The Android static analysis report for the app HMAL (version 4.1.r44) indicates a medium risk with an app security score of 52/100. The analysis revealed 1 high severity issue related to installation on vulnerable Android versions, alongside several warnings regarding data exposure and permissions. The app has been signed and includes various components, but it also has potential security concerns such as logging sensitive information and using an insecure random number generator.

Uploaded by ameliathomasxe

ANDROID STATIC ANALYSIS REPORT

 HMAL (4.1.r44)
File Name: HMAL-V4.1.r44-release.apk

Package Name: com.google.android.hmal

Scan Date: June 11, 2025, 10:03 a.m.

App Security Score: 52/100 (MEDIUM RISK)

Grade: B
 FINDINGS SEVERITY

 HIGH  MEDIUM  INFO  SECURE  HOTSPOT

1 6 2 1 1

 FILE INFORMATION
File Name: HMAL-V4.1.r44-release.apk
Size: 2.5MB
MD5: 13c1a3fc1c103b76883891811610308e
SHA1: c98ec01a70b879ad2fa529fbe4caabcfe812a89d
SHA256: 5eae070fd6e1b1c41b22f7d7e90fedab9df7c9172f733f69e04a0ba96731d9a4

 APP INFORMATION
App Name: HMAL
Package Name: com.google.android.hmal
Main Activity: icu.nullptr.hidemyapplist.ui.activity.MainActivity
Target SDK: 35
Min SDK: 24
Max SDK:
Android Version Name: 4.1.r44
Android Version Code: 44
 APP COMPONENTS
Activities: 2
Services: 0
Receivers: 1
Providers: 2
Exported Activities: 1
Exported Services: 0
Exported Receivers: 1
Exported Providers: 1

 CERTIFICATE INFORMATION
Binary is signed
v1 signature: False
v2 signature: True
v3 signature: False
v4 signature: False
X.509 Subject: C=US, ST=Debug, L=Debug, O=Debug, OU=Debug, CN=Debug
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2024-03-22 07:14:35+00:00
Valid To: 2051-08-08 07:14:35+00:00
Issuer: C=US, ST=Debug, L=Debug, O=Debug, OU=Debug, CN=Debug
Serial Number: 0x6dde76d4
Hash Algorithm: sha256
md5: 69c0dd146b416e1b87653f84aba30994
sha1: 19cb2672a27da40c2e369526ec6bfcda65794ea9
sha256: 0b0c6311d4dc7a4c28e8679bb876aeaa6ace79b421873750f79ce9beaa23c739
sha512: b5f94dac8fadb664c5dfbed1fff02772d658452f94ac1242dd8defedd2141f3e305bbbc33eca557577a8da1c0bad3f2d2cff16ca5dd5a49aeb386f43d4d3ece4
PublicKey Algorithm: rsa
Bit Size: 2048
Fingerprint: 5e3c129f790beb83653b516a15a181df9f4b04b7fd2e1e0f418475bbc3d27fe3
Found 1 unique certificates
 APPLICATION PERMISSIONS

Permission: android.permission.QUERY_ALL_PACKAGES
Status: normal
Info: enables querying any normal app on the device.
Description: Allows query of any normal app on the device, regardless of manifest declarations.

Permission: com.google.android.hmal.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION
Status: unknown
Info: Unknown permission
Description: Unknown permission from android reference

 APKID ANALYSIS

File: classes.dex
Anti-VM Code: Build.FINGERPRINT check, Build.MANUFACTURER check
Compiler: r8 without marker (suspicious)

 NETWORK SECURITY
NO SCOPE SEVERITY DESCRIPTION

 CERTIFICATE ANALYSIS
HIGH: 0 | WARNING: 0 | INFO: 1

Title: Signed Application
Severity: info
Description: Application is signed with a code signing certificate

 MANIFEST ANALYSIS
HIGH: 1 | WARNING: 4 | INFO: 0 | SUPPRESSED: 0

No: 1
Issue: App can be installed on a vulnerable unpatched Android version Android 7.0, [minSdk=24]
Severity: high
Description: This application can be installed on an older version of android that has multiple unfixed vulnerabilities. These devices won't receive reasonable security updates from Google. Support an Android version => 10, API 29 to receive reasonable security updates.

No: 2
Issue: Application Data can be Backed up [android:allowBackup=true]
Severity: warning
Description: This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.

No: 3
Issue: Activity-Alias (com.google.android.hmal.MainActivityLauncher) is not Protected. [android:exported=true]
Severity: warning
Description: An Activity-Alias is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.

No: 4
Issue: Content Provider (icu.nullptr.hidemyapplist.service.ServiceProvider) is not Protected. [android:exported=true]
Severity: warning
Description: A Content Provider is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.

No: 5
Issue: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is Protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.DUMP [android:exported=true]
Severity: warning
Description: A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

 CODE ANALYSIS
HIGH: 0 | WARNING: 2 | INFO: 2 | SECURE: 0 | SUPPRESSED: 0

No: 1
Issue: The App logs information. Sensitive information should never be logged.
Severity: info
Standards: CWE: CWE-532: Insertion of Sensitive Information into Log File; OWASP MASVS: MSTG-STORAGE-3
Files: A/d.java, A/e.java, A/n.java, A0/c.java, A1/u.java, A2/b.java, C/b.java, C/j.java, C/q.java, D/f.java, D/g.java, D/h.java, D/i.java, D/j.java, D/k.java, D/l.java, E0/a.java, G0/a.java, H/j.java, I/a.java, I/b.java, J1/C0013a.java, K0/j.java, L/C0017b.java, L/C0034o.java, L/G.java, L/T.java, L/X.java, L/o0.java, L/p0.java, L/u0.java, L0/a.java, R/r.java, R0/b.java, S/d.java, U/e.java, Y/d.java, by/kirich1409/viewbindingdelegate/c.java, c0/C0117c.java, c0/C0128n.java, c0/C0130p.java, c0/H.java, com/github/kyuubiran/ezxhelper/utils/FieldUtilsKt.java, com/github/kyuubiran/ezxhelper/utils/HookUtilsKt.java, com/github/kyuubiran/ezxhelper/utils/Logger.java, com/github/kyuubiran/ezxhelper/utils/MethodUtilsKt.java, com/github/kyuubiran/ezxhelper/utils/UtilsKt.java, com/github/kyuubiran/ezxhelper/utils/parasitics/ActivityHelper.java, com/github/kyuubiran/ezxhelper/utils/parasitics/MyHandler.java, e/AbstractActivityC0163k.java, e/AbstractC0168p.java, e/LayoutInflaterFactory2C0148A.java, e/w.java, e0/d.java, e0/f.java, e0/i.java, g0/D.java, g0/x.java, h0/e.java, i/C0249h.java, i/C0250i.java, j/ViewOnKeyListenerC0275g.java, j/m.java, j0/C0300w.java, j0/J.java, j0/T.java, j0/Y.java, j1/AbstractC0306c.java, k/AbstractC0340j0.java, k/C0348n0.java, k/C0362v.java, k/C0366x.java, k/C1.java, k/L0.java, k/N.java, k/R0.java, k/V.java, k/g1.java, k/j1.java, k/y1.java, l1/d.java, l2/a.java, l2/b.java, m1/AbstractC0388a.java, m2/d.java, o1/e.java, o1/h.java, q0/p.java, t1/j.java, u/C0477e.java, v1/d.java, w/AbstractC0488c.java, w/C0492g.java, w/C0494i.java, w/m.java, w0/p.java

No: 2
Issue: The App uses an insecure Random Number Generator.
Severity: warning
Standards: CWE: CWE-330: Use of Insufficiently Random Values; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-6
Files: A2/b.java, G1/a.java, Z1/a.java, Z1/b.java, Z1/c.java, a2/C0056a.java

No: 3
Issue: IP Address disclosure
Severity: warning
Standards: CWE: CWE-200: Information Exposure; OWASP MASVS: MSTG-CODE-2
Files: w0/p.java

No: 4
Issue: This App copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it.
Severity: info
Standards: OWASP MASVS: MSTG-STORAGE-10
Files: g0/o.java

 NIAP ANALYSIS v1.3

NO IDENTIFIER REQUIREMENT FEATURE DESCRIPTION

 BEHAVIOUR ANALYSIS
Rule ID: 00013
Behaviour: Read file and put it into a stream
Label: file
Files: A1/C0004e.java, D/j.java, D/k.java, E0/a.java, U1/i.java, h0/C0197a.java, h0/e.java, h0/j.java

Rule ID: 00035
Behaviour: Query the list of the installed packages
Label: reflection
Files: F1/c.java

Rule ID: 00063
Behaviour: Implicit intent(view a web page, make a phone call, etc.)
Label: control
Files: K0/g.java, K0/i.java, K0/q.java, c0/C0115a.java, c0/C0117c.java

Rule ID: 00051
Behaviour: Implicit intent(view a web page, make a phone call, etc.) via setData
Label: control
Files: K0/g.java, K0/i.java, K0/q.java, c0/C0115a.java, c0/C0117c.java

Rule ID: 00191
Behaviour: Get messages in the SMS inbox
Label: sms
Files: k/g1.java

Rule ID: 00036
Behaviour: Get resource file from res/raw directory
Label: reflection
Files: c0/C0115a.java, k/g1.java

Rule ID: 00022
Behaviour: Open a file from given absolute path of the file
Label: file
Files: icu/nullptr/hidemyapplist/MyApp.java, y1/C0520b.java

Rule ID: 00147
Behaviour: Get the time of current location
Label: collection location
Files: e/w.java

Rule ID: 00075
Behaviour: Get location of the device
Label: collection location
Files: e/w.java

Rule ID: 00115
Behaviour: Get last known location of the device
Label: collection location
Files: e/w.java

 ABUSED PERMISSIONS

TYPE MATCHES PERMISSIONS

Malware Permissions 0/25

Other Common Permissions 0/44

Malware Permissions:
Top permissions that are widely abused by known malware.
Other Common Permissions:
Permissions that are commonly abused by known malware.

 OFAC SANCTIONED COUNTRIES


This app may communicate with the following OFAC sanctioned list of countries.

Domain: www.coolapk.com
IP: 220.197.201.184
Country: China
Region: Guizhou
City: Guiyang

 DOMAIN MALWARE CHECK

Domain: www.coolapk.com
Status: ok
IP: 220.197.201.184
Country: China
Region: Guizhou
City: Guiyang
Latitude: 26.583330
Longitude: 106.716667

Domain: youtrack.jetbrains.com
Status: ok
IP: 63.33.88.220
Country: Ireland
Region: Dublin
City: Dublin
Latitude: 53.343990
Longitude: -6.267190

Domain: schemas.android.com
Status: ok
Geolocation: No Geolocation information available.

Domain: github.com
Status: ok
IP: 140.82.121.4
Country: United States of America
Region: California
City: San Francisco
Latitude: 37.775700
Longitude: -122.395203

 SCAN LOGS

Timestamp Event Error

2025-06-11 10:04:56 Generating Hashes OK

2025-06-11 10:04:56 Extracting APK OK

2025-06-11 10:04:56 Unzipping OK

2025-06-11 10:04:56 Parsing APK with androguard OK

2025-06-11 10:04:57 Extracting APK features using aapt/aapt2 OK


2025-06-11 10:04:57 Getting Hardcoded Certificates/Keystores OK

2025-06-11 10:05:01 Parsing AndroidManifest.xml OK

2025-06-11 10:05:01 Extracting Manifest Data OK

2025-06-11 10:05:01 Manifest Analysis Started OK

2025-06-11 10:05:01 Performing Static Analysis on: HMAL (com.google.android.hmal) OK

2025-06-11 10:05:01 Fetching Details from Play Store: com.google.android.hmal OK

2025-06-11 10:05:01 Checking for Malware Permissions OK

2025-06-11 10:05:01 Fetching icon path OK

2025-06-11 10:05:01 Library Binary Analysis Started OK

2025-06-11 10:05:01 Reading Code Signing Certificate OK

2025-06-11 10:05:02 Running APKiD 2.1.5 OK


2025-06-11 10:05:03 Detecting Trackers OK

2025-06-11 10:05:04 Decompiling APK to Java with JADX OK

2025-06-11 10:05:19 Converting DEX to Smali OK

2025-06-11 10:05:19 Code Analysis Started on - java_source OK

2025-06-11 10:05:20 Android SBOM Analysis Completed OK

2025-06-11 10:05:24 Android SAST Completed OK

2025-06-11 10:05:24 Android API Analysis Started OK

2025-06-11 10:05:26 Android API Analysis Completed OK

2025-06-11 10:05:26 Android Permission Mapping Started OK

2025-06-11 10:05:28 Android Permission Mapping Completed OK


2025-06-11 10:05:28 Android Behaviour Analysis Started OK

2025-06-11 10:05:31 Android Behaviour Analysis Completed OK

2025-06-11 10:05:31 Extracting Emails and URLs from Source Code OK

2025-06-11 10:05:32 Email and URL Extraction Completed OK

2025-06-11 10:05:32 Extracting String data from APK OK

2025-06-11 10:05:32 Extracting String data from Code OK

2025-06-11 10:05:32 Extracting String values and entropies from Code OK

2025-06-11 10:05:32 Performing Malware check on extracted domains OK

2025-06-11 10:05:34 Saving to Database OK

Report Generated by - MobSF v4.3.3


Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment
framework capable of performing static and dynamic analysis.
© 2025 Mobile Security Framework - MobSF | Ajin Abraham | OpenSecurity.
