rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

[DETECTION] Add Naga Reinforcement #380

Open vanshsantoshi opened 10 months ago

vanshsantoshi commented 10 months ago

Sample:

https://data.tdx.com.cn/www/tdx-android-publish/apks/tdx_gphone_5.102_1_tdxrelease.apk

Issue:

The app is protected by Naga Reinforcement (娜迦加固, https://www.nagain.com/). The original dex of the app is dynamically loaded by the protector.

MT Manager reported the above protection as in place after I opened the sample in it, but APKiD doesn't detect it.

APKiD Output:

vansh@Vansh:~$ apkid com.tdx.AndroidNew.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] com.tdx.AndroidNew.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, device ID check, emulator file check, network interface name check, network operator name check, possible Build.SERIAL check, possible VM check, possible ro.secure check, ro.kernel.qemu check, ro.product.device check, subscriber ID check
 |-> compiler : dx
vansh@Vansh:~$

Additional Information and notes:

The protection library is libxloader.so. The protection label in MT Manager doesn't disappear if you delete libxloader.so from the APK, but it does disappear when you delete the dex, suggesting that the MT Manager rules check for the dex rather than the library.

Probably the same thing as #31.
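The experiment above (delete the native loader, the label stays; delete the dex, the label goes) is the difference between a library-name heuristic and a dex-content heuristic. The script below reproduces both over a constructed stand-in APK so the two behaviours can be compared side by side. It is an added example written for this page, not code from the issue, from APKiD or from MT Manager. Assumptions: the APK is treated as a plain ZIP, the native library name `libxloader.so` comes from the report above, and the dex is assumed to contain the string `xloader` (as it would if the stub calls `System.loadLibrary("xloader")`); the dex and ELF bytes are placeholders, not real sample content.

```python
import io
import zipfile

# Name of the native loader library reported in the issue.
LOADER_LIB = "libxloader.so"
# Assumption: a loader stub references the library name from Java code,
# so the bare name shows up as a string inside the DEX.
LOADER_DEX_STRING = b"xloader"


def build_sample_apk(with_loader_lib=True, with_dex=True):
    """Construct a minimal APK-like ZIP for testing the two heuristics.

    The entries mirror the layout of a real APK (classes*.dex plus
    lib/<abi>/*.so); the byte contents are placeholders, not real data.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        if with_dex:
            # Placeholder dex body that carries the assumed loader string.
            z.writestr("classes.dex", b"dex\n035\0...xloader...")
        if with_loader_lib:
            for abi in ("armeabi-v7a", "arm64-v8a"):
                z.writestr(f"lib/{abi}/{LOADER_LIB}", b"\x7fELF placeholder")
    return buf.getvalue()


def inspect_apk(apk_bytes):
    """Run a library-name check and a dex-string check over one APK.

    Returns the evidence each heuristic found, so a caller can see
    which rule would still fire after an entry is stripped.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        lib_hits = sorted(
            n for n in names
            if n.startswith("lib/") and n.endswith("/" + LOADER_LIB)
        )
        dex_names = sorted(
            n for n in names if n.startswith("classes") and n.endswith(".dex")
        )
        # Dex rule: the loader name is referenced from bytecode strings.
        dex_hits = [n for n in dex_names if LOADER_DEX_STRING in z.read(n)]
    return {
        "loader_lib_abis": [n.split("/")[1] for n in lib_hits],
        "dex_files": dex_names,
        "dex_with_loader_string": dex_hits,
        "lib_rule": bool(lib_hits),
        "dex_rule": bool(dex_hits),
    }


if __name__ == "__main__":
    variants = {
        "intact": build_sample_apk(),
        "loader lib removed": build_sample_apk(with_loader_lib=False),
        "dex removed": build_sample_apk(with_dex=False),
    }
    for label, apk in variants.items():
        r = inspect_apk(apk)
        print(f"{label:20s} lib_rule={r['lib_rule']} dex_rule={r['dex_rule']} "
              f"abis={r['loader_lib_abis']}")
```

Running it prints one line per variant: only the dex rule survives removing the `.so`, and only the library rule survives removing the dex, which is the behaviour the report attributes to MT Manager. A detection for APKiD that anchors on the dex side would need the real strings or class names from the sample's loader stub, which this example does not have.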

enovella commented 10 months ago

The rule name of #31 is incorrect and it should match Nagain.

(image attachment)