rootcloak
rootcloak copied to clipboard
devadvance
Deutsche Bank MyBank
https://play.google.com/store/apps/details?id=com.db.pbc.mybankbelgium&hl=en
This is a tricky one but I guess this could be working as the detection method is Java based: It gets a stack trace of current thread (Thread.currentThread().getStackTrace()) then enumerates all the StackTraceElement looking for a (looooong) list of possible mischief. At some point, it sees that Xposed framework is installed and returns an error.
Tested on v3.0-beta_20160731_2
Ok, this one was easy to fix by adding this in the initOther method:
findAndHookMethod("java.lang.StackTraceElement", lpparam.classLoader, "getClassName", new XC_MethodHook() { @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { String classname = (String) param.getResult(); XposedBridge.log("classname after: " + classname); if (classname != null && (classname.contains("de.robv.android.xposed"))) { param.setResult("android.app.ActivityThread"); if (debugPref) { XposedBridge.log("Found and hid Xposed class name: " + classname); } } }
(sorry, I can't get the formatting working).
Now I have a more difficult issue: the application parses the /proc/ and read all cmdline files. There, it finds the xposed_service_app. This seems a more tricky one.
This gives some other techniques that could be used to detect Xposed framework ... and how to bypass them http://d3adend.org/blog/?p=589
I finally developed a complementary Xposed module when rootcloak falls short of its objective: http://repo.xposed.info/module/net.csu333.surrogate. This requires much more effort to find which method must be hooked but once it happened, the root detection is completely bypassed.
Are you sure you enabled the module (needs restart) and activated the rule (all rules are disabled by default, no need to restart) ? If you did (or are unsure), I propose you to open a ticket on my Surrogate Github page to avoid polluting this one.