Fix AppGuard detection

[strazzere]

Currently the rule is gated on finding /assets/appguard/ AND classes.sox, however this does not seem to be consistent across the board;

[96%]diff@rocksteady:[appguard] $ unzip -l GrowStone_net.supercat.stone_V1114.apk | grep -i appguard
   123040  07-28-2017 13:50   assets/appguard/sign.mf
      256  07-28-2017 13:50   assets/appguard/sign.crt
   125142  01-01-1980 09:00   assets/appguard/armeabi/libstub.sox
      384  01-01-1980 09:00   assets/appguard/update.dat
   503142  01-01-1980 09:00   assets/appguard/armeabi/libengine.sox
[96%]diff@rocksteady:[appguard] $
[96%]diff@rocksteady:[appguard] $
[96%]diff@rocksteady:[appguard] $ shasum GrowStone_net.supercat.stone_V1114.apk 
e656173648e345f72d34210b0c0d0e4a7ebdd974  GrowStone_net.supercat.stone_V1114.apk
[96%]diff@rocksteady:[appguard] $ apkid GrowStone_net.supercat.stone_V1114.apk 
[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
[*] GrowStone_net.supercat.stone_V1114.apk!classes.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, device ID check, network operator name check, possible Build.SERIAL check, possible vm check, ro.kernel.qemu check, ro.product.device check, subscriber ID check
 |-> compiler : dexlib 2.x
[*] GrowStone_net.supercat.stone_V1114.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check
 |-> compiler : dexlib 2.x

[strazzere]

Unsure if they're both the same appguard. This one may be a different version/company?

This one seems to wrap every activity by using an intermediary class which captures all the actions in proxy style;

.super Lcom/inca/security/Proxy/AppGuardProxyActivity;
    invoke-direct {p0}, Lcom/inca/security/Proxy/AppGuardProxyActivity;-><init>()V
    invoke-super {p0, p1}, Lcom/inca/security/Proxy/AppGuardProxyActivity;->dispatchKeyEvent(Landroid/view/KeyEvent;)Z
    invoke-super {p0, p1}, Lcom/inca/security/Proxy/AppGuardProxyActivity;->onConfigurationChanged(Landroid/content/res/Configuration;)V
    invoke-super {p0, p1}, Lcom/inca/security/Proxy/AppGuardProxyActivity;->onCreate(Landroid/os/Bundle;)V
    invoke-super {p0}, Lcom/inca/security/Proxy/AppGuardProxyActivity;->onDestroy()V
    invoke-super {p0}, Lcom/inca/security/Proxy/AppGuardProxyActivity;->onPause()V
    invoke-super {p0}, Lcom/inca/security/Proxy/AppGuardProxyActivity;->onResume()V
    invoke-super {p0, p1}, Lcom/inca/security/Proxy/AppGuardProxyActivity;->onTouchEvent(Landroid/view/MotionEvent;)Z
    invoke-super {p0, p1}, Lcom/inca/security/Proxy/AppGuardProxyActivity;->onWindowFocusChanged(Z)V

[strazzere]

This one is interesting, it seems to be the previous one we had been detecting, however this specific sample also seems to have used DexGuard (maybe it's part of AppGuard's sdk flow?) though this one is specifically wrapping a .Net game.