An example of Android multi-open analysis and detection implementation
- 2021-12-13 16:58:56
- OfStack
Theoretical basis of multi-opening
Multi-open apps are often used for illicit purposes, such as abusing promotions ("wool pulling") and black- and gray-market activity, and can even damage an app's functions. Multi-opening is therefore harmful to an app in practice, so identifying a multi-open environment is important and helps make the app safer.
At present, the multi-open apps on the market all work on a similar principle: they run the multi-opened app in a new process and hook various system functions so that the multi-opened app believes it is running as a normal app.
In terms of form, there are two kinds of multi-open app. One loads the multi-opened app directly from inside the multi-open app, such as Parallel Space and VirtualApp. The other has the user install a new app, but that app is essentially a shell that loads the multi-opened app, so the principle is the same as the first. The multi-open doppelganger app on the market uses this form, and the user needs to install a new package named dkmodel.xxx.xxx for each doppelganger.
Analysis of the multi-open implementation principle
There are several ways to implement app multi-opening, such as using multi-user mode (the MuMu emulator's multi-open implementation) or running the app under a different process name (multi-open doppelganger, double-open assistant).
Every app has its own private directory, which is generally "/data/data/package name/" or "/data/user/user number/package name". Multi-opening is built on the same layout, so we can read the files directory under the private directory by calling the system getFilesDir() method. In a multi-open environment, the directory obtained becomes "/data/data/multi-open package name/xxxxxxxx" or "/data/user/user number/multi-open App package name".
Based on this analysis, the multi-open environment can be identified with the following code.
Code implementation: multi-open package names
// Package names of known multi-open apps, collected from most of the multi-open apps currently on the market
private String[] packagename = {
    "com.bly.dkplat",                   // Multi-open doppelganger itself
    "com.by.chaos",                     // chaos engine
    "com.lbe.parallel",                 // Parallel Space
    "com.excelliance.dualaid",          // Double-open assistant
    "com.lody.virtual",                 // VirtualXposed, VirtualApp
    "com.qihoo.magic",                  // 360 doppelganger master
    "com.dual.dualgenius",              // DualGenius
    "com.jiubang.commerce.gomultiple"   // GO Multiple
};
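Compare the private file path against the package names
public boolean checkPrivateFilePath(Context context)
{
    // In a multi-open environment the private directory path contains the host app's package name.
    String path = context.getFilesDir().getPath();
    for (String vtpkg : packagename)
    {
        if (path.contains(vtpkg))
        {
            return true;
        }
    }
    return false;
}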
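An added example (not code from the original article): instead of matching a list of known multi-open package names, it checks that the private directory has the form expected for the app's own package, which also flags hosts that are not on the list, and it reports a non-zero user number separately. `PrivateDirCheck`, `classify`, `com.example.app` and the sample paths are constructed for illustration; it is plain Java so it runs without an Android device.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: classifies a getFilesDir() path against the app's own package name.
// All names and sample paths here are constructed for illustration.
public class PrivateDirCheck {
    enum Verdict { NORMAL, SECONDARY_USER, FOREIGN_HOST }

    // Accepts only the two roots named in the article:
    //   /data/data/<pkg>/...   or   /data/user/<userId>/<pkg>/...
    // Assumption: other legitimate roots (for example adopted storage) are not handled.
    private static final Pattern PRIVATE_DIR = Pattern.compile(
            "^/data/(?:data|user/(\\d+))/([A-Za-z0-9_.]+)(/.*)?$");

    static Verdict classify(String filesDir, String ownPackage) {
        Matcher m = PRIVATE_DIR.matcher(filesDir);
        if (!m.matches() || !m.group(2).equals(ownPackage)) {
            // The directory directly under the root belongs to another package
            // (a host app), or the path is outside the expected roots.
            return Verdict.FOREIGN_HOST;
        }
        String userId = m.group(1);            // null for the /data/data form
        if (userId != null && !userId.equals("0")) {
            // Multi-user mode. A work profile also lands here, so treat this
            // as a signal to weigh, not as proof of multi-opening.
            return Verdict.SECONDARY_USER;
        }
        return Verdict.NORMAL;
    }

    public static void main(String[] args) {
        String pkg = "com.example.app";        // constructed package name
        String[] samples = {                   // constructed sample paths
            "/data/data/com.example.app/files",                          // NORMAL
            "/data/user/0/com.example.app/files",                        // NORMAL
            "/data/user/10/com.example.app/files",                       // SECONDARY_USER
            "/data/data/com.lbe.parallel/xxxxxxxx/com.example.app/files", // FOREIGN_HOST
            "/data/user/0/dkmodel.abc.def/files",                        // FOREIGN_HOST
        };
        for (String p : samples) {
            System.out.println(classify(p, pkg) + "  " + p);
        }
    }
}
```

On a device, the first argument would be `context.getFilesDir().getPath()` and the second `context.getPackageName()`; because a hooked environment can falsify either value, the result is best combined with the other checks on this page.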
Code implementation: multi-user
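private String GetMulData()
{
    // Read this process's cgroup information by running a shell command.
    // exec() and isNumeriToUid() are helper methods that are not shown on this page.
    String filter = exec("cat /proc/self/cgroup");
    if (null == filter || (filter.length() == 0))
    {
        return null;
    }
    int uidStartIndex = filter.lastIndexOf("uid");
    int uidEndIndex = filter.lastIndexOf("/pid");
    if (0 > uidStartIndex)
    {
        return null;
    }
    if (0 >= uidEndIndex)
    {
        uidEndIndex = filter.length();
    }
    try {
        // Skip "uid" plus the separator character that follows it.
        // substring() is inside the try block so that unexpected input returns null
        // instead of throwing an uncaught StringIndexOutOfBoundsException.
        filter = filter.substring(uidStartIndex + 4, uidEndIndex);
        String strUid = filter.replaceAll("\n", "");
        if (isNumeriToUid(strUid))
        {
            int uid = Integer.parseInt(strUid);
            // Format as an app user name; 10000 is the first application UID.
            filter = String.format("u0_a%d", uid - 10000);
            return filter;
        }
    } catch (Exception e)
    {
        return null;
    }
    return null;
}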