Z App Spoofing Is NOT Dead

NovaAlpha on 02/05/2024 - 17:15
Last edited 05/05/2024 - 15:55

Well, looks like Z finally caught on and implemented additional checks. I was PM'd by a Cheapies user today about not being able to spoof anymore and I can verify this is indeed the case.

I've verified this on several phones, running different ROMs (stock and custom and all rooted) and different Android versions ranging from A10~A14. I've also tested this on Bluestacks. All have failed. Tested using several GPS spoofing apps.

The spoofing itself works fine, I'm able to get the local prices for the suburb/region that I've spoofed. But at the payment stage, it'll decline the transaction. It's the same behaviour across all the devices I've tested, including Bluestacks.

The issue isn't that they are detecting root, or detecting that you've configured mock location under Developer Settings. Those have separate checks that trigger separate errors. And it shouldn't be related to IP either, because if you're on mobile data, you could be anywhere in the country. It seems that perhaps they're accessing the FuseLocation API on Android to check for some flags.

My Z app hasn't been updated for a long time. I've purposely made it hidden from Play Store, so it's not like this is a client-side change. This all seems to be server-side related.

I've also patched my Android Framework to make mock location seem like it's getting genuine location updates, via this method - https://xdaforums.com/t/module-smali-patcher-7-4.3680053/

However, while my Location Changer app doesn't show it's using Mock Location anymore, the payment still gets declined.

The only thing I can think of is that Google Play Services is automatically updated in the background and that Z is utilizing Google Location Accuracy, which relies on Google Play Services and is probably using a newer API. Due to this, Z is probably getting a more accurate read of your real location.

The last thing I haven't tested is to find an older Android device that runs on Android 8 or 9, patch the Android Framework and then test again. The reason is that this patch isn't guaranteed to work on versions > A10 and all my current devices are on A13 or A14. I haven't gotten a bootloop or anything, and some people said it did work for them on A13, but the apps they're testing are probably games like Pokemon Go and not Z App. My current devices, including my spares, all came with stock Android > 10 and so I can't just downgrade to A8 or A9 using a custom ROM or stock ROM.

And assuming the above doesn't work, then I'd need to downgrade Google Play Services to an older APK - which is easy to do. But I'd still need an older Android device to test.

I've also tested this on 2 different Z accounts.

Without spoofing location, I can make purchases just fine.

Anyway, seems like too much effort atm.

UPDATE:

After some more testing, I managed to spoof the location to Whanganui and paid $2.69 / Litre. It seems like there is a certain location range that you can spoof to. Either that, or it could be that they've blocked purchases for the cheapest Z station in the country, which is Wairoa and has been so for the past 2 months or so (based on my monitoring). I've spoofed a few places and was able to make purchases for them, just not for Wairoa. I might need to update my automation to report the next cheapest location shown in Gaspy. But so far, I can see that Whanganui has one of the next cheapest prices.

For those interested, buy it quick before they patch the server-side or make changes to the app. You may need to adjust the purchase amount. It seems like they also check whether you're purchasing a huge amount of petrol and so breaking it down into smaller chunks may work better.

Also, I'm using the latest Z app atm. I don't think the client-side matters, it's the server-side that got updated with better spoofing detections.

There is one other trick that I haven't tried and this is something I just came up with today, but will be using this as a backup option. But I feel like there may be a Z spy lurking around the forums, so I'm keeping this to myself when it breaks again.

General Discussion

Related Stores

Z Energy
Z Energy

Comments

  • Madao on 02/05/2024 - 17:38
    +1

    That is, as they say, all Greek to me

    • NovaAlpha on 02/05/2024 - 17:49
      +3

      Yeah, this is mainly for the techies out there who even know how to spoof location in the first place. If you don't know anything about Z App spoofing, then this won't make any sense to you.

      • Aba22 on 08/05/2024 - 01:48

        I don’t know much about spoofing, but had been managing well enough with Bluestacks. Guess that’s over now 😓

  • xsolider on 02/05/2024 - 18:12

    Try purchasing the fuel using your real location and see if it's successful? This is to check if your account is blocked or not.

    • NovaAlpha on 02/05/2024 - 18:12
      +1

      Did that already and it's fine. Forgot to mention this in the post. Will update it.

  • dryburn on 02/05/2024 - 18:13

    Thanks for confirming your findings, I spent the last day and half trying to figure it out. (getting around xapk, why does everything change)
    That will be why I can't install a android 7.1.1 phone.
    I've also tried with Android studio and had the same issue with spoofed location but no issue purchasing without spoofed location.
    In Android Studio there is no Play store

    • kfr23 on 02/05/2024 - 21:05

      There is if you pick an older emulated device, Pixel 3 should have the Play Store

  • rkl on 02/05/2024 - 18:15

    Ah this saves me some time.
    Been meaning to root my old s9 to get the app working wirh mock locations again. (Used to use bluestack), but alas no point now.

    Suppose its good timing as my local z shit down on Tuesday

    • Bill on 02/05/2024 - 19:16

      hillsborough

    • Bobtherobber on 06/05/2024 - 23:15

      This might be a stupid question, but why can't you just use a mock location app and developer mode instead of having to root your phone?

      • NovaAlpha on 07/05/2024 - 00:16

        Read my post, it's all explained there. They're all required.

        In a nutshell - apps can detect if you have mock location spoofed. Some apps can even detect that you have developer settings enabled. Even if you're on a stock ROM with nothing else but Developer Settings enabled, some apps can still detect this and prevent you from using them.

        Therefore, root is required to hide Developer Settings status AND mock location from these apps. You'd also need root to spoof a lot of other things. In short, it's not that simple, otherwise everyone would be doing this left right and center. Pokemon Go and many other apps that rely heavily on user's actual location will implement a lot of methods to detect various things.

        And if you're unsure, the best thing is to try and verify it yourself so you understand what the problem is.

  • mdsl32 on 02/05/2024 - 21:42
    +1

    Suggestion get a random android phone and hide it in a few libraries around the country with TeamViewer installed no way to block that lol

    • Harebrainedkiwi on 02/05/2024 - 23:27
      +2

      I thought that you can't top up if the phone is connected to a charger (so they have kinda blocked that)

    • NovaAlpha on 02/05/2024 - 23:35

      Yeah, was thinking of doing that lol. Although from memory (and this was many many years ago), Teamviewer doesn't allow remote management of an Android device even if it's rooted. But there are other apps that do support this though.

      Was thinking I can get a portable solar panel to charge the device and leave it somewhere out in the wilderness. Makes it less likely for it to be stolen if it's in a library. But I'd literally have to fly out to Wairoa (currently the cheapest 91 and 95 in the country) just for this. Meh.

      • mdsl32 on 03/05/2024 - 13:40

        Teamviewer does work without root as of a few months ago.

  • jackvdbuk on 02/05/2024 - 22:06

    Great analysis, very interesting read and thank
    you for doing this! Is this a hobbie or do you do app development?

    • NovaAlpha on 02/05/2024 - 23:27
      +1

      I'm not a software dev, so nope I don't do app development. Not really a hobby either. I just invested a bit of time to automate Gaspy checks for cheapest Z prices daily and then spoof my location to get cheaper petrol.

  • ABCDEFG on 03/05/2024 - 06:13
    +1

    This is really annoying, but I'm a little impressed that they went to the trouble of closing this hole. Thanks for updating @NovaAlpha, you've been massively helpful.

    EDIT: I likely have an older android device kicking around the back of a drawer somewhere. I might try your patching method over the weekend, will post up results in this thread if I do.

    • Joe on 19/05/2024 - 21:54

      Thanks to the idiots out there who "who spell" it out for the vendors to fix it. There must be a discrete way bit like the countdown rewards shutdown

  • c3rn on 03/05/2024 - 08:17
    +1

    That's a very technical explanation, over my head, so this question might be a dumb one. Is it possible to have location spoof active to find the fuel location of your choice then disable it just before you reach the payment stage?

    • jackvdbuk on 03/05/2024 - 08:26

      This is common with a few vpn tricks so be interested to know too.

    • NovaAlpha on 03/05/2024 - 08:39

      Good question. Short answer is yes but the payment will still fail.

  • dave8501 on 03/05/2024 - 09:23

    i've got an older phone i had rooted just for this, will test it when i get home. I remember i had some issues with it when i didnt have a simcard in the phone so wonder if they're picking up some location information to do with that

    • NovaAlpha on 03/05/2024 - 13:57

      I tried with airplane mode off so it shouldn't have picked up any cell tower signals.

      I think it's purely using Google Location Accuracy to pinpoint your real location, even if it's spoofed. There's 2 different location APIs and FuseLocation I believe is the one that can't be spoofed. Problem is that you can't NOT use Google Location Accuracy, otherwise it wouldn't even show you the price, let alone let you go to the payment stage.

      • huffboy on 03/05/2024 - 14:00

        so google is a sellout

        • NovaAlpha on 03/05/2024 - 14:28

          How do you mean?

          Most Android apps will make use of existing Android OS APIs, including requesting access to system apps such as Google Play Services. Rather than implementing their own security checks for root or whatever, they just make use of Google Play Services, which deals with SafetyNet and Play Integrity. And since Google Play Services is a system app, it'll just automatically update in the background. Even if you disable Play Store, I believe Play Services will just update automatically regardless, or update it the next time you enable Play Store, which you're bound to do from time to time, unless you want to sideload APKs to update them every time, or unless you update apps via F-Droid or Aurora Store.

          In a nutshell, Google isn't doing anything different. 3rd parties just make use of their APIs. I do however think that Android is getting more and more frustrating to use, but still a lot better than iOS for my use cases.

          • dave8501 on 03/05/2024 - 15:58

            @NovaAlpha: i found some notes on ozbargain so will try the below when i get home. It works for their 7/11 app

            There is an app (using LSPosed) that hides the app list called "Hide My Applist" (HMA): https://github.com/Dr-TSNG/Hide-My-Applist

            Install the HMA app
            In the HMA app, hide your Device ID changer, GPS setter, Magisk app and HMA.
            Clear app data and reset your device ID.
            That worked for me.

            edit: HMA also recommend an applist detector app for you to check your config.

            • kartikb on 03/05/2024 - 17:04

              @dave8501: What's Device ID Changer?

              • NovaAlpha on 03/05/2024 - 20:50

                @kartikb: Your device generates an ID after every factory reset. If the app somehow flagged your device ID, you can spoof a new one, without having to factory reset.

            • NovaAlpha on 03/05/2024 - 20:05

              @dave8501: Did that already. I wrote a similar guide on Cheapies somewgere too. So spoofing is currently eorking for you?

              • dave8501 on 03/05/2024 - 20:32

                @NovaAlpha: Nah no luck for me fails at payment

              • NovaAlpha on 03/05/2024 - 20:50

                @NovaAlpha: Just to clarify, GPS Setter works fine for me by spoofing the location without using mock location under Developer Settings. I can get the local Z prices. But payment still fails.

                As for HMA and Device ID Changer, I've been using those for ages already, among other things. You can also use HMA to hide apps from the Play Store, so that they'll never update because they won't even show up. I've hidden my Z app from the Play Store using this method for years.

  • NeverLucky on 03/05/2024 - 23:48

    Unfortunately, my phone updated automatically to the newest iOS edition. Can confirm that it’s most likely server-side changes, Z2.0 app was not updated as I have set all updates to manual. However, something tripped and made it so it wouldn't accept payment upon spoofing location. Sucks that we can't simply decompile the respective .ipa's and .apk's to look further into it as it contains no source code.

    I will keep looking around and seeing if anybody else has found a reason for this abrupt change, will update this thread if anything comes up…

    • NovaAlpha on 05/05/2024 - 16:13

      You can actually decompile the APKs using various tools, I've done it before. But haven't looked into this yet as I didn't deem it to be worth my time. So far, Whanganui is able to be spoofed, among some other locations.

  • xsolider on 04/05/2024 - 09:10

    I don't know much about the phone system. But is it possible that the z app can access the previous phone location logs that were created before we open the z app? If it detects a suspicious location change in a short period of time, the payment will fail? Just a guess.

    • NeverLucky on 04/05/2024 - 10:59

      Perhaps so? But I don’t think it’s the case. I have a good rule of thumb to only open the Z app to redeem fuel after 24 hours. This makes it much more believable. But still I’m getting payment failed.

      • xsolider on 04/05/2024 - 12:50

        24 hours after spoofing and payment still failed?

  • ABCDEFG on 05/05/2024 - 14:11

    Thanks for the update @NovaAlpha, jumped on and topped up.

  • falloutshank on 05/05/2024 - 15:19

    I think what set them off is too many people spoof to Wairoa and then track that most use their app in Auckland etc….

    Very interesting, its like cat and mouse game!

    Cheers to @NovaAlpha for your hard work

    • NovaAlpha on 05/05/2024 - 16:12
      +2

      Not really. If you spoof it properly, e.g. on mobile data or even while using a VPN, then they can't 100% track that you're using the app from Auckland. It'll just show you're on a mobile network, which could mean anywhere in the country.

      In order for them to get cell location of your phone, they would need to request additional APIs in the app so that Android can expose those information to them. There's something else that's going on with the server side that's blocking Wairoa from being used for Sharetank, but I haven't figured that part out yet. So far, anywhere else seems to be fine though.

      • falloutshank on 05/05/2024 - 18:19

        OK I see your point, I will have to buy a cheap android to root soon. Cheers for the education

      • Steve113 on 06/05/2024 - 08:32

        Thanks for the update.
        I am not much of a phone guru but theoretically speaking, perhaps there is a way to trace API calls made during an app execution from Android system.

        Or you maybe use an Android hooking technique.
        It may aid you to inspect network traffic or if cert pinning used them you may be able to view the requested APIs perhaps.
        At least to validate your suspicions about the API calls.

        • NovaAlpha on 06/05/2024 - 10:56

          Yeah, there are apps that can be installed on Android to act as a proxy. The proxy app intercepts traffic on Android and lets you analyze it with tools on your PC. But all of this takes a considerable amount of time to troubleshoot, which I just don't have the time for atm.

  • monkey on 05/05/2024 - 21:51

    Thanks for the update, appreciated.

  • 0mfgroflmao on 06/05/2024 - 09:02
    +1

    I've got a few litres left to use, I remember reading you can't use the whole sharetank and it leaves a small balance? Was there a work around to use up the whole sharetank?

    • Superpower21 on 06/05/2024 - 10:06

      I just used the left over litres and pay at the counter instead of at the pump.

  • genesis on 06/05/2024 - 10:29

    I was able to buy some fuel using Mockgo on iOS in Whanganui. I forgot to turn off wifi when completing the purchase though… :(

  • apas023 on 06/05/2024 - 12:13

    Just had this issue with Wairoa, and came across this thread. The next cheapest for 95 was Z London St, but that was almost 25c more per liter than Wairoa. The transaction went through flawlessly for this pump. Still managed to save 20c per litre compared to the local pumps.

    Hope we find a work around, the Wairoa pricing was just too good :(((

    Does anyone know for certain what the next cheapest 95 Z would be? I can't imagine there being a 25c difference between cheapest and second cheapest.

    • NeverLucky on 06/05/2024 - 12:25
      +1

      If you followed previous threads, Wairoa has been the cheapest because of another gas station around that location that has opened up, they wanted to stay competitive so lowered their price.

      • apas023 on 06/05/2024 - 13:09

        Ah I see, that makes sense. Hopefully we can find another way to purchase from wairoa.

        Can't edit my original comment but in case anyone is curious have just checked that Z Bethlehem may be the lowest.

        • xsolider on 06/05/2024 - 13:20

          $2.82 @Z Bethlehem? That's no way the lowest. Quite a few my local Zs beat that price.

          • apas023 on 06/05/2024 - 13:36

            @xsolider: Hmm just bought an hour ago for $2.75. Must’ve changed.

            • NovaAlpha on 07/05/2024 - 00:17
              +1

              @apas023: Cheapest should be:

              • Wairoa $2.66
              • Whanganui $2.73
              • Rotorua $2.75
              • Hastings $2.75

              These are generally pretty static

  • tomgeniewang on 07/05/2024 - 13:56

    Unfortunately, i always failed at the payment, I tried whanganui, it still doesn't work. it seems it could just detect my root somehow.
    For my case, I have a specific phone with a specific account to purchase fuel, I never use fuel from this account or this phone, it's only for purchase. And there is no other apps installed on this phone other than the ones for spoofing. I share it to another account in another phone, so the information Z could get from the purchase account is very limited. I don't know how they detect the root. But when i configured the deny list, the google service frame work will always uncheck itself. I don't know whether this would be the cause.

    • NovaAlpha on 07/05/2024 - 14:34
      +1

      It's normal if you see the GSF uncheck itself in Magisk denylist, but it's actually still ticked. You want to make sure you expand the app and then tick it. If you simply tick it, it only ticks the root, it doesn't tick any of the sub-services for that app. It's also not just GSF, you'd need to make sure your Play Services is also in denylist.

      Don't use Magisk either. It doesn't have good root-hide mechanisms anymore. You'd want to use something like Magisk Alpha, which is a fork of Magisk with better implementations. There's also APatch and KernelSU methods.

      You'd also want to use Hide My Ass to hide root apps from Z.

      More importantly, you should verify your Play Integrity is actually passing device security. Use Simple Play Integrity Checker from Play Store to check. If you're failing, then you'd need to get the Play Integrity Fix from Github.

      Lastly, don't make huge purchases. Make small purchases like $100 or so for Whakatane and do it in batches. Don't do a single transaction of $400, as payment will fail.

      • tomgeniewang on 08/05/2024 - 14:40

        Thank you so much for your help. I will follow this tonight.

      • NovaAlpha on 08/05/2024 - 15:15

        Sorry, not Hide My Ass, I meant Hide My Applist. It's a LSPosed module.

        • tomgeniewang on 11/05/2024 - 08:10

          unfortunately, I rooted with magisk alpha but still no luck at the sharetank stage. It still detects root. I am not sure whether because my hide my applist setting is wrong. i created 2 templates, one is z, and other root or spoofing apps will not be seen by google play service, google play store, google frame work, and the other template is root or spoofing apps will not be seen by Z.
          What's more is it could still detect root even after I factory reset or uninstall root?

          • NovaAlpha on 11/05/2024 - 13:41

            @tomgeniewang: Then it may be that you need to hide bootloader unlock status, or you are running a custom rom with props that isn't considered to be normal. And id you have a Samsung, then once Knox is tripped, it is basically tripped permanently and apps can see that.

            • tomgeniewang on 13/05/2024 - 09:36

              @NovaAlpha: Hi, Nova, thank you so much for the reply. You are absolutely right. I am using a custom rom which is call crDoird, android 13. So, I actually tried to use the Z app right after I flashed the rom without rooting it and it actually works fine. So i uninstalled it and a day later, I rooted it with magisk alpha and all the other stuff, and the root was detected.
              I will try again to root it first before testing the z app. Because I suddenly remember the only time that i succeeded in topping up with the new version z app was the first time I installed it which was after root and everything. Because i thought it should be as easy as the sweet old times.
              My phone is too old, it's an asus zenfone laser 2, the stock rom could only support to android 6, i used to use the custom rom groovy android 7 to do the z share tank all the time with the old version z app.

  • dave8501 on 08/05/2024 - 09:06
    +1

    anyone with apple devices having any luck? Would like to purchase from Wairoa again :)

    • NeverLucky on 08/05/2024 - 16:32

      It literally said in the post Wairoa cannot be purchased as of now

      • dave8501 on 08/05/2024 - 16:50

        thanks for answering that, can you confirm if anyone with apple devices are having the same issue

Login or Join to leave a comment
Login Join