APKKiller

APKKiller is a method to bypass android application integrity and signature check.

How does it work?

When an Android application is loaded, the framework stores various information about the running application, such as the app name, package name, signature and APK path. You can't access this information with normal code, but with Reflection you can access, read and write new data in the internal classes and fields that hold it. This information is stored in classes such as AppBindData, LoadedApk and ApplicationInfo.

APKKiller takes advantage of Reflection to access hidden information of the Android app, such as the application signature or the application APK path, and replaces it with new data, so that the application believes its signature is still the original one even after the APK file has been tampered with and re-signed with a new signature.

How to use it?

  1. Get the target app's original signature using APKSignReader
  2. Change apk_signatures in APKKiller.h using the result of APKSignReader
  3. Build the APKKiller project to an APK
  4. Decompile both the APKKiller APK and the target APK
  5. Copy the smali from com/kuro to the target APK's smali
  6. Call the Start function in the target app's attachBaseContext (Application) or onCreate (Activity)

For example (the original README shows screenshots of the Start call placed in attachBaseContext and in onCreate):

[image: Start call in attachBaseContext]

[image: Start call in onCreate]

  7. Copy the target's original APK file to <decompile_target_app_dir>/assets/original.apk
  8. Compile the target app and test it!
