diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index 01b7ad48f7b..1b901ac0956 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md 
@@ -127,6 +127,40 @@ Instead of custom sockets, some malware uses **Firebase Cloud Messaging (FCM)** Native payloads can be delivered as encrypted ELF blobs and decrypted with `CipherInputStream()`, using a key **derived from SHA‑1 of the downloaded filename**. Each filename/version yields a distinct key, hindering static IOC reuse. +### High-entropy extensionless assets + native JNI decryptors + +A useful Android malware triage pattern is a **small `classes.dex` + one oversized asset under `assets/`** (sometimes extensionless) with **near-max entropy**. If one asset holds most of the APK size and looks uniformly random, treat it as a probable **encrypted stage 2** instead of a normal media/resource file. + +Quick checks: +```bash +unzip -l suspicious.apk | sort -k1,1nr | head +ent assets/ +readelf -s lib/*/lib*.so | grep ' Java_' +strings lib/*/lib*.so | grep -E 'ByteArrayOutputStream|AssetManager|Cipher|RegisterNatives' +``` + +Triage ideas: +- Compare the payload size against `classes.dex`; if the asset dominates the APK, the visible Java code may only be a loader. +- Very large JNI routines with meaningless names plus stack/XOR-decoded strings often indicate **native-only decrypt/load logic**. +- Hook asset reads or the JNI decryptor instead of only decompiling DEX. Good choke points are `AssetManager.open`, `CipherInputStream`, `RegisterNatives`, and the suspicious `Java_*` export itself. + +### Multi-identity deception in Android droppers + +Some loaders deliberately use **three different identities**: +- the **visible app label** shown to the victim, +- the **real manifest package** used by Android, +- and a **different JNI namespace / class path** embedded in `Java___` exports. + +When these identities do not match, use all three during hunting and IOC generation. Malware analysts often miss second-stage clues because the native library points to a package/class name that never appears in the launcher UI. 
+ +### Sensor-gated anti-analysis + raw-IP C2 fallback + +Recent Android spyware also mixes **FCM-based command delivery** with **local anti-analysis gates**: +- `com.google.firebase.MESSAGING_EVENT` receivers blend C2 into normal Google push traffic. +- JNI exports such as `onSensorChanged` / `onAccuracyChanged` can be used to check for missing accelerometer/gyroscope noise in emulators. +- Permissions such as `QUERY_ALL_PACKAGES`, `REQUEST_IGNORE_BATTERY_OPTIMIZATIONS`, `WAKE_LOCK`, `FOREGROUND_SERVICE`, and `REQUEST_INSTALL_PACKAGES` are a strong sign that the sample is meant to **profile**, **persist**, and **stage extra APKs** (installation still depends on Android version / user-consent state). +- A decrypted **raw IP** contacted directly over TLS avoids DNS logs and passive-DNS correlation; if sandbox traffic shows CDN/proxy IPs with **no preceding DNS lookup**, assume the real C2 indicator may only exist inside the decrypted stage. + ### OEM system-app droppers and `customer.prop` root backdoors Cheap Android TVs/projectors and other OEM devices sometimes ship with **privileged system apps** signed with **AOSP test keys** or an OEM platform key, plus **weak boot-property handling**. Treat these builds as both an Android-app and firmware target: the system app can act as a **dropper**, while insecure OEM partitions can turn **ADB over TCP** into a repeatable root backdoor. 
@@ -1091,5 +1125,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th - [BeatBanker: A dual‑mode Android Trojan](https://securelist.com/beatbanker-miner-and-banker/119121/) - [Pre-installed C2 Infrastructure and RAT Payload on Android Projectors](https://github.com/Kavan00/Android-Projector-C2-Malware) - [Reverse-engineering pre-installed Android malware with Claude Code](https://zanestjohn.com/blog/reing-with-claude-code) +- [Inside the Fake RTO Challan Checker: How I Uncovered a Sophisticated Android Spyware Targeting Indians](https://medium.com/@singhbkn07/inside-the-fake-rto-challan-checker-how-i-uncovered-a-sophisticated-android-spyware-targeting-8f2da6a9a5a0) {{#include ../../banners/hacktricks-training.md}}
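Review bot: In the "Quick checks" block of the first hunk, `ent assets/` does not do what the surrounding text implies: `ent` reads one file and errors out on a directory, so the command never reports the entropy of the oversized asset the section is about. Suggest iterating over the extracted files instead, e.g. `for f in assets/*; do echo "== $f"; ent "$f"; done`, and stating up front that the block assumes the APK has already been unpacked into the working directory (the first line lists `suspicious.apk`, the remaining three read `assets/` and `lib/` as if extraction had happened). Two smaller points in the same hunk: the multi-identity bullet writes `Java___` exports while the section just above uses `Java_*`, so either spell out what the triple underscore stands for or use the same `Java_*` glob so it does not read as a typo; and the permissions bullet under "Sensor-gated anti-analysis" calls that set "a strong sign" of profiling, persistence and staging, but `WAKE_LOCK`, `FOREGROUND_SERVICE` and `REQUEST_IGNORE_BATTERY_OPTIMIZATIONS` are routine in benign apps, so qualify it as meaningful only in combination with the other indicators so readers do not alert on the permissions alone.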
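Review bot: The new entry in this hunk is the only source added with the patch, yet none of the three sections added in the earlier hunk cites anything; if this write-up is where the FCM receiver, sensor-gating and raw-IP C2 observations come from, link it from that section as well so the claims stay traceable to their source rather than only appearing in the reference list. The placement itself (after the previous entries, before the banner include) matches the existing list.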