An Xposed/LSPosed module that unlocks all VIP features in Android Faker v2 beta (com.android1500.androidfaker) for educational/practice purposes.
com.android1500.androidfaker (should auto-select) and any other app that you want to spoof (the target apps for Android Faker)This module hooks into Android Faker’s app process and bypasses all VIP/premium feature gates:
| Feature | Gate | Hook |
|---|---|---|
| Profile creation | ms6.b() VIP check |
→ returns true |
| Profile switching | ms6.b() VIP check |
→ returns true |
| Randomize All | ms6.b() VIP check |
→ returns true |
| VIP-only hook fields (MediaDRM, GSF ID, App Set ID, +1) | ms6.b() + tg2.w() |
→ VIP check true + param override |
| SIM country lock | ms6.b() VIP check |
→ returns true |
| Export to file | ms6.b() VIP check |
→ returns true |
| Device model VIP properties | tg2.j() isVipUser param |
→ forced true |
| Account screen VIP badge | ms6$a.d() + d6.c() |
→ returns 1 (VIP) |
| Account screen expiry date | ms6$a.c() + d6.a() |
→ returns year 2100 |
| APK signature verification | ep5.d(Context) |
→ returns true |
Hook Layer 1 — Source of Truth
ms6.b() → true Core isVip check (cascades to all ViewModels)
ms6$a.d() → 1 Account vipStatus
ms6$a.c() → year 2100 Account vipDueDate
Hook Layer 2 — Native Stability & DEX Spoofing in Target Apps
Runtime.loadLibrary0 → Blocks "af_native" to prevent anti-tamper kill thread
Native.doInit → returns true (anti-tamper bypass)
Native.getDex → serves XOR-decrypted payload (via DexExtractor)
Hook Layer 3 — Static Utility Methods
tg2.w() → isVipUser=true Randomization of VIP-only fields
tg2.j() → isVipUser=true Device model application
Hook Layer 4 — UI Display (Cosmetic)
d6.c() → 1 UserInfo Parcelable vipStatus
d6.a() → year 2100 UserInfo Parcelable dueDate
Hook Layer 5 — Anti-Tamper
ep5.d() → true APK signature verification bypass
Android Faker distributes its spoofing classes3.dex payload inside libaf_native.so as an XOR-encrypted blob to evade detection. To safely serve this payload to target apps:
kill()) from JNI_OnLoad when hooking target apps. The module hooks Runtime.loadLibrary0 to block libaf_native.so entirely, preventing the kill thread..so is blocked, Native.getDex() is no longer available in memory. The module dynamically scans libaf_native.so (either from the filesystem or by extracting it directly from the Faker APK ZIP using DexExtractor), finds the XOR cipher (0x32), and decrypts the DEX blob at runtime.Native.doInit (bypassing anti-tamper constraints) and Native.getDex(), seamlessly serving the runtime-decrypted DEX directly into memory. No manual extraction needed!ms6$a.vipDueDate (account field)
↓
ms6.b() — compares vipDueDate > currentTime/1000 ← HOOKED (always true)
↓
AuthRepository.userStateFlow → StateFlow<ms6>
↓
ViewModels observe flow → extract ms6.b() into isVipUser Boolean
↓
UI state classes: fr4.isVipUser, HookState.isVipUser
↓
Feature gates: m15039k().getIsVipUser() == Boolean.TRUE → ALWAYS PASSES
| Obfuscated (DEX) | Original (Kotlin) | Purpose |
|---|---|---|
a.ms6 |
UserState |
Active user + accounts + isVip |
a.ms6$a |
UserState.Account |
userId, email, vipStatus, vipDueDate |
a.tg2 |
HookConfigKt |
Extension functions for HookConfig |
a.d6 |
UserInfo |
Parcelable for Compose UI |
a.ep5 |
SignatureValidator |
APK signing cert verification |
a.ir4 |
ProfileViewModel |
Profile feature gating |
a.nf2 |
HookViewModel |
Hook feature gating |
a.fr4 |
ProfileState |
UI state (has isVipUser field) |
a.ww |
AuthRepository |
Interface exposing userStateFlow |
a.rl3 |
Model |
Device model data class |
FakerUnlocker/ in Android Studio as a project./gradlew assembleDebug)cd FakerUnlocker
./gradlew assembleDebug
# APK at: app/build/outputs/apk/debug/app-debug.apk
Check Xposed/LSPosed logs for hook status:
adb logcat | grep FakerUnlocker
Expected output:
FakerUnlocker: Hooking com.android1500.androidfaker
FakerUnlocker: [OK] ms6.b() → true (core VIP check)
FakerUnlocker: [OK] ms6$a.d() → 1 (VIP status)
FakerUnlocker: [OK] tg2.w() → isVipUser forced true (randomization)
FakerUnlocker: [OK] d6.c() → 1 (UserInfo VIP status)
FakerUnlocker: [OK] ep5.d(Context) → true (signature bypass)
FakerUnlocker: All hooks installed successfully
And in target apps (where location/device info spoofing is applied):
FakerUnlocker: Installing target-app native stability (block + lazy DEX extraction)
FakerUnlocker: [BLOCKED] System.loadLibrary("af_native") — kill thread prevention
FakerUnlocker: [OK] Native.doInit → true
FakerUnlocker: [OK] DEX from Faker APK: 53584 bytes
FakerUnlocker: [SERVED] getDex() → 53584 bytes
Android Faker’s native library (libaf_native.so) has extensive anti-tamper:
/proc/self/maps scanning for RWX memory pageslibart.so byte-level integrity comparison (disk vs memory)libandroid_runtime.so integrity checksIf the app crashes, try:
If you see [FAIL] messages, the app may have been updated with new obfuscation. The obfuscated names (b, w, j, etc.) change between R8 builds. You’ll need to re-analyze the APK with JADX and update the method names.
This module is created for educational purposes only as part of a reverse engineering practice lab. Do not use it to circumvent legitimate software protections in production.
tn.loukious.fakerunlocker
Release Type: Stable
4/16/2026, 1:30:51 AM