| Primary | Secondary | Introduction | Label |
| --- | --- | --- | --- |
| Virtual devices | Emulator | Identify apps running in mainstream emulator environments. | 301 |
| | Cloud Emulator | Identify apps running in cloud-based virtual phone environments. | 302 |
| | Customized Emulator | Identify the device as a development board or other non-standard mobile device. | 303 |
| | API Attack | Identify the use of tools to bypass the application and construct malicious network protocol packets for requests. | 1201 |
| Environmental risk | Developer Mode | Identify that Developer Mode is enabled on the device. | 201 |
| | Root | Identify that the device has been rooted. | 202 |
| | Code Injection | Identify that the app process may have been injected with tools. | 203 |
| | Repackage | Identify that the current app is a repackaged or tampered version from unofficial channels; the app's program logic may be altered after being unpacked or re-signed. | 204 |
| | Hook | Identify that key system APIs or application functions may have been hijacked. | 205 |
| | Dual App Env | Identify apps running in third-party multi-instance or sandbox environments. | 206 |
| | Risk Process Found | Identify the presence of risky processes such as root or group control tools in the system. | 207 |
| | USB Debugging | Identify that debugging mode is enabled on the device. | 211 |
| | Customized ROM | Identify that a non-official custom system, or one that poses a security risk, has been flashed onto the device. | 212 |
| | Magisk | Identify that the underlying system has been modified by hijacking tools. | 213 |
| | System App Clone | Identify the use of the system's built-in multi-instance functionality. | 214 |
| | Non-System User | Identify the use of the system's built-in multi-user functionality. | 216 |
| | No SIM | Detect the SIM card status of the device. | 217 |
| | Memory Scanned | Identify that the app process memory is being scanned, typically for game cheating modifications. | 1202 |
| | Bootloader Unlocked | Identify that the device's Bootloader is unlocked, allowing third-party recovery or system images to be flashed. | 220 |
| Device tampering | Device Tampering | Device hardware or system information has been tampered with, such as model, manufacturer, system version, etc. | 1001 |
| Underground industry devices | Abnormal ROM | Identify the device using a custom ROM commonly found in black/gray market scenarios. | 218 |
| | Cloud Device | Identify the device as a cloud-based real device. | 1100 |
| | Dev Mode ROM | Identify the device using an uncommon or development/debug mode ROM. | 219 |
| Network risk | Network Proxy (WiFi Permission Needed) | Identify that an HTTP network proxy is configured on the device. | 210 |
| | VPN | Identify that a VPN or proxy tool is in use on the device. | 209 |
| Underground industry tools | Automator App Installed | Mainstream automation tools are present in the device's software list. | 401 |
| | Group Control App Installed | Mainstream group control tools are present in the device's software list. | 402 |
| | Camera Hijacking Tools installed | Camera hijacking tools are present in the device's software list. | 1318 |
| | Fake Geographic Location Tools installed | Virtual location tools are present in the device's software list. | 1320 |
| Abnormal behavior | Auto-Clicking & Fake Events | Device suspected of having automated script behaviors, including operations like keyboard inputs, page navigation, and clicks. Commonly seen in scenarios like batch account registration, task farming, and coupon abuse, leading to fraud losses. | 4 |
| | Screen Mirroring | Device is suspected of having screen recording risk targeting the app interface. | 215 |
| | Process Traced | Identify that the app process may be under dynamic reverse engineering, e.g., using debugging tools. | 1003 |
| | System Restored | Device is suspected to have been restored to factory settings. | 222 |
| Location Spoofing | Fake Geographic Location | Identify the use of virtual location services or software to forge geographical locations. | 208 |
| Camera Attack | Camera Hijacking | The system device camera is hijacked. | 1006 |

| Primary | Secondary | Introduction | Label |
| --- | --- | --- | --- |
| Virtual devices | Simulator | Identify apps running in a simulator environment. | 5012 |
| | API Attack | Identify the use of tools to bypass the application and construct malicious network protocol packets for requests. | 5018 |
| Environmental risk | Jailbroken | Identify the device as jailbroken. | 5001 |
| | Code Injection | Identify that the app process may have been injected with tools. | 5004 |
| | Repackage | Identify that the current app is a repackaged or tampered version from unofficial channels; the app's program logic may be altered after being unpacked or re-signed. | 5011 |
| | Hook | Identify that key system APIs may have been hijacked. | 5007 |
| | Dual App Env | Identify apps running in a third-party multi-instance environment. | 5009 |
| | No SIM | Detect the SIM card status of the device. | 5020 |
| Device Tampering | Device Information Manipulation | Identify that the device's system information has been tampered with. | 5010 |
| Underground industry devices | Auto-Clicking & Fake Events | Identify that the device may be controlled by automation tools. | 5016 |
| Network risk | Network Proxy | Identify that an HTTP network proxy is configured on the device. | 5005 |
| | VPN | Identify that a VPN or proxy tool is in use on the device. | 5006 |
| Location Spoofing | Fake Geographic Location | Identify the use of virtual location services or software to forge geographical locations. (Requires cloud configuration and interface switches to be enabled) | 5015 |
| Abnormal behavior | Screen Mirroring | Identify potential screen capture or recording risk targeting the app interface. | 5019 |
| | Auto-Clicking & Fake Events | Identify automated script behaviors in the device, including operations like keyboard inputs, page navigation, and clicks. Commonly seen in scenarios like batch account registration, task farming, and coupon abuse, leading to fraud losses. (Requires cloud configuration and interface switches to be enabled) | 5017 |
| | Process Traced | Identify that the app process may be under debugging, with potential for dynamic reverse engineering. | 5008 |
| | System Restored | Identify that the device is suspected to have been restored to factory settings. | 5024 |
| Camera Attack | Camera Hijacking | Identify that the system camera device may be hijacked. | 5102 |

| Primary | Secondary | Introduction | Label |
| --- | --- | --- | --- |
| Headless Browser | | Identify that the request originates from a virtual browser environment. | 30001 |
| Malicious Web Plugin | | Identify that the browser may have cheating plugins installed. | 30002 |
| Web Parameter Tampering | | Identify that browser parameters may have been tampered with. | 30003 |
| Debug Mode | | Identify that the browser may be in debug mode. | 30005 |
| Cookie Disabled | | Identify that cookies may be disabled in the browser. | 30006 |
| Incognito | | Identify that the browser may be in incognito/private mode. | 30007 |
| Automator Tool | | Identify that the request may be initiated by automation tools. | 30009 |
| HOOK | | Identify that page functions may have been hijacked. | 30010 |
| Privacy Browser | | Identify that the request originates from a privacy-focused browser. | 30011 |
| Crawler | | Identify that the request may originate from a web crawler. | 30012 |

| Primary | Secondary | Introduction | Label |
| --- | --- | --- | --- |
| IDC IP | | The client IP address for the request is an IDC IP address. | 50001 |

| Primary | Secondary | Introduction | Label |
| --- | --- | --- | --- |
| Local time abnormality | | Client timestamp and server timestamp differ. | 50006 |