Missing detection for nprotect appguard

[moolakarapaiyan]

The APKid rules are missing the detection of the NProtect AppGuard.
I have reviewed the APKid rules, and based on my findings, Dex detection works, But the APK packer and ELF packer rules are unable to detect it. This is because NProtect AppGuard has changed the native library name.

1. apk/packer.yara
   Please add the following library names

libcompatible.so
libcompatible_x86.so

2. elf/packer.yara
   Add the following rule to detect their library.

strings:
    $a = { 6C 69 62 63 6F 6D 70 61 74 69 62 6C 65 2E 73 6F 00 }  // .libcomptabile.so
    $b = { 00 23 4C 63 6F 6D 2F 69 6E 63 61 2F 73 65 63 75
           72 69 74 79 2F 41 70 70 47 75 61 72 64 2F 78 43
           6C 61 73 73 3B 00 } //.#Lcom/inca/security/AppGuard/xClass;.

i have checked this, it works

you can find the sample apk in mpl.live

[enovella]

Hi @moolakarapaiyan ,

thanks for opening the detailed ticket. Would you be interested in contributing and opening a pull-request with these changes?

Best,
Edu

[moolakarapaiyan]

sure, i am interested

[enovella]

Excellent! 👍

[moolakarapaiyan]

pull reqeust created @enovella
pull request id - 443

[enovella]

@AbhiTheModder would you like to review it?

[enovella]

Done in 6ad41b1

Re-open if something requires a fix