Slashdot Mirror


Stolen Android Anti-Piracy Software Dumped On Github (torrentfreak.com)

Dexguard, a tool used to protect Android software from piracy, tampering and cloning attacks, has been removed after being illegally posted on Github. A version of the tool exposed on the code repository was stolen from a customer of Guardsquare, the software's creator. TorrentFreak reports: "We develop premium software for the protection of mobile applications against reverse engineering and hacking," the [security company Guardsquare's] website reads. "Our products are used across the world in a broad range of industries, from financial services, e-commerce and the public sector to telecommunication, gaming and media." One of Guardsquare's products is Dexguard, a tool to protect Android applications from being decompiled, something that can lead to piracy, credential harvesting, tampering and cloning. Unfortunately, a version of Dexguard itself ended up on Github.

In a takedown notice filed with the Microsoft-owned code platform, Guardsquare explains that the code is unauthorized and was obtained illegally. "The listed folders... contain an older version of our commercial obfuscation software (DexGuard) for Android applications. The folder is part of a larger code base that was stolen from one of our former customers," Guardsquare writes. Guardsquare found almost 300 "forks" of the stolen software on Github and filed a request to have them all taken down.

4 of 33 comments

  1. Re:Too late to short them! by sjames · Score: 5, Informative

    Such schemes have been in use since the days of Apple ][.

    First, they mangle the symbol table turning meaningful names into random short strings (and patch up the relocation table to match). Then they encrypt critical code and replace the standard loader with one that first locates the key and decrypts the segments. They also encrypt the strings table so you can't get a decent hint at what a given piece of code does based on the strings it uses.

    Naturally, since the code still runs, you can get everything decrypted by running in a debugger, but it makes that a pain since you have to trace your way through the loader and deal with strings being decrypted just in time.

    Other tricks include adding junk into the code and adjusting jumps and branch instructions to skip it. You can still figure it all out, but a simple disassembler won't give you a proper assembly listing in one go that way.

    Essentially it's an advanced form of taking a nice bit of readable C source, using search and replace to change meaningful variable names like bNeedScreenUpdate with x, and removing all tab, space, and CR not actually needed by the compiler in order to make it hard to understand.

    It doesn't actually stop you from decompiling the code but it does make it take a lot more time and effort.
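The three steps the comment lists (mangling the symbol table, encrypting the string table and decrypting it just in time, and inserting junk the real control flow skips) can be shown on a toy program, together with the analyst's counter-move from the comment: let the code run and capture each string as the loader decrypts it. The following is an added example written for this mirror, not code from the commenter, Guardsquare or DexGuard; it uses Python's `ast` module as a stand-in for a binary's symbol and string tables, and the licence-check program, the one-byte XOR key and the `_d` helper name are all constructed for the illustration.

```python
"""Toy obfuscator: rename symbols, encrypt string constants, insert junk.
Constructed example; Python AST stands in for a binary's symbol/string tables."""
import ast
import random
import string

# Constructed sample program: a trivial licence check with readable names.
SAMPLE_SOURCE = '''
def check_licence(key):
    expected = "ABC-123"
    if key == expected:
        return "licence ok"
    return "licence invalid"
'''

# The "replacement loader": decrypts a string only at the moment it is used.
DECRYPT_HELPER = '''
def _d(blob, k):
    # just-in-time string decryption (one-byte XOR, assumed for the toy)
    return bytes(b ^ k for b in blob).decode()
'''


class Obfuscator(ast.NodeTransformer):
    def __init__(self, key, rng):
        self.key = key
        self.rng = rng
        self.names = {}  # original symbol -> mangled symbol

    def _mangle(self, name):
        # Symbol-table mangling: meaningful name -> short random string.
        if name not in self.names:
            while True:
                cand = "_" + "".join(self.rng.choices(string.ascii_lowercase, k=5))
                if cand not in self.names.values():
                    break
            self.names[name] = cand
        return self.names[name]

    def visit_FunctionDef(self, node):
        node.name = self._mangle(node.name)
        for arg in node.args.args:
            arg.arg = self._mangle(arg.arg)
        self.generic_visit(node)
        # Junk insertion: a branch the program never takes, placed first
        # so a naive reader sees it before the real logic.
        junk = ast.parse("if 0 == 1:\n    _j = 0").body[0]
        node.body.insert(0, junk)
        return node

    def visit_Name(self, node):
        # Rename locals on first store; loads are renamed only if already known,
        # so builtins and unknown globals are left alone.
        if isinstance(node.ctx, ast.Store) or node.id in self.names:
            node.id = self._mangle(node.id)
        return node

    def visit_Constant(self, node):
        # String-table encryption: literal -> _d(<xor bytes>, key) call.
        if isinstance(node.value, str):
            blob = bytes(b ^ self.key for b in node.value.encode())
            return ast.Call(
                func=ast.Name(id="_d", ctx=ast.Load()),
                args=[ast.Constant(value=blob), ast.Constant(value=self.key)],
                keywords=[],
            )
        return node


def obfuscate(source, seed=1, key=0x5A):
    """Return (obfuscated source, symbol map). Seed fixes the random names."""
    tree = ast.parse(source)
    ob = Obfuscator(key, random.Random(seed))
    tree = ast.fix_missing_locations(ob.visit(tree))
    return DECRYPT_HELPER + ast.unparse(tree), ob.names


def run(source, func_name, *args):
    """Execute a module's source and call one function from it."""
    ns = {}
    exec(source, ns)
    return ns[func_name](*args)


def recover_strings(obf_source, func_name, *args):
    """Analyst's view: hook the decryptor and log every string as it is
    decrypted. Only strings on the executed path appear, which is exactly
    the 'just in time' nuisance the comment describes."""
    seen = []
    ns = {}
    exec(obf_source, ns)
    real_d = ns["_d"]

    def hooked(blob, k):
        s = real_d(blob, k)
        seen.append(s)
        return s

    ns["_d"] = hooked  # the obfuscated function resolves _d via its globals
    ns[func_name](*args)
    return seen


if __name__ == "__main__":
    obf, names = obfuscate(SAMPLE_SOURCE)
    print(obf)
    print(run(obf, names["check_licence"], "ABC-123"))
    print(recover_strings(obf, names["check_licence"], "ABC-123"))
```

Running the script prints the obfuscated module (no `check_licence`, no readable literals, a dead `if 0 == 1:` branch at the top of the function), confirms it still returns the same result, and then lists the strings the hooked decryptor saw; `"licence invalid"` is absent from that list because the run never reached it, which is why a debugger-driven recovery has to be coaxed down every path.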

  2. Well, they did jack the price up to 'whatever' by Anonymous Coward · Score: 2, Interesting

    Does anyone still use DexGuard after they jacked the price model up to 'however much we think your app is worth'?

    Seriously, that kind of pricing scheme can basically 'fuck off' (We used to be a customer, and went to using DexProtector once Guardsquare's pricing scheme went that way).

    We actually go out of our way to not do business with any other company either with that kind of ass-holish pricing model. I know it's fairly common in places like the US, but, seriously, put prices with actual numbers online and stick with them - none of this 'contact us and we'll look you up and decide how much to charge based on how much you seem to be worth'.

  3. Features of Dexguard ideal for Malware by ffkom · Score: 4, Insightful

    The features that are advertised for Dexguard sound like exactly what Malware programmers would be looking for to obfuscate their evil intentions. Spyware, Trojans, Adware and the like are certainly right in the middle of the target audience.

    1. Re:Features of Dexguard ideal for Malware by thygate · Score: 2

      And this is why some (defunct imo) AV products have flagged executable packers for as long as I can remember. I have used a modified (header only) version of UPX for some products over the years, and time and time again, some AV will flag it as some generic virus. The reason I used it was to make it a little harder for script kiddies to clone the product, as just changing the UPX header would be enough to disable the generic unpacker scripts. It's gotten even worse in recent years, where a simple (un-obfuscated!) C# .NET assembly that simply imports ReadProcessMemory from kernel32 gets flagged as a virus by the same "AV" products. I'm sick of AV products ignorantly flagging shit as malicious, resulting in a lot of extra support, while security-ignorant government mandated (very-well-obfuscated) backdoo... er I mean "bugs" are rampant.