Frida CodeShare

Project: Android VPN detection bypass

Try this code out now by running

$ frida --codeshare poseidontor/android-vpn-detection-bypass -f YOUR_BINARY

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
/*
    Authur: Vighesh Raje (@poseidotor)
    Organization: XYSec Labs (Appknox)
*/
setTimeout( function(){
    Java.perform(function() {
        /* API level 28 or below */
        var TYPE_VPN = 0x00000011
        var connectivityManager = Java.use('android.net.ConnectivityManager')
        connectivityManager.getNetworkInfo.overload('int').implementation = function(netType) {
            if(netType && TYPE_VPN == 0x00000011) {
                var TYPE_ETHERNET = 0x00000009
                var ret = this.getNetworkInfo(TYPE_ETHERNET) 
                //This will work assuming that one is not connected to ethernet
                console.log(`[*] Called ConnectivityManager.getNetworkInfo(TYPE_VPN)`);
                console.log(`[*] Bypassing VPN detection check..`)
                return ret;
            }
            else{
                var ret = this.getNetworkInfo(netType);
                return ret;
            }
        }
        /* API level 29 and above */
        var TRANSPORT_VPN = 0x00000004
        var networkCapabilities = Java.use('android.net.NetworkCapabilities');
        networkCapabilities.hasTransport.overload('int').implementation = function(transportType) {
            if(transportType && TRANSPORT_VPN == 0x00000004){
                console.log(`[*] Called NetworkCapabilities.hasTransport(TRANSPORT_VPN)`);
                console.log(`[*] Bypassing VPN detection check..`)
                return false;
            }
            else{
                return true;
            }
        }
    });
    /* Using NetworkInterface */
    var networkIterface = Java.use('java.net.NetworkInterface');
    var interface_list = ['tun', 'tun0', 'utun0',  'utun1', 'utun2', 'utun3', 'utun4', 'ppp0', 'ppp' , 'pptp'];
    networkIterface.getByName.overload('java.lang.String').implementation = function(name) {
        if(interface_list.includes(name)){
            console.log(`[*] Called NetworkInterface.getByName(${name})`);
            console.log(`[*] Bypassing VPN detection check..`)
            var ret = this.getByName('ZZEIADONN');
            return ret;
        }
        else{
            var ret = this.getByName(name);
            return ret;
        }
    }
    networkIterface.getDisplayName.overload().implementation = function() {
        var ret = this.getDisplayName();
        if(interface_list.includes(ret)){
            console.log(`[*] Called NetworkInterface.getDisplayName()`);
            console.log(`[*] Bypassing VPN detection check..`)
            return 'ZDUABIDBWA';
        }
        else{
            return ret;
        }
    }
    networkIterface.getName.overload().implementation = function() {
        var ret = this.getDisplayName();
        if(interface_list.includes(ret)){
            console.log(`[*] Called NetworkInterface.getName()`);
            console.log(`[*] Bypassing VPN detection check..`)
            return 'ZDUABIDBWA';
        }
        else{
            return ret;
        }
    }
}, 0);
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Fingerprint: c38fe27a44a3cbab2ef67dece5cb7dbfbcc81f6f6d93a71d025a224ec75075b4