How to Bypass Geo Restrictions in Android Apps and Games
Background:
In Android apps and games, geo-related information is commonly retrieved via TelephonyManager methods such as:
– getNetworkOperatorName() / getSimOperatorName() → Operator/Carrier Name (e.g., “AT&T”)
– getNetworkOperator() / getSimOperator() → PLMN (MCC+MNC, e.g., “310410”)
– getNetworkCountryIso() / getSimCountryIso() → Country ISO code (e.g., “US”)
TelephonyManager API:
https://developer.android.com/reference/android/telephony/TelephonyManager
At the smali level we can patch the code right after the invoke-virtual call and the move-result-object so that the register that received the string result is overwritten with a fixed string (dummy/fake values). Below are example regex searches and the replacement snippets to inject constant strings.
Smali Patching Instructions
1. Spoofing Carrier Name
Search Pattern (Regex):
(invoke-virtual\s\{(?:[pv]\d+)\},\sLandroid/telephony/TelephonyManager;->get(?:Network|Sim)OperatorName\(\)Ljava/lang/String;\n(?:\s*(?:[.#][^\n]*)?\n)*\s*move-result-object\s([pv]\d+))(?:\n\n\s*const-string\s\2,\s".*")?
Replace With:
$1\n\n\tconst-string $2, "AT&T"
This overrides the result of getNetworkOperatorName() or getSimOperatorName() with a hardcoded carrier name.
2. Spoofing PLMN (MCC+MNC)
Search Pattern (Regex):
(invoke-virtual\s\{(?:[pv]\d+)\},\sLandroid/telephony/TelephonyManager;->get(?:Network|Sim)Operator\(\)Ljava/lang/String;\n(?:\s*(?:[.#][^\n]*)?\n)*\s*move-result-object\s([pv]\d+))(?:\n\n\s*const-string\s\2,\s".*")?
Replace With:
$1\n\n\tconst-string $2, "310410"
This sets the MCC+MNC code to “310410” (AT&T USA).
3. Spoofing Country ISO
Search Pattern (Regex):
(invoke-virtual\s\{(?:[pv]\d+)\},\sLandroid/telephony/TelephonyManager;->get(?:Network|Sim)CountryIso\(\)Ljava/lang/String;\n(?:\s*(?:[.#][^\n]*)?\n)*\s*move-result-object\s([pv]\d+))(?:\n\n\s*const-string\s\2,\s".*")?
Replace With:
$1\n\n\tconst-string $2, "US"
This forces the app to believe the device is located in the United States.
Why These Regex Patterns Are Powerful
These regexes are written with the layout of disassembled smali in mind. Here’s what makes them robust and reliable:
1. Comprehensive Matching: They capture the TelephonyManager calls listed above whether or not debug directives, annotations, or comments sit between the call and its move-result-object.
2. Multi-line Resilience: Whether that debug info takes a single line or spans several lines, the regex still matches accurately without breaking.
3. Safe Reapplication: You can apply these regexes repeatedly without stacking duplicate replacements or injecting dummy code fragments, because the optional trailing group consumes a const-string left by a previous run.
Notes:
1. Because this modifies smali code (dex disassembly), it will not work if the app uses native code, runtime-decrypted strings, or has tamper-proofing/encryption/packing that prevents straightforward smali patching.
2. This technique changes only the returned string values at the smali level. It does not handle other checks the app may make (e.g., location APIs, server-side verification, or other device identifiers).
3. To obtain MCC+MNC codes, you can check out the following resources.
– Website:
https://mcc-mnc.net - A comprehensive database of Mobile Country Codes (MCC) and Mobile Network Codes (MNC).
– GitHub Repository:
https://github.com/P1sec/MCCMNC - An open-source collection of MCC/MNC data maintained by the community.
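A defender-side check, added here as an example and not part of the original post: a heuristic Python scan of disassembled smali for the shape this patch leaves behind, namely a TelephonyManager getter whose result register is overwritten by a const-string as the very next instruction. The function names and the sample smali are constructed for illustration.

```python
import re

# Getters named on this page whose results the patch overwrites.
GETTER = re.compile(
    r"invoke-virtual\s*\{[^}]*\},\s*Landroid/telephony/TelephonyManager;->"
    r"(get(?:Network|Sim)(?:OperatorName|Operator|CountryIso))\(\)Ljava/lang/String;"
)
MOVE = re.compile(r"move-result-object\s+([pv]\d+)")
CONST = re.compile(r'const-string(?:/jumbo)?\s+([pv]\d+),\s*"((?:[^"\\]|\\.)*)"')


def code_lines(smali):
    """Yield (line_number, instruction), skipping blanks, directives and comments."""
    for number, raw in enumerate(smali.splitlines(), 1):
        text = raw.strip()
        if text and not text.startswith((".", "#")):
            yield number, text


def find_overwritten_results(smali):
    """Report getters whose result register is immediately replaced by a constant."""
    findings = []
    lines = list(code_lines(smali))
    for i, (number, text) in enumerate(lines):
        call = GETTER.search(text)
        if not call or i + 2 >= len(lines):
            continue
        move = MOVE.fullmatch(lines[i + 1][1])
        const = CONST.fullmatch(lines[i + 2][1])
        # Same register written twice in a row: the API result is dead on arrival.
        if move and const and move.group(1) == const.group(1):
            findings.append((number, call.group(1), const.group(2)))
    return findings


# Constructed sample: the first call is patched, the second is untouched.
SAMPLE = """\
.method public static region(Landroid/telephony/TelephonyManager;)Ljava/lang/String;
    .locals 2
    invoke-virtual {p0}, Landroid/telephony/TelephonyManager;->getSimCountryIso()Ljava/lang/String;
    .line 11
    move-result-object v0

    const-string v0, "US"
    invoke-virtual {p0}, Landroid/telephony/TelephonyManager;->getNetworkOperator()Ljava/lang/String;
    move-result-object v1
    return-object v1
.end method
"""

if __name__ == "__main__":
    print(find_overwritten_results(SAMPLE))
```

A hit is a lead for review rather than proof of tampering, and as note 2 above says, a server-side check is unaffected by this kind of patch.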