Bangcle (SecNeo)
One of the earliest Chinese packers. The vendor later became SecNeo, and the technology was developed into SecShell (Kiwisec), a significantly more sophisticated packer that retains the Bangcle anti-tamper marker. Older Bangcle versions are still encountered in legacy malware samples. The protection is basic by modern standards and straightforward to unpack.
Overview
| Property | Value |
|---|---|
| Vendor | Bangcle / SecNeo |
| Free Tier | Yes |
| APKiD Signature | packer : Bangcle |
| Unpacking Difficulty | Easy |
Identification
| Artifact | Description |
|---|---|
| Native library | libsecexe.so, libsecmain.so, libSecShell.so |
| DEX stub | Minimal loader calling native initialization |
| Asset files | classes.jar or encrypted DEX in assets/ |
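The artifact table above can be turned into a simple triage check. The script below is an added example written for this page, not APKiD's rule set or any vendor code: it opens an APK as a zip, flags the three native library names from the table, and looks at assets/ for a classes.jar entry, a plaintext DEX, or a high-entropy blob that may be an encrypted DEX. The entropy threshold (7.5 bits per byte) and the 4 KiB sample size are assumed heuristics, and the sample APK it builds is constructed for the demonstration rather than taken from a real Bangcle sample.

```python
import io
import math
import zipfile
from collections import Counter

# Identification artifacts listed on this page.
BANGCLE_LIBS = {"libsecexe.so", "libsecmain.so", "libSecShell.so"}
DEX_MAGIC = b"dex\n"
# Entropy threshold for "looks encrypted or compressed" (assumed heuristic, not an APKiD rule).
HIGH_ENTROPY = 7.5


def shannon_entropy(data):
    """Bits per byte of a buffer; 8.0 means uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk(apk_bytes):
    """Return (zip_entry, reason) findings that match the Bangcle artifact table."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            base = name.rsplit("/", 1)[-1]
            if name.startswith("lib/") and base in BANGCLE_LIBS:
                findings.append((name, "bangcle native library"))
            elif name.startswith("assets/"):
                head = z.read(name)[:4096]  # enough for a magic check and an entropy estimate
                if base == "classes.jar":
                    findings.append((name, "classes.jar payload in assets"))
                elif head.startswith(DEX_MAGIC):
                    findings.append((name, "plaintext DEX in assets"))
                elif shannon_entropy(head) > HIGH_ENTROPY:
                    findings.append((name, "high-entropy asset (possible encrypted DEX)"))
    return findings


def is_bangcle(findings):
    """The native library names are the decisive indicator; asset findings alone
    are only corroborating, since other packers also hide payloads in assets/."""
    return any(reason == "bangcle native library" for _, reason in findings)


def build_sample_apk(packed=True):
    """Constructed APK-shaped zip for demonstration; not a real Bangcle sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 32)  # binary-XML-like stub
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 104)             # tiny stub loader DEX
        z.writestr("assets/readme.txt", b"hello world " * 64)                   # benign, low entropy
        if packed:
            z.writestr("lib/armeabi-v7a/libsecexe.so", b"\x7fELF" + b"\x00" * 60)
            z.writestr("lib/armeabi-v7a/libsecmain.so", b"\x7fELF" + b"\x00" * 60)
            z.writestr("assets/classes.jar", bytes(range(256)) * 16)            # "encrypted" payload
            z.writestr("assets/data.bin", bytes(range(255, -1, -1)) * 16)       # high-entropy blob
    return buf.getvalue()


if __name__ == "__main__":
    findings = scan_apk(build_sample_apk())
    for entry, reason in findings:
        print(f"{entry}: {reason}")
    print("packer : Bangcle" if is_bangcle(findings) else "no Bangcle artifacts")
```

Run it against a real sample with `scan_apk(open("sample.apk", "rb").read())`. Treat the asset findings as context only: the library names decide the verdict, which mirrors how the APKiD signature keys on the packer's own files rather than on the payload layout.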
Protection
- DEX encryption and dynamic loading
- Anti-debugging via ptrace
- Root detection
- Basic emulator detection
Unpacking
Older Bangcle versions use straightforward DEX-in-assets encryption. The native library decrypts the payload and writes it to a temporary DEX file. Either hook the file operations to capture that file as it is written, or dump the decrypted DEX from process memory using the mappings listed in /proc/<pid>/maps.
frida-dexdump handles Bangcle without special configuration.
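The memory-dump route described above, as an added example that is not part of this page and not frida-dexdump's code: it parses /proc/<pid>/maps, keeps the readable regions where a decrypted DEX is likely to land (anonymous mappings, /data/ paths, entries already named like DEX or JAR files), reads each region from /proc/<pid>/mem, and carves every well-formed DEX by checking the header fields (file_size at offset 0x20, header_size 0x70, the little-endian endian_tag) rather than trusting the magic alone. Reading /proc/<pid>/mem requires ptrace-level access to the target process (root on a device or emulator); the maps text and memory region used for the demonstration are constructed, not captured from a real process, and the process id and output directory are whatever you pass in.

```python
import os
import re
import struct

# DEX header constants from the Dalvik executable format.
DEX_MAGIC_RE = re.compile(rb"dex\n03[5-9]\x00")  # dex\n035\0 through dex\n039\0
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def parse_maps(maps_text):
    """Parse /proc/<pid>/maps text into (start, end, perms, path) tuples."""
    regions = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5].strip() if len(parts) == 6 else ""
        regions.append((start, end, parts[1], path))
    return regions


def candidate_regions(regions):
    """Readable regions where a decrypted DEX is likely: anonymous mappings, anything
    under /data/ (temp DEX files, app-private caches) and files already named like
    DEX/JAR payloads. Shared objects are skipped; the packer's own code is not the goal."""
    keep = []
    for start, end, perms, path in regions:
        if "r" not in perms or path.endswith(".so"):
            continue
        if path == "" or path.startswith("/data/") or path.endswith((".dex", ".jar")):
            keep.append((start, end, perms, path))
    return keep


def read_region(pid, start, end):
    """Read one mapping from /proc/<pid>/mem (needs ptrace-level access, e.g. root)."""
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        return os.pread(fd, end - start, start)
    finally:
        os.close(fd)


def carve_dex(region_bytes, base=0):
    """Find every well-formed DEX in a buffer. A hit must have a plausible header:
    header_size == 0x70, the little-endian endian_tag, and a file_size that fits in
    the buffer. Returns (absolute_offset, dex_bytes) pairs."""
    found = []
    for m in DEX_MAGIC_RE.finditer(region_bytes):
        off = m.start()
        if off + DEX_HEADER_SIZE > len(region_bytes):
            continue
        file_size, header_size, endian_tag = struct.unpack_from("<III", region_bytes, off + 0x20)
        if header_size != DEX_HEADER_SIZE or endian_tag != DEX_ENDIAN_CONSTANT:
            continue
        if file_size < DEX_HEADER_SIZE or off + file_size > len(region_bytes):
            continue
        found.append((base + off, region_bytes[off:off + file_size]))
    return found


def dump_process(pid, out_dir):
    """End to end: walk /proc/<pid>/maps, read each candidate, carve and write DEX files."""
    with open(f"/proc/{pid}/maps") as f:
        regions = candidate_regions(parse_maps(f.read()))
    written = []
    for start, end, _, _ in regions:
        try:
            data = read_region(pid, start, end)
        except OSError:
            continue  # mapping went away or is not readable
        for addr, dex in carve_dex(data, base=start):
            path = os.path.join(out_dir, f"{addr:x}.dex")
            with open(path, "wb") as out:
                out.write(dex)
            written.append(path)
    return written


# Constructed fixtures for the demonstration; not data from a real process.
def make_fake_dex(version, size):
    header = (b"dex\n" + version + b"\x00" + b"\x00" * 4 + b"\x00" * 20
              + struct.pack("<III", size, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT))
    return header.ljust(DEX_HEADER_SIZE, b"\x00") + b"\xAB" * (size - DEX_HEADER_SIZE)

SAMPLE_MAPS = """12c00000-12d00000 rw-p 00000000 00:00 0
7a1b000000-7a1b100000 r--p 00000000 103:1d 12345 /data/data/com.example.packed/.cache/tmp.dex
7a1c000000-7a1c020000 r-xp 00000000 103:1d 6789 /data/app/com.example.packed/lib/arm64/libsecexe.so
7ffd0000-7fff0000 rw-p 00000000 00:00 0 [stack]
7a1d000000-7a1d010000 ---p 00000000 00:00 0"""

SAMPLE_REGION = (b"\x00" * 0x100 + make_fake_dex(b"035", 0x200)
                 + b"dex\n035\x00" + b"\xff" * 0x80  # decoy: magic with a bogus header
                 + make_fake_dex(b"038", 0x300) + b"\x00" * 0x40)

if __name__ == "__main__":
    for start, end, perms, path in candidate_regions(parse_maps(SAMPLE_MAPS)):
        print(f"candidate {start:x}-{end:x} {perms} {path or '[anon]'}")
    for addr, dex in carve_dex(SAMPLE_REGION, base=0x7a1b000000):
        print(f"DEX at {addr:x}, {len(dex)} bytes, version {dex[4:7].decode()}")
```

On a device, `dump_process(pid, "/sdcard/dump")` does the real work; the header validation is what keeps stray "dex\n" strings (the packer's own loader stub contains them) from producing junk files, and file_size from the header gives the carve length without guessing at region boundaries.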
Malware Usage
| Family | Notes |
|---|---|
| BankBot | Older variants |
| Older banking trojans | Common on 2015-2018 era samples |