Contact Us

1. File and Malware Submission Ingestion Pipeline

Our research team is committed to identifying, analyzing, and documenting malicious software campaigns, phishing sites, and deceptive distribution applications that target players and developers. We strongly encourage security researchers, Android developers, and individual gamers to submit suspicious APK packages, active scam links, or telemetry payloads. To ensure the integrity of our analytical operations and to safeguard our internal systems, all incoming files undergo a highly automated and isolated ingestion pipeline.

When a file or domain is submitted to our queue, it is processed through the following structural checkpoints to determine its danger level and catalog it for static or dynamic execution checks:

• Metadata Parsing and Pre-screening: Before any binary package is downloaded or decompiled, our ingestion agent extracts primary metadata. This includes the submitter's notes, the specific version of the game or software targeted, the source domain hosting the file, and initial device behavior reports. The domain is cross-referenced against multiple threat intelligence feeds to check if it belongs to an established adware network or dynamic DNS registrar used in previous campaigns.
• Cryptographic Indexing: The submitted file (or fetched binary) is immediately hashed to generate unique SHA-256 and MD5 keys. These cryptographic keys function as digital fingerprints. The resulting hashes are checked against our local malware registry and public repositories like VirusTotal. If a match is found, the file is automatically marked with its existing classification, saving processing cycles. If it is a new, unique hash, the file is moved to the queue for deep analysis.
• Decoupled Proxy Fetching: When a submitter shares a direct URL to a suspicious file instead of a local hash, our remote ingestion agent pulls the binary. This transfer is executed through an isolated proxy network that strips header information, preventing the hosting server from identifying our scraper or delivering a modified, non-malicious payload (a technique often used by smart malware servers to evade sandboxes).
• Network-Isolated Encrypted Storage: All incoming binaries are stored in an encrypted, non-executable storage container outside the web server's root. The files are encrypted at rest using AES-256 encryption. This ensures that even if an analyst accesses the storage directory, the binaries cannot be executed accidentally on the host system.

Once the file has successfully passed through these ingestion checks, it is queued for detailed static decompilation and dynamic behavioral monitoring within our secure analysis environment.

During the static decompilation phase, our analysis software automatically extracts the compiled Android manifest file to examine the permissions demanded by the software. Unofficial game mods, fake beta updates, and third-party tools frequently request broad system access. We scrutinize permissions such as system overlay alerts, contact harvesting, SMS monitoring, and audio recording. Any file asking for permissions that exceed the baseline requirements of a standard mobile application is flagged for elevated dynamic analysis.

Dynamic sandboxing is the final step in the threat assessment pipeline. The suspect binary is loaded onto physical Android devices or highly configured emulator environments equipped with comprehensive monitoring software. These test environments are completely decoupled from our primary systems and are routed through specialized gateways that record all outbound DNS lookups, API requests, and system events. This allows us to witness the malware's real-time attempts to communicate with remote command servers or execute privilege escalation scripts without exposing our production nodes to any danger.

2. Form Handling and Spam Prevention Architecture

Web forms are a primary entry point for cyberattacks, database injection attempts, and automated spam campaigns. To protect our contact interfaces and maintain the integrity of our ingestion databases, we implement a multi-tiered security and spam mitigation architecture on the server side. Every request transmitted to our servers undergoes strict token validation, data sanitization, and automated bot detection checks.

CSRF Token Validation Mechanics

Cross-Site Request Forgery (CSRF) is a vulnerability where an unauthorized website commands a user's browser to submit a request to a trusted application on which the user is authenticated. To prevent this exploit, our system utilizes the Synchronizer Token Pattern. When a user requests the contact or submission page, the server generates a cryptographically secure, random 32-byte token using the PHP function random_bytes(). This token is saved in the user's active session array and embedded in the HTML form as a hidden input parameter.

Upon submission, the server extracts the POST parameter and compares it to the token stored in the session. To prevent timing attacks—where an attacker deduces the matching token characters by measuring the microsecond differences in comparison speeds—we employ PHP's hash_equals() function. This function performs a constant-time string comparison, ensuring that the comparison time is identical regardless of where a discrepancy occurs. If the tokens do not match or are missing, the server rejects the request immediately, returns a 403 Forbidden status code, and writes a security log entry.

Server-Side Filtering and Sanitization

We never trust client-side validation, as it can be easily bypassed by attackers using command-line tools or custom scripts. Our server-side processing engine applies strict sanitization algorithms to all incoming data fields. For text areas and text fields, we use standard string sanitization functions to strip HTML tags, preventing Cross-Site Scripting (XSS) payloads from being executed when our staff views reports.

For email addresses, the server uses PHP's native filter_var() function with the FILTER_VALIDATE_EMAIL flag, which validates the address format against standard RFC specifications. Furthermore, to block temporary, disposable, or entirely fake domains, our system runs a DNS query using getmxrr() to check for the presence of valid Mail Exchanger (MX) records. If a domain does not have active MX records, the submission is rejected as spam.

For file uploads, the server ignores the user-provided MIME type and file extension. Instead, we use PHP's finfo extension to analyze the binary signature (magic bytes) at the beginning of the file. If the file claims to be a screenshot (PNG format) but starts with the bytes of an executable file, the server drops the upload instantly. Any allowed file is renamed using a cryptographically secure unique identifier and moved outside the public web root to prevent Remote Code Execution (RCE) exploits.

Honeypot Field Implementation

Traditional CAPTCHA systems can be difficult to read and create significant friction for users, particularly those using screen readers or assistive technologies. To block automated spambots without degrading usability, we deploy a honeypot mechanism. We inject a hidden text input field named contact_form_website_url into our forms. This field is hidden from human view using CSS layout properties that place it far off-screen or set its display value to none.

Because automated bots scan the raw HTML DOM rather than rendering the visual layout, they assume the hidden input is a required form element and populate it with link payloads. When a POST request is received, the server checks if the honeypot field contains any data. If it is not empty, the server marks the request as spam. Instead of showing an error message, which would help bot developers debug their scripts, the server returns a simulated success response while silently discarding the submission on the backend.

3. Email Transmission Protocols (SMTP, SPF, DKIM, and DMARC)

When our analysis team replies to a submission, issues a report verification, or contacts a user, the security and authenticity of that communication must be guaranteed. Email spoofing is a common vector used by scammers to trick users into downloading fake applications. To establish secure, spoof-proof communication, all our outgoing mail servers are configured using strict authentication protocols, ensuring that receiving mailboxes can verify our digital identity.

Secure SMTP Routing

We do not rely on standard PHP mail() functions, which run locally on the web server and are highly prone to interception or blacklisting. All outbound messages are sent through dedicated, TLS-encrypted Simple Mail Transfer Protocol (SMTP) relays. These relays authenticate each session using secure API keys stored as server environment variables. This prevents configuration details from being leaked in public code repositories. The transmission is secured using Transport Layer Security (TLS) over port 587, protecting the contents of our emails from eavesdropping in transit.

SPF (Sender Policy Framework)

SPF is an email validation protocol designed to detect email spoofing. It allows the owner of a domain to publish a public record in their DNS settings detailing which mail servers and IP addresses are authorized to send emails on behalf of that domain. When a mail server receives an email claiming to come from our domain, it queries our DNS records to check the SPF settings.

Our SPF configuration is established with a strict fail mechanism (-all), which explicitly commands receiving servers to reject any email claiming to come from our domain if it originates from an unauthorized IP address. This significantly reduces the likelihood that malicious actors can successfully impersonate our analysts when communicating with players.

DKIM (DomainKeys Identified Mail)

DKIM adds cryptographic signature verification to all outgoing emails. It ensures that the message was sent by the actual domain owner and has not been altered or modified while traveling across the internet. When our mail server prepares an email, it generates a unique cryptographic hash of the email headers and body. It then signs this hash using our private RSA key and appends the signature to the email header.

The corresponding public key is published in our domain's DNS TXT records. When the recipient's mail server receives the message, it retrieves the public key from our DNS and decrypts the signature. If the decrypted hash matches the hash of the received email, the signature is validated. This verification guarantees both the origin and the integrity of the message.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is the policy framework that coordinates SPF and DKIM. It defines how a receiving mail server should handle messages that fail either SPF or DKIM checks. We maintain a DMARC policy set to reject (p=reject), instructing receiving mail servers to immediately block and delete any emails that fail authentication.

Furthermore, DMARC allows us to monitor our email ecosystem by receiving daily XML feedback reports. These reports outline which servers worldwide are sending mail claiming to be from our domain, including the authentication status of those messages. This reporting enables our security team to quickly identify and report fraudulent domains and phishing networks attempting to abuse our brand identity.

4. Dynamic Contact Interface Components and Client-Side Validation

Providing a modern user interface requires real-time feedback loops that help users correct submission mistakes immediately. Our contact forms utilize modern JavaScript and CSS custom properties to manage interface state, validate user entries dynamically, and handle form submission statuses asynchronously.

Interactive Feedback Validation

To prevent frustrating form resets and page reloads, our front-end validation script monitors input fields in real time using the input event listener.

• Email Syntax Matching: The script checks email inputs against a robust client-side regular expression: /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/. If the syntax does not match, a visual warning is instantly rendered below the input, and the field is highlighted.
• File Size Constraints: When a user attaches a telemetry log or screenshot, the browser checks the file size property in the file array list. If the file exceeds our 10MB limit, the input is cleared, a warning message is shown, and the upload button is disabled.
• Length Monitoring: The text area for the report description is monitored for length. If the entered text is shorter than 30 characters, the interface reminds the user to provide more technical detail to help our analysis team.

UI Error Indicators and Accessibility (a11y)

When a validation error occurs, our stylesheet and script coordinate to update the DOM. Fields that fail validation are given an .is-invalid class, which triggers CSS styles to change the input borders to crimson and display a clear error message below the field.

To ensure the form is accessible to visually impaired users, we implement ARIA (Accessible Rich Internet Applications) standards. Any invalid field is dynamically assigned the attribute aria-invalid="true". The error message container is assigned a unique ID, and the input's aria-describedby attribute is updated to target this ID. This ensures that screen readers read the error message aloud when the user focuses on the invalid field. If the user tries to submit the form with errors, the page automatically scrolls to the first invalid field and focuses it.

Asynchronous Request Handling (AJAX/Fetch)

When the form is submitted, the default page reload is blocked using event.preventDefault(). Instead, the data is compiled into a FormData object and sent to the server via the Fetch API:

• Button Disable: The submit button is disabled immediately, and its text is updated to 'Processing...' with an active loading spinner to prevent duplicate submission entries.
• Success State (HTTP 200): The script hides the form and renders a success message card containing a reference ID and estimated response timeline.
• Validation Failures (HTTP 400): The script reads the JSON error response from the server and renders field-specific error messages directly above the relevant inputs.
• Forbidden / Token Expiry (HTTP 403): The script displays a security error informing the user that their session token has expired, automatically refreshing the page after a brief delay.
• Too Many Requests (HTTP 429): The interface intercepts rate-limiting failures and displays a notification indicating that the client has sent too many requests, rendering a countdown indicating when the form will be unlocked.

5. Secure File Submission Pipeline (Hashes, Telemetry, and Logs)

To perform deep malware analysis or troubleshoot software conflicts, our research team must examine binary files, operating system crash logs, and process telemetry data. However, transmitting large files can be bandwidth-intensive, and raw crash logs can accidentally contain sensitive user data. To balance security, bandwidth, and personal privacy, we offer three main paths for submitting analytical information.

Cryptographic Hash Submissions

In many cases, we do not need to download the full binary file if we can verify its identity. We encourage users to submit the file's cryptographic hash first. The hash is a unique string of characters generated by passing the file through a mathematical algorithm. Because even a tiny change to a file alters its hash completely, this serves as a reliable digital fingerprint.

Users can easily generate these hashes on their local machines before sending a report:

• Windows PowerShell: Open the terminal and type Get-FileHash -Path C:\path\to\file.apk -Algorithm SHA256 to get the 64-character hash.
• macOS & Linux Terminal: Open the console and run sha256sum /path/to/file.apk or shasum -a 256 /path/to/file.apk.

When you submit this hash, our server queries our database to see if we have already cataloged the file. If we have, the system records your report immediately, eliminating the need to upload the full binary.

Memory Dump and Telemetry Log Sanitization

Memory dumps (DMP files) and Android logcat logs are invaluable for tracking exploit payloads and application crashes. However, because these files capture snapshot data from device RAM, they may contain Personally Identifiable Information (PII), such as active login tokens, email addresses, hardware MAC addresses, or device identifiers.

Before uploading any log file, we require users to perform the following sanitization steps:

1. Open in Text Editor: Open the log file in a plain text editor like Notepad++, VS Code, or TextEdit.
2. Scrub Sensitive Identifiers: Use the search-and-replace feature to find and replace personal email addresses, usernames, and physical device identifiers (such as IMEI or MAC addresses) with generic placeholders.
3. Remove OAuth and Session Tokens: Inspect headers and log lines for strings containing authorization bearer tokens, cookies, or session keys, and delete them.
4. Verify Plain Text Format: Ensure the file is saved as a plain text .txt or .log file. Our upload filters reject files containing unreadable binary strings in text inputs to protect our parsing scripts from buffer overflow exploits.

Sandbox Ingestion and Network Isolation

When a full APK upload is approved, the file is handled within our isolated malware detonation network. The file is uploaded directly to a secure storage container that is encrypted at rest using AES-256 keys. This storage is completely decoupled from our public web server's file system, preventing any local file inclusion (LFI) or execution exploits.

From there, the file is transferred to our physical test devices or virtualization systems in a completely isolated network segment. The sandbox records all API calls to the Android operating system, captures network packet dumps, and tracks process spawning. All outbound network traffic is redirected to a simulated internet service, preventing the malware from establishing an active connection with its remote command servers while still allowing us to log its behavior.

6. Step-by-Step Guide: Submitting Official Tickets to Garena

As an independent security research organization, we cannot manage player accounts, retrieve lost profiles, remove game bans, or resolve payment discrepancies. These actions require access to official databases and transaction logs managed by Garena. If you are experiencing account issues, you must file a ticket through the official Garena Help Center. Below is a detailed, step-by-step guide to navigating their support system successfully: