The game runtime environment is a key indicator for assessing the risk of third-party cheats. When games operate in high-risk environments such as rooted devices, jailbroken devices, virtual machines, virtual frameworks, or cloud phones, the associated security risks significantly increase.
These risk environments can grant cheats the elevated privileges needed to tamper with memory and inject code, while also utilizing plugins to conceal process characteristics, thereby evading conventional detection mechanisms.
This paper analyzes the characteristics and detection challenges of gaming risk environments through case studies and proposes effective and reliable detection solutions.
Android Root
Root refers to superuser privileges. In the Android system, gaining root access means users can modify system files, remove pre-installed applications, and install specialized apps. The primary methods for obtaining root access currently include: flashing custom ROMs, virtual environments, and PC emulators.
In a root environment, cheating users can use modifiers to scan the game's memory and tamper with elements such as currency amounts, character data, and critical items. Alternatively, they may employ reverse engineering tools to analyze and modify the game, creating hack versions or ad-free editions.
During countermeasures, we discovered that some users exploit Magisk in conjunction with the Shamiko module and LSP framework to render Magisk itself, root privileges, and Cheats invisible to the game. This renders traditional detection methods ineffective, severely compromising game balance.
iOS Jailbreak
iOS jailbreak refers to the process of removing or bypassing Apple's operating system restrictions on iOS devices through software or hardware vulnerabilities, thereby gaining the highest level of access to the device.
After jailbreaking a device, users can leverage the elevated privileges gained to install software like Cydia Manager. This allows them to bypass the App Store and install various unreviewed plugins and Cheats, enabling modifications to system files and even access to system-level APIs.
Cheaters employ anti-jailbreak detection plugins to evade detection. Common plugins include HideJB, abapass, fyjb, and others. These plugins hook numerous system interface layers, filtering all jailbreak-related strings to prevent proper detection at the application layer.
Virtual Machine
A virtual machine can simulate multiple Android systems on a single phone. Each simulated system operates independently and can be flexibly configured as needed, enabling simultaneous operation of multiple applications to achieve multi-instance operation and background tasks.
The simulated Android system comes with root privileges, providing an environment for running cheats. Cheaters also use plugins like Magisk to hide cheats’ processes from the game, evading detection.
Virtual Framework
Virtual frameworks employ diverse implementation principles. Common approaches include replicating an APK into a virtual space for execution via virtualization technology; modifying the APK package name and signature; or utilizing plugin mechanisms for operation.
Within virtual frameworks, cheating users can run multiple instances of a game simultaneously to achieve multi-instance idling. Additionally, some virtual frameworks come with built-in root privileges, providing an environment for game Cheats and Hack.
Cloud Phone
Cloud phones operate by leveraging public cloud infrastructure and ARM virtualization technology to provide users with an Android instance hosted in the cloud. Users remotely control the cloud phone in real time via video streaming, enabling native Android apps and mobile games to run seamlessly in the cloud.
Cloud phones are primarily used for running multiple instances of cheats. Some cloud phones feature dedicated app rooting capabilities, allowing users to enable root access selectively for specific cheats to evade detection.
Some cloud phones come with a one-click reset feature that randomly generates new device IDs and device information to evade bans and penalties.
Additionally, PC emulators pose certain security risks in specific scenarios, such as: built-in root privileges, auto click, multi-instance operation, and asymmetric advantages.
However, as emulators are commonly used by players, we cannot simply ban them outright. Instead, we need customized solutions tailored to different game genres and scenarios to prevent emulator-based cheating.
In response to the aforementioned gaming risk environment and detection challenges, JikGuard has developed specialized countermeasures. This solution has been integrated into multiple popular games and has demonstrated outstanding protection capabilities.
Security Risk Environment Detection
Unlike other products on the market, JikGuard employs deeper-level detection methods to precisely identify game runtime environments. It can recognize various risk environments such as rooted devices, jailbroken devices, virtual machines, virtual frameworks, cloud phones, and PC emulators. Game developers can then implement targeted countermeasures based on the detection results.
Anti-Jailbreak Protection
Utilizing proprietary detection technology, it achieves precise identification without false positives. By comprehensively analyzing multiple runtime indicators, it detects unknown anti-jailbreak plugins and jailbreak methods, ensuring thorough processing of anti-jailbreak plugins with zero false negatives.
Magisk Dedicated Detection
JikGuard's exclusive detection solution can accurately identify Magisk even when all hidden options are enabled, and perform actions like triggering app crashes.
