Welcome to My New Blog
What about the use of Mock Locations on Android Devices?
This is my first blog. I hope this research will provide meaningful information for the DFIR community. I am currently a student in the Masters of Digital Forensic Science program at Champlain College. Back in February of this year I was working on another class project when I became aware of the ability to set Mock Locations on Android devices.
The Skinny on FakeGPS Pro application
Faking GPS on android devices is much easier than on iOS. The user can turn on Developer Options and select “Mock Location” then select what application they wish to use to mock their location. If “Mock Location” is turned on and a fake GPS app is located on an android device, then in the words of Alexis Brignoni, “ all locations become suspect from the time the app was installed onward,” as this app can mock the location of several other applications including the location of the device itself.
Full Image artifact locations
\data\com.lexa.fakegps\databases\fakegps, Table: history
Backup Image artifact locations
I work at a college police department so you know the age group. In my area the game Pokémon Go is still a big thing. I was told by a student that he could cheat the game by faking his GPS location to be able to play the games in other locations without being in those locations.
I located a mock location application on Google Play called FakeGPS Pro. I originally was going to attempt to write a python parser for this application, but that did not happen. So, I let the project go by the wayside.
Then, in September I decided to investigate this application again. I really feel this is important to understand how this application works, stores data, and draws over other apps. While at the recent HTCIA conference in Chicago, I met for the first time Alexis Brignoni. I discussed this project with him and he said he was interested in assisting me with this project.
This project involves 2 different Samsung devices, one of the devices is rooted the other is not. Here is the device information,
Rooted (KingRoot) Samsung SM-G730A
Samsung Galaxy S3 mini, model SM-G730A, Build number: KOT49H.G730AUCUBNG4, Baseband version: G730AUCUBNG4, Kernel version: 3.4.0-1670137, running Android version: 4.4.2.
Un-rooted Samsung SM-J320VPP
Samsung Galaxy J36 (prepaid Verizon), model SM-J320VPP, Security Patch: June 1, 2017, Build number: MMB29M.J320VRS2AQF1, Baseband version: J320VPPVRS2AQF1, Kernel version: 3.10.49, Hardware version: J320F.03, Security Software version: ASKS v. 1.2_161011, Configuration version: F15.SAM.SMJ320VPP.0, Knox version: KNOX 2.6, SE for Android Status: Enforcing, running Android version: 6.0.1.
Next, both devices do not have cellular service. Both devices are connected to Wi-Fi. I went to the Google Play store and searched for “mock location app.” and located FakeGPS Pro by Lexa Tools. Here are some snips of the information about the application published on Google Play Store.
Now, if you notice this application requests some important permissions. I selected to allow the application all permissions.
I downloaded and installed the FakeGPS Pro v. 2.0.8 on both devices.
I started with the “rooted” Samsung SM-G730A device running Android v. 4.4.2. I then went to device “Developer Options” and set Mock Location application to FakeGPS. I then selected the application on the Home screen and turned it on, I selected my location in Orlando, FL. I then checked my location on the notification drop down and verifying the location.
Well, sometimes screenshot images do not come out so well. However, you can see FakeGPS the coordinates showing Orlando, FL.
Then, I selected the Google Maps application and opened it. The view which appeared showed my location in Orland, FL offering me to “Explore Orlando.”
Then, I turned off Fake GPS Pro. I verified that it was off by selecting the Notifications drop down.
Again, to make sure that my location was now correct I opened the Google Maps application. The screen which appeared was for Aurora, IL and it was showing me Explore Aurora.
I turned on Fake GPS Pro three more times using the same location of Orlando, FL. Each time I would also open the Google Maps application and verify what it showed my location as which was still in Orlando, FL. This entire time my device and I have been in Aurora, IL. I also turned off the Fake GPS Pro application three more times, and verified what location the Google Maps application showed which was Aurora, IL.
Next, I connected the Samsung SM-G730A device to my laptop; MSI, Windows 10 64 bit, build 1803, 16GB RAM, Intel I7 processor. Then I selected and opened Magnet Acquire v. 22.214.171.12484, selecting to “Run as Administrator.” My device appeared as connected. I selected it and selected “Acquire.” The program acknowledged that I had full access and acquired a full image. I zipped this image file and emailed it to Alexis Brignoni with information on actions taken.
I then opened Magnet Axiom Process v. 126.96.36.19906 and processed the raw image file. Once the processing was complete Magnet Axiom Examine v. 188.8.131.5206 opened. I first navigated the “File System” and located the FakeGPS Pro folder, com.lexa.fakegps. There was a database folder. It showed the location of Orlando, FL with the GPS coordinates. It also showed it was accessed 4 times. However, there is no associated timestamps recorded for each visit. I then opened Magnet Axiom Process v. 184.108.40.20606 and processed the raw image file. Once the processing was complete Magnet Axiom Examine v. 220.127.116.1106 opened. I first navigated the “File System” and located the FakeGPS Pro folder at \data\com.lexa.fakegps\databases\fakegps. There was a SQL database file. It showed the location of Orlando, FL in Table: favorites. In the Table: history was the GPS coordinates for Orlando, FL. It also showed it was accessed 4 times. However, there is no associated timestamps recorded for each visit. However, there was a Modified timestamp of 9/26/2019 5:25:37AM (UTC-6)
In the “shared pref” folder was an XML file, \data\com.lexa.fakegps\shared_pref\MapviewinitializerPreferences.xml, size 138 bytes. Axiom Examiner rendered the XML file as seen below. There was a Unix timestamp associated with this XML file which I used DCode to convert the timestamp to Unix Milliseconds
Next, I navigated to com.google.android.apps.maps, and selected to open gmm_sync.db. In the Table: sync_item data, there are two entries for GPS coordinates belonging to Aurora, IL. There are 4 empty GPS coordinates entries, which do have an unknown value in the client_id and string_index rows. One of the entries in the client_id row has an entry of “User Parameters.” It is not known at this time if this indicates use of the FakeGPS Pro application.
Drilling deeper into Google Maps at \data\com.google.android.app.maps\files\passive_assist\106347371795285294668_cache.data.cs file, size 64,931 Bytes, Created 09/26/2019 10:26:21AM, Accessed 09/26/2019 10:26:21AM, Modified 09/26/2019 10:26:21AM. This is the time that I last used the Google Maps application for this research. I do not know what a data.cs file is. However, Axiom Examine showed the following text in the Preview section. Notice Orlando and Aurora.
There does not appear to be any date or time associated with these locations in this .data.cs file data only the locations. More research needs to be conducted with Google Maps data.
Next, I selected \data\com.android.settings\shared_pref\com.android.settings_preferences.xml file. This was interesting I located file com.android.settings_preferences.xml, size 4,309 Bytes. In this XML file you can confirm that the flag was set to value=”true” for allow_mock_location.
This concludes the examination of the Samsung SM-G730A raw image file.
Now I will move into the actions taken with the non-rooted device, Samsung SM-J320VPP. I began by allowing Mock Location in the Developer Options. I then opened the Google Play Store application, then I downloaded the FakeGPS Pro application. From here I started the FakeGPS Pro application and set the location once again to…Orlando, FL. By the way, for those who know Alexis Brignoni he is from the Orlando area so yes, this was intentional
Next, I confirmed that the device was showing the GPS coordinates for Orlando, FL by navigating to the Notifications drop down.
Then I wanted to see what location Google Maps thought the device was at, so I opened the Google Maps application and the screen appeared offering to Explore Orlando.
Next, I turned off FakeGPS Pro, and verified that it was off by dropping down the Notification, and turning on Google Maps application which showed Explore Aurora. Aurora is the true location of this device.
Okay, so my snip did not capture the Explore Aurora at the bottom of the screen. I can confirm this is Aurora, IL. If anyone wants to check this do a Google search for Gombert Elementary School.
Now, I acquired the image of the device using my laptop and Magnet Acquire v. 18.104.22.16884. Again, this device is not rooted so I acquired a logical image or as Magnet calls it “Quick image.” Once the image was acquired, I zipped the image file and uploaded it to Google Drive to share with Alexis Brignoni.
Next, I processed the image file with Magnet Axiom Process v. 22.214.171.12406. Once the processing was complete Magnet Examine opened.
I did locate the gmm_sync.db in the com.google.android.apps.maps folder. This database may contain some items of value, but further testing needs to occur, so check back for an update. First, I selected “File System” and located adb.tar\apps\com.lexa.fakegps\db\fakegps, this is a SQL database, Table: history shows the GPS coordinates for Orlando, FL, however it is “named” Unknown place. The only timestamp associated with the file is Modified 10/11/2019 9:09:18AM (UTC-6). This timestamp is correct for the time that I turned activated the app.
The Application Activity-Android location is \LiveData\task_stats.txt\com.lexa.fakegps it shows a First Active and Last Active timestamp.
Next, I checked for artifact information in adb.tar\apps\com.google.app.maps\f\passive_assist\116031644312012780858_cache.data.cs file, size 253,056 Bytes, Modified 10/11/2019 09:29:42AM (UTC-6). Once again this file lists locations of Orlando and Aurora with what appears to be their weather conditions. I decided to check and verify if the weather conditions were correct for each location and according to timeanddate.com/weather/usa/aurora-il/historic and timeanddate.com/weather/usa/orlando-fl/historic, the weather conditions were accurate
Well, that was exciting. I hope you enjoy reading this. I hope you find it useful. Remember to watch for an update on our findings in the files listed.
Till next time!
Follow My Blog
Get new content delivered directly to your inbox.