enovella
commented
4 years ago Any sample APK to help you with the reversing?
Closed jameshilliard closed 4 years ago
enovella
commented
4 years ago Any sample APK to help you with the reversing?
jameshilliard
commented
4 years ago This app uses it.
jawz101
commented
4 years ago I imagine XPrivacyLUA could disable the ability to detect it. Or Android 11
androidacy-user
commented
4 years ago I imagine XPrivacyLUA could disable the ability to detect it. Or Android 11
Has anyone tried downloading the shell hooks and using those I'm combination with tracking and identifiers hooks? Might be a stopgap solution unless it checks for memory integrity
jawz101
commented
4 years ago there are also a few other community rules that may help as well. Some mention restricting an app from using certain cat commands
topjohnwu
commented
4 years ago Thanks for the details, but if hidden correctly, none of the files you mentioned can be detected. It might use some other known methods to detect Magisk, I'll "eventually" add them some time. Thanks for the report!
bengalih
commented
4 years ago Curious if there has been any movement on this.? Zimperium and zAnti are becoming more prevalent. I've personally been having problems with the Chase Mobile App. What is interesting is that it appears to take a few moments to perform it's checking when the app is first launched. I have about 5-8 seconds to open up a "protected" activity. After that I will get a message that the device is rooted.
bengalih
commented
3 years ago Just checking in to see if anyone else in the community is working on this? I last attempted while still on 10 using all known methods of obfuscating Magisk root (hide, repackage, etc.). I tried multiple hooks from XPrivacyLua and had no success. I believe some of my tests were skewed because of the delay that Zimperium has when launching an app on first run. There appears to be approximately 10 seconds (give or take) before it can detect and block and therefore all protected activities will be available until it has initialized. My testing app was Chase Mobile - and it is possible (even likely) that other apps delay startup until full scanning is done. With Chase however you can access the protected activities before scanning is complete. Due to this I believe I had some false positives when trying to bypass Zimperium. However I don't believe I found any method of hiding/obfuscating root, or blocking access via hooks that worked to foil the detection. We can only hope that Zimperium is too cost prohibitive for more vendors to start implementing, otherwise soon no apps will work with root. Additionally, methods that create a secure system like Work Profiles, Samsung Folder, Island, etc also fail to block the detection from Zimperium.
dimm0k
commented
3 years ago why is this closed??
ReanimationXP
commented
3 years ago @topjohnwu Why was this closed if it's something to be implemented eventually? Researching rooting and I hear popular apps like Chase are encountering this issue.
ugurbor
commented
3 years ago This bank app also has Zimperium and I couldn't get around the root detection. Tried latest canary + riru + riru-unshare and also with LSPosed and XPrivacyLUA.
This app directly says that the phone is rooted so it seems to be better to test with than the Chase one.
soredake
commented
2 years ago Anyone tried this with new denylist?
paresh996
commented
10 months ago Unable to get away with Zimperium detecting root. Disassembled the library it uses to detect root but the machine language goes above my head.
enovella
commented
10 months ago Unable to get away with Zimperium detecting root. Disassembled the library it uses to detect root but the machine language goes above my head.
which package name?
enovella
commented
10 months ago This bank app also has Zimperium and I couldn't get around the root detection. Tried latest canary + riru + riru-unshare and also with LSPosed and XPrivacyLUA.
This app directly says that the phone is rooted so it seems to be better to test with than the Chase one.
The official Magisk is not intended to be hidden. Use the Magisk Module Shamiko.
paresh996
commented
10 months ago Unable to get away with Zimperium detecting root. Disassembled the library it uses to detect root but the machine language goes above my head.
which package name?
Developed by Chase but privately shared with me. The experience is exactly same as people describe for the Chase Mobile app. The app opens, uses the internet for a couple of seconds and then it says the device is rooted. MagiskHide is enabled, HideMyApplist is hiding other apps and Universal SafetyNet FIx is in place. All other apps work. More details
enovella
commented
10 months ago Unable to get away with Zimperium detecting root. Disassembled the library it uses to detect root but the machine language goes above my head.
which package name?
Developed by Chase but privately shared with me. The experience is exactly same as people describe for the Chase Mobile app. The app opens, uses the internet for a couple of seconds and then it says the device is rooted. MagiskHide is enabled, HideMyApplist is hiding other apps and Universal SafetyNet FIx is in place. All other apps work. More details
Probably this app has more layers of protection. Did you run APKiD against the app?
paresh996
commented
10 months ago Probably this app has more layers of protection. Did you run APKiD against the app?
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] P0.apk
|-> anti_vm : possible VM check
[*] P0.apk!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, network operator name check, possible VM check
|-> compiler : dexlib 2.x
[*] P0.apk!classes2.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, SIM operator check, network operator name check
|-> compiler : dexlib 2.x
[*] P0.apk!classes3.dex
|-> compiler : dexlib 2.x
[*] P0.apk!lib/arm64-v8a/libz9.so
|-> anti_vm : possible VM check
[*] P0.apk!lib/armeabi-v7a/libz9.so
|-> anti_vm : possible VM checkProbably this app has more layers of protection. Did you run APKiD against the app?
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io [*] P0.apk |-> anti_vm : possible VM check [*] P0.apk!classes.dex |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, network operator name check, possible VM check |-> compiler : dexlib 2.x [*] P0.apk!classes2.dex |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, SIM operator check, network operator name check |-> compiler : dexlib 2.x [*] P0.apk!classes3.dex |-> compiler : dexlib 2.x [*] P0.apk!lib/arm64-v8a/libz9.so |-> anti_vm : possible VM check [*] P0.apk!lib/armeabi-v7a/libz9.so |-> anti_vm : possible VM check
Can you list the native libraries? Just run: unzip -l apk
paresh996
commented
10 months ago Can you list the native libraries? Just run:
unzip -l apk
libzcloud.so libz9.so libscp.so libmodpng.so libmodpdfium.so libmodft2.so libjniPdfium.so libc++_shared.so
This is a root detection framework used by some banking apps and employs a number of heuristics and appears to detect magisk on my android 10 device running lineageos which passes safetynet.
I've done some analysis and have identified some more info on how it appears to detect root.
This method is specifically designed to detect magisk:
__system_property_find_nth()__system_property_read()for each property"init.svc.""init.svc."prefix is7isalnum()"stopped"The zimperium detector also appears to run analysis on many filepaths, I haven't done much analysis on these yet but there might be some obvious info leaks that magisk doesn't cover.
I've identified the following proc paths so far as being read by zimperium for analysis:
It seems to use the following data paths for analysis:
and the following system paths:
It looks at these sbin paths:
and the following dev paths:
I've identified the following paths being watched using
inotify_add_watch():