Bypass Record

Tamper-Protection Bypass × DANA mobile app

A publicly reported instance of a Tamper-Protection Bypass against the DANA mobile app, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: DANA mobile app
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-10-28
Config / version noted: Not stated

Provenance

Reported as

bypass the DANA mobile payment app's root and tamper detection

Mechanism

Uses the Xposed framework to hook DANA's security check functions, bypassing root detection and tamper verification. This defeats the app's client-side integrity checks, so the app operates on rooted or modified devices without triggering security alerts.

Detection & mitigation

Monitor for Xposed framework artifacts (e.g., /data/data/de.robv.android.xposed.installer, XposedBridge.jar) and hooking indicators via runtime integrity checks or SafetyNet/Play Integrity API attestation failures. Mitigate by implementing server-side integrity validation and using hardware-backed attestation to detect framework injection.
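
One way to apply the server-side validation described above, as an added example that is not code from the cited source or from DANA: a Python policy check over a Play Integrity verdict payload that the server has already decrypted and verified. The package name, certificate digest, nonce value, thresholds and function name are constructed assumptions, and a classic request carrying a server-issued nonce is assumed.

```python
import time

# Constructed placeholders for illustration, not values from the record.
EXPECTED_PACKAGE = "com.example.wallet"
EXPECTED_CERT_DIGESTS = {"constructed-release-cert-digest"}
MAX_AGE_MS = 120_000  # reject verdicts older than two minutes


def evaluate_verdict(payload, expected_nonce, now_ms=None):
    """Return policy failures for a decoded, already verified verdict payload.
    Empty list means accept. Assumes a classic request with a server nonce."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = payload.get("requestDetails", {})
    app = payload.get("appIntegrity", {})
    dev = payload.get("deviceIntegrity", {})
    failures = []

    # Bind the verdict to this request so a captured token cannot be reused.
    if req.get("nonce") != expected_nonce:
        failures.append("nonce_mismatch")
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        failures.append("wrong_package")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = -1  # missing or malformed timestamp is treated as invalid
    if not 0 <= age <= MAX_AGE_MS:
        failures.append("stale_or_invalid_timestamp")

    # A repackaged or re-signed build is not PLAY_RECOGNIZED.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        failures.append("app_not_recognized")
    if not EXPECTED_CERT_DIGESTS & set(app.get("certificateSha256Digest", [])):
        failures.append("unexpected_signing_cert")

    # No MEETS_DEVICE_INTEGRITY label means the device failed attestation.
    if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
        failures.append("device_integrity_missing")
    return failures


# Constructed sample: a verdict from a device that failed attestation.
SAMPLE_FAILED = {
    "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                       "nonce": "n-123", "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION",
                     "certificateSha256Digest": ["other-digest"]},
    "deviceIntegrity": {"deviceRecognitionVerdict": []},
}
```

Because the decision is made on the server from a signed verdict, a hook that patches the app's local check functions does not change the result the backend acts on.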

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.