Analysis of an Android Step Counter Manipulation App Using the Xposed Framework

The article examines a step‑counter simulator Android app that claims to modify the step counts of any fitness application to reach a user‑specified target, and outlines how the app achieves this cheating behavior.

It begins with a background on the Xposed Framework, a powerful hook system that runs in high‑privilege mode by replacing /system/bin/app_process , loading XposedBridge.jar , and providing hook APIs such as beforeHookedMethod and afterHookedMethod for developers.

The piece then reviews Android sensor basics, noting the three sensor categories (dynamic, environmental, positional) and the key classes used to interact with them: SensorManager , Sensor , SensorEvent , and SensorEventListener .

In the functional analysis, the app is shown to have no third‑party code protection; its core logic resides in three Java classes: MainActivity , HookSensor , and an unnamed class referred to as b . MainActivity checks whether the Xposed framework is installed and reads user settings from the UI.

The HookSensor class serves as the entry point of the Xposed module, using Xposed’s hook interfaces to intercept system sensor calls. It targets classes such as android.hardware.SystemSensorManager$SensorEventQueue and android.hardware.SensorManager to capture and alter sensor data.

The b class performs the actual cheating by hooking sensor event methods with beforeHookedMethod . It examines the sensor type and, based on constants such as:

public static final int TYPE_MAGNETIC_FIELD = 2;

public static final int TYPE_ORIENTATION = 3;

public static final int TYPE_GYROSCOPE = 4;

public static final int TYPE_LIGHT = 5;

public static final int TYPE_PROXIMITY = 8;

public static final int TYPE_GRAVITY = 9;

public static final int TYPE_ROTATION_VECTOR = 11;

the module manipulates the step count data before it reaches the target application.

The app also requests several Android permissions, including android.permission.VIBRATE , android.permission.WRITE_EXTERNAL_STORAGE , and android.permission.READ_EXTERNAL_STORAGE , and its main entry point is com.specher.sm.MainActivity . It can launch other apps via ComponentName cn = new ComponentName(packageName, className); to detect the presence of Xposed.

In conclusion, the analyzed program is a straightforward Xposed plugin that cheats by hooking system sensor APIs, and the article notes that many modern apps now implement Xposed detection and countermeasures, leading to customized frameworks such as LSPosed.