While we were analyzing the fake Minecraft app the other day, we noticed that it was using a hacking tool called Smalihook, so we took a look at it.
The tool is for hooking Java functions and it works just like any other hooking library. After the hooked function triggers, it can return anything to the caller. In this case, the following functions were hooked:
• getInstallerPackageName(String packageName)
• getPackageInfo(String packageName, int flags)
The function getInstallerPackageName does the following:
• Retrieve the package name of the application that installed a package. This identifies which market the package came from.
When this hook triggers, it returns the value "com.google.android.feedback", even though the app wasn't downloaded from the Google Play Store; it just wants to look like it came from there.
The function getPackageInfo does the following:
• Retrieve overall information about an application package that is installed on the system.
The hook checks whether the second parameter (flags) is the constant 0x00000040 (64), GET_SIGNATURES; if so, it returns the original Mojang certificate embedded inside the dex file (the trojanized app itself is signed with a debug certificate). This is done because the legitimate app it was based on includes an authentication routine that makes it fail to run if its certificate verification check does not find the correct certificate. Mojang developers apparently did not want their application to be redistributed in packages signed with a developer certificate, especially since their app is not free.
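A static triage heuristic for the pattern just described, added here as an example (it is not the blog's code and not part of Smalihook): it scans baksmali-style disassembly for a getPackageInfo method that compares its flags against 0x40, a hard-coded installer name in getInstallerPackageName, and a long opaque string constant that could be an embedded certificate. The smali excerpt and the certificate placeholder are constructed for the example.

```python
import re

# Constructed smali excerpt imitating the hooked methods described above; it is
# not disassembly of the actual sample.
SAMPLE_SMALI = """\
.method public getInstallerPackageName(Ljava/lang/String;)Ljava/lang/String;
    const-string v0, "com.google.android.feedback"
    return-object v0
.end method
.method public getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
    const/16 v1, 0x40
    if-ne p2, v1, :passthrough
    const-string v2, "MIICPLACEHOLDERcertificateBytesConstructedForThisExampleAAAA=="
    :passthrough
    return-object v0
.end method
"""

GET_SIGNATURES = 0x40  # PackageManager.GET_SIGNATURES, the flag the hook looks for

METHOD_RE = re.compile(r"^\.method\s.*?\s(\w+)\(")
CONST_INT_RE = re.compile(r"^\s*const(?:/\d+|/high16)?\s+v\d+,\s*(0x[0-9a-fA-F]+|-?\d+)")
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+v\d+,\s*"(.*)"')

def scan_smali(text):
    """Return (method, finding) pairs for indicators that PackageManager results
    are being replaced by hard-coded values inside a hooked method."""
    findings, method = [], None
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m:
            method = m.group(1)          # entering a method body
            continue
        if line.startswith(".end method"):
            method = None
            continue
        if method is None:
            continue
        m = CONST_INT_RE.match(line)
        if m and method == "getPackageInfo" and int(m.group(1), 0) == GET_SIGNATURES:
            findings.append((method, "compares flags against GET_SIGNATURES (0x40)"))
        m = CONST_STR_RE.match(line)
        if m and method == "getInstallerPackageName" and m.group(1).startswith("com.google.android"):
            findings.append((method, f"hard-coded installer name {m.group(1)!r}"))
        elif m and len(m.group(1)) > 32 and re.fullmatch(r"[A-Za-z0-9+/=]+", m.group(1)):
            findings.append((method, "long opaque string constant (embedded certificate?)"))
    return findings
```

Each finding on its own is weak evidence; all three together in one class is what makes the sample worth a closer look.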
Smalihook seems to be part of the AntiLVL (Android License Verification Library Subversion) cracking tool. The purpose of these tools is to break license protection systems, and they are aimed at developers who want to test their own protections against common types of attacks.
The tool is publicly available and can be downloaded from the link below: