Faker Unlocker — Xposed Module
An Xposed/LSPosed module that unlocks all VIP features in Android Faker v2 beta (com.android1500.androidfaker) for educational/practice purposes.
Usage
Steps
- Install the APK on your device
- Enable the module in LSPosed/Xposed:
- Open LSPosed Manager
- Enable "Faker Unlocker"
- Scope:
com.android1500.androidfaker(should auto-select) and any other app that you want to spoof (the target apps for Android Faker) - Force stop Android Faker and reopen
What It Does
This module hooks into Android Faker's app process and bypasses all VIP/premium feature gates:
| Feature | Gate | Hook |
|---|---|---|
| Profile creation | ms6.b() VIP check |
→ returns true |
| Profile switching | ms6.b() VIP check |
→ returns true |
| Randomize All | ms6.b() VIP check |
→ returns true |
| VIP-only hook fields (MediaDRM, GSF ID, App Set ID, +1) | ms6.b() + tg2.w() |
→ VIP check true + param override |
| SIM country lock | ms6.b() VIP check |
→ returns true |
| Export to file | ms6.b() VIP check |
→ returns true |
| Device model VIP properties | tg2.j() isVipUser param |
→ forced true |
| Account screen VIP badge | ms6$a.d() + d6.c() |
→ returns 1 (VIP) |
| Account screen expiry date | ms6$a.c() + d6.a() |
→ returns year 2100 |
| APK signature verification | ep5.d(Context) |
→ returns true |
Architecture (version 2.0.0-beta-9-5)
Hook Layer 1 — Source of Truth
ms6.b() → true Core isVip check (cascades to all ViewModels)
ms6$a.d() → 1 Account vipStatus
ms6$a.c() → year 2100 Account vipDueDate
Hook Layer 2 — Native Stability & DEX Spoofing in Target Apps
Runtime.loadLibrary0 → Blocks "af_native" to prevent anti-tamper kill thread
Native.doInit → returns true (anti-tamper bypass)
Native.getDex → serves XOR-decrypted payload (via DexExtractor)
Hook Layer 3 — Static Utility Methods
tg2.w() → isVipUser=true Randomization of VIP-only fields
tg2.j() → isVipUser=true Device model application
Hook Layer 4 — UI Display (Cosmetic)
d6.c() → 1 UserInfo Parcelable vipStatus
d6.a() → year 2100 UserInfo Parcelable dueDate
Hook Layer 5 — Anti-Tamper
ep5.d() → true APK signature verification bypass
Native Stability & SPOOFING (Runtime Extraction)
Android Faker distributes its spoofing classes3.dex payload inside libaf_native.so as an XOR-encrypted blob to evade detection. To safely serve this payload to target apps:
- Target Crash Prevention: Android Faker spawns an anti-tamper thread (
kill()) fromJNI_OnLoadwhen hooking target apps. The module hooksRuntime.loadLibrary0to blocklibaf_native.soentirely, preventing the kill thread. - Runtime DEX Extraction: Since the
.sois blocked,Native.getDex()is no longer available in memory. The module dynamically scanslibaf_native.so(either from the filesystem or by extracting it directly from the Faker APK ZIP usingDexExtractor), finds the XOR cipher (0x32), and decrypts the DEX blob at runtime. - Serving the Payload: It intercepts
Native.doInit(bypassing anti-tamper constraints) andNative.getDex(), seamlessly serving the runtime-decrypted DEX directly into memory. No manual extraction needed!
VIP Flow (How It Works)
ms6$a.vipDueDate (account field)
↓
ms6.b() — compares vipDueDate > currentTime/1000 ← HOOKED (always true)
↓
AuthRepository.userStateFlow → StateFlow<ms6>
↓
ViewModels observe flow → extract ms6.b() into isVipUser Boolean
↓
UI state classes: fr4.isVipUser, HookState.isVipUser
↓
Feature gates: m15039k().getIsVipUser() == Boolean.TRUE → ALWAYS PASSES
Class Name Mapping
| Obfuscated (DEX) | Original (Kotlin) | Purpose |
|---|---|---|
a.ms6 |
UserState |
Active user + accounts + isVip |
a.ms6$a |
UserState.Account |
userId, email, vipStatus, vipDueDate |
a.tg2 |
HookConfigKt |
Extension functions for HookConfig |
a.d6 |
UserInfo |
Parcelable for Compose UI |
a.ep5 |
SignatureValidator |
APK signing cert verification |
a.ir4 |
ProfileViewModel |
Profile feature gating |
a.nf2 |
HookViewModel |
Hook feature gating |
a.fr4 |
ProfileState |
UI state (has isVipUser field) |
a.ww |
AuthRepository |
Interface exposing userStateFlow |
a.rl3 |
Model |
Device model data class |
Building
Prerequisites
- Android Studio (or Gradle CLI)
- Android SDK 34+
- JDK 11+
Steps
- Open
FakerUnlocker/in Android Studio as a project - Sync Gradle
- Build → Build APK (
./gradlew assembleDebug)
Manual Build (CLI)
cd FakerUnlocker
./gradlew assembleDebug
# APK at: app/build/outputs/apk/debug/app-debug.apkLogs
Check Xposed/LSPosed logs for hook status:
adb logcat | grep FakerUnlocker
Expected output:
FakerUnlocker: Hooking com.android1500.androidfaker
FakerUnlocker: [OK] ms6.b() → true (core VIP check)
FakerUnlocker: [OK] ms6$a.d() → 1 (VIP status)
FakerUnlocker: [OK] tg2.w() → isVipUser forced true (randomization)
FakerUnlocker: [OK] d6.c() → 1 (UserInfo VIP status)
FakerUnlocker: [OK] ep5.d(Context) → true (signature bypass)
FakerUnlocker: All hooks installed successfully
And in target apps (where location/device info spoofing is applied):
FakerUnlocker: Installing target-app native stability (block + lazy DEX extraction)
FakerUnlocker: [BLOCKED] System.loadLibrary("af_native") — kill thread prevention
FakerUnlocker: [OK] Native.doInit → true
FakerUnlocker: [OK] DEX from Faker APK: 53584 bytes
FakerUnlocker: [SERVED] getDex() → 53584 bytes
Troubleshooting
App crashes after enabling module
Android Faker's native library (libaf_native.so) has extensive anti-tamper:
/proc/self/mapsscanning for RWX memory pages- ARM64 trampoline detection on libc.so functions (inline hook detection)
libart.sobyte-level integrity comparison (disk vs memory)libandroid_runtime.sointegrity checks- TracerPid / ptrace / wchan detection
- Frida thread & memory detection
If the app crashes, try:
- Use Shamiko (Zygisk module) to hide Xposed from Android Faker
- Use LSPosed in Zygisk mode (stealthier than Riru)
- Deny-list the app in Magisk Hide / Zygisk
Hook method not found
If you see [FAIL] messages, the app may have been updated with new obfuscation. The obfuscated names (b, w, j, etc.) change between R8 builds. You'll need to re-analyze the APK with JADX and update the method names.
Disclaimer
This module is created for educational purposes only as part of a reverse engineering practice lab. Do not use it to circumvent legitimate software protections in production.