Disclaimer:

First of all, this is actually a good initiative developed by CSM. Kudos to Azizi@NullException0 for leading the development of this app. Any new innovation or tool in the local IT security scene is something that I really look forward to.

Nonetheless, since we are all stuck with WFH, let's reverse the app a bit, shall we?

Screenshot from Playstore

The app ID is mycert.ctrc.massalite

Since we know the app ID is mycert.ctrc.massalite, we can dump the APK file by querying the app ID at apkpure.com

Based on the result we obtained from apkpure, the app appears to use split APKs (XAPK). What does XAPK mean? In theory there is a base APK, and the app requires additional resources (language, images, functions) that are installed separately from the base APK. There are a few reasons a developer may opt for this option.

This is the structure for the Massa App if we unzip it from apkpure.

List of apk files.

What happens if we try to sideload the app on an emulator, for example BlueStacks? This error message is triggered.

Error Message is triggered.

The tamper detection for the application is handled in SplashScreen.java by the following method:

public void run() {
            Intent intent;
            SplashScreen splashScreen = SplashScreen.this;
            String installerPackageName = splashScreen.getApplicationContext().getPackageManager().getInstallerPackageName(splashScreen.getApplicationContext().getPackageName());
            boolean z = true;
            if (installerPackageName != null) {
                installerPackageName.contentEquals("com.android.vending");
            } else {
                z = false;
            }
            if (!Boolean.valueOf(z).booleanValue()) {
                intent = new Intent(SplashScreen.this, WarningActivity.class);
   

The string com.android.vending is usually returned if the app was installed properly from Google Play. This can usually be overridden via adb with the pm install -i command.

The app also retrieves the current device information:

The app retrieves this information via the android.os classes

Snippets from ScanService.java 
L_0x003a:
                java.text.SimpleDateFormat r0 = new java.text.SimpleDateFormat
                java.lang.String r2 = "dd MMM yyyy HH:mm:ss"
                r0.<init>(r2)
                java.util.Calendar r2 = java.util.Calendar.getInstance()
                java.util.Date r2 = r2.getTime()
                java.lang.String r0 = r0.format(r2)
                d.a.a.c r2 = mycert.ctrc.massalite.ScanService.f5577p
                java.lang.String r3 = "Scan Timestamp"
                r2.mo5174a((java.lang.String) r3, (java.lang.String) r0)
                java.lang.String r0 = "os.name"
                java.lang.String r0 = java.lang.System.getProperty(r0)
                d.a.a.c r2 = mycert.ctrc.massalite.ScanService.f5577p
                java.lang.String r3 = "Operating System"
                r2.mo5174a((java.lang.String) r3, (java.lang.String) r0)
                java.lang.String r0 = "os.version"
                java.lang.String r0 = java.lang.System.getProperty(r0)
                d.a.a.c r2 = mycert.ctrc.massalite.ScanService.f5577p
                java.lang.String r3 = "Kernel Version"
                r2.mo5174a((java.lang.String) r3, (java.lang.String) r0)
                int r0 = android.os.Build.VERSION.SDK_INT
                java.lang.String r0 = java.lang.Integer.toString(r0)
                d.a.a.c r2 = mycert.ctrc.massalite.ScanService.f5577p
                java.lang.String r3 = "OS API LEVEL"
                r2.mo5174a((java.lang.String) r3, (java.lang.String) r0)
                java.lang.String r0 = android.os.Build.DEVICE
                d.a.a.c r2 = mycert.ctrc.massalite.ScanService.f5577p
                java.lang.String r3 = "Device"
                r2.mo5174a((java.lang.String) r3, (java.lang.String) r0)
                java.lang.String r0 = android.os.Build.VERSION.RELEASE
                d.a.a.c r2 = mycert.ctrc.massalite.ScanService.f5577p
                java.lang.String r3 = "Android Version"
                r2.mo5174a((java.lang.String) r3, (java.lang.String) r0)
                java.lang.String r0 = android.os.Build.MODEL
                d.a.a.c r2 = mycert.ctrc.massalite.ScanService.f5577p
                java.lang.String r3 = "Model Name"
                r2.mo5174a((java.lang.String) r3, (java.lang.String) r0)
                java.lang.String r0 = android.os.Build.PRODUCT 

On further enquiry, we found out that the app is able to partially distinguish between Play Store apps and non-Play Store apps.

The trick used to identify these apps can be seen in the following snippet from ScanService.java

public class ScanService extends Service {

    /* renamed from: p */
    public static C1470c f5577p = null;

    /* renamed from: q */
    public static String f5578q = "/system/bin/pm list packages -f -3 -i";

    /* renamed from: r */
    public static String f5579r = "/system/bin/pm list packages -f -s -i";

  • -f will list the apps installed on internal flash
  • -s will list the apps installed on the sdcard
  • -i will return null if the app is not installed via Play Store properly
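
To make the installer column concrete, here is an added example (not code from the app or from the original post) that parses output in the shape printed by the pm list packages -f -i commands above and groups packages by recorded installer. The sample listing is constructed, the function names are hypothetical, and because the installer name can be overridden at install time the verdict is a provenance hint, not proof.

```python
import re

# Line shape printed by `pm list packages -f -i`:
#   package:<apk path>=<package name>  installer=<installer or null>
# Per pm's usage text: -f prints the APK path, -i prints the installer,
# and -3 / -s restrict the listing to third-party / system packages.
LINE = re.compile(
    r"^package:(?P<path>.+)=(?P<pkg>[\w.]+)\s+installer=(?P<installer>\S+)$")
PLAY_STORE = "com.android.vending"

def parse_pm_listing(text):
    """Return one dict per package line; lines of any other shape are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        installer = m["installer"]
        records.append({
            "package": m["pkg"],
            # Greedy match keeps '=' characters that occur inside the path.
            "apk_path": m["path"],
            # pm prints the literal string "null" when no installer is recorded.
            "installer": None if installer == "null" else installer,
        })
    return records

def classify(record):
    if record["installer"] == PLAY_STORE:
        return "play-store"
    if record["installer"] is None:
        return "no-installer-recorded"
    return "other-installer"

# Constructed sample output (not captured from a real device).
SAMPLE = """\
package:/data/app/com.example.chat-1/base.apk=com.example.chat  installer=com.android.vending
package:/data/app/~~Zm9v==/com.example.game-YmFy==/base.apk=com.example.game  installer=null
package:/data/app/com.example.tool-2/base.apk=com.example.tool  installer=com.example.store
WARNING: a line that is not a package entry
"""

def report(text=SAMPLE):
    return {r["package"]: classify(r) for r in parse_pm_listing(text)}

if __name__ == "__main__":
    for pkg, verdict in report().items():
        print(f"{pkg:20} {verdict}")
```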

Example:

Last but not least is the malware portion. Since this is not an antivirus solution, as stated by the development team, they probably just do IOC checking. This can be verified by the following snippet in ScanService.java

 android.database.sqlite.SQLiteDatabase r2 = r17.getWritableDatabase()
                android.content.ContentValues r1 = new android.content.ContentValues
                r1.<init>()
                r17 = r2
                java.lang.String r2 = "APP_NAME"
                r1.put(r2, r9)
                java.lang.String r2 = "PACK_NAME"
                r1.put(r2, r6)
                java.lang.String r2 = "PACK_DIR"
                r1.put(r2, r7)
                java.lang.String r2 = "VNAME"
                r1.put(r2, r11)
                java.lang.String r2 = "VNUM"
                r1.put(r2, r10)
                java.lang.String r2 = "SHA256"
                r1.put(r2, r8)
                java.lang.String r2 = "SHA1"
                r1.put(r2, r14)
                java.lang.String r2 = "MD5"
                r1.put(r2, r4)
                java.lang.String r2 = "INSTALLER"
                r1.put(r2, r5)
                java.lang.String r2 = "INSTALLDATE"
                r1.put(r2, r15)
                java.lang.String r2 = "UPDATEDATE"
                r1.put(r2, r3)
                java.lang.String r2 = "UID"
                r1.put(r2, r0)
                java.lang.String r0 = "MINSDK"
                r1.put(r0, r13)
                java.lang.String r0 = "TARGETSDK"
                r1.put(r0, r12)
                java.lang.String r0 = "THIRD_APP_INFO"
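
What an IOC check over those columns amounts to, as an added sketch (not the app's code): each APK is hashed once for the SHA256, SHA1 and MD5 columns and the row is compared with per-column indicator sets. The indicator feed, package names and byte strings are constructed, and the function names are hypothetical.

```python
import hashlib
import io

HASH_COLUMNS = {"SHA256": hashlib.sha256, "SHA1": hashlib.sha1, "MD5": hashlib.md5}

def inventory_row(pack_name, apk_stream, chunk_size=65536):
    """Build a row with the snippet's column names, hashing the APK in one pass."""
    digests = {col: new() for col, new in HASH_COLUMNS.items()}
    while chunk := apk_stream.read(chunk_size):
        for d in digests.values():
            d.update(chunk)
    row = {"PACK_NAME": pack_name}
    row.update({col: d.hexdigest() for col, d in digests.items()})
    return row

def load_iocs(feed):
    """Normalise hash indicators to lowercase; package names stay case-sensitive."""
    return {col: {v.lower() if col in HASH_COLUMNS else v for v in values}
            for col, values in feed.items()}

def match_iocs(row, iocs):
    """Return the columns whose value appears in that column's indicator set."""
    return sorted(col for col, bad in iocs.items() if row.get(col) in bad)

# Constructed stand-in for a known-bad APK and a constructed indicator feed.
KNOWN_BAD = b"constructed bytes standing in for a known-bad APK"
IOCS = load_iocs({
    "SHA256": {hashlib.sha256(KNOWN_BAD).hexdigest().upper()},
    "PACK_NAME": {"com.example.dropper"},
})

def demo():
    exact = inventory_row("com.example.renamed", io.BytesIO(KNOWN_BAD))
    other_build = inventory_row("com.example.dropper", io.BytesIO(KNOWN_BAD + b"\x00"))
    unrelated = inventory_row("com.example.notes", io.BytesIO(b"unrelated file"))
    return {
        "exact file, new name": match_iocs(exact, IOCS),
        "same name, different build": match_iocs(other_build, IOCS),
        "unrelated app": match_iocs(unrelated, IOCS),
    }

if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:28} {hits}")
```

A hash indicator only identifies the exact file it was computed from, which is why a check like this complements an antivirus engine and does not replace one.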

But hey, overall this is a great app if you don't want to spend a dime on your phone security.