Written up front: details determine success or failure.
Statement: this article may not be reprinted; thank you for your cooperation.
Minefield I: Signature
On Android, every application installed on the system must carry a digital certificate; Android refuses to install an application that has none. The certificate identifies the relationship between an application and its author. When a developer builds and publishes an app, the APK is signed with the developer's digital certificate, and the private key behind that certificate stays in the developer's hands. Through this signing mechanism the developer establishes a trust relationship with the application he has developed. Every developer's key is different, so the apps they build are stamped with different certificates. This is the mechanism by which we determine who developed an app.
As a rule, a developer uses the same digital certificate for all of the applications they develop. This makes program upgrades easier: when the new version and the old version of a program have the same package name and the same digital certificate, the Android system treats them as two versions of the same program. If the new version's certificate does not match the old version's, Android treats them as different programs.
When deciding whether an app has been repackaged, we must first rule out the case where the app was produced by the original author, for example a feature upgrade or the release of a new version; that does not count as repackaging. To rule it out, we verify the signature of the app we already suspect of being repackaged: if its digital certificate matches the original's, we do not treat the app as repackaged. The reasoning is that a malware author who repackages an app will generally decompile it, insert the code he wants, recompile the decompiled app, and stamp it with his own digital certificate. The original app and the repackaged one therefore carry different certificates.
Checking whether the signatures are the same is therefore an essential step in any repackaging analysis.
Minefield II: Hardening
Hardening (app packing) is now a common means of protecting apps. It usually relies on code obfuscation, dynamic code modification, dynamic loading, anti-debugging and similar techniques, which make an app much less likely to be repackaged and much harder to reverse engineer. Some of the more popular app hardening services available in the country are:
1. Bangcle (http://bangcle.com/)
2. Ijiami (http://www.ijiami.cn/)
3. 360 (http://dev.360.cn/protect/welcome)
4. Tencent (http://jiagu.qcloud.com)
If an app has been hardened, a less sophisticated decompilation tool such as Apktool will certainly fail on it, and determining whether such an app has been repackaged becomes much harder. So before processing the collected samples we should first separate out these cases: detect the hardened samples, unpack them, extract the real DEX file, and only then run the repackaging check. How do we tell whether an app has been hardened? The simplest, admittedly crude, method is to extract its .so files and look for particular file names. The shared libraries characteristic of each of these hardening products are shown in the table.
We scan the .so file names and do a simple string comparison against that table, which gives a rough answer to whether the app has really been hardened. Of course there are many other packers, known and unknown, and when one of those causes decompilation to fail, all we can do is work through it bit by bit with manual analysis to find the cause.
The code for extracting .so files can be found in this article: Extract the so files from APK files in bulk
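The .so file name scan from the two paragraphs above, as an added Python example that is not part of the original article or its companion article. The page's table of packer-specific library names did not survive extraction, so the table in the script holds constructed placeholder names only; the sample APKs are constructed zip files. The script also sorts a batch of samples into packed and plain groups, which is the triage step the article recommends before the repackaging comparison.

```python
import io
import zipfile
from collections import defaultdict

# Placeholder table (constructed names, not real packer libraries). Fill it from the
# article's table of vendor-specific .so names before using it on real samples.
PACKER_LIBRARIES = {
    "PLACEHOLDER_PACKER_A": ("libplaceholder_a_exec.so", "libplaceholder_a_main.so"),
    "PLACEHOLDER_PACKER_B": ("libplaceholder_b_protect.so",),
}


def native_libraries(apk_bytes):
    """Map ABI -> sorted .so file names found under lib/<abi>/ in the APK (a zip)."""
    libs = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                libs[parts[1]].add(parts[2])
    return {abi: sorted(names) for abi, names in libs.items()}


def detect_packer(apk_bytes, table=PACKER_LIBRARIES):
    """Names of the packers whose characteristic library names appear in the APK.
    Plain string comparison on the file name, as the article describes."""
    present = {so for names in native_libraries(apk_bytes).values() for so in names}
    return sorted(packer for packer, sos in table.items() if present.intersection(sos))


def triage(samples, table=PACKER_LIBRARIES):
    """Split {sample_id: apk_bytes} into packed samples (with the packers matched) and
    plain ones, so the packed group can be unpacked before the repackaging check."""
    packed, plain = {}, []
    for sample_id, apk in samples.items():
        hits = detect_packer(apk, table)
        if hits:
            packed[sample_id] = hits
        else:
            plain.append(sample_id)
    return packed, plain


def build_fake_apk(entries):
    """Constructed fixture: a zip holding the given entry names with dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"constructed")
    return buf.getvalue()


# Constructed sample set: one packed app, one ordinary app with a native library,
# one app without any native code.
SAMPLES = {
    "sample-packed": build_fake_apk(["classes.dex",
                                     "lib/armeabi-v7a/libplaceholder_a_exec.so",
                                     "lib/armeabi-v7a/libapp.so"]),
    "sample-plain": build_fake_apk(["classes.dex", "lib/arm64-v8a/libapp.so"]),
    "sample-nolib": build_fake_apk(["classes.dex"]),
}

if __name__ == "__main__":
    packed, plain = triage(SAMPLES)
    print("packed (unpack first):", packed)
    print("plain (analyse directly):", plain)
```

A name-only match is exactly as crude as the article says: a packer that renames its loader library, or an unrelated app that happens to ship a library with a colliding name, will be misclassified, so samples that still fail to decompile after this triage are the ones that need the manual analysis mentioned above.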
Minefield III: Advertising
As mentioned in the previous article, adding advertisements to the original app is also a form of repackaging. No method can be perfect; there is always an optimum found under various trade-offs. Here we need to extract the Android resources to make the judgment. Think about it: an Android advertisement, whether a pop-up box, an inline ad or a banner, runs as an activity, and those activities are resources. If an app embeds too many ads, this inevitably affects the accuracy of our judgment. So, to improve accuracy during the judgment process, how advertisements are handled is a factor that needs careful consideration.
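An added Python example, not from the original article, of the point made above: injected ad activities inflate the difference between an original app and its repackaged copy, so activities belonging to ad SDKs are filtered out before the activity sets are compared. The two manifests are constructed, the ad package prefixes are hypothetical placeholders rather than real ad networks, and the input is assumed to be a decoded text AndroidManifest.xml (as produced by a decompiler), not the binary XML inside the APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed placeholder prefixes for ad SDK packages (hypothetical names, not real
# ad networks); a real deployment would list the prefixes seen in the sample set.
AD_PACKAGE_PREFIXES = ("com.example.adsdk.", "net.example.banner.")


def manifest_activities(manifest_xml):
    """Fully qualified names of the activities declared in a decoded (text)
    AndroidManifest.xml, expanding the '.Name' and bare 'Name' shorthands."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    names = set()
    for act in root.iter("activity"):
        name = act.get(ANDROID_NS + "name")
        if not name:
            continue
        if name.startswith("."):
            name = pkg + name
        elif "." not in name:
            name = pkg + "." + name
        names.add(name)
    return names


def is_ad_activity(name):
    """Heuristic: the activity lives in one of the known ad SDK packages."""
    return name.startswith(AD_PACKAGE_PREFIXES)


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def activity_similarity(manifest_a, manifest_b, ignore_ads=True):
    """Jaccard similarity of the two apps' activity sets, by default after dropping
    the activities that belong to ad SDKs."""
    acts_a, acts_b = manifest_activities(manifest_a), manifest_activities(manifest_b)
    if ignore_ads:
        acts_a = {n for n in acts_a if not is_ad_activity(n)}
        acts_b = {n for n in acts_b if not is_ad_activity(n)}
    return jaccard(acts_a, acts_b)


# Constructed manifests: an original app and a copy with three ad activities injected.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.victim">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name="SettingsActivity"/>
  </application>
</manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.victim">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name="SettingsActivity"/>
    <activity android:name="com.example.adsdk.InterstitialActivity"/>
    <activity android:name="com.example.adsdk.BannerActivity"/>
    <activity android:name="net.example.banner.PopupActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("raw similarity:  ", activity_similarity(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST, ignore_ads=False))
    print("ads filtered out:", activity_similarity(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST))
```

With the three ad activities counted, the two apps share only two of five activities and look rather different; with them filtered out, the remaining activity sets are identical and the repackaging becomes obvious. The same filtering should be applied to whatever other resources (layouts, drawables, strings) the ad SDK brings along, otherwise those inflate the difference in the same way.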
Talking about Android repackaging: the minefields