rednaga/APKiD

[DETECTION] Add Detection For protectt

Closed this issue · 3 comments

Sample - https://play.google.com/store/apps/details?id=com.rblbank.mobank
Protection - https://www.protectt.ai/

APKiD Result -

apkid 'RBL MoBank_8.0.50.apk'
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] RBL MoBank_8.0.50.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check, possible ro.secure check, ro.hardware check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] RBL MoBank_8.0.50.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.HARDWARE check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] RBL MoBank_8.0.50.apk!classes3.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, SIM operator check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] RBL MoBank_8.0.50.apk!classes4.dex
 |-> anti_vm : Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
[*] RBL MoBank_8.0.50.apk!lib/x86/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0
[*] RBL MoBank_8.0.50.apk!lib/arm64-v8a/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0
[*] RBL MoBank_8.0.50.apk!lib/armeabi-v7a/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0
[*] RBL MoBank_8.0.50.apk!lib/x86_64/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0

Additional Info -

/lib/arm64-v8a/libapp-protectt-native-lib.so
/lib/arm64-v8a/libprotectt-native-lib.so
/lib/arm64-v8a/libprotecttai.so
Lai/protectt/app/security/*
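A minimal checker for the markers listed above, added here as an illustration and not APKiD's own rule (APKiD ships YARA rules; this is a plain Python stand-in that flags the three Protectt library names and the `Lai/protectt/app/security/` class prefix, run against a constructed in-memory APK rather than the sample):

```python
import io
import re
import zipfile

# Markers taken from the issue: the native libraries Protectt ships per ABI and
# the package prefix of its Java classes as it appears in a DEX string table.
PROTECTT_LIB_NAMES = {
    "libprotectt-native-lib.so",
    "libapp-protectt-native-lib.so",
    "libprotecttai.so",
}
PROTECTT_DEX_MARKER = b"Lai/protectt/app/security/"
LIB_ENTRY = re.compile(r"^lib/[^/]+/([^/]+\.so)$")
DEX_ENTRY = re.compile(r"^classes\d*\.dex$")


def scan_apk(apk_bytes: bytes) -> dict:
    """Return {entry_name: "Protectt"} for every APK entry carrying a Protectt marker.

    Native libraries are matched on file name only; DEX files are matched on the
    class-path prefix being present anywhere in their bytes.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            m = LIB_ENTRY.match(name)
            if m and m.group(1) in PROTECTT_LIB_NAMES:
                hits[name] = "Protectt"
            elif DEX_ENTRY.match(name) and PROTECTT_DEX_MARKER in apk.read(name):
                hits[name] = "Protectt"
    return hits


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: only entry names and one fake DEX string matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035\0Lcom/example/Main;\0")
        apk.writestr("classes2.dex", b"dex\n035\0" + PROTECTT_DEX_MARKER + b"Detector;\0")
        apk.writestr("lib/arm64-v8a/libprotectt-native-lib.so", b"\x7fELF")
        apk.writestr("lib/arm64-v8a/libprotecttai.so", b"\x7fELF")
        apk.writestr("lib/x86/libapp-protectt-native-lib.so", b"\x7fELF")
        apk.writestr("lib/arm64-v8a/libnative-library.so", b"\x7fELF")  # DexGuard lib, no hit
    return buf.getvalue()


if __name__ == "__main__":
    for entry, protector in sorted(scan_apk(build_sample_apk()).items()):
        print(f"[*] {entry}\n |-> protector : {protector}")
```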

It seems that my last commit 5a34c25 introduced a false positive

The rule matched on the ELF is dexguard, not dexguard 9.x, as visible in the scan result.

$r2 libnative-library.so
[0x00087180]> izzq~+detection
0x3fe61d 58 57 com/guardsquare/dexguard/runtime/detection/TamperDetector
0x3fe67e 56 55 com/guardsquare/dexguard/runtime/detection/RootDetector
0x3fe6c9 57 56 com/guardsquare/dexguard/runtime/detection/DebugDetector
0x3fe724 60 59 com/guardsquare/dexguard/runtime/detection/EmulatorDetector

Result with a quick rule:

$ apkid com.rblbank.mobank_2023-01-24.apk
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] com.rblbank.mobank_2023-01-24.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check, possible ro.secure check, ro.hardware check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] com.rblbank.mobank_2023-01-24.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.HARDWARE check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names, unreadable method names
[*] com.rblbank.mobank_2023-01-24.apk!classes3.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, SIM operator check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] com.rblbank.mobank_2023-01-24.apk!classes4.dex
 |-> anti_vm : Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
[*] com.rblbank.mobank_2023-01-24.apk!lib/x86/libprotectt-native-lib.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/x86/libprotecttai.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/x86/libapp-protectt-native-lib.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/x86/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0
[*] com.rblbank.mobank_2023-01-24.apk!lib/arm64-v8a/libprotectt-native-lib.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/arm64-v8a/libprotecttai.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/arm64-v8a/libapp-protectt-native-lib.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/arm64-v8a/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0
[*] com.rblbank.mobank_2023-01-24.apk!lib/armeabi-v7a/libprotectt-native-lib.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/armeabi-v7a/libprotecttai.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/armeabi-v7a/libapp-protectt-native-lib.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/armeabi-v7a/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0
[*] com.rblbank.mobank_2023-01-24.apk!lib/x86_64/libprotectt-native-lib.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/x86_64/libprotecttai.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/x86_64/libapp-protectt-native-lib.so
 |-> protector : Protectt
[*] com.rblbank.mobank_2023-01-24.apk!lib/x86_64/libnative-library.so
 |-> obfuscator : DexGuard, Obfuscator-LLVM version 4.0