Bypassing advanced root / modded framework detection



  • In the past, solutions for preventing root detection were centered around SafetyNet, Magisk Hide or Xposed modules like Sudo hide. With Magisk 24.1 and later, Magisk Hide isn't an option, and modules like Sudo hide aren't being maintained anymore. All of these revolve around a "frontal attack" on detecting root.

    The sneakier way would be to find other ways to detect the root status based on finding traces of a modded framework / Xposed modules / LSPosed framework, and obviously know that the device is rooted and refuse to work. Or worse, a combination of both frontal and sneaky detection!

    As I mentioned here https://android.stackexchange.com/q/245242/131553, Shamiko seemed to be an option, but the adverse comments around it discouraged me. Searching for alternatives to Shamiko led me to the revelation that there are already enough instances of sophisticated banking/streaming/gaming apps using "sneaky" ways to circumvent user measures like faking SafetyNet etc. So, I was getting ready for the future, when one of the banking apps I use would turn sneaky, and wanted to be ready for it.

    This search led me to an Xposed module which looks promising and (another) self-answered question.

    Caveat: YMMV

    If you know of another solution, please add as an answer.



  • Proof that it works: I wanted to be sure that this solution works before I adopt it. There is this https://play.google.com/store/apps/details?id=vn.com.techcombank.bb.app&gclid=CjwKCAiAo4OQBhBBEiwA5KWu_6Ghky-3bU5TmrqAhQkF_wpRqKsqcOydAl-iefGhRG7TETIsgJTR-xoCjGMQAvD_BwE which I don't use, being an Indian, but which was a test case since it evades "frontal" measures to hide root.

    On my Pixel 4a, running Android 12, all the frontal measures were successful: SafetyNet passed; developer options state hidden; device shows as certified in Play Store; and Magisk 24.1 "hidden" with a random name and package name.

    Yet, this app detected that I was running a modded framework and on opening the app promptly sent me to its portal (screenshot on left). With the Xposed module, it allowed me to open it (right).

    [screenshots: app redirected to its portal (left); app opening normally with the module active (right)]


    Sneakily, I didn't name the module yet; it is https://github.com/Dr-TSNG/Hide-My-Applist, which is deprecated, the last update being at the end of last year. This module covers ways used by apps to detect modding such as:

    • API requests

    • Intent queries

    • ID detection

    • File detection

    • MAP scans (the developer says this is superfluous but hasn't removed it)

    Configuration instructions: I didn't find clear instructions on how to use this, so I'm detailing the process below.

    1. Install it through Magisk and when you open the app in LSPosed manager, you get this view. Do not select/modify anything other than the default (the default being system framework).

    [screenshot: module as shown in LSPosed manager]

    2. Click on the cog wheel at bottom right to open the module interface.

    [screenshot: module interface]

    3. First thing is to install the Magisk extension (Riru or Zygisk; it was the second one for me, being on a Zygisk-based LSPosed set-up). Ignore this step and you will be rewarded with a boot loop.

    4. Click on detection test; it will download an app, Applist detector, and when you run it, you will see red in most places, all related to Xposed modules or the LSPosed framework.

    [screenshot: Applist detector results before configuration]

    5. Manage Templates: You can create whitelist or blacklist templates. Select blacklist and add all Xposed module related package names like org.lsposed.manager, eu.faircode.lua etc., and com.tsng.hidemyapplist, which is the package name of this Xposed module. Save (icon at top right corner). Essentially, the blacklist contains all the packages that show that the device is rooted. You can create as many templates as you want (more about that later).

    6. Select Effective Apps: This is a list of apps from which you want to hide the blacklist, like your banking apps, for example vn.com.techcombank.bb.app (Vietnamese banking app). Include in this list com.vsng.applistdetector, which is the package name for the app downloaded in Step 4. Configure as explained:

    • Enable hide
    • Work mode (Blacklist), the default setting
    • Enable all hide methods.
    • Copy this config to quickly pick and apply to all such apps
    • In template config, choose the blacklist template you named and saved (Step 5)
    • Save.

    Run the app list detector check and see all blue (in my case, "suspicious package in abnormal environment" is related to XPrivacyLua), but that was not a problem.

    [screenshot: Applist detector results after configuration]

    You are good to go!

    7. Being LSPosed, you would need to reboot the device when a new app is added and you want to add that to this module. Changes you make within the module are real time (no need to reboot).

    You can use templates for purposes of detaching an app from Play Store. For example, you have YouTube Vanced installed, but it gets replaced because regular YouTube gets updated. You can refer to this https://forum.xda-developers.com/t/discussion-magisk-the-age-of-zygisk.4393877/page-23#post-86376291 for more examples.
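As an added illustration from the app-hardening side (this is example code written for this page, not code from the Hide-My-Applist project or from the answer above), the following toy scanner models two of the detection categories the answer lists, "API requests" (installed-package queries) and "File detection". The package-name indicators are the ones the answer itself names; the file paths are well-known Xposed/su artifacts; the `installed_packages` and `existing_files` inputs are constructed in place of a real device. Running it against a package list with the blacklist filtered out, but with the file artifacts still present, shows why the answer's "Enable all hide methods" step matters: hiding only one channel still leaves the others detectable.

```python
from dataclasses import dataclass

# Indicator packages, taken from the answer above (org.lsposed.manager and the
# module's own package com.tsng.hidemyapplist).
SUSPICIOUS_PACKAGES = frozenset({"org.lsposed.manager", "com.tsng.hidemyapplist"})

# Well-known Xposed / su file artifacts. Assumption: a hardened app would keep
# its own, larger list; these three are only representative.
SUSPICIOUS_FILES = frozenset({
    "/system/framework/XposedBridge.jar",
    "/system/xbin/su",
    "/sbin/su",
})


@dataclass(frozen=True)
class Finding:
    category: str   # "package" (API request channel) or "file" (file detection channel)
    indicator: str  # the package name or path that triggered the finding


def scan(installed_packages, existing_files):
    """Return the list of findings an app-side check would raise.

    installed_packages: iterable of package names, as a PackageManager query
                        would return them (constructed here, not a live query).
    existing_files:     iterable of absolute paths that exist on the device
                        (constructed here, not a live filesystem walk).
    """
    findings = []
    for pkg in sorted(set(installed_packages) & SUSPICIOUS_PACKAGES):
        findings.append(Finding("package", pkg))
    for path in sorted(set(existing_files) & SUSPICIOUS_FILES):
        findings.append(Finding("file", path))
    return findings


def is_modded(installed_packages, existing_files):
    """True if any detection channel fires."""
    return bool(scan(installed_packages, existing_files))


def hide_packages(installed_packages, blacklist):
    """Model the module's package-hiding channel only: filter a blacklist
    template out of the package list an effective app would see."""
    return [p for p in installed_packages if p not in blacklist]


if __name__ == "__main__":
    # Constructed device state: an LSPosed set-up with the module installed.
    packages = ["com.android.chrome", "org.lsposed.manager", "com.tsng.hidemyapplist"]
    files = ["/system/framework/XposedBridge.jar", "/system/xbin/su"]

    print("no hiding:        ", scan(packages, files))
    # Hiding only the package channel leaves the file channel visible.
    visible = hide_packages(packages, SUSPICIOUS_PACKAGES)
    print("packages hidden:  ", scan(visible, files))
    # Only when both channels are covered does the app see a clean device.
    print("all methods hidden:", scan(visible, []))
```

The last three calls are the point: with only the package list filtered, `scan` still returns the file findings, which corresponds to the red entries the answer describes seeing in Applist detector until every hide method is enabled.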



