
Releases: rednaga/APKiD

v2.1.5 - BlackHat USA 2023 Edition

30 Jul 17:12

The following products got improvements, rules and fixes:

  • Packers:
    • AppSealing
    • BlackMod (modder)
    • 5Play.ru (modder)
    • Aegis - AndroidRepublic (modder)
    • KangaPack
    • LIAPP
  • Protectors:
    • DexGuard v9.x (Aarch64)
    • DexProtector telemetry (Alice)
    • Verimatrix / InsideSecure
    • Protectt.ai
    • Google Play Integrity protection
    • Secucen AppIron
    • Ahope AppShield
    • AppCamo
    • EverSafe
    • VGuard
    • DxShield
  • Obfuscators:
    • LSPosed (seen in Momo, Shamiko and so on)
    • Android Republic VIP (modder)

Thanks to everyone who contributed! @cryptax @FrenchYeti @dustty0 @Yehh22 @CalebFenton @enovella

v2.1.4

28 Sep 15:34

The following products got improvements, rules and fixes:

  • Packers:
    • Multidex inline implementation
    • EpicVM (ex-ULTIMA protector)
    • Jiagu ELF packer
    • DexProtector
    • LIAPP
  • Protectors:
    • DexGuard v9.x (Aarch64)
    • DexProtector telemetry (Alice), native (ARM32) and APK files
    • FreeRASP
  • Obfuscators:
    • OLLVM v5, v8, v9 (with and without string encryption)
    • ADVObfuscator (in PGSharp)

Additionally,

  • Update to Python 3.9
  • Update yara-python-dex dependency

Thanks to everyone who contributed! @cryptax @apkunpacker @enovella @CalebFenton @strazzere @Fare9

v2.1.3

06 Apr 18:14

We've had a good number of rule changes since the last release so we wanted to cut a new version. Thanks to everyone who contributed! We hope you find the tool useful.

Add or improve detections for:

  • AliPay
  • ApkEncryptor
  • APKProtect
  • AppGuard
  • CrackProof
  • DexGuard
  • DexProtector
  • Hikari
  • JsonPacker
  • Ollvm
  • Promon Shield
  • Tencent Legu

v2.1.2

06 Apr 18:09

For APKiD:

  • Use yara-python-dex to greatly simplify installation (yay!)
  • Print some errors to stderr

No significant changes were made to rules.

v2.1.1

12 Nov 18:56

For APKiD itself:

  • Fixed bug with `--output-dir` not working with absolute paths within docker container (#171) - thanks @iantruslove
  • Reduce docker layers and sizes - thanks @superpoussin22
  • Add scan_file_obj API
  • Fixed some error handling
  • Add --include-types option
  • Fix rule identifier counting
  • Improve rule hash stability
  • Improve file type detection for ELFs
  • If using filename for typing, consider .jar files as zips.

For the rules:

  • Beefed up DexGuard detection
  • Correct dexlib1 detection
  • Add AppSuit detection - thanks @enovella
  • Add SafeEngine detection - thanks @horsicq
  • Several other fixes and improvements

v2.0.3

01 Jun 00:53

  • Add check for zip entry types before trying to scan them
  • Handle duplicate zip entries via ZipFile.infolist()
  • Make OutputFormatter.build_json_output public
  • Change default typing behavior to magic

The zip entry type check is a minor optimization. The previous behavior was to assume every zip entry should be scanned. Here's a quick benchmark showing that filename typing (which is faster than checking magic bytes) saves a lot of time. Of course, you'll miss "hidden" files that aren't named with the correct extension. If you use APKiD forensically or on malware, stick with the default (magic) typing. If you have some unusual custom rules, you might even want to use --typing none.

Here's some benchmarking data:

apkid test-data --typing filename  23.96s user 1.49s system 98% cpu 25.844 total
apkid test-data --typing magic  41.05s user 2.37s system 98% cpu 43.922 total
apkid test-data --typing none  41.66s user 2.19s system 98% cpu 44.640 total
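To make the typing trade-off concrete, here is an added illustration (not APKiD's own code; the extension and magic-byte tables, the entry filter and the constructed sample archive are assumptions for the example). It types zip entries either by extension or by their leading magic bytes, walks entries via ZipFile.infolist() so duplicate names are not collapsed onto one, and includes a DEX file stored under a .png name that filename typing silently skips while magic typing catches it:

```python
import io
import warnings
import zipfile

# Leading bytes of the container formats a DEX/ELF scanner cares about.
# (Table is an assumption for this example, not APKiD's rule set.)
MAGIC = {
    b"dex\n": "dex",
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip",
}

# Cheap extension-based typing; .jar is treated as a zip, as the release
# notes describe for filename typing.
EXT = {
    ".dex": "dex",
    ".so": "elf",
    ".apk": "zip",
    ".jar": "zip",
    ".zip": "zip",
}


def type_by_magic(head: bytes) -> str:
    for prefix, kind in MAGIC.items():
        if head.startswith(prefix):
            return kind
    return "unknown"


def type_by_filename(name: str) -> str:
    lower = name.lower()
    for ext, kind in EXT.items():
        if lower.endswith(ext):
            return kind
    return "unknown"


def scan_entries(zip_bytes: bytes, typing: str = "magic"):
    """Return [(entry_name, kind)] for every entry that would be scanned.

    typing: "magic" reads the first bytes of each entry, "filename" trusts
    the extension only, "none" scans everything without typing.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # infolist() yields one ZipInfo per central-directory record, so two
        # entries with the same name (a known packer trick) are both visited;
        # namelist()/getinfo() would only ever reach the last one.
        for info in zf.infolist():
            if info.is_dir():
                continue
            if typing == "filename":
                kind = type_by_filename(info.filename)
            elif typing == "magic":
                with zf.open(info) as fh:   # opens this exact record, not by name
                    kind = type_by_magic(fh.read(4))
            else:
                kind = "unknown"
            if typing == "none" or kind != "unknown":
                results.append((info.filename, kind))
    return results


def build_sample_apk() -> bytes:
    """Constructed sample archive (not a real APK) with a hidden DEX and a
    duplicate classes.dex entry."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 12)
        zf.writestr("assets/logo.png", fake_dex)        # DEX hiding under .png
        zf.writestr("res/raw/data.bin", b"\x00\x01\x02\x03")
        with warnings.catch_warnings():                 # zipfile warns on duplicates
            warnings.simplefilter("ignore")
            zf.writestr("classes.dex", fake_dex)        # second record, same name
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    for mode in ("filename", "magic", "none"):
        print(mode, scan_entries(sample, mode))
```

Filename typing is the fast path because it never inflates an entry; magic typing costs a read of each entry's header but is the only one of the two that finds the mislabelled DEX, which is why it is the right default for forensic or malware work.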

v2.0.0 - Now with a screenshot in the README!

07 May 20:54

Lots of good changes here. Many thanks to people who contributed rules and put up with my review process -- @enovella, @P0r0, @ZeroLoad, @ulexec.


  • Rewrite core code -- cleaner API, Python 3.6+ compatible, type hints
  • New rules -- Arxan GuardIT, SecNeo, SecEnh, AppSealing, AliPay, GaoXor, Kiwi, Gemalto
  • Updated yara-python dependency to 3.10.0 (removed dependency on our custom fork!)
  • General rule cleanup and refactoring
  • 14.7% more cool
  • Readme now includes a screenshot because the marketing department demanded one

v1.2.1

14 Jul 16:13
8f88c13

This release has a lot of changes both in the code and in the rules.

Thanks to @enovella who has really stepped up and added a lot of rules, and thanks to everyone else in the community who's contributed!

Core Changes

  • Update to yara-python 3.7.0.999 (with the new official DEX module)
  • Added TravisCI integration & some tests for rules
  • Rules need to compile or the test will fail
  • Warnings are given if rules don't have tags, description, or a sample
  • Add colorized output


New native obfuscators

  • Obfuscator-LLVM
    • v3.4
    • v3.5
    • v3.6.1
    • v4.0
    • v6.0 (unofficial fork)
    • v6.0 with string encryption (unofficial fork)
    • version-less
  • Firehash
  • ADVobfuscator

New DEX obfuscators

  • Allatori demo
  • Arxan
    • Multidex support
  • DexProtector (bugfixes)
  • AMMO (thanks @P0r0!)

New native packers

  • Promon Shield
  • UPX
    • v3.93
    • v3.94
  • Bangcle SecShell (secneo-like)
  • AppGuard (secneo-like)

New DEX packers

  • ApkPacker (Custom packer)
  • CryptoShell
  • ApkGuard
  • DexProtector (more versions)
  • Jiagu (ApkToolPlus)
  • Custom Chinese "ChornClickers" (Ch-ina PornClickers)

v1.0.0

10 Mar 02:54

Changes:

v0.9.4

26 Sep 00:01

Changes:

  • Fixed segfaults for badly formed DEX files (thanks @cryptax!)
  • Added PangXie packer rules (thanks @cryptax!)
  • Added DexProtector obfuscator rules (thanks @Jasi2169!)
  • Updated Yara from 3.4.0 to 3.5.0 (thanks ME!)
  • Fixed some typos, cleaned up code, the usual