[SOLVED] Root Detected by IDBI GoMobile+ Bank App - Magisk

Hi,
I have an Asus Zenfone Max Pro M1 with StockMod Pie with Magisk v20.3 Stable.
Magisk Manager has been renamed to Manager.
The SafetyNet check has always been successful, both "ctsProfile" and "basicIntegrity".
On the same phone, I have been using an Indian bank app, IDBI Bank GoMobile+, for the last few months and things have all been fine. The app has been selected under Magisk Hide.
I do use other bank/fintech apps too, like Google Pay etc., and they work fine.
But since yesterday this GoMobile+ app is saying the phone is rooted and is not working. It seems that with the recent update of 30th Jul they have introduced some additional check.
Taking a bit of inspiration from @rithvikvibhu's message in an earlier thread, I tried to decompile the latest apk to a jar and use jd-gui to see if I could find something related to root.
There is com.scottyab.rootbeer, and within it I see the following:
Code:
package com.scottyab.rootbeer;

public final class b {
    // package names of known root-management apps
    public static final String[] a = new String[] {
        "com.noshufou.android.su",
        "com.noshufou.android.su.elite",
        "eu.chainfire.supersu",
        "com.koushikdutta.superuser",
        "com.thirdparty.superuser",
        "com.yellowes.su",
        "com.topjohnwu.magisk" };
    // package names of apps RootBeer treats as "dangerous"
    public static final String[] b = new String[] {
        "com.koushikdutta.rommanager",
        "com.koushikdutta.rommanager.license",
        "com.dimonvideo.luckypatcher",
        "com.chelpus.lackypatch",
        "com.ramdroid.appquarantine",
        "com.ramdroid.appquarantinepro",
        "com.android.vending.billing.InAppBillingService.COIN",
        "com.chelpus.luckypatcher" };
    // package names of known root-cloaking apps
    public static final String[] c = new String[] {
        "com.devadvance.rootcloak",
        "com.devadvance.rootcloakplus",
        "de.robv.android.xposed.installer",
        "com.saurik.substrate",
        "com.zachspong.temprootremovejb",
        "com.amphoras.hidemyroot",
        "com.amphoras.hidemyrootadfree",
        "com.formyhm.hiderootPremium",
        "com.formyhm.hideroot" };
    // directories searched for su/busybox binaries
    public static final String[] d = new String[] {
        "/data/local/", "/data/local/bin/", "/data/local/xbin/", "/sbin/",
        "/su/bin/", "/system/bin/", "/system/bin/.ext/", "/system/bin/failsafe/",
        "/system/sd/xbin/", "/system/usr/we-need-root/",
        "/system/xbin/", "/cache", "/data", "/dev" };
    // paths that should not be mounted read-write
    public static final String[] e = new String[] {
        "/system", "/system/bin", "/system/sbin", "/system/xbin",
        "/vendor/bin", "/sbin", "/etc" };

    private b() throws InstantiationException {
        throw new InstantiationException("This class is not for instantiation");
    }
}
Now, I am not using any of these apps, at least. So what can be the reason here? I don't want to go with the option of signing a modified apk.
Also, is there anything else to be searched for in the jar file? I tried searching for isrooted etc. but couldn't find it. I even tried searching for rootbeer but nothing came up.
Please help and suggest possible solutions.
I installed the RootBeer Sample app, selected it in Magisk Hide and upon running it, it says Not Rooted. Everything passes with green except "Busybox Binary".
Also I tried analyzing logcat over adb and read the following:
Code:
[ 08-02 19:40:11.629 27679:27830 V/RootBeer ]
c: a() [184] - /system/xbin/busybox binary detected!
PS: I am using apk to jar and the above tools for the first time, so I may be missing a few more options/searches etc.
SOLUTION: Read post 2; in my case there was an old remnant of BusyBox which was creating the issue.
For others having issues using IDBI GoMobile+, please check that you don't have any of the above apps (mentioned under spoiler).

Problem Solved
Ok, so after a few hours of reading and playing around with tweaks etc., I found that the issue was the following:
there was an old remnant of a busybox binary, maybe installed as part of the ROM or some package. This BusyBox was in /system/xbin/.
It seems that this was over and above the systemless busybox installed via Magisk.
Now, it seems that for some reason, only in the last app update, this system busybox presence was also flagged as ROOTED.
I got this idea from @tamer7's post. Based on the same, I went to TWRP and flashed Busybox-CLEANER.zip by @YashdSaraf.
Rebooted and opened RootBeer Sample and got all green. I then went to the bank app and here too no nag message of "being rooted". YAY
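As an added example (not RootBeer's code and not from the thread), this POSIX shell script re-implements RootBeer's "binary in a known directory" check with the directory list decompiled above (array d), so a leftover like the /system/xbin/busybox from post 2 can be located before flashing a cleaner; the file name rootbeer_scan.sh and the "magisk" binary name are assumptions, the latter about newer RootBeer builds.

```shell
#!/bin/sh
# Added example, not RootBeer's or the poster's code: re-implement RootBeer's
# "binary in a known directory" check with the directory list decompiled above
# (array d). Run as `sh rootbeer_scan.sh /` from adb shell to see which file a
# detector like this flags; with no argument it scans a constructed fake tree
# that mimics the stray /system/xbin/busybox from post 2.
ROOTBEER_DIRS="/data/local/ /data/local/bin/ /data/local/xbin/ /sbin/ \
/su/bin/ /system/bin/ /system/bin/.ext/ /system/bin/failsafe/ \
/system/sd/xbin/ /system/usr/we-need-root/ /system/xbin/ /cache /data /dev"
# Binary names looked up in those directories: "su" and "busybox" match the
# sample app's checks; "magisk" is an assumption about newer RootBeer builds.
ROOTBEER_BINARIES="su busybox magisk"

# scan_rootbeer_paths PREFIX: print one "<path> binary detected!" line per hit,
# in the same wording as the logcat line above. PREFIX is prepended to every
# absolute path so a fake tree can be scanned offline; use / on a real device.
scan_rootbeer_paths() {
    prefix="${1%/}"
    for dir in $ROOTBEER_DIRS; do
        for bin in $ROOTBEER_BINARIES; do
            if [ -e "${prefix}${dir%/}/$bin" ]; then
                echo "${dir%/}/$bin binary detected!"
            fi
        done
    done
}

# make_fake_root: build a constructed directory tree whose only suspicious file
# is a leftover busybox in /system/xbin; prints the tree's path.
make_fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/system/xbin" "$root/system/bin" "$root/data/local"
    printf '#!/bin/sh\n' > "$root/system/xbin/busybox"
    chmod 755 "$root/system/xbin/busybox"
    echo "$root"
}

if [ -n "$1" ]; then
    scan_rootbeer_paths "$1"
else
    fake=$(make_fake_root)
    scan_rootbeer_paths "$fake"        # /system/xbin/busybox binary detected!
    rm -f "$fake/system/xbin/busybox"  # the effect of the Busybox-CLEANER zip
    scan_rootbeer_paths "$fake" | grep -q . || echo "no flagged binaries left"
    rm -rf "$fake"
fi
```

On a device the scan only reports files that exist in those directories; a Magisk-mounted systemless busybox shows up too if it is bind-mounted into one of them, which is the distinction the Busybox-CLEANER step in post 2 relies on.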

"com.topjohnwu.magisk" is also in the list of apps to be checked. Magisk Manager uses the same package name.

BlueJeans said:
"com.topjohnwu.magisk" is also in the list of apps to be checked. Magisk Manager uses the same package name.
Thanks for the feedback, but as mentioned I have already renamed Magisk Manager to Manager, and so the package name is changed.

Solved
The issue is resolved, thanks to threads on xda, infosecinstitute, medium etc

Related

Hook cmds (PM)

I need to hook runInstall from Pm.java (android commands)
https://android.googlesource.com/pl...1/cmds/pm/src/com/android/commands/pm/Pm.java
I used
Code:
    public static final String PMCOMMANDS = "com.android.commands.pm.Pm";
    // null class loader: this is what fails with ClassNotFoundError below
    public Class<?> pmCommandsClass = XposedHelpers.findClass(PMCOMMANDS, null);

    XposedHelpers.findAndHookMethod(pmCommandsClass, "runInstall",
            installBackgroundHook);
but I got a ClassNotFoundError.
Edit: I found that there is a IXposedHookCmdInit (and I probably need it). But how to use it? @rovo89?
pyler said:
Edit: I found that there is a IXposedHookCmdInit (and I probably need it). But how to use it? @rovo89?
If you check further, you will see that IXposedHookCmdInit is deprecated. As the comment says, you need to create a flag file if you want to hook tools, but it's strongly discouraged (and all of your users would have to do the same). I only kept this class because I use the "am" tool for testing low-level framework changes, so I don't have to restart the whole system. So consider it a debugging feature, not meant for end-users.
There are often better places that you should hook instead. In your case, you might want to hook the PackageManagerService, as "pm" is just the frontend.
Uhm.
I wanted to block installation in the background using "pm install file.apk", and hooking runInstall from Pm.java was the best way.
In PackageManagerService#installPackage I can't find out if the installation was started using "pm" :/ Any good idea for a workaround?
Well, "pm" is a shell script, so you could maybe modify it directly, without Xposed.
Or you do something similar to installPackageWithVerification():
Code:
    final int uid = Binder.getCallingUid();
    final int filteredFlags;
    if (uid == Process.SHELL_UID || uid == 0) {
        if (DEBUG_INSTALL) {
            Slog.v(TAG, "Install from ADB");
        }
        filteredFlags = flags | PackageManager.INSTALL_FROM_ADB;
    } else {
        filteredFlags = flags & ~PackageManager.INSTALL_FROM_ADB;
    }
Instead of (or in addition to) this, you could also retrieve the PID to get more information about that process. But maybe it's enough to check for that INSTALL_FROM_ADB flag.
Yes, this way may work. Thanks now, I am going to try it.

[Q] Module Development question: Cannot hook

Sorry for the beginner question; I'm beginning Android development:
I'm trying to create an Xposed module for Chrome, but when I try to hook into onCreateOptionsMenu I get the error:
NoSuchMethodError: com.google.android.apps.chrome.ChromeActivity#onCreateOptionsMenu()#exact
My best guess is that ChromeActivity doesn't override the Activity's onCreateOptionsMenu method. Am I on the right track? Can I implement it using Xposed?
(Code is here: pastie.org/9748669)
cassiozen said:
Sorry for the beginner question; I'm beginning Android development:
I'm trying to create an Xposed module for Chrome, but when I try to hook into onCreateOptionsMenu I get the error:
NoSuchMethodError: com.google.android.apps.chrome.ChromeActivity#onCreateOptionsMenu()#exact
My best guess is that ChromeActivity doesn't override the Activity's onCreateOptionsMenu method. Am I on the right track? Can I implement it using Xposed?
(Code is here: pastie.org/9748669)
First, make sure you are listing the correct method parameters. onCreateOptionsMenu takes a "Menu" parameter and you have to specify it in findAndHookMethod:
Code:
    findAndHookMethod("com.google.android.apps.chrome.ChromeActivity", classLoader,
            "onCreateOptionsMenu", Menu.class, new XC_MethodHook() {
        ...
    });
Then, if you are still not able to hook it because it's not overridden from the super class (I have a feeling the current official Xposed framework can handle such cases, but I'm not sure),
your option is to hook the super class (e.g. Activity) and check whether the instance you are currently working with is the ChromeActivity one.
Code:
    if (param.thisObject.getClass().getName().equals("com.google.android.apps.chrome.ChromeActivity")) {
        ...
    }
Make sure to create your Activity hook in the Chrome package context only, as doing it system-wide would affect all packages, which would bring too much unneeded overhead.

[SOLVED] Can't hook PhoneWindowManager.smali on Galaxy S6 running MM

I wrote a short module, to start my mods, that would intercept and detect the keys being pressed.
I have done this many times before on other phones, S2 and S5. The S5 was on Lollipop, and the class PhoneWindowManager.smali was in a different spot than it is on MM.
However, I found the PhoneWindowManager.smali class in the Marshmallow source and added the class path to the module. Everything compiles, the Xposed log says it's loading my module, and everything looks great.
However, my "beforeHookedMethod" is never firing. I can tell because I put a simple XposedBridge.log() inside the method.
Is there something fishy I need to do with Marshmallow? Also, the Xposed log says SELinux is enforcing; could this be the issue?
Here is my code for the module:
Code:
    // Hook the system server ("android") and use that package's class loader; null does not work for the class loader.
    if (loadPackageParam.packageName.equals("android")) {
        Class<?> PhoneWindowMgr = XposedHelpers.findClass("com.android.server.policy.PhoneWindowManager", loadPackageParam.classLoader);
        XposedHelpers.findAndHookMethod(PhoneWindowMgr, "interceptKeyBeforeQueueing", KeyEvent.class, Integer.TYPE, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                XposedBridge.log("Intercept key. Keycode: " + ((KeyEvent) param.args[0]).getKeyCode());
            }
        });
    }
Nothing is logged when I press the buttons on my device.

Package/App not found?

I apologize in advance, because this is surely a question that has been asked and answered before but it isn't in the FAQs and I lack the vocabulary to search for it.
After installing Xposed and getting the clock demo working, I made a very simple module that just prints out package names as they are loaded.
Code:
    public class Tutorial implements IXposedHookLoadPackage {
        public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
            XposedBridge.log("Loaded app: " + lpparam.packageName);
        }
    }
When running it on an emulated Google Nexus 5 with 5.1 (API 22) via Genymotion, it successfully logs a bunch of com.android/google things as they load, but not other applications. For instance, opening the Cyanogenmod File Manager or Final Fantasy Brave Exvius doesn't lead to anything being logged. When I decompile their APKs to smali, I see a lot of class names outside of the com.google/android family.
Why can't I see those apps in Xposed? Does it only hook android API functions?
Sorry, but does anyone have an idea why this might happen?
There's nothing wrong; if your code is already logging some applications, this is a clear sign that it works. Maybe you can hook the onCreate method and log from there as an alternative.
Massi-X said:
There's nothing wrong; if your code is already logging some applications, this is a clear sign that it works. Maybe you can hook the onCreate method and log from there as an alternative.
Okay, so I would use something like this code to scan the methods of loaded packages and hook onCreate methods?
github.com/rovo89/XposedBridge/issues/151
Sorry, it won't let me post a link.
Byrth said:
Okay, so I would use something like this code to scan the methods of loaded packages and hook onCreate methods?
github.com/rovo89/XposedBridge/issues/151
Sorry, it won't let me post a link.
I was thinking about hooking all the onCreate methods in every package (catching the error if one doesn't exist) and logging the package name. Another thing that comes to my mind: were there no errors in the log? Were the packages you want to log installed before the reboot, or did you install them after the module was active?

[Developing Module] Framework inserted systemlessly isn't loaded by Android

So because of dm-verity I can't just install frameworks into /system/framework anymore, so
I made a Magisk module that systemlessly adds com.playstation.playstationcertified.jar and playstationcertified.jar
to /system/framework,
and inside PSM.apk it has the following code:
Code:
    public static void a(Context context) {
        if (c == null) {
            HashSet hashSet = new HashSet(Arrays.asList(context.getPackageManager().getSystemSharedLibraryNames()));
            if (hashSet.contains("com.playstation.playstationcertified")) {
                // ... rest of the decompiled method not shown in the post
            }
        }
    }
However, for whatever reason, that hashSet.contains() check returns false, despite the framework existing in /system/framework.
Also, copying the framework file into /system/framework works on older versions of Android.
Any idea why it doesn't work when doing it systemlessly in Magisk?
My phone is a SM-A105G running Android 9.0.
