Monday, 8 August 2016

Download all APK from Google Play - Device/Country bypass (Android 6 Marshmallow)

As we all know Google Play has multiple filters whose main objective is to verify whether the application to download (APK) is compatible with our device, however as I have seen there are also filters by country, limiting downloading the APK to the country where it is used. The clearest example we can have in international organizations that have different APK depending on where the headquarters.

The objective of this article will be to evade the principal restrictions or filters determined by Google Play.

Maybe someone us there said someone there websites that evade these restrictions allowing download any APK, but the reality is different, they are sites with their own repositories, previously downloaded from Google Play, with this means that if the application has not been previously downloaded you can not download this APK from those sites.

1.Bypass device filter:

Before you start talking about the filters, you must set the stage for action, ie the type of device to use (virtual or physical). In the case of using a virtual machine recommend:
Mobile Security Framework (MobSF) with Xposed Framework to spoof your device, but if the application uses GPS MobSF may not be useful. For this reason I decided to use a physical device, in my case a terminal with Android Xiaomi MI4 to force device filter on Google Play.Let's see if your device is not compatible with the download of certain applications. Then you will see something like that on Google Play:

The only solution is to spoof our Android device to avoid this restriction. If you use MobSF you can use Xposed Framework and spoof your Android virtual machine. You can also install Xposed Framework on your physical Android device, I could not incompatible with my kernel version 3.4.0. Therefore, and after rooting my physical device, install an application that allowed me to spoof my device.

I will not go into details about the application. Once  spoofed we can check in the device manager of Google. By other hand, Google Play will automatically recognize the new device, make sure you have installed Google Play services on your Android device.

I changed my Xiaomi MI4 LTE by OnePlus One... and magicly I have OnePlus MI4LTE. If you check your new user-agent will see a Real Phone + Spoofed Phone agent combination.  Therefore, if we could do MitM to Google Play with BurpSuite (for example) and modify the user-agent, and with this we could spoof the device also. Although it is easier to change the User-Agent in the system, with the application shown above.

Now you can check Google Play to see the new state...
2.Bypass country filter:

To skip this filter, I followed the following steps:

1) Create a Gmail account in the country where you want to download the APK.
2) Create a virtual phone that country for use in my new Gmail account.
3) Locate a free VPN connection in the country where you want to download the APK.
4) Download a GPS simulation software to place in that country.

Well, with this and we can download all the APKs available in the repository of Google Play, although the process may seem tedious, it is not much and will be very useful in the future.

Note: If you use virtual machine with Android, remembers take snapshots.

If you want know more about Google Play filters:

Thanks to: