rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

[DETECTION] Unknown "String2C" protection #392

Open ghost opened 3 months ago

ghost commented 3 months ago

Describe the protection

I discovered a really interesting "String2C" protection: all the strings from the smali get converted and encrypted into C++ (the liblzuvfr.so file). Possibly a custom VNGGames protection.

All strings get replaced with C0585.m5678([id]), which is the call into the native method.


In the lib, all symbols are stripped and obfuscated, so I barely find any interesting strings. However, I found the following strings, which indicate that the protection might be nicknamed bshield and that it was generated and compiled on a Linux server:

/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/Unwinder.cpp
/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/DwarfMemory.cpp
/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/

Sample Võ Hồn Đại Lục VNG 1.2.2: https://apkcombo.com/vo-hon-dai-luc-vng/vnggames.soulland.daula.reloaded/

1.1.7 did not have any protections

APKiD current results

Please provide current output from APKiD on this file. Include the APKiD header which provides the version, e.g. -

vm@vm-virtual-machine:~$ apkid '/home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk' 
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!assets/audience_network.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> compiler : unknown (please file detection issue!)
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes3.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.HARDWARE check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes5.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes6.dex
 |-> anti_vm : network operator name check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] /home/vm/Skrivebord/Võ Hồn Đại Lục VNG_1.2.2_apkcombo.com.xapk!vnggames.soulland.daula.reloaded.apk!classes7.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
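One way to triage a sample for the two indicators this issue reports, as an added example that is not part of APKiD's own rules: it extracts printable strings from the native library, flags the /Users/bshield/myagent/_work/ build path, and counts call sites of the native string resolver in smali. The smali descriptor `(I)Ljava/lang/String;`, the package `com/x`, and both sample inputs are constructed assumptions; the issue only shows the Java-level form C0585.m5678([id]).

```python
import re

# Indicators taken from the issue: the build-path strings found in liblzuvfr.so
# and the method that every string literal was replaced with.
BSHIELD_PATH_MARKER = b"/Users/bshield/myagent/_work/"
ELF_MAGIC = b"\x7fELF"
# Assumed smali form of C0585.m5678(id): a static int -> String method in any package.
STRING2C_CALL = re.compile(
    r"invoke-static \{v\d+\}, L(?:[\w$]+/)*C0585;->m5678\(I\)Ljava/lang/String;"
)


def printable_strings(data: bytes, min_len: int = 8):
    """Yield printable ASCII runs of at least min_len bytes, like `strings`."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group()


def scan_native_lib(data: bytes) -> dict:
    """Check an ELF blob for the bshield build-path marker strings."""
    hits = [s for s in printable_strings(data) if BSHIELD_PATH_MARKER in s]
    return {"is_elf": data[:4] == ELF_MAGIC, "bshield_paths": [h.decode() for h in hits]}


def count_string2c_calls(smali: str) -> int:
    """Count call sites of the native string resolver in decompiled smali."""
    return len(STRING2C_CALL.findall(smali))


def triage(lib: bytes, smali: str) -> dict:
    """Combine both indicators; the verdict needs the marker AND resolver calls."""
    result = scan_native_lib(lib)
    calls = count_string2c_calls(smali)
    verdict = result["is_elf"] and bool(result["bshield_paths"]) and calls > 0
    return {**result, "string2c_calls": calls, "likely_bshield_string2c": verdict}


# Constructed stand-ins for liblzuvfr.so and one decompiled smali method body.
SAMPLE_LIB = (
    ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9
    + b"/Users/bshield/myagent/_work/1/s/crashreport/libunwindstack-ndk/Unwinder.cpp\x00"
    + b"\x00" * 8
)
SAMPLE_SMALI = """\
    const v0, 0x1a
    invoke-static {v0}, Lcom/x/C0585;->m5678(I)Ljava/lang/String;
    move-result-object v1
    const v0, 0x1b
    invoke-static {v0}, Lcom/x/C0585;->m5678(I)Ljava/lang/String;
    move-result-object v2
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LIB, SAMPLE_SMALI))
```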

enovella commented 3 months ago

Hi @AndroidMaster24,

thanks a lot for the detailed ticket. Appreciate it.

Do you know if this bshield belongs to this website?

ghost commented 3 months ago

> Hi @AndroidMaster24,
>
> thanks a lot for the detailed ticket. Appreciate it.
>
> Do you know if this bshield belongs to this website?

Could be possible. Sadly, I could not find other samples with bshield yet.

ghost commented 3 months ago

What's up with the spam? Can't you block them, @rednaga?

strazzere commented 3 months ago

> What's up with the spam? Can't you block them, @rednaga?

Sadly, this is a GitHub problem with spam bots trying to spread malware using compromised accounts. Nothing we can really do outside of just deleting the comments.