[DETECTION] Appdome protection

[AndroidMaster25]

Provide the file
Invincible: Guarding the Globe 2.1.12
https://apkcombo.app/invincible-guarding-the-globe/com.ubisoft.invincible.guardians.globe.idle.superhero.rpg.battle.afk/download/apk

Describe the detection issue
This game is calling to a lib with randomized lib name IKJyYOQQpVxkK. My friend claims it has signature check that can to prevent login and it connects to a remote server that the developer can enable certain security features remotely. I don't know much inside the lib because it is obfuscated

In smali, it's making some calls to the lib

APKiD current results...
Please provide current output from APKiD on this file. Include the APKiD header which provides the version, e.g. -

[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] H:\Downloads\Invincible- Guarding the Globe_2.1.12_apkcombo.app.xapk!com.ubisoft.invincible.guardians.globe.idle.superhero.rpg.battle.afk.apk!classes.dex
 |-> anti_vm : Build.BRAND check, Build.DEVICE check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] H:\Downloads\Invincible- Guarding the Globe_2.1.12_apkcombo.app.xapk!com.ubisoft.invincible.guardians.globe.idle.superhero.rpg.battle.afk.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 2.x
[*] H:\Downloads\Invincible- Guarding the Globe_2.1.12_apkcombo.app.xapk!com.ubisoft.invincible.guardians.globe.idle.superhero.rpg.battle.afk.apk!classes3.dex
 |-> compiler : dexlib 2.x

[enovella]

appdome?

$ apkid Invincible_\ Guarding\ the\ Globe_1.3.10_apkcombo.app.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] Invincible_ Guarding the Globe_1.3.10_apkcombo.app.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check, ro.hardware check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] Invincible_ Guarding the Globe_1.3.10_apkcombo.app.apk!classes2.dex
 |-> compiler : r8 without marker (suspicious)
[*] Invincible_ Guarding the Globe_1.3.10_apkcombo.app.apk!classes3.dex
 |-> compiler : dexlib 2.x
[*] Invincible_ Guarding the Globe_1.3.10_apkcombo.app.apk!lib/arm64-v8a/libcrashlytics-common.so
 |-> anti_hook : syscalls
[*] Invincible_ Guarding the Globe_1.3.10_apkcombo.app.apk!lib/armeabi-v7a/libgrpc_csharp_ext.so
 |-> protector : Appdome

[enovella]

Checking the other APK:

$ unzip -l config.arm64_v8a.apk
Archive:  config.arm64_v8a.apk
  Length      Date    Time    Name
---------  ---------- -----   ----
     1132  1981-01-01 01:01   AndroidManifest.xml
  9211536  1981-01-01 01:01   lib/arm64-v8a/libCysharp.Net.Http.YetAnotherHttpHandler.Native.so
    82912  1981-01-01 01:01   lib/arm64-v8a/libFirebaseCppAnalytics.so
  6062992  1981-01-01 01:01   lib/arm64-v8a/libFirebaseCppApp-12_2_0.so
    42832  1981-01-01 01:01   lib/arm64-v8a/libFirebaseCppCrashlytics.so
  1855136  1981-01-01 01:01   lib/arm64-v8a/libIKJyYOQQpVxkK.so   // CHECKING THIS
  1669624  1981-01-01 01:01   lib/arm64-v8a/libMxPrivacyCore.so
    59328  1981-01-01 01:01   lib/arm64-v8a/lib_burst_generated.so
   755864  1981-01-01 01:01   lib/arm64-v8a/libcrashlytics-common.so
   185960  1981-01-01 01:01   lib/arm64-v8a/libcrashlytics-handler.so
     9584  1981-01-01 01:01   lib/arm64-v8a/libcrashlytics-trampoline.so
   195568  1981-01-01 01:01   lib/arm64-v8a/libcrashlytics.so
 93363272  1981-01-01 01:01   lib/arm64-v8a/libil2cpp.so
     6728  1981-01-01 01:01   lib/arm64-v8a/libmain.so
  6177840  1981-01-01 01:01   lib/arm64-v8a/libubiservices.so
 20288208  1981-01-01 01:01   lib/arm64-v8a/libunity.so
       32  1981-01-01 01:01   stamp-cert-sha256
     1619  1981-01-01 01:01   META-INF/BNDLTOOL.SF
     1396  1981-01-01 01:01   META-INF/BNDLTOOL.RSA
     1511  1981-01-01 01:01   META-INF/MANIFEST.MF
---------                     -------
139973074                     20 files

[AndroidMaster25]

appdome?

That could be it. i just checked the old version and it uses the same code but the lib file is larger (6 MB)

[enovella]

I am afraid that the appdome match got wrongly triggered with this regex: (keyword hook matched twice)

    is_elf and not appdome_elf and
      // Match at least 2 section names from hook,.hookname,adinit,.adi,ipcent,ipcsel
      for 2 i in (0..elf.number_of_sections):
        (elf.sections[i].name matches /(hook|\.hookname|adinit|\.adi|ipcent|ipcsel)/)

[enovella]

@AndroidMaster25 can you find another app with the same protection?

[AndroidMaster25]

@AndroidMaster25 can you find another app with the same protection?

Sure but it will take long time until I discover another one. However you can check older versions of this game https://apkcombo.app/invincible-guarding-the-globe/com.ubisoft.invincible.guardians.globe.idle.superhero.rpg.battle.afk/old-versions/