su-vikas/conbeerlib

Rooted phone False Positive scenario


checkProcMaps: Suspicious file: /data/app/org.meowcat.edxposed.manager-qkLtyHZpTcGEgfFOW6B7BA==/base.apk]
is tagged as a virtual container

Pre-context:
I have Island app installed as a work profile

I have a sample app in which I tried to follow your lib; the checks report it is running in a container (it is currently installed in my regular user space).

The checks return true when I have a virtualized guest app variant of my sample in the work profile.

Are there some details on how this is calculated w.r.t. proc maps?
Given my check is from the host machine and not the virtual container, it should be false,
but it picks up on EdXposed being installed.

I tried Parallel Space as well; due to the rooted device and Xposed being installed, this check as a signal is always true.
Any piece of advice?
My goal is to detect my sensitive app when it runs in the wild on emulators/virtual containers.

The logic currently used is to go through all the files loaded in memory in /proc/self/maps and flag those whose path does not belong to the application. For example, files from your app will have the pattern /data/data/your_package_name/....

In the case you are pointing out, the path /data/app/org.meowcat.edxposed.manager-qkLtyHZpTcGEgfFOW6B7BA==/base.apk does not belong to your app. This particular file does not seem to follow that pattern.

So yes it is a false positive, but clearly there is something wrong with the files present in the app's memory.

I will try to address this in conbeerlib using some signature matching for common packages like EdXposed etc. This will not exclude false positives though.
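To make the reply above concrete, here is an added illustration (not conbeerlib's own code) of the described check: parse /proc/self/maps, treat files under the app's own directories as benign, and report everything else as foreign, with the package-name signature matching the maintainer proposes layered on top so a mapped EdXposed APK is classified as a hooking framework rather than as generic container evidence. The sample maps content is constructed; the EdXposed path is the one quoted in the issue. The `KNOWN_HOOK_PACKAGES` list, the `com.example.sample` package, the `/data/user/<n>/<package>/` and `/data/app/<package>-<hash>/` forms accepted as "own", and the `/system`, `/apex`, `/vendor` allow-list are all assumptions made for the example, not behaviour the library documents.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/self/maps lines (not a real capture).
# Fields: address range, perms, offset, dev, inode, pathname.
# The EdXposed manager path is the one quoted in the issue above.
SAMPLE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7a1b2c3000-7a1b2c5000 r--p 00000000 fd:00 1234   /data/data/com.example.sample/files/cache.bin
7b00000000-7b00100000 r-xp 00000000 fd:00 5678   /data/app/com.example.sample-AbCd==/base.apk
7b10000000-7b10200000 r-xp 00000000 fd:00 9012   /data/app/org.meowcat.edxposed.manager-qkLtyHZpTcGEgfFOW6B7BA==/base.apk
7c00000000-7c00010000 r-xp 00000000 fd:00 3456   /system/lib64/libc.so
7d00000000-7d00004000 r-xp 00000000 fd:00 7890   /data/data/com.example.other/lib/libhelper.so
"""

# Package names to match by signature, as the maintainer suggests.
# Assumed list for illustration only; a real build would maintain its own.
KNOWN_HOOK_PACKAGES = (
    "org.meowcat.edxposed.manager",
    "de.robv.android.xposed.installer",
)

# One /proc/<pid>/maps line; the pathname column is optional.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def parse_maps(text: str) -> List[str]:
    """Return the distinct file paths mapped in a /proc/self/maps dump.

    Anonymous mappings and bracketed pseudo-paths ([stack], [anon:...])
    are skipped because they never name a file on disk.
    """
    paths: List[str] = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if not path or path.startswith("["):
            continue
        if path not in paths:
            paths.append(path)
    return paths


def belongs_to_app(path: str, package: str) -> bool:
    """The maintainer's rule: the app's own files live under /data/data/<package>/.

    The /data/user/<n>/<package>/ (multi-user / work profile) and
    /data/app/<package>-<hash>/ (installed APK) forms are assumptions added
    here so the app's own base.apk is not reported as foreign.
    """
    pkg = re.escape(package)
    return (
        path.startswith(f"/data/data/{package}/")
        or re.match(rf"^/data/user/\d+/{pkg}/", path) is not None
        or re.match(rf"^/data/app/{pkg}-[^/]+/", path) is not None
    )


def classify_maps(text: str, package: str) -> Dict[str, List[str]]:
    """Bucket mapped files: own, system, known hooking framework, or foreign.

    A caller would treat 'hook_framework' and 'foreign' as signals of
    different strength instead of collapsing both into one boolean.
    """
    result: Dict[str, List[str]] = {
        "own": [], "system": [], "hook_framework": [], "foreign": []
    }
    for path in parse_maps(text):
        if belongs_to_app(path, package):
            result["own"].append(path)
        elif any(f"/{p}-" in path or f"/{p}/" in path for p in KNOWN_HOOK_PACKAGES):
            result["hook_framework"].append(path)
        elif path.startswith(("/system/", "/apex/", "/vendor/")):
            # Assumed allow-list: platform libraries are expected in every process.
            result["system"].append(path)
        else:
            result["foreign"].append(path)
    return result


if __name__ == "__main__":
    for bucket, files in classify_maps(SAMPLE_MAPS, "com.example.sample").items():
        print(bucket, files)
```

On a real device the dump comes from reading `/proc/self/maps` inside the app; the constructed `SAMPLE_MAPS` stands in for that here. The point of the separate `hook_framework` bucket is exactly the false positive in this issue: a signature hit on a known package says "hooking framework present", which is a different finding from "the app is running inside a virtual container", and the two should not share one true/false result.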

Noted, thanks