Providing false coordinates is an inconvenient process and would require a rooted phone as well as the skills and knowledge to pull, edit, and then push the database back to the phone. There are far simpler methods available in the Google Play Market that will work on any device, rooted or not.
|Mock Locations setting|
I was unable to follow the steps located at the bottom of this page to set the location on an actual device. Multiple applications in the Google Play Market that can set fake GPS coordinates require that this setting be enabled in order to function, unless the application is moved into the '/system/app' directory (which requires root).
I tested 'Fake GPS location' by Lexa as it was the first result that comes up when searching for 'fake gps'. This application is very simple to use and will prompt the user to enable Mock Locations if it is not already on.
|Lexa's Fake GPS location|
|Fake GPS location's notification|
I tested the applications that I have looked at in previous blog posts and they all believed that the phone was where I had set the location. I also looked at the various SQLite entries and could not see anything to indicate that the application knew that the GPS coordinates were false. I was expecting the 'is non authoritative' field within the messages table of Facebook Messenger's threads_db2 to be different for these messages, but it was not.
As the picture below shows, Lexa's Fake GPS location stores the previous locations that have been set. Knowing this, I set out to find the specific database on the device.
Both the history and favorites tables contain the same fields:
|Entry from the history table|
One field that is not stored in this database is a timestamp of when the location was set. It may be possible to determine this by checking the last modified time of the database file, but as I was extracting the database file using adb pull I was unable to verify this.
Detecting Mock Location Applications
Determining if Currently Installed
As the presence of these types of applications on the device can call into doubt any of the coordinate artifacts outlined in my previous posts, knowing if one of these applications is installed is crucial.
To see if the application is currently installed, search for the .apk file signature, which is:
50 4B 03 04 14 00 08 00 08 00
You can also manually check for the .apk, which should be in either /data/apps or /system/apps.
Localappstate.db, found in com.android.vending/databases, also lists every application installed on the device.
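One way to run the signature search over an extracted file system, as an added example that is not code from the original post. The `ACCESS_MOCK_LOCATION` manifest check and all function names are assumptions added here; the signature only matches archives whose first entry was written with those flag and compression bytes, so a miss does not rule out an APK.

```python
import io, os, sys, tempfile, zipfile
from pathlib import Path

# Signature quoted in the post: ZIP local header, version 0x14, flags 0x0008, deflate.
APK_SIGNATURE = bytes.fromhex("504B0304140008000800")
# Assumption (not in the post): the manifest permission mock-location apps declare.
MOCK_PERMISSION = "android.permission.ACCESS_MOCK_LOCATION"

def inspect_file(path):
    """Return a finding for a file that starts with the APK signature, else None."""
    try:
        with open(path, "rb") as fh:
            if fh.read(len(APK_SIGNATURE)) != APK_SIGNATURE:
                return None
    except OSError:
        return None
    try:
        with zipfile.ZipFile(path) as zf:
            if "AndroidManifest.xml" not in zf.namelist():
                return None  # a plain JAR/ZIP, not an APK
            manifest = zf.read("AndroidManifest.xml")
    except (OSError, zipfile.BadZipFile):
        # Truncated or carved archive: report it so it can be reviewed by hand.
        return {"path": path, "parsed": False, "mock_location": None}
    # Binary manifests keep strings in a UTF-16LE or UTF-8 string pool.
    hit = any(MOCK_PERMISSION.encode(enc) in manifest for enc in ("utf-16-le", "utf-8"))
    return {"path": path, "parsed": True, "mock_location": hit}

def scan_tree(root):
    """Walk an extracted file system and return findings sorted by path."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found += filter(None, (inspect_file(os.path.join(dirpath, f)) for f in files))
    return sorted(found, key=lambda f: f["path"])

def write_sample_apk(path, manifest):
    """Constructed sample: a tiny ZIP whose first header is patched to the signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
    raw = bytearray(buf.getvalue())
    raw[6:8] = b"\x08\x00"  # flag bytes of the first local file header
    Path(path).write_bytes(raw)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # no path given: scan one constructed sample
        write_sample_apk(os.path.join(root, "sample.apk"), MOCK_PERMISSION.encode("utf-16-le"))
    print(*scan_tree(root), sep="\n")
```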
Determining if Previously Installed
It is also important to determine if one of these applications was previously installed on the device, as it could have been uninstalled before the phone was acquired. The Play Market database files contain information on the applications that have been linked to the Google account and those that have been installed on the device. Found in com.android.vending/databases are three SQLite databases:
Suggestions.db will list every term searched in the Google Play Market, including the time that it was entered. This can be used to see if the suspect was searching for applications to fake the GPS coordinates, or even other applications to aid in anti-forensics.