rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

[DETECTION] Missed Kony Packer #354

Open apkunpacker opened 10 months ago

apkunpacker commented 10 months ago

File Link - https://play.google.com/store/apps/details?id=com.fss.indus
Version - 9.2.10.2
SHA256 - b607ec41ad0ee86ece745ed108137fb5733ccca7129225b6bb866d8c54dad8f8

APKiD Scan -

$ apkid 'IndusMobile_9.2.10.2_apks.apk'
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] IndusMobile_9.2.10.2_apks.apk!classes.dex
 |-> anti_disassembly : illegal class name
 |-> anti_vm : Build.BOARD check, Build.MANUFACTURER check, emulator file check, possible VM check, subscriber ID check
 |-> compiler : dexlib 2.x
[*] IndusMobile_9.2.10.2_apks.apk!classes10.dex
 |-> anti_disassembly : illegal class name
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] IndusMobile_9.2.10.2_apks.apk!classes11.dex
 |-> anti_disassembly : illegal class name
 |-> compiler : dexlib 2.x
[*] IndusMobile_9.2.10.2_apks.apk!classes2.dex
 |-> anti_disassembly : illegal class name
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, subscriber ID check
 |-> compiler : dexlib 2.x
[*] IndusMobile_9.2.10.2_apks.apk!classes3.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, device ID check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] IndusMobile_9.2.10.2_apks.apk!classes4.dex
 |-> anti_vm : Build.MANUFACTURER check, Build.TAGS check, network operator name check, possible ro.secure check
 |-> compiler : dexlib 2.x
[*] IndusMobile_9.2.10.2_apks.apk!classes5.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] IndusMobile_9.2.10.2_apks.apk!classes6.dex
 |-> anti_disassembly : illegal class name
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
[*] IndusMobile_9.2.10.2_apks.apk!classes7.dex
 |-> anti_disassembly : illegal class name
 |-> anti_vm : Build.MANUFACTURER check, Build.TAGS check, network operator name check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] IndusMobile_9.2.10.2_apks.apk!classes8.dex
 |-> anti_vm : Build.MANUFACTURER check, subscriber ID check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] IndusMobile_9.2.10.2_apks.apk!classes9.dex
 |-> anti_disassembly : illegal class name
 |-> anti_vm : Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] IndusMobile_9.2.10.2_apks.apk!lib/arm64-v8a/liboofphcaofdnc.so
 |-> packer : Promon Shield

Kony Packer should be detected, as

/lib/arm64-v8a/libkonyjsvm.so
/assets/application.properties

exist, but

/assets/js/startup.js

doesn't exist, which breaks the existing rule

rule kony : packer
{
  meta:
    description = "Kony"
    url = "http://www.kony.com/"

  strings:
    $lib = "libkonyjsvm.so"
    $decrypt_keys = "assets/application.properties"
    $encrypted_js = "assets/js/startup.js"

  condition:
    is_apk and $lib and $decrypt_keys and $encrypted_js
}
enovella commented 10 months ago

@apkunpacker do you think this rule would fix it? is_apk and $lib and ($decrypt_keys or $encrypted_js)?

apkunpacker commented 10 months ago

@apkunpacker do you think this rule would fix it? is_apk and $lib and ($decrypt_keys or $encrypted_js)?

yes
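The following is an added example, not code from the APKiD project or from either commenter. It models the quoted `kony` rule and the relaxed condition proposed in the thread as plain Python over a zip archive, so the difference between the two conditions can be checked against constructed samples without YARA installed. Assumptions: `is_apk` is simplified to "the zip contains AndroidManifest.xml" (APKiD's real `is_apk` is defined elsewhere in its rule set), and because a zip's local headers and central directory store entry names in plaintext, matching the rule's strings against the entry-name list stands in for YARA matching them anywhere in the file. The sample archives are constructed in memory and are not real apps.

```python
import io
import sys
import zipfile

# Indicator strings taken from the APKiD "kony" rule quoted in the issue.
KONY_LIB = "libkonyjsvm.so"
KONY_DECRYPT_KEYS = "assets/application.properties"
KONY_ENCRYPTED_JS = "assets/js/startup.js"


def build_sample_apk(entries):
    """Build an in-memory zip standing in for an APK (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def apk_indicators(apk_bytes):
    """Report which rule indicators are present in the archive.

    Assumption: matching against the entry-name list approximates YARA's
    file-wide string search, since zip entry names are stored unencrypted.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    blob = "\n".join(names)
    return {
        # Simplified stand-in for APKiD's is_apk (assumption).
        "is_apk": "AndroidManifest.xml" in names,
        "lib": KONY_LIB in blob,
        "decrypt_keys": KONY_DECRYPT_KEYS in blob,
        "encrypted_js": KONY_ENCRYPTED_JS in blob,
    }


def kony_rule_original(ind):
    """Condition from the rule quoted in the issue: all three strings required."""
    return ind["is_apk"] and ind["lib"] and ind["decrypt_keys"] and ind["encrypted_js"]


def kony_rule_proposed(ind):
    """Condition proposed in the thread: library plus either of the two asset paths."""
    return ind["is_apk"] and ind["lib"] and (ind["decrypt_keys"] or ind["encrypted_js"])


# Constructed samples. MISSED_SAMPLE mirrors the layout described in the report:
# the JS VM library and application.properties are present, startup.js is not.
MISSED_SAMPLE = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "lib/arm64-v8a/libkonyjsvm.so": b"\x7fELF-placeholder",
    "assets/application.properties": b"key=value",
})
FULL_SAMPLE = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "lib/arm64-v8a/libkonyjsvm.so": b"\x7fELF-placeholder",
    "assets/application.properties": b"key=value",
    "assets/js/startup.js": b"/* encrypted blob placeholder */",
})
NON_KONY_SAMPLE = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "assets/application.properties": b"key=value",
})


def evaluate_samples():
    """Return {sample_name: (original_verdict, proposed_verdict)} for the constructed samples."""
    results = {}
    for name, apk in (("missed", MISSED_SAMPLE), ("full", FULL_SAMPLE), ("non_kony", NON_KONY_SAMPLE)):
        ind = apk_indicators(apk)
        results[name] = (kony_rule_original(ind), kony_rule_proposed(ind))
    return results


if __name__ == "__main__":
    # With no arguments, show the constructed samples; otherwise check real APK paths given on the command line.
    if len(sys.argv) == 1:
        for name, (orig, proposed) in evaluate_samples().items():
            print(f"{name:9s} original={orig!s:5s} proposed={proposed}")
    else:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                ind = apk_indicators(f.read())
            print(f"{path}: original={kony_rule_original(ind)} proposed={kony_rule_proposed(ind)}")
```

Run without arguments to see that the sample matching the report is caught only by the proposed condition, while an archive lacking the library is rejected by both. The relaxed condition keeps `$lib` mandatory, so the detection still hinges on the Kony JS VM library rather than on an asset path alone; a path to a real APK can be passed as an argument to evaluate it the same way.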