The first analysis

An agent decompiled the APK and came to the following conclusion:

At first we were sceptical, but as I saw the material I remembered a screenshot accidentally posted by an Enl agent quite a while ago.

So I had a look into it. Since I got the APK, I was able to decompile it and have a look into the functionality. So here is what I found from a brief look into the code:

  1. First thing I figured: it is an Xposed module
  2. Show cooldown time on hack button
  3. Show mods installed on the mod button
  4. Remind you of our Sojourner hack
  5. Cache portal pictures locally and redirect requests from the scanner to the local database
  6. Sync data about unique visits and captures with a server and show it in the scanner
  7. Show portal age in the scanner for LTP hunt
  8. Show mitigation from installed shields on portal
  9. Intercept communication between scanner and NIA to fetch glyph sequences and show them
  10. Suppress animations from links and fields, e.g.
  11. Some design alterations like replacing the “Fire” button with “Pew pew”…
  12. More I couldn’t decipher (I have other stuff to do as POC right now)

Furthermore, I got screenshots from the server side listing users. You could say there is no hard link between the list and the APK. But actually the subdomain “rana” is clearly mentioned in the code for syncing. If you go to the site you also hit systemV and G+ login, so this is clearly something used by Enl.