False Positive with Process Maps?
blundell opened this issue · 2 comments
blundell commented
Getting what I think is a false positive with the checkProcMaps method.
It states:
```java
/**
 * /proc/self/maps should not have libraries or APK from other /data/app and /data/data folders,
 * other than the one of the app's.
 * Example:
 * Dr.Clone: /data/app/com.trendmicro.tmas-nX-nxxGWSIQ3FOKGnz-Xbg==/lib/arm/libnativehook.so
 * /data/app/com.trendmicro.tmas-nX-nxxGWSIQ3FOKGnz-Xbg==/lib/arm/libsubstrate.so
 * Parallel Space:
 * /data/app/com.lbe.parallel.intl-bp5H8cQ_sHHz72STgLNWfg==/lib/arm/libdaclient_64.so
 *
 * @return True, if virtual container detected
 */
```
I added this log:
```java
// Check paths does not contain files from other /data/data and /data/app locations
for (String p : paths) {
    if (p.startsWith("/data/app") || p.startsWith("/data/data")) {
        if (!p.contains(packageName)) {
            Log.d("MK", "XXX PROC: " + p);
            isContainer = true;
            break;
        }
    }
}
```
However, when I run the check at startup for our app, it's saying it's running in a container because this file exists:
```
2021-06-15 08:58:01.258 D/MK: XXX PROC: /data/app/com.google.android.gms-prf32SOG9-vEd5NdflrfHA==/split_config.en.apk
```
Interestingly it only seems to happen every other app load as well, not every time.
We use the AAB format and have a split APK, so it looks like that's not supported perhaps?
blundell commented
For now I am working around it with:
```java
if (!p.contains(packageName) && !p.contains("com.google.android")) {
```
Whilst not infallible, as anyone can have any package name, I have to trust com.google for now.
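
An added example, not the library's code or the poster's: it resolves the owning package of each mapped `/data/app` or `/data/data` path and compares it exactly against the app's own package and an explicit trusted set, rather than using substring `contains`. The class name, `com.example.shop`, the trusted set and the sample maps lines are assumptions made for illustration; it also handles the extra `~~<random>/` directory level used under `/data/app` on Android 11 and later.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ProcMapsOwnerCheck {
    // /data/app/[~~<random>/]<package>-<suffix>/...  or  /data/data/<package>/...
    private static final Pattern OWNER = Pattern.compile(
            "^/data/(?:app/(?:~~[^/]+/)?([A-Za-z0-9_.]+)-[^/]+/|data/([A-Za-z0-9_.]+)(?:/|$))");

    /** Owning package of a mapped path, or null if the path fits neither layout. */
    static String ownerOf(String path) {
        Matcher m = OWNER.matcher(path);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    /** Mapped /data/app and /data/data paths not owned by ownPackage or a trusted package. */
    static List<String> foreignPaths(List<String> mapsLines, String ownPackage, Set<String> trusted) {
        List<String> hits = new ArrayList<>();
        for (String line : mapsLines) {
            // maps columns: address perms offset dev inode pathname
            String[] f = line.trim().split("\\s+", 6);
            if (f.length < 6) continue; // anonymous mapping, no pathname
            String p = f[5];
            if (!p.startsWith("/data/app/") && !p.startsWith("/data/data/")) continue;
            String owner = ownerOf(p);
            // A path whose owner cannot be parsed is reported, not skipped.
            if (owner == null || !(owner.equals(ownPackage) || trusted.contains(owner))) hits.add(p);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed maps lines; the GMS and libsubstrate paths are the ones quoted in this issue.
        List<String> maps = Arrays.asList(
            "7f10000000-7f10200000 r--p 00000000 fd:05 1001 /data/app/com.example.shop-AAAA==/base.apk",
            "7f20000000-7f20100000 r--p 00000000 fd:05 1002 /data/app/com.google.android.gms-prf32SOG9-vEd5NdflrfHA==/split_config.en.apk",
            "7f30000000-7f30050000 r-xp 00000000 fd:05 1003 /data/app/com.trendmicro.tmas-nX-nxxGWSIQ3FOKGnz-Xbg==/lib/arm/libsubstrate.so",
            "7f40000000-7f40001000 rw-p 00000000 00:00 0");
        Set<String> trusted = Collections.singleton("com.google.android.gms"); // assumed allowlist
        System.out.println(foreignPaths(maps, "com.example.shop", trusted));
    }
}
```

With these sample lines only the `libsubstrate.so` path is reported; the GMS split APK is matched by its full package name rather than by the `com.google.android` prefix.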