[DETECTION] "AndroidRepublic VIP" obfuscator should be detected as OLLVM version unknown
Provide the file:
Re-uploaded files: https://mega.nz/folder/cr1ykJYL#M6ygS0-88be5004Ugj_W0w

Sources:
https://whatsapp.com/channel/0029VamOj7nGpLHKcirsIU3f
https://t.me/KingModsUpdates
https://t.me/KingModsOfficial

Describe the detection issue:
Currently, VIP mods from Android Republic are detected as AndroidRepublic VIP. However, I came across a mod called Kingmods, created by Uncle Bob, the owner of Android Republic. Both Android Republic and Kingmods use a similar OLLVM obfuscator and include bloated CURL and SSL libraries for their licensing systems.
Kingmods from 2023 gave me a hint that they used OLLVM 9.0.1 https://github.com/o2e/OLLVM-9.0.1.git and Android r21e:
Starting in 2024, VIP mods from Android Republic have been using Android NDK r23c and no longer include OLLVM information, or replace it with their own URL, similar to Kingmods. In older mods from 2023, they used the Android NDK r17c and replaced identifying strings with their own URL, which suggests they may have also removed the OLLVM information.
It would make more sense to label it as OLLVM version unknown.
Kingmods added files:
- `assets/__tpcfinfo.tsb` = lib file
- `assets/__tpcfinfo.tsc` = orig APK for redirection

Android Republic added files:
- `lib/(arch)/libteteetet.so`, or
- `assets/androidrepublic.org/dragon.png`
APKiD current results...
File sample: com.blb.aos.siegerumble_1.0.0022_04042025_043038_modded.apk
```
apkid "F:\xxxx\AR mods\2025 VIP\com.blb.aos.siegerumble_1.0.0022_04042025_043038_modded.apk"
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] F:\xxxx\AR mods\2025 VIP\com.blb.aos.siegerumble_1.0.0022_04042025_043038_modded.apk
|-> obfuscator : AndroidRepublic VIP
|-> packer : LIAPP
[*] F:\xxxx\AR mods\2025 VIP\com.blb.aos.siegerumble_1.0.0022_04042025_043038_modded.apk!assets/androidrepublic.org/dragon.png
|-> obfuscator : AndroidRepublic VIP
[*] F:\xxxx\AR mods\2025 VIP\com.blb.aos.siegerumble_1.0.0022_04042025_043038_modded.apk!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check, possible VM check, ro.kernel.qemu check
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\2025 VIP\com.blb.aos.siegerumble_1.0.0022_04042025_043038_modded.apk!classes2.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.TAGS check
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\2025 VIP\com.blb.aos.siegerumble_1.0.0022_04042025_043038_modded.apk!classes3.dex
|-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check, possible Build.SERIAL check
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names, unreadable method names
[*] F:\xxxx\AR mods\2025 VIP\com.blb.aos.siegerumble_1.0.0022_04042025_043038_modded.apk!classes4.dex
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\2025 VIP\com.blb.aos.siegerumble_1.0.0022_04042025_043038_modded.apk!lib/arm64-v8a/libvuwtxxdvf.so
|-> packer : LIAPP
[*] F:\xxxx\AR mods\2025 VIP\com.blb.aos.siegerumble_1.0.0022_04042025_043038_modded.apk!classes5.dex
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names, unreadable method names
```
File sample: pubg_bgmi64_370_update_02a.apk
```
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check, possible VM check
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!classes2.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, device ID check, network operator name check, possible Build.SERIAL check, possible VM check
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!classes3.dex
|-> anti_vm : Build.MANUFACTURER check
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!lib/arm64-v8a/libUE4.so
|-> protector : InsideSecure Verimatrix
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!assets/audience_network.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> compiler : unknown (please file detection issue!)
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!assets/__tpcfinfo.tsc!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check, possible VM check
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!assets/__tpcfinfo.tsc!classes2.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, device ID check, network operator name check, possible Build.SERIAL check, possible VM check
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!assets/__tpcfinfo.tsc!classes3.dex
|-> anti_vm : Build.MANUFACTURER check
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!assets/__tpcfinfo.tsc!lib/arm64-v8a/libUE4.so
|-> protector : InsideSecure Verimatrix
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!assets/__tpcfinfo.tsc!assets/audience_network.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> compiler : unknown (please file detection issue!)
[*] F:\xxxx\AR mods\Kingmods\pubg_bgmi64_370_update_02a.apk!classes4.dex
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names, unreadable method names
```
File sample: Battlegrounds India [2.7.0].apk (Ollvm 9.0.1)
```
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] F:\xxxx\AR mods\Legit FPS Red Powder\Battlegrounds India 2.7.0\Battlegrounds India [2.7.0].apk!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\Legit FPS Red Powder\Battlegrounds India 2.7.0\Battlegrounds India [2.7.0].apk!classes2.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, device ID check, emulator file check, network operator name check, possible Build.SERIAL check, possible VM check
|-> compiler : dexlib 2.x
|-> obfuscator : unreadable field names, unreadable method names
[*] F:\xxxx\AR mods\Legit FPS Red Powder\Battlegrounds India 2.7.0\Battlegrounds India [2.7.0].apk!lib/arm64-v8a/libUE4.so
|-> protector : InsideSecure Verimatrix
[*] F:\xxxx\AR mods\Legit FPS Red Powder\Battlegrounds India 2.7.0\Battlegrounds India [2.7.0].apk!assets/__tpcfinfo.tsc!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check
|-> compiler : dexlib 2.x
[*] F:\xxxx\AR mods\Legit FPS Red Powder\Battlegrounds India 2.7.0\Battlegrounds India [2.7.0].apk!assets/__tpcfinfo.tsc!lib/arm64-v8a/libUE4.so
|-> protector : InsideSecure Verimatrix
[*] F:\xxxx\AR mods\Legit FPS Red Powder\Battlegrounds India 2.7.0\Battlegrounds India [2.7.0].apk!assets/__tpcfinfo.tsc!classes2.dex
|-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, device ID check, emulator file check, network operator name check, possible Build.SERIAL check, possible VM check
|-> compiler : dexlib 2.x
```
Why is Android Republic associated with Kingmods?
Because both Android Republic VIP and Kingmods VIP use the same smali class names, connect to the Kingmods server, and leave behind similar traces. legit-source.net, api.phantasm.tech and androidrepublic.org all have the header `x-powered-by: androidrepublic`, confirming the owner.
VirusTotal:
https://www.virustotal.com/gui/url/7f5aea50026287a3533a4ac42e8debb5b5a579b8cdcfd664863d10f203f63d53/details
https://www.virustotal.com/gui/url/2e431d3b3bc4f222b4921eed0b88d5d9f8a7b5808ffff60249b315b06e079cdc/details
https://www.virustotal.com/gui/url/fb1cc65dce5f869f4d36a56899cf10aab010320a8cdb06300b50c621f1429e72/details
I made my own graph on VirusTotal as well:
https://www.virustotal.com/graph/embed/g64a6ac8b35424051928113dda1c068db2b5091818a2d46959afe283c7a202d59?theme=dark
@AndroidMaster25 Could you please gimme more intel about Kingmods and AR? I mean, which strings are you thinking of using in the rules? Thanks.
The OLLVM 9.0.1 rule should be matching and there was a false positive with Verimatrix InsideSecure in libUE4.so that was also fixed.
@AndroidMaster25 I'd assume that this AndroidRepublic VIP protector uses OLLVM obfuscation underneath. Do you have a better rule to tackle on? I could write a general opcodes-based OLLVM rule, but at the moment I do have other priorities.
```
$ apkid assets/androidrepublic.org/dragon.png
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] assets/androidrepublic.org/dragon.png
|-> anti_hook : syscalls
|-> obfuscator : AndroidRepublic VIP
$ apkid lib/armeabi-v7a/libteteetet.so
[+] APKiD 3.0.0 :: from RedNaga :: rednaga.io
[*] lib/armeabi-v7a/libteteetet.so
|-> obfuscator : AndroidRepublic VIP
```
> @AndroidMaster25 Could you please gimme more intel about Kingmods and AR? I mean, which strings are you thinking of using in the rules? Thanks.

If you mean to detect Kingmods and AR, maybe use this string from the dex file: `com/bob/arteam`

> I'd assume that this AndroidRepublic VIP protector uses OLLVM obfuscation underneath. Do you have a better rule to tackle on? I could write a general opcodes-based OLLVM rule, but at the moment I do have other priorities.

It's hard since the obfuscator doesn't leave any useful strings or patterns. I could be wrong because I don't have much knowledge on the lib side. For the older obfuscator version, you can temporarily use https://www.androidrepublic.org
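As an added example (not APKiD's code or one of its rules), a small scanner that checks an APK for the container-level artifacts listed in the first post (`assets/__tpcfinfo.tsb`/`.tsc`, `lib/(arch)/libteteetet.so`, `assets/androidrepublic.org/dragon.png`) and for the `com/bob/arteam` string suggested above in the DEX files, descending into the nested `.tsc` APK the way APKiD's `outer!inner` output does. The tag names and the in-memory sample APK are constructed for this example.

```python
import io
import re
import zipfile

# Indicators quoted in the issue thread: container paths left behind by the
# Kingmods and Android Republic (AR) VIP packagers, plus the smali class prefix
# suggested for the DEX side. The tag strings are this example's own.
KINGMODS_ASSETS = {"assets/__tpcfinfo.tsb", "assets/__tpcfinfo.tsc"}
AR_NATIVE_LIB = re.compile(r"^lib/[^/]+/libteteetet\.so$")
AR_DRAGON_PNG = "assets/androidrepublic.org/dragon.png"
DEX_ENTRY = re.compile(r"^classes\d*\.dex$")
DEX_MARKER = b"com/bob/arteam"


def scan_apk(data: bytes, prefix: str = "") -> dict:
    """Walk one APK (zip) and return {entry_path: [tags]} for indicator hits.

    Entries that are themselves zips (the .tsc 'orig APK' described in the
    issue) are scanned recursively and reported as 'outer!inner' paths.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = f"{prefix}{name}"
            tags = []
            if name in KINGMODS_ASSETS:
                tags.append("kingmods_asset")
            if AR_NATIVE_LIB.match(name) or name == AR_DRAGON_PNG:
                tags.append("androidrepublic_file")
            blob = zf.read(name)
            if DEX_ENTRY.match(name) and DEX_MARKER in blob:
                tags.append("dex_com_bob_arteam")
            if tags:
                hits[path] = tags
            if zipfile.is_zipfile(io.BytesIO(blob)):  # nested APK/zip
                hits.update(scan_apk(blob, prefix=f"{path}!"))
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for a Kingmods-style APK; not a real sample."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n, b in entries.items():
                zf.writestr(n, b)
        return buf.getvalue()
    inner = make_zip({"classes.dex": b"dex\n035\x00 Lcom/bob/arteam/Check;"})
    return make_zip({
        "classes.dex": b"dex\n035\x00 Lcom/bob/arteam/Loader;",
        "assets/__tpcfinfo.tsb": b"\x7fELF placeholder",
        "assets/__tpcfinfo.tsc": inner,
        "lib/arm64-v8a/libteteetet.so": b"\x7fELF placeholder",
    })


if __name__ == "__main__":
    for path, tags in sorted(scan_apk(build_sample()).items()):
        print(f"{path}: {', '.join(tags)}")
```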
I have other samples from Kingmods that I saved last year. This one is the installer app; it uses the same obfuscator with Android r23c, but has a smaller file size: `lib/arm64-v8a/libking.so`
https://mega.nz/file/s2cAwQCB#CUEDh2K5JQZhIIw1F2cT96INGtv11mAKmaSMkuXLLxY
This one as well: `assets/__tpcfinfo.tsb`
https://mega.nz/file/QucS2LLZ#-2acmGMRGSNzkh0YUM4YlRWsbnmYiBctOiM5WOyYHmE
Also, take a look at Netmarble's report about AR. It's very old but can still be useful to learn how the VIP mod works. The report is in Korean.
Link: https://www.slideshare.net/ssuser052dd11/igc2018-arandroid-republic#20
Backup: 1-181023024706.pdf
There is a mention about OLLVM from page 20 to 24 and page 31.
I don't understand Korean, so I used Google Translate.
Added more Kingmods samples in the same mega link and added more details about the owner of AR.