Report 1

The document provides security evaluations for multiple Android applications, highlighting their attributes, risks, and positive observations. Each app is assessed for potential data theft, permissions, obfuscation techniques, and overall security risk levels, ranging from low to medium. Key concerns include sensitive permissions, backup capabilities, and cryptographic weaknesses, with recommendations for cautious use, especially if apps are not sourced from trusted platforms.

AF Unlocker (v1.8.4)

Application Details

• Application Name: AF Unlocker

• Package Identifier: bx.rahat.afpro

• Version: 1.8.4

• APK File Name: AndroidFaker1.84_unl.apk

• File Size: 0.02 MB

• Target Android SDK: 33

• Minimum Android SDK: 28 (Android 9)

• Digital Signature: Present (Signed with a valid RSA 2048-bit certificate)

• Certificate Issuer: Ratul Hasan, Dhaka, Bangladesh

• Certificate Validity: April 2023 – April 2048

Summary Evaluation

• Overall Security Risk: Low

• Risk Category: Suspicious but not conclusively malicious

• Evidence of Data Theft: None found in static analysis

Positive Observations

• The app does not request dangerous or invasive permissions commonly used to
access sensitive data such as contacts, SMS, location, or microphone.
• No network endpoints, trackers, or communication patterns associated with
known malware or suspicious behavior were detected.

• No active Android components (activities, services, receivers) were exposed,
reducing the risk of external triggering or hijacking.

Potential Concerns

1. Backup Enabled

o The manifest leaves android:allowBackup enabled, so app data can be pulled
with adb backup from a device that is unlocked and has USB debugging
authorized; no root is required. Since Android 12 the platform excludes app
data from adb backup for apps targeting API 31 or higher unless they are
debuggable, so with targetSdk 33 the exposure is limited to devices running
Android 11 or earlier.

2. Support for Vulnerable Android Versions

o minSdkVersion 28 lets the app install on Android 9, which no longer receives
platform security updates. This is an exposure of the device rather than a
flaw in the app, but it means the app may run on unpatched systems.

3. Very Small APK Size

o At 0.02 MB (roughly 20 KB) the application is unusually small. This can
indicate a minimal loader, an encrypted payload, or remote resource fetching,
but it is also what a licensing stub or a UI-less framework module looks like,
so size alone is not an indicator. Inspect the DEX for dynamic code loading
(DexClassLoader, System.load, in-memory DEX loading) and for network calls
before concluding either way.

4. Unrecognized Build Environment

o The APK was packaged in a way that did not match known compiler
signatures, potentially suggesting obfuscation or custom modification.

Based on the available static data:

• No direct evidence of data exfiltration or spyware behavior was identified.

• The app is not inherently malicious, but its structure raises mild suspicion due
to its minimal size and potential obfuscation.

• The app appears safe under controlled conditions, but should be treated with
caution, especially if it was not obtained from a trusted source.

App Cloner Premium+ (v1.5.14)

Application Details

• Application Name: App Cloner Premium+

• Package Identifier: com.applisto.appcloner.premium

• Version: 1.5.14

• APK File Name: AppCloner1.5.14.apk

• File Size: 9.78 MB

• Target SDK: 22 (Android 5.1). Because the target is below API 23, the app
runs under the legacy install-time permission model: every requested
permission is granted at install and can only be revoked afterwards in
Settings. Android 14 refuses to install apps targeting below API 23 at all.

• Minimum SDK: 15 (Android 4.0.3)

• Code Signature: Present (certificate self-signed with SHA1withRSA). The
SHA-1 here is the algorithm of the certificate's own self-signature, which
Android never validates; installers match signer certificates byte for byte,
so it does not weaken APK verification.

• Signature Validity: 2008 – 2035

Summary Evaluation

• Overall Security Risk: Medium

• Risk Category: Potentially Risky with Obfuscation and Broad Capabilities

• Evidence of Data Theft: None definitively proven, but potential exists due to
permissions, components, and exposed capabilities

Key Findings

Positive Observations

• No confirmed connections to malicious domains or known threat actors.

• No high-confidence indicators of active spyware or data exfiltration.


• Network traffic endpoints appear mostly legitimate (Google, Firebase,
Amazon).

Key Risks and Concerns

1. Sensitive Permissions Granted

o The app requests read/write access to external storage, which exposes user
files; with targetSdk 22 these are granted at install time.

o It holds INTERNET and ACCESS_NETWORK_STATE. Both are normal (install-time)
permissions that almost every app requests; they matter here only because
they give the storage access a path off the device.

2. Obfuscation and Anti-Reverse Engineering Techniques

o App employs advanced obfuscation via LLVM and DexProtector.

o Includes anti-debugging and anti-virtualization features.

o These methods are common in both privacy-focused apps and those attempting
to hide malicious behavior.

3. Exported Components

o Several activities, receivers, and content providers are accessible to other
apps. Unless each one enforces an android:permission or validates its caller,
it can be triggered by any app on the device.

o This exposes the application to intent hijacking or data leakage; the
practical impact depends on what each component does with caller-supplied
input.

4. Use of Weak or Deprecated Cryptographic Algorithms

o App uses MD5, SHA-1, and AES in ECB mode. MD5 and SHA-1 are broken for
collision resistance, and ECB leaks plaintext structure because equal
plaintext blocks encrypt to equal ciphertext blocks. Whether this matters
depends on use: MD5 as a file checksum is harmless, MD5 as a password or
integrity hash is not.

o It also uses a non-cryptographic random number generator (typically
java.util.Random rather than SecureRandom), which weakens any keys, IVs, or
tokens derived from it.

5. Data Handling and Logging


o Logging of sensitive data and interaction with the device clipboard were
detected.

o Clipboard listening and copying may expose user data to other apps on
the device.

6. Root Access Capabilities

o Presence of RootTools and root check libraries suggests the app can
detect or request elevated privileges.

o If combined with other capabilities, this could enable unauthorized data
access.

7. Hardcoded Keys and Secrets

o Keys, Firebase endpoints, and configuration data are stored directly in the
app. A Firebase project ID or API key is not a secret by itself, since every
client ships it; the real exposure is whether the backend's security rules
rely on it. Anything that actually grants access, such as a signing key or a
service credential, can be extracted from the APK and used to tamper with
functionality or pull data.

The application shows no direct evidence of data exfiltration in static analysis.
However, its combination of:

• Obfuscation

• Root and system-level capabilities

• Access to external storage

• Weak cryptographic implementations

• Exposed components

suggests it should be treated with high caution.

HMAL (v4.1.r44)

1. Application Overview

Attribute Value

App Name HMAL

Package ID com.google.android.hmal

Version 4.1.r44

APK Filename HMAL-V4.1.r44-release.apk

File Size 2.5 MB

Target SDK 35

Minimum SDK 24 (Android 7.0)

Signature Present (v2, signed with an Android debug certificate). A debug
certificate carries no publisher identity, so the com.google.android package
prefix gives no assurance that Google built this APK.

Certificate Validity March 2024 – August 2051

2. Risk Summary

• Overall Security Risk: Medium

• Risk Classification: Potentially risky (obfuscation and insecure data practices)

• Evidence of Data Theft: None confirmed via static analysis

• Security Score: 52/100

• Grade: B

3. Positive Security Attributes

• No connections to known malicious domains.

• No use of dangerous or high-risk permissions (e.g., camera, SMS, contacts).

• No root access libraries or system-level exploits detected.

• Signed using a recognized scheme (v2 signature).

4. Key Risks and Technical Concerns

1. Outdated Platform Support

• Minimum SDK set to Android 7.0 (API 24), a version that no longer receives
security updates; the app may therefore run on unpatched devices.

2. Backup Enabled

• The allowBackup=true flag lets app data be pulled with adb backup from an
unlocked device with USB debugging authorized; no root is required. For apps
targeting API 31 or higher (this one targets 35) Android 12 and later exclude
app data from adb backup unless the app is debuggable, so the exposure is
limited to devices on Android 11 or earlier.

3. Exported Components

• Exported activity alias, content provider, and broadcast receiver lack
permission restrictions, posing a risk of unauthorized access or intent
hijacking.

4. Sensitive Logging

• Source files such as Logger.java and MyHandler.java indicate insecure logging
of potentially sensitive data.

5. Weak Cryptography

• Insecure random number generation detected, which could compromise
cryptographic operations or authentication logic.

6. Clipboard Monitoring

• App writes sensitive data to the clipboard. Since Android 10 only the
foreground app and the default input method can read the clipboard, so the
exposure is to whichever app the user switches to next rather than to every
installed app; on older devices any app can read it.

7. Anti-Reverse Engineering Features

• Uses anti-VM checks (e.g., fingerprint and manufacturer detection).

• No identifiable compiler signature; potential indication of code obfuscation
or packing.

8. Privacy-Related Behaviors

• Code paths that query installed packages, read the SMS inbox, and access
location were identified. Reading SMS or location requires dangerous
permissions that section 3 reports as absent, so these are either dead code,
bundled library code, or calls that would fail at runtime; reconcile the
finding against the manifest's uses-permission list before treating it as live
behavior.

9. Communication with a China-Hosted Domain

• Connects to www.coolapk.com, a Chinese Android app community. China is not a
comprehensively OFAC-sanctioned jurisdiction, so this is not a sanctions
finding; it may still matter under organizational policy on data flows to
Chinese services (e.g., U.S. federal environments).
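The backup, exported-component, cleartext and permission items above are all manifest facts, and the same items recur in the App Cloner findings. What follows is an added example, not part of the original report and not code from any of the assessed apps, that checks them in a decoded AndroidManifest.xml (as produced by apktool or androguard; the binary manifest inside the APK must be decoded first). The manifest it parses is a constructed sample, and the dangerous-permission list is a deliberately short subset of the platform's runtime permissions.

```python
"""Manifest audit for the recurring findings in these reports: allowBackup,
cleartext traffic, dangerous permissions, and exported components that carry
no android:permission guard. Added example; expects a decoded text manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree needs the namespaced form of android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest, not taken from any app in the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="35"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".UpdateReceiver" android:exported="true"/>
    <receiver android:name=".DumpReceiver" android:exported="true"
        android:permission="android.permission.DUMP"/>
    <provider android:name=".DataProvider" android:exported="true"
        android:authorities="com.example.sample.data"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
# Short subset of the platform's dangerous (runtime) permissions.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.READ_EXTERNAL_STORAGE",
}


def is_exported(component):
    """Effective exported state. With android:exported absent, the platform
    treats a component that has an intent-filter as exported (apps targeting
    API 31+ must declare it explicitly, so this fallback matters for old targets)."""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """The MAIN/LAUNCHER activity has to be exported; don't flag it."""
    for f in component.findall("intent-filter"):
        for cat in f.findall("category"):
            if cat.get(android_attr("name")) == "android.intent.category.LAUNCHER":
                return True
    return False


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(android_attr("minSdkVersion"), "1")) if sdk is not None else 1
    target_sdk = int(sdk.get(android_attr("targetSdkVersion"), "1")) if sdk is not None else 1

    cleartext = app.get(android_attr("usesCleartextTraffic"))
    if cleartext is None:
        cleartext_allowed = target_sdk < 28  # platform default flips at API 28
    else:
        cleartext_allowed = cleartext == "true"

    requested = [p.get(android_attr("name")) for p in root.findall("uses-permission")]
    unprotected = []
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp) or comp.get(android_attr("permission")):
                continue
            if tag in ("activity", "activity-alias") and is_launcher(comp):
                continue
            unprotected.append((tag, comp.get(android_attr("name"))))

    return {
        "min_sdk": min_sdk,
        "target_sdk": target_sdk,
        "allow_backup": app.get(android_attr("allowBackup"), "true") == "true",  # default true
        "cleartext_allowed": cleartext_allowed,
        "dangerous_permissions": sorted(p for p in requested if p in DANGEROUS_PERMISSIONS),
        "exported_unprotected": unprotected,
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print("%s: %s" % (key, value))
```

Two platform defaults are encoded rather than assumed: allowBackup is true when the attribute is absent, and usesCleartextTraffic defaults to true only for apps targeting API 27 or lower. A component with no android:exported attribute is treated as exported when it declares an intent-filter, which is the pre-API 31 rule; apps targeting 31 or later must set the attribute explicitly, so the fallback rarely triggers for modern targets.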

5. Conclusion

The HMAL app is not explicitly malicious but demonstrates multiple red flags related
to:

• Data handling,

• Component exposure,

• Cryptographic weakness,

• Potential for user data leakage.


GPS Setter (v1.2.8)

1. Application Overview

Attribute Value

App Name GPS Setter

Package ID com.android1500.gpssetter

Version 1.2.8

APK Filename GPS-setter.apk

File Size 6.02 MB

Target SDK 33

Minimum SDK 27 (Android 8.1)

Digital Signature Present (2048-bit RSA)

Certificate Issuer Android1500

Certificate Validity August 2022 – August 2047

2. Security Summary

• Overall Risk Level: Low

• Risk Category: Moderately Safe (Minor Privacy & Obfuscation Flags)

• Evidence of Data Theft: None identified in static analysis

• Security Score: 64/100

• Grade: A
3. Positive Security Attributes

• No high-risk or malware-linked permissions detected.

• No exported components — minimizes exposure to external triggers.

• No suspicious domain connections or malware indicators found.

• Targets a modern SDK (33), enhancing platform-level security.

• Application is properly signed with a valid certificate.

4. Key Concerns and Risk Factors

1. Use of Sensitive Permissions

• Accesses precise and approximate location, internet, and package installation.

• Requests read access to external storage.

• Common in GPS tools, but still poses privacy exposure if misused.

2. Backup Capability Enabled

• allowBackup=true may allow extraction of app data via USB debug access.

• Increases physical access risk if the device is compromised.

3. External Storage Access

• Read/write access to external storage may expose user data to other apps.

4. Clipboard Interaction

• Clipboard usage detected; could unintentionally expose sensitive content.

5. Logging Practices

• Logging of operational or sensitive data was observed in several files.

• Should be restricted or removed for production-grade deployment.


6. Anti-Reverse Engineering Features

• Anti-VM detection and obscure compiler patterns (e.g., R8-style output
without a recognizable compiler fingerprint) suggest intentional reverse
engineering resistance.

• While not inherently dangerous, it obscures transparency.

7. Potential Hardcoded Secrets

• Static analysis identified hardcoded values that may include tokens or
credentials.

• These should be verified and moved to secure runtime configuration.

8. OFAC Compliance

• No suspicious or sanctioned domain connections detected.

• Observed domains (e.g., GitHub) are benign.

5. Conclusion

The GPS Setter application does not demonstrate malicious intent or known data
theft behaviors, but incorporates a range of privacy-relevant features and technical
flags:

• Sensitive permissions and backup settings

• Logging and clipboard access

• Minor obfuscation and analysis resistance techniques


KernelSU Next (v1.0.3-9-g5563145)

1. Application Overview

Attribute Value

App Name KernelSU Next

Package ID com.rifsxd.ksunext

Version v1.0.3-9-g5563145

APK Filename KernelSU_Next_v1.0.3-9-g5563145_12019-release.apk

File Size 7.59 MB

Target SDK 35

Minimum SDK 26 (Android 8.0)

Digital Signature Present (RSA 2048-bit)

Certificate Issuer Rifat Azad, Bangladesh

Certificate Validity December 2024 – December 2034

2. Security Summary

• Overall Risk Level: Medium

• Risk Category: System-Level Utility with Exposure Risks

• Evidence of Data Theft: None detected via static analysis

• Security Score: 57/100

• Grade: B
3. Positive Security Attributes

• Digitally signed with a valid, verifiable certificate.

• Implements SSL pinning, improving resistance to man-in-the-middle (MITM)
attacks.

• No dangerous system-level permissions or known malware indicators detected.

• Native libraries exhibit partial hardening (RELRO, NX, symbol stripping).

4. Key Risks and Technical Concerns

1. Local Network Exposure

• The network security configuration permits cleartext traffic to loopback
addresses (127.0.0.1, 0.0.0.0, ::1).

• Traffic to loopback never leaves the device, so this is far less serious
than a general cleartext allowance; the residual risk is a local listener on
the same device that another app could stand up or hijack. Restrict the
allowance to the addresses actually needed.

2. Backup Capability Enabled

• allowBackup=true allows app data extraction via ADB on debug-enabled
devices.

3. Exported Broadcast Receiver

• A broadcast receiver is exported and guarded by android.permission.DUMP. The
scanner reported the permission as undefined because the app does not declare
it, but DUMP is a platform-defined permission with protection level
signature|privileged|development, so only system-signed or privileged apps and
the adb shell can send to this receiver. Treat it as low risk unless the
receiver is reachable from an unprivileged path.

4. Logging of Sensitive Events

• Logging of potentially sensitive information detected across multiple classes.

5. Clipboard Usage

• The app interacts with the clipboard, which can result in unintentional data
sharing with other apps.

6. Weak Random Number Generation

• Insecure RNG practices identified; may impact cryptographic or session-related
functions.

7. External Storage Access

• Use of external storage introduces risk of data leakage or unauthorized access
by other applications.

8. Hardcoded Secrets

• Detected static identifiers and strings (e.g., "SuperUser") flagged by the
secret scanner. In a root manager that string is almost certainly a label
rather than a credential; treat such hits as findings only if the value is
used for access control or verification.

9. WebView Security Gaps

• A WebView component is improperly secured and may allow JavaScript
injection or content manipulation.

10. Native Code Security Deficiencies

• Several .so libraries lack standard mitigations:

o No stack canaries

o No Position Independent Execution (PIE)

o Absence of fortified libc functions

• Affected libraries include:

o libmagiskboot.so

o libksud_overlayfs.so

o libksud_magic.so

• Some libraries (e.g., libkernelsu.so) show stronger hardening.
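The mitigations listed above are all visible in the ELF headers and dynamic section of each library. This added example, which is neither the report's tooling nor KernelSU code, reads them from a 64-bit little-endian ELF the way checksec does: PIE from e_type, NX from the PT_GNU_STACK flags, RELRO from PT_GNU_RELRO plus a BIND_NOW flag in the dynamic section, and the canary and FORTIFY indicators from the presence of the __stack_chk_fail and *_chk import names (a string heuristic over the file, not a symbol-table parse). The ELF it inspects is a constructed minimal file containing only the headers the checker reads. One detail worth knowing when reading "no PIE" for a file under lib/: shared objects are always ET_DYN, so a .so that reports ET_EXEC is an executable shipped with a .so extension, a common way for root managers to package helper binaries.

```python
"""ELF hardening check for the native-library findings (PIE, NX stack, RELRO,
stack canary, FORTIFY). Added example; handles 64-bit little-endian ELF only,
which covers arm64-v8a and x86_64 APK libraries."""
import struct

ET_EXEC, ET_DYN = 2, 3
EM_AARCH64 = 0xB7
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
CANARY_SYMBOL = b"__stack_chk_fail"
FORTIFY_SYMBOLS = (b"__memcpy_chk", b"__strcpy_chk", b"__sprintf_chk", b"__read_chk")


def check_hardening(elf):
    """Return the checksec-style verdicts for one ELF image (bytes)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    nx, relro, dynamic = None, False, None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)  # an RWX GNU_STACK header means NX is off
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    bind_now = False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from("<qQ", elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True  # full RELRO needs eager binding
    return {
        "pie": e_type == ET_DYN,  # ET_EXEC under lib/ is a non-PIE executable
        "nx": nx,                  # None means no PT_GNU_STACK header at all
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "canary": CANARY_SYMBOL in elf,                      # string heuristic
        "fortify": any(sym in elf for sym in FORTIFY_SYMBOLS),  # string heuristic
    }


def build_sample_elf(pie, nx, relro, bind_now, canary, fortify):
    """Constructed minimal ELF64: not loadable, just the headers, a dynamic
    array and a fake string table so every branch of the checker is exercised."""
    phnum = 2 + (1 if relro else 0)
    dyn_off = 64 + 56 * phnum
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    strtab = b"\x00libc.so\x00memcpy\x00"
    if canary:
        strtab += CANARY_SYMBOL + b"\x00"
    if fortify:
        strtab += b"__memcpy_chk\x00"
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               EM_AARCH64, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK,
                        PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, PF_R | PF_W,
                         dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return ehdr + phdrs + dyn + strtab


if __name__ == "__main__":
    for name, args in (("hardened", (True, True, True, True, True, True)),
                       ("unhardened", (False, False, False, False, False, False))):
        print(name, check_hardening(build_sample_elf(*args)))
```

On a real library the same facts come from readelf -lW lib.so (the GNU_STACK and GNU_RELRO entries), readelf -dW lib.so (BIND_NOW or FLAGS_1 NOW) and readelf --dyn-syms lib.so (the __stack_chk_fail and *_chk imports); the script only gathers that parsing in one place so it can be run over every file under lib/ in an unpacked APK.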

5. Conclusion
KernelSU Next functions as a system-level tool likely intended for use on rooted or
development devices. While not exhibiting signs of malicious activity, it introduces
moderate security risks due to:

• Exported components

• Logging and clipboard behavior

• Weak protection in native libraries

• Unsecured WebView and local traffic settings


MT Manager (v2.16.7)

1. Application Overview

Attribute Value

App Name MT Manager

Package ID bin.mt.plus

Version 2.16.7

APK Filename MT2.16.7.apk

File Size 19.56 MB

Target SDK 30

Minimum SDK 21 (Android 5.0)

Digital Signature Present (RSA, v1 & v2 schemes)

Certificate Issuer CN=bin

Certificate Validity June 2013 – October 3012

2. Security Summary

• Overall Risk Level: Medium

• Risk Category: Potentially Risky with Obfuscation and Elevated Capabilities

• Evidence of Data Theft: No confirmed exfiltration; several behaviors require
scrutiny.
3. Positive Security Attributes

• Implements binary hardening features (NX, PIE, RELRO, stack canaries).

• Supports certificate pinning in some components.

• Proper code signing ensures installation integrity across Android versions.

4. Key Security Concerns

1. Dangerous and Sensitive Permissions

• Requests permissions such as:

o REQUEST_INSTALL_PACKAGES

o SYSTEM_ALERT_WINDOW

o MANAGE_EXTERNAL_STORAGE

o Full read/write access to external storage

o ACCESS_SUPERUSER (suggests root interaction)

• Includes clipboard access, increasing data exposure risk.

2. Exported Components

• Numerous activities, services, receivers, and providers are exported without
restriction.

• These may be accessible by other apps, potentially allowing intent hijacking or
unauthorized use.

3. Obfuscation and Anti-Analysis

• DEX files use heavy obfuscation; class/method names are unreadable.

• Native libraries implement:

o LLVM string encryption

o Anti-debugging, anti-emulator, and anti-VM detection

4. Cryptographic Weaknesses

• Use of outdated or insecure algorithms: MD5, SHA-1, and AES in ECB mode.
AES-CBC was also flagged; CBC itself is not broken, but without a MAC it is
malleable and exposed to padding-oracle attacks, so check whether the
ciphertexts are authenticated.

• Weak randomness sources and hardcoded secrets identified.

5. Unsecured Data Storage and Logging

• Uses external storage without isolation, creating a data leakage vector.

• Logs sensitive data, which may be visible to other apps or during debugging.

6. Signature Scheme Limitation

• Signed with the v1 and v2 schemes only (no v3, so no key rotation).

• The Janus vulnerability (CVE-2017-13156) lets a DEX file be prepended to an
APK without breaking its v1 signature. The v2 signature covers the whole file
and is verified on Android 7.0 and later, so those devices are protected.
Devices on Android 5.0 to 6.0 (API 21 to 23), which minSdk 21 permits, verify
only v1 and remain exposed unless they carry the December 2017 security patch.

7. Insecure Network Configuration

• Allows cleartext HTTP traffic.

• One component disables SSL certificate validation, opening the door for
MITM attacks.

8. Potential SQL Injection

• Raw SQL statements using untrusted inputs were detected.

• Indicates a risk of SQL injection if inputs are not properly sanitized.
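The signature-scheme item above can be checked without installing anything: the v1 signature is the META-INF/*.SF and *.RSA (or .DSA/.EC) entries, while v2 and later live in an APK Signing Block that the signer inserts immediately before the zip central directory, ending in the magic string "APK Sig Block 42". This added example, not code from the report or from MT Manager, locates that block from the End Of Central Directory record, lists the scheme block IDs it contains, and turns the result plus minSdkVersion into the API range on which a Janus-style tampered copy could still pass verification. The APK it inspects is a constructed stand-in built in memory, with placeholder bytes where a real signer block would be; it detects presence only and does not verify signatures (use apksigner verify --verbose for that).

```python
"""APK signature scheme detection and Janus exposure. Added example; parses
the zip EOCD record and the APK Signing Block, no cryptographic checks."""
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
# Block IDs assigned by the APK Signature Scheme specifications.
BLOCK_IDS = {0x7109871A: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1"}
V1_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def signature_schemes(apk):
    """Report which schemes an APK carries. v2/v3 are detected by block ID only."""
    found = {"v1": False, "v2": False, "v3": False, "v3.1": False, "other_ids": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        found["v1"] = any(
            n.startswith("META-INF/") and n.upper().endswith(V1_SUFFIXES)
            for n in zf.namelist())
    eocd = apk.rfind(EOCD_SIGNATURE)
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return found  # no signing block: v1-only or unsigned
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8  # position of the leading size field
    if struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("inconsistent APK Signing Block size fields")
    pos, end = start + 8, cd_offset - 24
    while pos < end:  # uint64 length, uint32 ID, value
        pair_len, block_id = struct.unpack_from("<QI", apk, pos)
        name = BLOCK_IDS.get(block_id)
        if name:
            found[name] = True
        else:
            found["other_ids"].append(block_id)
        pos += 8 + pair_len
    return found


def janus_exposed_api_range(schemes, min_sdk):
    """API levels on which Janus (CVE-2017-13156) can still apply, given the
    schemes present and minSdkVersion; None when no supported device relies
    solely on the v1 check."""
    if not schemes["v1"]:
        return None
    # Android 5.0-8.0 (API 21-26) were affected; 7.0+ verifies v2/v3 when present.
    top = 23 if (schemes["v2"] or schemes["v3"]) else 26
    low = max(min_sdk, 21)
    return (low, top) if low <= top else None


def build_sample_apk(block_ids):
    """Constructed stand-in for a signed APK: a small zip with v1 signature
    entries plus a signing block holding placeholder values for block_ids."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder, not a binary manifest")
        zf.writestr("classes.dex", b"placeholder, not real dex")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 blob")
    data = bytearray(buf.getvalue())
    if not block_ids:
        return bytes(data)
    pairs = b"".join(struct.pack("<QI", 4 + 8, bid) + b"\x00" * 8 for bid in block_ids)
    size = len(pairs) + 8 + 16  # everything after the leading size field
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    eocd = data.rfind(EOCD_SIGNATURE)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    data[cd_offset:cd_offset] = block  # insert before the central directory
    struct.pack_into("<I", data, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(data)


if __name__ == "__main__":
    for ids in ([], [0x7109871A], [0x7109871A, 0xF05368C0]):
        s = signature_schemes(build_sample_apk(ids))
        print(s, "Janus exposure with minSdk 21:", janus_exposed_api_range(s, 21))
```

Because the signing block sits between the last local file entry and the central directory, ordinary zip readers ignore it, which is why the EOCD's central-directory offset is the reliable way to find it. For the MT Manager case the function reports v1 and v2 present and, with minSdk 21, an exposure window of API 21 to 23; raising minSdk to 24 closes it.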

5. Conclusion
MT Manager (v2.16.7) is a technically advanced application with powerful system-
level capabilities. It is not overtly malicious, but presents multiple security risks due
to:

• Obfuscation and anti-analysis techniques

• Insecure cryptographic and storage practices

• Exported components and weak network safeguards


Island (v6.2.1)

1. Application Overview

Attribute Value

App Name Island

Package ID com.oasisfeng.island

Version 6.2.1

APK Filename Island.apk

File Size 3.34 MB

Target SDK 31

Minimum SDK 24 (Android 7.0)

Digital Signature Present (RSA)

Certificate Issuer Oasis Feng

Certificate Validity 2016 – 2041

2. Security Summary

• Overall Risk Level: Medium

• Risk Category: Privacy-Impacting, with Exposed Components

• Evidence of Data Theft: None detected in static analysis

3. Positive Security Attributes

• No direct associations with known malicious entities.


• Network communications target trusted domains (Firebase, Google).

• Signed with a valid RSA certificate offering long-term validity.

4. Key Risks and Technical Concerns

1. Exported Components

• 9 activities, 2 services, 4 broadcast receivers, and 1 content provider are
exported without full protection.

2. Dangerous Permissions

• Requests permissions such as SYSTEM_ALERT_WINDOW, WRITE_SECURE_SETTINGS, and
PACKAGE_USAGE_STATS. WRITE_SECURE_SETTINGS and PACKAGE_USAGE_STATS cannot be
granted through the normal runtime prompt; they are obtained via adb, a
device-owner role, or the Special app access settings, so their presence in
the manifest does not by itself mean the app holds them.

3. Clipboard Access

• Sensitive data copied to the clipboard may be accessible by other apps.

4. Sensitive Logging

• Logs internal data in components like IslandSettingsActivity, CondomCore,
and others.

5. Weak Random Number Generation

• Could reduce cryptographic strength or token reliability.

6. Unsecured External Storage

• Use of external storage introduces potential for unintentional data leakage.

7. Hardcoded Secrets

• Firebase keys, API tokens, and feature flags found in source code. Firebase
client keys are expected in an APK; whether they matter depends on the
project's backend security rules, whereas any genuine API token should be
rotated.

8. Backward Compatibility

• Minimum SDK is 24 (Android 7.0), which is no longer considered fully secure.


9. Anti-Analysis Measures

• Uses anti-debugging and anti-virtual machine detection to hinder inspection.

10. Dynamic Behavior via Firebase

• Firebase Remote Config enabled; allows runtime logic changes without app
update.

Core Patch (v4.6)

1. Application Overview

Attribute Value

App Name Core Patch

Package ID com.coderstory.toolkit

Version 4.6

APK Filename core-patch-4.6.apk

File Size 0.05 MB

Target SDK 35

Minimum SDK 28 (Android 9)

Digital Signature Present (RSA 2048-bit, v2)

Certificate Issuer coderstory (blog.coderstory.cn, China)

Certificate Validity 2016 – 2041

2. Security Summary

• Overall Risk Level: Low

• Risk Category: Minimal Functionality, with Obfuscation Indicators

• Evidence of Data Theft: None detected

3. Positive Security Attributes

• Signed with a valid 2048-bit RSA certificate (v2 scheme).

• No dangerous permissions or malware-linked indicators.

• No exported components, which reduces the external attack surface.


4. Key Risks and Technical Concerns

1. Outdated Platform Support

• Minimum SDK is Android 9 (API 28), which no longer receives security
updates, so the app may run on unpatched devices.

2. Extremely Small APK Size

• At 0.05 MB, the APK may function as a shell, stub, or code loader. Limited
static visibility raises questions about runtime behavior.

3. Nonstandard Build Environment

• Compiler and build patterns are inconsistent with mainstream tools, suggesting
obfuscation or a custom build system.

5. Conclusion

Core Patch exhibits no clear indicators of malicious activity.


Key Attestation (v1.8.4)

1. Application Overview

Attribute Value

App Name Key Attestation

Package ID io.github.vvb2060.keyattestation

Version 1.8.4

APK Filename Key_Attestation.apk

File Size 1.42 MB

Target SDK 35

Minimum SDK 24 (Android 7.0)

Digital Signature Present (RSA, v2 scheme)

Certificate Issuer chiteroman, Oviedo, Asturias, ES (note that the signer
differs from the GitHub account embedded in the package ID, so this APK is not
necessarily the upstream author's build; compare the certificate against the
upstream release before trusting it)

Certificate Validity June 2023 – June 2048

2. Security Summary

• Overall Risk Level: Medium

• Risk Category: Lightweight Utility with Minor Privacy Concerns

• Evidence of Data Theft: None detected

3. Positive Security Attributes

• No dangerous permissions or sensitive signature-level access requested.


• No exported components, reducing the external attack surface.

• Signed with a valid v2 RSA certificate.

• Network connections limited to trusted sources (GitHub, Google).

4. Key Risks and Technical Concerns

1. Outdated Minimum SDK

• Minimum SDK is Android 7.0 (API 24), which lacks modern security features.

2. Backup Flag Not Disabled

• Absence of android:allowBackup="false" may allow data extraction via ADB.
With targetSdk 35, Android 12 and later exclude this app's data from adb
backup unless it is debuggable, so the exposure applies to Android 11 and
earlier devices.

3. Clipboard Access

• App copies information to the clipboard, potentially exposing data to other
apps.

4. Weak Random Number Generation

• Non-cryptographically secure RNG could affect key management or token
integrity.

5. Verbose Logging

• Sensitive or identifying information is logged across multiple components.

6. IP and Debug String Exposure

• References to IMEI, device model/brand, and hardcoded endpoints present in
code.

5. Conclusion
Key Attestation is a focused, low-footprint utility. While not malicious, it introduces
minor risks around clipboard use, logging, and RNG security.

Static Security Assessment Summary: Native Test ++ (Mean Minotaur)

1. Application Overview

Attribute Value

App Name Native Test ++

Package ID icu.nullptr.nativetest

Version Mean Minotaur

APK Filename NativeTest-v31-1b29f92-betaa_QQ_.APK

File Size 4.3 MB

Target SDK 35

Minimum SDK 27 (Android 8.1)

Digital Signature Present (RSA, v2 scheme)

Certificate Issuer Youhu Team, Hainan

Certificate Validity January 2025 – January 2050

2. Security Summary

• Overall Risk Level: Medium

• Risk Category: Obfuscated Utility with WebView and Network Risks

• Evidence of Data Theft: None detected in static analysis


3. Positive Security Attributes

• Implements SSL pinning in some network paths.

• Signed with a valid RSA certificate.

• Small tracker footprint: 2 of the 432 tracker signatures in the scanner's
database matched.

4. Key Risks and Technical Concerns

1. Improper WebView Handling

• Risk of user-controlled code execution due to weak WebView implementation.

2. Obfuscation and Evasion Techniques

• Includes anti-VM, anti-debug, and anti-emulator checks.

3. Outdated Minimum SDK

• Android 8.1 (API 27) support allows operation on less secure devices.

4. Exported Components

• A service and two receivers are exported with insufficient permission
enforcement.

5. SQL Injection Exposure

• Raw SQL queries detected without confirmed input sanitization.

6. Insecure RNG

• Insecure random generation methods used for potentially sensitive functions.

7. External Storage Usage

• Reads/writes to external storage — creates data exposure risk.

8. Ad Tracking Integration
• Requests ad ID and includes permissions for user profiling.
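The SQL-injection item above, and the same finding in the MT Manager report, describe raw SQL assembled from untrusted input. This added example, which is not the report's own material and not code from either app, shows the vulnerable pattern beside its parameterized replacement using Python's sqlite3 module on a constructed in-memory table; Android's SQLiteDatabase.rawQuery(sql, selectionArgs) and query(...) take the same "?" placeholders, so the fix has the same call shape in Kotlin or Java. It also covers the one case parameters cannot solve, a caller-chosen column name, which has to go through an allow-list.

```python
"""Raw SQL with untrusted input versus bound parameters. Added example on a
constructed sqlite table; the same placeholders work with SQLiteDatabase."""
import sqlite3

PAYLOAD_BYPASS = "x' OR '1'='1"
PAYLOAD_SCHEMA = "x' UNION SELECT sql FROM sqlite_master --"
ALLOWED_SORT_COLUMNS = {"id", "owner"}  # identifiers cannot be bound; whitelist them


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)",
                     [("alice", "alice note"), ("bob", "bob secret"),
                      ("carol", "carol token")])
    return conn


def notes_for_owner_vulnerable(conn, owner):
    """String concatenation: the pattern static analyzers flag. The input
    becomes part of the SQL grammar, so quotes and keywords change the query."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn, owner):
    """Bound parameter: the driver passes the value separately from the
    statement text, so it can never alter the statement's structure."""
    return [row[0] for row in
            conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


def notes_sorted(conn, column):
    """Column names cannot be parameters, so the only safe option is to accept
    them from a fixed allow-list before interpolating."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY " + column)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:", notes_for_owner_vulnerable(db, PAYLOAD_BYPASS))
    print("vulnerable, schema payload:", notes_for_owner_vulnerable(db, PAYLOAD_SCHEMA))
    print("safe, bypass payload:", notes_for_owner_safe(db, PAYLOAD_BYPASS))
```

The first payload widens the WHERE clause to every row; the second uses UNION to read the schema out of sqlite_master, which is how an attacker learns table names before pulling data. Both come back empty from the bound-parameter version because the driver treats the string as a value rather than as SQL text.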
