PackageDetector

Abstract base class for detecting device tampering by checking for the presence of specific installed packages.

This detector works by examining the list of installed applications to identify packages that are commonly associated with rooted devices, security tools, or other potentially compromising software. Subclasses must provide the list of suspicious package names through the getPackages method.

The detector uses the Android PackageManager to query for installed applications, which provides a reliable way to detect software that might indicate device compromise. This method can detect:

  • Root management applications (SuperSU, Magisk Manager, etc.)

  • Security testing tools and penetration testing apps

  • Emulator-detection bypass tools

  • Custom recovery applications

  • Developer tools that shouldn't be on production devices

Common suspicious packages include:

  • eu.chainfire.supersu (SuperSU root manager)

  • com.topjohnwu.magisk (Magisk root manager)

  • com.koushikdutta.superuser (Superuser root app)

  • com.zachspong.temprootremovejb (Root removal tools)

  • com.ramdroid.appquarantine (App quarantine tools)

The scoring system returns a Double value:

  • 1.0 indicates at least one suspicious package was found (high confidence of tampering)

  • 0.0 indicates no suspicious packages were found

Example usage:

class RootPackageDetector : PackageDetector() {
    override fun getPackages(): List<String> {
        return listOf(
            "eu.chainfire.supersu",
            "com.topjohnwu.magisk",
            "com.koushikdutta.superuser"
        )
    }
}
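
An added sketch (not the library's own code) of how a PackageManager lookup can produce the 1.0/0.0 score described above; findInstalled and packageScore are hypothetical names. It also shows the manifest declaration that apps targeting Android 11 (API 30) or higher need, because without it the lookup cannot see other packages and the result is a false negative.

```kotlin
import android.content.Context
import android.content.pm.PackageManager

// Hypothetical helper names; this does not reproduce PackageDetector's internals.

/** Returns the subset of [candidates] that PackageManager reports as installed. */
fun findInstalled(context: Context, candidates: List<String>): List<String> {
    val pm = context.packageManager
    return candidates.filter { name ->
        try {
            // flags = 0: only existence matters, no extra metadata is requested.
            pm.getPackageInfo(name, 0)
            true
        } catch (e: PackageManager.NameNotFoundException) {
            // Thrown when the package is absent, and also when package
            // visibility filtering (apps targeting API 30+) hides it from the caller.
            false
        }
    }
}

/** Maps the lookup to the documented score: 1.0 if any match, otherwise 0.0. */
fun packageScore(context: Context, candidates: List<String>): Double =
    if (findInstalled(context, candidates).isNotEmpty()) 1.0 else 0.0

/*
 * For apps targeting Android 11 (API 30) or higher, every package that is
 * looked up must be declared in AndroidManifest.xml. If a declaration is
 * missing, getPackageInfo throws NameNotFoundException even when the package
 * is installed, and packageScore returns 0.0:
 *
 * <queries>
 *     <package android:name="eu.chainfire.supersu" />
 *     <package android:name="com.topjohnwu.magisk" />
 *     <package android:name="com.koushikdutta.superuser" />
 * </queries>
 */
```

Returning the matched names rather than only a Boolean lets the caller log which package triggered the score.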

Constructors

constructor()

Functions

open suspend override fun analyze(context: Context): Double

Determines if the device has been tampered with by checking for suspicious installed packages.

fun exists(context: Context, packages: List<String>): Boolean

Checks if any of the specified packages are installed on the device.