintech/appIron"
        sample = "d4f4a24ce6350bc4e23e2170da5b217dd65161aba5eca775d75514e9cdac4d59"

    strings:
        $lib = /lib\/arm64-v8a\/libAppIron-jni_v(.*)/

    condition:
        is_apk and ($lib)
}

Ahope AppShield (http://www.ahope.net/sub/app-shields/) https://apkcombo.com/kb-pay/com.kbcard.cxh.appcard/ 42a4d907caf625ff73d5b6fbbf32b59ba14d6d5a72f28b81bdc76c47db516122

APKiD Scan

[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] apks/KBPay_5.2.8_apkcombo.com.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, possible Build.SERIAL check
 |-> compiler : dexlib 1.x
 |-> obfuscator : DexGuard
[*] apks/KBPay_5.2.8_apkcombo.com.apk!classes10.dex
 |-> compiler : dexlib 1.x
[*] apks/KBPay_5.2.8_apkcombo.com.apk!classes2.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check
 |-> compiler : dexlib 1.x
 |-> obfuscator : DexGuard
[*] apks/KBPay_5.2.8_apkcombo.com.apk!classes3.dex
 |-> anti_vm : Build.BRAND check, Build.DEVICE check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check
 |-> compiler : dexlib 1.x
[*] apks/KBPay_5.2.8_apkcombo.com.apk!classes4.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check, possible VM check
 |-> compiler : dexlib 1.x
[*] apks/KBPay_5.2.8_apkcombo.com.apk!classes5.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.HARDWARE check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 1.x
 |-> obfuscator : unreadable field names
[*] apks/KBPay_5.2.8_apkcombo.com.apk!classes6.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 1.x
[*] apks/KBPay_5.2.8_apkcombo.com.apk!classes7.dex
 |-> anti_vm : Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 1.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] apks/KBPay_5.2.8_apkcombo.com.apk!classes8.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check, possible Build.SERIAL check, possible VM check, subscriber ID check
 |-> compiler : dexlib 1.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] apks/KBPay_5.2.8_apkcombo.com.apk!classes9.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 1.x
 |-> obfuscator : DexGuard

Additional Info

/lib/ARCH/libahope.so
/lib/ARCH/libahope_c.so
/lib/ARCH/libahope_n.so
/lib/ARCH/libahope_o.so

I didn't look into the presence of the _c, _n, _o files in other samples, so they may vary per app.

Yara Rule

rule appshield : packer
{
    meta:
        description = "AppShield"
        url = "http://www.ahope.net/sub/app-shields/"
        sample = "42a4d907caf625ff73d5b6fbbf32b59ba14d6d5a72f28b81bdc76c47db516122"

    strings:
        $lib = /lib\/arm64-v8a\/libahope(.*)/

    condition:
        is_apk and ($lib)
}

Everspin Eversafe (https://everspin.global/products/solutions/eversafe-mobile) https://apkcombo.com/nh스마트뱅킹/nh.smart.banking/ 00dbb346f3ae0540620eb120ccf00a65af81a07baed5adfdcd2fc620a33ed298

APKiD Scan

[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] apks/NH_2.8.2_apkcombo.com.apk
 |-> anti_vm : possible VM check
[*] apks/NH_2.8.2_apkcombo.com.apk!classes3.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 2.x
[*] apks/NH_2.8.2_apkcombo.com.apk!classes2.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] apks/NH_2.8.2_apkcombo.com.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, SIM operator check, network operator name check, possible VM check, subscriber ID check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] apks/NH_2.8.2_apkcombo.com.apk!classes5.dex
 |-> compiler : dexlib 2.x
[*] apks/NH_2.8.2_apkcombo.com.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names

Additional Info

/assets/eversafe/

Yara Rule

rule eversafe : packer
{
    meta:
        description = "EverSafe"
        url = "https://everspin.global/products/solutions/eversafe-mobile"
        sample = "00dbb346f3ae0540620eb120ccf00a65af81a07baed5adfdcd2fc620a33ed298"

    strings:
        $asset = /assets\/eversafe/

    condition:
        is_apk and ($asset)
}

AppCamo (http://appcamo.com/s2/s2_1.php) https://apkcombo.com/당신의-u-고객센터/com.lguplus.mobile.cs/ b8bf8e44eff2f4557f050d19534624dc3df5053f7793eb409b98c18c475d969b

APKiD Scan

[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] apks/유플러스고객센터_6.0.26_apkcombo.com.apk
 |-> anti_vm : emulator file check
[*] apks/유플러스고객센터_6.0.26_apkcombo.com.apk!lib/armeabi-v7a/libalib.so
 |-> anti_vm : emulator file check
[*] apks/유플러스고객센터_6.0.26_apkcombo.com.apk!lib/arm64-v8a/libalib.so
 |-> anti_vm : emulator file check
[*] apks/유플러스고객센터_6.0.26_apkcombo.com.apk!classes2.dex
 |-> anti_vm : Build.MANUFACTURER check, SIM operator check, possible VM check
 |-> compiler : unknown (please file detection issue!)
[*] apks/유플러스고객센터_6.0.26_apkcombo.com.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, possible VM check
 |-> compiler : unknown (please file detection issue!)
[*] apks/유플러스고객센터_6.0.26_apkcombo.com.apk!classes.dex
 |-> anti_vm : Build.MANUFACTURER check, SIM operator check, network operator name check, subscriber ID check
 |-> compiler : unknown (please file detection issue!)
[*] apks/유플러스고객센터_6.0.26_apkcombo.com.apk!classes5.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.TAGS check, network operator name check, possible VM check
 |-> compiler : unknown (please file detection issue!)
[*] apks/유플러스고객센터_6.0.26_apkcombo.com.apk!classes3.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.TAGS check, possible Build.SERIAL check, possible VM check, possible ro.secure check
 |-> compiler : unknown (please file detection issue!)

Additional Info

/lib/ARCH/libalib.so

The AppCamo logo PNG file is located at assets/<some hex string directory>/<some hex string>.png (the hex string differs per sample).

Yara Rule

rule appcamo : packer
{
    meta:
        description = "AppCamo"
        url = "http://appcamo.com/s2/s2_1.php"
        sample = "b8bf8e44eff2f4557f050d19534624dc3df5053f7793eb409b98c18c475d969b"

    strings:
        $lib = /lib\/arm64-v8a\/libalib(.*)/

    condition:
        is_apk and ($lib)
}

NSHC DxShield: sometimes samples with DxShield applied lack the $res file. https://apkcombo.com/미래에셋증권-m-stock/com.miraeasset.trade/

rule dxshield2 : packer
{
  meta:
    description = "DxShield"
    url = "http://www.nshc.net/wp/portfolio-item/dxshield_eng/"
    sample = "6d590770711c75b0ef5fcf7f7ef07a23efdd9fff81b95033155e021f5740ccdc"

  strings:
    $decryptlib = "libdxbase.so"

  condition:
    is_apk and ($decryptlib)
}

enovella commented 1 year ago

Hi @dustty0,

Many thanks for all the INTEL provided. It's excellent. I can see you even provided the Yara rule for every packer/protector you were naming. Would you like to open individual pull-requests for these? Or did you just want to share it with us so we can integrate them into APKiD? At the moment, I am AFK for the next few days, so I won't be able to take a look at it.

Best, Edu

dustty0 commented 1 year ago

Hello, @enovella

I just wanted to share the info and hope to see these detected in a future release of the project. Please let me know if any of the rules are wrong or additional samples are required.

Thanks in advance.

dustty0 commented 1 year ago

I accidentally (...) closed the issue and am re-opening it.

enovella commented 1 year ago

Okay, we'll add them in the next release under your nickname. Thank you so much!

dustty0 commented 1 year ago

@enovella Apparently there is another variant of AppIron. https://apkcombo.com/신용회복위원회/kr.or.ccrs.cyber/ 6625c942b0434289c533e52c7baef65ffacf867c4b1d2e6acb16fe1aed09e0e3


APKiD Scan

[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] ./신용회복위원회_1.2.6_apkcombo.com.apk!classes.dex
 |-> anti_vm : Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible ro.secure check
 |-> compiler : r8
[*] ./신용회복위원회_1.2.6_apkcombo.com.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, possible Build.SERIAL check
 |-> compiler : r8 without marker (suspicious)

Additional Info

/lib/ARCH/libAppIronExpress_vX.Y.Z.so
package com.secucen.appironexpress inside dex

enovella commented 1 year ago

The rule matched your second AppIron sample.

$ apkid 6625c942b0434289c533e52c7baef65ffacf867c4b1d2e6acb16fe1aed09e0e3.apk
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] 6625c942b0434289c533e52c7baef65ffacf867c4b1d2e6acb16fe1aed09e0e3.apk
 |-> packer : Secucen AppIron
[*] 6625c942b0434289c533e52c7baef65ffacf867c4b1d2e6acb16fe1aed09e0e3.apk!classes.dex
 |-> anti_vm : Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible ro.secure check
 |-> compiler : r8
[*] 6625c942b0434289c533e52c7baef65ffacf867c4b1d2e6acb16fe1aed09e0e3.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, possible Build.SERIAL check
 |-> compiler : r8 without marker (suspicious)

Fixed the DEX rule a bit, and now it looks like:

$ apkid 6625c942b0434289c533e52c7baef65ffacf867c4b1d2e6acb16fe1aed09e0e3.apk
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] 6625c942b0434289c533e52c7baef65ffacf867c4b1d2e6acb16fe1aed09e0e3.apk
 |-> packer : Secucen AppIron
[*] 6625c942b0434289c533e52c7baef65ffacf867c4b1d2e6acb16fe1aed09e0e3.apk!classes.dex
 |-> anti_vm : Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible ro.secure check
 |-> compiler : r8
 |-> protector : Secucen AppIron
[*] 6625c942b0434289c533e52c7baef65ffacf867c4b1d2e6acb16fe1aed09e0e3.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, possible Build.SERIAL check
 |-> compiler : r8 without marker (suspicious)
 |-> protector : Secucen AppIron

enovella commented 1 year ago

@dustty0 Why do you think that Ahope AppShield is a packer?

dustty0 commented 1 year ago

@enovella I just labeled them as a packer because similar / competing Korean products were classified as packers. (I really didn't dig deep enough to find out whether each product actually has dex encryption features.)

enovella commented 1 year ago

Here we go:

$ apkid 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, possible Build.SERIAL check
 |-> compiler : dexlib 1.x
 |-> obfuscator : DexGuard
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes10.dex
 |-> anti_vm : possible VM check
 |-> compiler : dexlib 1.x
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes2.dex
 |-> anti_vm : network operator name check
 |-> compiler : dexlib 1.x
 |-> obfuscator : DexGuard
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes3.dex
 |-> anti_vm : Build.BRAND check, Build.DEVICE check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check
 |-> compiler : dexlib 1.x
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes4.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check, possible VM check
 |-> compiler : dexlib 1.x
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes5.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 1.x
 |-> obfuscator : unreadable field names
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes6.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 1.x
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes7.dex
 |-> anti_vm : Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 1.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes8.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible Build.SERIAL check, possible VM check, subscriber ID check
 |-> compiler : dexlib 1.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!classes9.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
 |-> compiler : dexlib 1.x
 |-> obfuscator : DexGuard
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/arm64-v8a/libahope.so
 |-> anti_hook : syscalls
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/arm64-v8a/libahope_c.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/arm64-v8a/libahope_n.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/arm64-v8a/libahope_o.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/armeabi-v7a/libahope.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/armeabi-v7a/libahope_c.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/armeabi-v7a/libahope_n.so
 |-> protector : Ahope AppShield
[*] 401828f3434d8f53b8fecba7962d970c2c52f1a81d993c1f0c87e3574c3e35b3.apk!lib/armeabi-v7a/libahope_o.so
 |-> protector : Ahope AppShield

enovella commented 1 year ago

$ apkid da1226061e519d7fd6c38876f5f3fa0ed2e51360b1af332e02fbd51e5ffae109.apk
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] da1226061e519d7fd6c38876f5f3fa0ed2e51360b1af332e02fbd51e5ffae109.apk
 |-> anti_vm : possible VM check
 |-> packer : Eversafe
[*] da1226061e519d7fd6c38876f5f3fa0ed2e51360b1af332e02fbd51e5ffae109.apk!classes3.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 2.x
[*] da1226061e519d7fd6c38876f5f3fa0ed2e51360b1af332e02fbd51e5ffae109.apk!classes2.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] da1226061e519d7fd6c38876f5f3fa0ed2e51360b1af332e02fbd51e5ffae109.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, SIM operator check, network operator name check, possible VM check, subscriber ID check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] da1226061e519d7fd6c38876f5f3fa0ed2e51360b1af332e02fbd51e5ffae109.apk!lib/arm64-v8a/libeversafe.so
 |-> anti_hook : syscalls
 |-> packer : Eversafe
[*] da1226061e519d7fd6c38876f5f3fa0ed2e51360b1af332e02fbd51e5ffae109.apk!lib/arm64-v8a/lib54750013000100010000000000000016.so
 |-> anti_hook : syscalls
 |-> protector : InsideSecure Verimatrix
[*] da1226061e519d7fd6c38876f5f3fa0ed2e51360b1af332e02fbd51e5ffae109.apk!lib/armeabi/libeversafe.so
 |-> packer : Eversafe
[*] da1226061e519d7fd6c38876f5f3fa0ed2e51360b1af332e02fbd51e5ffae109.apk!classes5.dex
 |-> compiler : dexlib 2.x
[*] da1226061e519d7fd6c38876f5f3fa0ed2e51360b1af332e02fbd51e5ffae109.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names

enovella commented 1 year ago

@dustty0 Do you have more AppCamo samples? Thanks in advance!

enovella commented 1 year ago

$ apkid 7e298af83a1b8e06242519526414189e733fb071ad56d7612fefcafcea27bbef.apk
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] 7e298af83a1b8e06242519526414189e733fb071ad56d7612fefcafcea27bbef.apk
 |-> anti_vm : emulator file check
 |-> packer : AppCamo
[*] 7e298af83a1b8e06242519526414189e733fb071ad56d7612fefcafcea27bbef.apk!lib/armeabi-v7a/libalib.so
 |-> anti_vm : emulator file check
[*] 7e298af83a1b8e06242519526414189e733fb071ad56d7612fefcafcea27bbef.apk!lib/arm64-v8a/libalib.so
 |-> anti_hook : syscalls
 |-> anti_vm : emulator file check
[*] 7e298af83a1b8e06242519526414189e733fb071ad56d7612fefcafcea27bbef.apk!classes2.dex
 |-> anti_vm : Build.MANUFACTURER check, SIM operator check, possible VM check
 |-> compiler : unknown (please file detection issue!)
[*] 7e298af83a1b8e06242519526414189e733fb071ad56d7612fefcafcea27bbef.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check
 |-> compiler : unknown (please file detection issue!)
[*] 7e298af83a1b8e06242519526414189e733fb071ad56d7612fefcafcea27bbef.apk!classes.dex
 |-> anti_vm : Build.MANUFACTURER check, SIM operator check, network operator name check, subscriber ID check
 |-> compiler : unknown (please file detection issue!)
[*] 7e298af83a1b8e06242519526414189e733fb071ad56d7612fefcafcea27bbef.apk!classes5.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.TAGS check, possible VM check
 |-> compiler : unknown (please file detection issue!)
[*] 7e298af83a1b8e06242519526414189e733fb071ad56d7612fefcafcea27bbef.apk!classes3.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.TAGS check, possible Build.SERIAL check, possible VM check, possible ro.secure check
 |-> compiler : unknown (please file detection issue!)

dustty0 commented 1 year ago

https://apkcombo.com/t-청소년안심팩-자녀용/kr.co.safet.sk/ 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e

https://apkcombo.com/t-청소년유해차단/com.skt.thug.hazard/ 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55

@enovella

dustty0 commented 1 year ago

Can we consider the anti-virus solution with features like dex dynamic loading, anti-root and integrity check as a protector? (https://www.vguard.co.kr)

enovella commented 1 year ago

> Can we consider the anti-virus solution with features like dex dynamic loading, anti-root and integrity check as a protector? (https://www.vguard.co.kr)

Are there more apps using the same protections? Or only this brand?

dustty0 commented 1 year ago

> Are there more apps using the same protections? Or only this brand?

There are multiple apps.

https://apkcombo.com/mypds-나의금융생활/kr.or.mydatacenter.pds/ https://apkcombo.com/뱅크페이-금융기관-공동-계좌이체-결제-제로페이/com.kftc.bankpay.android/ https://apkcombo.com/어카운트인포-계좌정보통합관리/com.kftc.payinfo.android/

I tried to write a complete Yara rule for both APK and DEX this time - may I open a PR for this one if it works fine?

rule vguard : protector
{
  meta:
    description = "VGuard"
    url         = "https://www.vguard.co.kr"
    sample      = "7024bdadb53cbec86a39de845108b182ed2f7b3f0e7c0b876a948e1532ec5b9f"
    author      = ""

  strings:
    $lib    = /lib\/(x86\_64|armeabi\-v7a|arm64\-v8a|x86)\/libedex\.so/
    $asset1 = /assets\/dexsky\.(d|e)b(a|b|x|y)/
    $asset2 = /assets\/dexsky\.ini/
    $asset3 = /assets\/dex[a-z0-9]{3}\.zip/
    $asset4 = /assets\/vguard\.(key|enginehash)/

  condition:
    is_apk and any of them
}
rule vguard : protector
{
  meta:
    description = "VGuard"
    url         = "https://www.vguard.co.kr"
    sample      = "7024bdadb53cbec86a39de845108b182ed2f7b3f0e7c0b876a948e1532ec5b9f"
    author      = ""

  strings:
    $pkg = {
           4c6b 722f 636f 2f73 646b 2f76 6775 6172 6432 // Lkr/co/sdk/vguard2
    }

  condition:
    is_dex and any of them
}

enovella commented 1 year ago

> Are there more apps using the same protections? Or only this brand?
>
> There are multiple apps.
>
> https://apkcombo.com/mypds-나의금융생활/kr.or.mydatacenter.pds/ https://apkcombo.com/뱅크페이-금융기관-공동-계좌이체-결제-제로페이/com.kftc.bankpay.android/ https://apkcombo.com/어카운트인포-계좌정보통합관리/com.kftc.payinfo.android/
>
> I tried to write a complete Yara rule for both APK and DEX this time - may I open a PR for this one if it works fine?
>
> rule vguard : protector
> {
>   meta:
>     description = "VGuard"
>     url         = "https://www.vguard.co.kr"
>     sample      = "7024bdadb53cbec86a39de845108b182ed2f7b3f0e7c0b876a948e1532ec5b9f"
>     author      = ""
>
>   strings:
>     $lib    = /lib\/(x86\_64|armeabi\-v7a|arm64\-v8a|x86)\/libedex\.so/
>     $asset1 = /assets\/dexsky\.(d|e)b(a|b|x|y)/
>     $asset2 = /assets\/dexsky\.ini/
>     $asset3 = /assets\/dex[a-z0-9]{3}\.zip/
>     $asset4 = /assets\/vguard\.(key|enginehash)/
>
>   condition:
>     is_apk and any of them
> }
> rule vguard : protector
> {
>   meta:
>     description = "VGuard"
>     url         = "https://www.vguard.co.kr"
>     sample      = "7024bdadb53cbec86a39de845108b182ed2f7b3f0e7c0b876a948e1532ec5b9f"
>     author      = ""
>
>   strings:
>     $pkg = {
>            4c6b 722f 636f 2f73 646b 2f76 6775 6172 6432 // Lkr/co/sdk/vguard2
>     }
>
>   condition:
>     is_dex and any of them
> }

Could you please open a pull-request with these rules? Many thanks

enovella commented 1 year ago

@dustty0

How do you suggest fixing this DxShield rule? https://github.com/rednaga/APKiD/blob/master/apkid/rules/apk/packers.yara#L96

What about using or?

rule dxshield : packer
{
  meta:
    description = "DxShield"
    url = "http://www.nshc.net/wp/portfolio-item/dxshield_eng/"

  strings:
    $decryptlib = "libdxbase.so"
    $res = "assets/DXINFO.XML"

  condition:
    is_apk and ($decryptlib or $res)
}
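As an added worked example (not APKiD's own code and not posted by anyone in this thread), the Python below re-implements the zip-entry-name matching behind the Yara rules above, so the `is_apk and ($lib)` style rules from the opening post, the `or` variant proposed here for DxShield, and the hex string from the VGuard DEX rule can be exercised offline on constructed APKs. The regexes are copied from the rules in this thread; the function names (`classify_apk`, `classify_dex`, `build_apk`, `run_samples`), the manifest-based stand-in for `is_apk`, the `dex\n` magic check standing in for `is_dex`, and the sample entry lists are assumptions made for this example.

```python
"""Added example, not APKiD's own code: a small re-implementation of the
zip-entry-name logic behind the Yara rules in this thread, runnable offline.

The regexes are the ones from the rules above.  Everything else here is an
assumption made for the example: the function names, using a manifest entry
to stand in for APKiD's is_apk, using the dex magic to stand in for is_dex,
and the constructed sample entry lists.
"""
import io
import re
import zipfile

# Entry-name patterns lifted from the rules posted in this thread.  A product
# fires when ANY of its patterns matches, which is the `any of them` /
# `$decryptlib or $res` semantics proposed for DxShield.
APK_PATTERNS = {
    "Secucen AppIron": [r"lib/arm64-v8a/libAppIron-jni_v"],
    "Ahope AppShield": [r"lib/arm64-v8a/libahope"],
    "Eversafe": [r"assets/eversafe"],
    "AppCamo": [r"lib/arm64-v8a/libalib"],
    # 'or' form of the DxShield rule: some samples lack assets/DXINFO.XML
    "DxShield": [r"libdxbase\.so", r"assets/DXINFO\.XML"],
    "VGuard": [
        r"lib/(x86_64|armeabi-v7a|arm64-v8a|x86)/libedex\.so",
        r"assets/dexsky\.(d|e)b(a|b|x|y)",
        r"assets/dexsky\.ini",
        r"assets/dex[a-z0-9]{3}\.zip",
        r"assets/vguard\.(key|enginehash)",
    ],
}

# The hex string from the VGuard DEX rule; decoded it is the type descriptor
# prefix "Lkr/co/sdk/vguard2", which is what the rule is really looking for.
VGUARD_DEX_PATTERN = bytes.fromhex("4c6b 722f 636f 2f73 646b 2f76 6775 6172 6432")


def is_apk(names):
    """Stand-in for APKiD's is_apk (assumption): require a manifest entry."""
    return "AndroidManifest.xml" in names


def classify_apk(apk_bytes):
    """Return [(product, [patterns that matched])] for one APK's entry names.

    Yara scans the raw zip, where entry names sit as plain text in the local
    and central directory headers; searching the name list is the same check.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    if not is_apk(names):
        return []
    hits = []
    for product, patterns in APK_PATTERNS.items():
        matched = [p for p in patterns if any(re.search(p, n) for n in names)]
        if matched:
            hits.append((product, matched))
    return hits


def classify_dex(dex_bytes):
    """Stand-in for the DEX-side rule: is_dex approximated by the dex magic."""
    if not dex_bytes.startswith(b"dex\n"):
        return []
    return ["VGuard"] if VGUARD_DEX_PATTERN in dex_bytes else []


def build_apk(entry_names):
    """Build a constructed in-memory APK (zip) with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"\x00")  # dummy content; only the names matter
    return buf.getvalue()


# Constructed samples mirroring the entry layouts reported in the thread.
SAMPLES = {
    "appshield_like": ["AndroidManifest.xml", "classes.dex",
                       "lib/arm64-v8a/libahope.so", "lib/arm64-v8a/libahope_c.so"],
    "dxshield_no_res": ["AndroidManifest.xml", "classes.dex",
                        "lib/arm64-v8a/libdxbase.so"],  # no assets/DXINFO.XML
    "plain": ["AndroidManifest.xml", "classes.dex", "lib/arm64-v8a/libfoo.so"],
    "not_apk": ["readme.txt", "lib/arm64-v8a/libahope.so"],  # no manifest
}


def run_samples():
    """Classify every constructed sample; returns {sample_name: hits}."""
    return {name: classify_apk(build_apk(entries)) for name, entries in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name}: {hits or 'no protector matched'}")
    # Constructed DEX-like buffer containing the VGuard package descriptor.
    print("dex:", classify_dex(b"dex\n035\x00...Lkr/co/sdk/vguard2/Foo;..."))
```

The `dxshield_no_res` sample is the case raised in this thread: with the original `and` condition it would not fire because `assets/DXINFO.XML` is absent, while the `or` form still matches on `libdxbase.so`. Since every product here is keyed on file names alone, a sample that renames its native library or assets slips past; the DEX-side descriptor check is the sturdier companion signal, which is why the VGuard rule pairs an APK rule with a DEX rule.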

enovella commented 1 year ago

> https://apkcombo.com/t-청소년안심팩-자녀용/kr.co.safet.sk/ 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e
>
> https://apkcombo.com/t-청소년유해차단/com.skt.thug.hazard/ 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55
>
> @enovella

Is this okay?

$ apkid 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55
 |-> packer : AppCamo
[*] 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55!lib/mips64/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55!lib/x86_64/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55!lib/x86/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55!lib/armeabi-v7a/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55!lib/armeabi/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55!lib/mips/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55!lib/arm64-v8a/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 5cd428d0b326870367502ee7bff865333d07a27bf69eed57d6d82971a3e0ae55!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check
 |-> compiler : unknown (please file detection issue!)

$ apkid 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e
 |-> anti_vm : emulator file check
 |-> packer : AppCamo
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e!lib/mips64/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e!lib/x86_64/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e!lib/x86/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e!lib/armeabi-v7a/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e!lib/armeabi/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e!lib/mips/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e!lib/arm64-v8a/libalib.so
 |-> anti_vm : emulator file check
 |-> protector : AppCamo
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e!classes3.dex
 |-> anti_vm : possible VM check
 |-> compiler : unknown (please file detection issue!)
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check
 |-> compiler : unknown (please file detection issue!)
[*] 1cb90a9c2cb42949bc1666a9146ee62d17bc52575714a203927ee7df7321a84e!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, network operator name check
 |-> compiler : unknown (please file detection issue!)

dustty0 commented 1 year ago

@enovella Using or seems good for me.

enovella commented 1 year ago

> @enovella Using or seems good for me.

$ apkid M-STOCK_7.2.6_apkcombo.com.apk
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] M-STOCK_7.2.6_apkcombo.com.apk
 |-> packer : DxShield
[*] M-STOCK_7.2.6_apkcombo.com.apk!assets/.b636b13923f10a0d61c75ca1896216f1.dex
 |-> anti_disassembly : non-zero link offset, non-zero link size
 |-> compiler : unknown (please file detection issue!)
[*] M-STOCK_7.2.6_apkcombo.com.apk!classes.dex
 |-> anti_vm : Build.BOARD check, Build.BRAND check, Build.DEVICE check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, possible VM check
 |-> compiler : dexlib 2.x
[*] M-STOCK_7.2.6_apkcombo.com.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check, subscriber ID check
 |-> compiler : dexlib 2.x
[*] M-STOCK_7.2.6_apkcombo.com.apk!classes3.dex
 |-> anti_vm : Build.FINGERPRINT check, SIM operator check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable method names

enovella commented 1 year ago

Many thanks @dustty0 ! It was fantastic to include all these packers before the next release for BlackHat USA 2023 🎉 https://www.blackhat.com/us-23/arsenal/schedule/#apkid-fast-identification-of-mobile-rasp-sdks-32577

Please re-open this ticket if you encounter issues.