[ CENTURIALABS // CLICKSAFE UAE // CENTURIAFOUNDATION ]  //  RESEARCH_ACTIVE
GAMA
Greyware Analysis and Mitigation Approach

An analyst-first methodology and open source toolset for identifying greyware behaviour in Android applications.

Not malware. Not clean software. The grey area in between — where advertising SDKs route data through channels invisible to VPN proxies, where apps persist after force-stop, where privacy policies say one thing and the bytecode does another.

Technology collects. The analyst interprets.
Nothing is classified automatically.

4    Open Source Tools
7    GAMA Techniques
31   Findings / APK
40+  SDKs Fingerprinted
1B+  Users Potentially Affected

// THE PROBLEM

Standard Scanners Are Not Enough.

Modern Android apps routinely embed advertising and analytics SDKs that collect data through channels invisible to standard monitoring tools. These are not malware techniques — they are deliberate architectural choices that maximise data collection while evading privacy controls.

The most common evasion vector is custom URI scheme IPC: data passed through Android WebView's shouldOverrideUrlLoading before any network call. This channel bypasses mitmproxy, Charles Proxy, and every VPN-based blocker.

Popular idle games and free-to-play apps with hundreds of millions of installs embed up to 11 advertising SDKs simultaneously. The Mintegral MBridge SDK alone — confirmed active in thousands of apps — routes device identifiers and behavioural data through the mv:// channel documented in CENT-2026-001.

GAMA was built to find these patterns systematically, document them with defensible evidence, and contribute them to a shared community knowledge base that grows with every analysis.

2.6B Android devices active globally — every one a potential vector for undisclosed data collection
11 Ad/analytics SDKs found simultaneously in a single 140MB idle game APK
22 Custom URI schemes found in one APK — 10 with suspicion score ≥9
0 Standard network monitors that can see inside WebView IPC channels

// THE ECOSYSTEM

Four Tools. One Pipeline.

Python · CLI
GAMA Framework
Interactive analyst workspace. 7-phase structured methodology. URI scanner, SDK fingerprint, finding management, Class A/B/C/D classification, enforcement rule generation (DNS sinkhole, Zeek, Snort/Suricata).
→ gama-framework
Python · Pipeline
GAMA-Intel
Automated static analysis pipeline. Ingests APK (.apk, .xapk, .apks), produces URI scheme scores, SDK fingerprint, manifest analysis, encoded string decoder, STIX 2.1 reports for ATT&CK Navigator.
→ gama-intel
Rust · ML
GAMA-Deep
Three-channel MLP anomaly scoring. Static features (128-dim), smali bytecode embeddings (256-dim), network sequences (256-dim). Pure Rust, no CUDA required. Community module system for extensibility.
→ gama-deep
Python · Knowledge Base
GAMA-Community
Shared confirmed findings. SQLite local DB synced from GitHub, PR-based submission workflow, CenturiaLabs + independent lab validation. Every confirmed finding distributed to all labs on next sync.
// COMING SOON

// LIVE DEMO

Airport Empire Idle — Real Analysis.

A popular idle game. 140MB APK. Millions of installs. This is what GAMA-Intel found in under 10 minutes of static analysis.

# GAMA-Intel — Airport Empire Idle v0.7.0 (com.SekGames.AirportEmpireIdle)
# SHA256: 9c57f407e6db3517...   Size: 140.4 MB
Workspace: 20260315_170023_airport-idle
APK: Airport Idle_0.7.0_APKPure.xapk

Phase 1: Static analysis
  jadx:             31,677 Java files recovered
  SDK fingerprint:  11 SDKs identified
  Encoded strings:  21 Base64/hex hits

URI SCHEME SCANNER RESULTS
────────────────────────────────────────────────────────
12  mv://                4 occ · smali_classes9 · WebView handler co-located
12  mraid://            18 occ · 7 files · tracking context: event
12  applovin://          6 occ · tracking context: event, ad
11  tcp://               1 occ · smali_classes8 · WebView handler — ANOMALOUS
10  gmsg://              5 occ · tracking context: ad
 9  unity-ads-cache://   5 occ · smali_classes6
 8  global://           99 occ in 2 files · smali_classes9 · UNUSUAL VOLUME
 7  fbconnect://        13 occ · 7 files
...14 more schemes
────────────────────────────────────────────────────────
FINDINGS: 31
BY TECHNIQUE:  GAMA-T001: 30   GAMA-T007: 1
GAMA-Deep anomaly score: 51.0/100   static: 23%   smali: 77%   network: 0%
RESULT: mv:// confirmed Class-C → CENT-2026-001
# The mv:// channel — what it looks like at runtime (Frida)
# Hook: android.webkit.WebViewClient.shouldOverrideUrlLoading
[GAMA-T001] {
  "ts": "2026-03-15T18:00:00Z",
  "technique": "GAMA-T001",
  "scheme": "mv",
  "url": "mv://show?uid=abc123&did=device456&event=launch&adtype=1"
}
# uid = user identifier, did = device identifier
# Passed BEFORE any outbound network request
# Invisible to VPN, mitmproxy, Charles Proxy
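The scanner output above is what the pipeline prints; the following is an added illustration, written for this page and not code from GAMA-Intel, of how a static custom-URI-scheme scan of that kind can work: it walks decompiled files, skips ordinary Android schemes, counts occurrences per scheme, notes whether a WebView URL handler lives in the same file, looks just past each scheme for identifier and ad-event parameter names, and assigns a simplified suspicion score. The scoring weights, the allow-list of standard schemes, the keyword lists and the three sample smali files are all assumptions constructed for the example.

```python
"""Static scan of decompiled sources for custom URI schemes, with a
simplified suspicion score (assumption: the scoring weights are ours, not
GAMA-Intel's)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Schemes that are ordinary in Android code and are never scored (assumed list).
STANDARD_SCHEMES = {"http", "https", "file", "content", "data", "javascript",
                    "tel", "mailto", "market", "intent", "android.resource"}

SCHEME_RE = re.compile(r"\b([a-z][a-z0-9+.-]{1,40})://", re.IGNORECASE)
# Evidence that the scheme is consumed by a WebView URL handler in the same file.
WEBVIEW_HANDLER_RE = re.compile(r"shouldOverrideUrlLoading|WebViewClient")
# Parameter names that carry user/device identifiers or ad-tracking context.
IDENTIFIER_RE = re.compile(r"\b(uid|did|gaid|adid|android_id|imei|idfa)\b", re.I)
TRACKING_RE = re.compile(r"\b(event|track|impression|click|ad|adtype)\b", re.I)


@dataclass
class SchemeHit:
    scheme: str
    occurrences: int = 0
    files: Set[str] = field(default_factory=set)
    webview_colocated: bool = False
    identifiers: bool = False
    tracking: bool = False

    def score(self) -> int:
        """3 for any non-standard scheme, +4 if a WebView handler is co-located,
        +3 if identifier parameters are passed, +2 for ad/event context (max 12)."""
        s = 3
        s += 4 if self.webview_colocated else 0
        s += 3 if self.identifiers else 0
        s += 2 if self.tracking else 0
        return s


def scan(sources: Dict[str, str]) -> Dict[str, SchemeHit]:
    """sources maps a decompiled file path to its text (smali or Java)."""
    hits: Dict[str, SchemeHit] = {}
    for path, text in sources.items():
        has_handler = WEBVIEW_HANDLER_RE.search(text) is not None
        for m in SCHEME_RE.finditer(text):
            scheme = m.group(1).lower()
            if scheme in STANDARD_SCHEMES:
                continue
            hit = hits.setdefault(scheme, SchemeHit(scheme))
            hit.occurrences += 1
            hit.files.add(path)
            hit.webview_colocated = hit.webview_colocated or has_handler
            # Inspect the text right after the scheme for parameter names.
            window = text[m.end():m.end() + 120]
            hit.identifiers = hit.identifiers or IDENTIFIER_RE.search(window) is not None
            hit.tracking = hit.tracking or TRACKING_RE.search(window) is not None
    return hits


def report(hits: Dict[str, SchemeHit], min_score: int = 0) -> List[Tuple[int, str, int, int]]:
    """Rows of (score, scheme, occurrences, file count), highest score first."""
    rows = sorted(hits.values(), key=lambda h: (-h.score(), h.scheme))
    return [(h.score(), h.scheme, h.occurrences, len(h.files))
            for h in rows if h.score() >= min_score]


# Constructed sample: three decompiled files, not taken from any real APK.
SAMPLE_SOURCES = {
    "smali_classes9/com/example/adsdk/WebHandler.smali":
        ".class Lcom/example/adsdk/WebHandler; .super Landroid/webkit/WebViewClient;\n"
        ".method public shouldOverrideUrlLoading\n"
        '    const-string v0, "mv://show?uid=abc123&did=device456&event=launch&adtype=1"\n'
        '    const-string v1, "mv://close"\n',
    "smali_classes6/com/example/cache/Cache.smali":
        '    const-string v0, "unity-ads-cache://file"\n'
        '    const-string v1, "https://cdn.example.invalid/asset"\n',
    "smali_classes2/com/example/net/Net.smali":
        '    const-string v0, "https://api.example.invalid/v1"\n'
        '    const-string v1, "content://media/external"\n',
}

if __name__ == "__main__":
    for row in report(scan(SAMPLE_SOURCES), min_score=3):
        print("%2d  %-20s %3d occ · %d file(s)" % row)
```

Run stand-alone it lists the two non-standard schemes in the sample: mv:// scores the maximum because a WebView handler, identifier parameters and event context all coincide in one file, while unity-ads-cache:// keeps the base score. As on the page, the score is a ranking aid for the analyst, not a classification.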

// CONFIRMED FINDINGS

Community Intelligence.

CENT-2026-001 // CONFIRMED // CLASS-C // 2026-03-15
Mintegral MBridge SDK — mv:// URI Scheme IPC Bypass
The Mintegral MBridge advertising SDK (com.mbridge.msdk) uses the custom URI scheme mv:// to route device identifiers and ad event data through Android WebView's shouldOverrideUrlLoading before any outbound network request is made.

This channel is invisible to mitmproxy, Charles Proxy, and VPN-based blockers. URI parameters include uid (user identifier), did (device ID), event type, and ad metadata. The data is transmitted before the network monitoring layer has any opportunity to inspect or block it.

Confirmed in Airport Empire Idle v0.7.0 (com.SekGames.AirportEmpireIdle) and cross-validated by CenturiaLabs and ClickSafe UAE.
TECHNIQUE // GAMA-T001
ATT&CK // T1637.002 (proposed)
CLASS // C — CONCEALED
SCORE // 12/15
SDK // Mintegral / MBridge
CONFIRMED BY // CenturiaLabs + ClickSafe UAE
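To show how the runtime side of GAMA-T001 can be turned into a finding, here is an added example (written for this page, not part of the GAMA tools or the CENT-2026-001 evidence) that triages JSON-lines events of the shape the Frida hook record above has: each event is split with urllib, http/https URLs are dropped because a proxy would see those anyway, and any custom scheme whose query carries identifier parameters is rolled up into one finding per scheme and host. The identifier parameter list and the three sample events are constructed assumptions; the Frida hook that would emit the events is not shown.

```python
"""Triage of WebViewClient.shouldOverrideUrlLoading hook events (JSON lines)
into GAMA-T001 findings. Assumption: events carry ts, scheme and url as in the
runtime record on the page; the hook script itself is not part of this example."""
import json
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as identifiers (assumption: this list is ours).
IDENTIFIER_PARAMS = {
    "uid": "user identifier",
    "did": "device identifier",
    "gaid": "advertising ID",
    "android_id": "Android ID",
}
NETWORK_SCHEMES = {"http", "https"}  # a proxy or VPN blocker would see these


def triage(jsonl: str) -> List[Dict]:
    """One finding per (scheme, host) whose URIs carried identifier parameters."""
    findings: Dict[tuple, Dict] = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        parts = urlsplit(ev["url"])
        if parts.scheme in NETWORK_SCHEMES:
            continue
        params = parse_qs(parts.query)
        leaked = {p: IDENTIFIER_PARAMS[p] for p in params if p in IDENTIFIER_PARAMS}
        if not leaked:
            continue  # custom scheme, but no identifier crossed the IPC channel
        key = (parts.scheme, parts.netloc or parts.path)
        f = findings.setdefault(key, {
            "technique": "GAMA-T001",
            "scheme": parts.scheme,
            "host": key[1],
            "first_seen": ev["ts"],
            "count": 0,
            "identifiers": {},   # param name -> meaning
            "context": set(),    # non-identifier params seen alongside
        })
        f["count"] += 1
        f["identifiers"].update(leaked)
        f["context"].update(p for p in params if p not in IDENTIFIER_PARAMS)
    return list(findings.values())


# Constructed hook output: three events, not captured from any real app.
SAMPLE_EVENTS = "\n".join([
    '{"ts": "2026-03-15T18:00:00Z", "scheme": "mv", '
    '"url": "mv://show?uid=abc123&did=device456&event=launch&adtype=1"}',
    '{"ts": "2026-03-15T18:00:01Z", "scheme": "mv", "url": "mv://close"}',
    '{"ts": "2026-03-15T18:00:02Z", "scheme": "https", '
    '"url": "https://cdn.example.invalid/creative.html"}',
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps({**finding, "context": sorted(finding["context"])}, indent=2))
```

Only the mv://show event becomes a finding: mv://close carries no parameters and the https navigation is visible to ordinary network monitoring. The `first_seen` timestamp and the parameter names are exactly the evidence a Class-C entry like the one above needs to quote.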

// GAMA-Community knowledge base — submit findings via GitHub PR. Every confirmed Class-C/D finding distributed to all labs.


// TECHNIQUE CATALOGUE

Known Evasion Patterns.

ID         Name                                  ATT&CK Mobile         Detection Method
GAMA-T001  Custom URI scheme IPC bypass          T1637.002 (proposed)  URI scanner + Frida WebView hook
GAMA-T002  Post-install silent payload delivery  T1407                 Size delta + DexClassLoader hook
GAMA-T003  Background task persistence           T1624.003 (proposed)  WorkManager hook + post-termination DNS
GAMA-T004  Domain fronting via CDN               T1665                 SNI vs destination IP in Zeek ssl.log
GAMA-T005  JNI policy bypass                     proposed              Native lib entropy + JNI symbol analysis
GAMA-T006  Premium tier visual illusion          proposed              Runtime capture after paid tier activation
GAMA-T007  Encoded string obfuscation            T1406                 Base64/hex decoder + obfuscation ratio
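The GAMA-T004 detection method in the table ("SNI vs destination IP in Zeek ssl.log") is the one that most needs a worked illustration, so here is an added example, written for this page rather than taken from the GAMA tools, of the correlation it implies: parse Zeek's tab-separated logs by their `#fields` header, build a name-to-answer map from dns.log (following CNAME chains to IP addresses), and flag every TLS connection whose destination IP was never a resolved answer for its SNI. The two log excerpts are constructed and carry only a subset of the real Zeek columns; the parser is keyed on the header, so it reads full logs the same way.

```python
"""GAMA-T004 lead generation: TLS connections whose SNI does not resolve to the
destination IP they went to, correlated from Zeek ssl.log and dns.log.
Assumption: logs are Zeek's default TSV with a #fields header line."""
import ipaddress
from typing import Dict, List, Set


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Rows as dicts keyed by the names in the #fields header; other # lines skipped."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def resolution_map(dns_rows: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """query -> set of answers (IPs and CNAME targets; Zeek separates them with commas)."""
    answers: Dict[str, Set[str]] = {}
    for r in dns_rows:
        if r.get("answers", "-") == "-":
            continue
        answers.setdefault(r["query"], set()).update(r["answers"].split(","))
    return answers


def resolve_ips(name: str, answers: Dict[str, Set[str]], seen: Set[str] = None) -> Set[str]:
    """Follow CNAME chains until only IP addresses remain (loop-safe)."""
    seen = seen if seen is not None else set()
    ips: Set[str] = set()
    for a in answers.get(name, ()):
        try:
            ipaddress.ip_address(a)
            ips.add(a)
        except ValueError:  # not an IP, so treat it as a CNAME target
            if a not in seen:
                seen.add(a)
                ips |= resolve_ips(a, answers, seen)
    return ips


def fronting_candidates(ssl_rows: List[Dict[str, str]],
                        dns_rows: List[Dict[str, str]]) -> List[Dict]:
    """TLS connections whose destination IP was never an answer for their SNI."""
    answers = resolution_map(dns_rows)
    out = []
    for r in ssl_rows:
        sni = r.get("server_name", "-")
        if sni == "-":
            continue
        ips = resolve_ips(sni, answers)
        if r["id.resp_h"] not in ips:
            out.append({"technique": "GAMA-T004", "uid": r["uid"], "sni": sni,
                        "dst": r["id.resp_h"], "resolved": sorted(ips)})
    return out


# Constructed Zeek excerpts (reduced column sets, documentation-range IPs).
SSL_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\n"
    "1710522000.1\tCabc1\t10.0.0.5\t50123\t203.0.113.10\t443\tcdn.example.invalid\n"
    "1710522001.2\tCabc2\t10.0.0.5\t50124\t198.51.100.7\t443\tcdn.example.invalid\n"
    "1710522002.3\tCabc3\t10.0.0.5\t50125\t203.0.113.10\t443\t-\n"
)
DNS_LOG = (
    "#fields\tts\tuid\tquery\tanswers\n"
    "1710521999.0\tCdns1\tcdn.example.invalid\tedge.cdn-provider.invalid,203.0.113.10\n"
)

if __name__ == "__main__":
    for c in fronting_candidates(parse_zeek_tsv(SSL_LOG), parse_zeek_tsv(DNS_LOG)):
        print(c)
```

In the sample only connection Cabc2 is flagged: the SNI resolved to 203.0.113.10 but the session went to 198.51.100.7. A mismatch is a lead, not a confirmation, because large CDNs legitimately answer for many names from shared edge addresses and a resolver cache or a second A record may simply be missing from the capture; the analyst still has to interpret it, which is why the roadmap lists GAMA-T004 automated confirmation as planned rather than done.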

// CLASSIFICATION SYSTEM

Four Classes. No Ambiguity.

CLASS A
Operational
Proportionate to declared purpose. Disclosed in privacy policy. No evasion techniques detected.
CLASS B
Disproportionate
Collects more data than declared. Not actively concealed. Clear policy gap between declaration and behaviour.
CLASS C
Concealed
Uses evasion techniques — custom URI bypass, encoding, JNI bridges — to hide collection from network monitoring tools.
CLASS D
Deceptive
Directly contradicts an explicit privacy policy statement. Highest severity. Requires Frida confirmation + policy text quote.

// ROADMAP

What Is Built. What Is Coming.

✓ DONE

GAMA Framework v1.0

7-phase investigation CLI. URI scanner, SDK fingerprint, finding management, enforcement rule generation. Full XAPK/APKS support.

✓ DONE

GAMA-Intel v1.0

Automated static analysis pipeline. STIX 2.1 report generation. Import from GAMA Framework workspaces. Batch analysis mode.

✓ DONE

GAMA-Deep v0.1

Three-channel ML anomaly scoring in Rust. CPU-only, no CUDA. Community module system. Obfuscation detector module.

✓ DONE

CENT-2026-001

First confirmed community finding. Mintegral MBridge mv:// URI bypass. Class-C, confirmed by two independent labs.

► ACTIVE

GAMA-Community v0.1

Public knowledge base on GitHub. PR-based finding submission. SQLite local sync. CenturiaLabs + independent lab governance.

○ PLANNED

GAMA-Deep v0.2

Full backpropagation training. Transformer-based smali encoder. Network LSTM for temporal sequence analysis.

○ PLANNED

Frida Script Library

Pre-built hooks for all 7 GAMA techniques. Auto-generated from static findings. Integration with GAMA Framework Phase 3.

○ PLANNED

Network Analysis Integration

Full Zeek pipeline for post-termination detection. Domain fronting classifier. GAMA-T003 and GAMA-T004 automated confirmation.


// CONTRIBUTE

BUILD THE KNOWLEDGE BASE.

Analysed an APK with GAMA and found something interesting? Submit a Class-C or Class-D finding to the community knowledge base. Every confirmed entry is distributed to all labs on the next sync. Security researchers, mobile privacy labs, and forensics teams welcome.