35 changes: 35 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/README.md
Expand Up @@ -127,6 +127,40 @@ Instead of custom sockets, some malware uses **Firebase Cloud Messaging (FCM)**

Native payloads can be delivered as encrypted ELF blobs and decrypted with `CipherInputStream()`, using a key **derived from SHA‑1 of the downloaded filename**. Each filename/version yields a distinct key, hindering static IOC reuse.

### High-entropy extensionless assets + native JNI decryptors

A useful Android malware triage pattern is a **small `classes.dex` + one oversized asset under `assets/`** (sometimes extensionless) with **near-max entropy**. If one asset holds most of the APK size and looks uniformly random, treat it as a probable **encrypted stage 2** instead of a normal media/resource file.

Quick checks:
```bash
unzip -l suspicious.apk | sort -k1,1nr | head
ent assets/<blob>
readelf -s lib/*/lib*.so | grep ' Java_'
strings lib/*/lib*.so | grep -E 'ByteArrayOutputStream|AssetManager|Cipher|RegisterNatives'
```

Triage ideas:
- Compare the payload size against `classes.dex`; if the asset dominates the APK, the visible Java code may only be a loader.
- Very large JNI routines with meaningless names plus stack/XOR-decoded strings often indicate **native-only decrypt/load logic**.
- Hook asset reads or the JNI decryptor instead of only decompiling DEX. Good choke points are `AssetManager.open`, `CipherInputStream`, `RegisterNatives`, and the suspicious `Java_*` export itself.

### Multi-identity deception in Android droppers

Some loaders deliberately use **three different identities**:
- the **visible app label** shown to the victim,
- the **real manifest package** used by Android,
- and a **different JNI namespace / class path** embedded in `Java_<pkg>_<Class>_<method>` exports.

When these identities do not match, use all three during hunting and IOC generation. Malware analysts often miss second-stage clues because the native library points to a package/class name that never appears in the launcher UI.

### Sensor-gated anti-analysis + raw-IP C2 fallback

Recent Android spyware also mixes **FCM-based command delivery** with **local anti-analysis gates**:
- `com.google.firebase.MESSAGING_EVENT` receivers blend C2 into normal Google push traffic.
- JNI exports such as `onSensorChanged` / `onAccuracyChanged` can be used to check for missing accelerometer/gyroscope noise in emulators.
- Permissions such as `QUERY_ALL_PACKAGES`, `REQUEST_IGNORE_BATTERY_OPTIMIZATIONS`, `WAKE_LOCK`, `FOREGROUND_SERVICE`, and `REQUEST_INSTALL_PACKAGES` are a strong sign that the sample is meant to **profile**, **persist**, and **stage extra APKs** (installation still depends on Android version / user-consent state).
- A decrypted **raw IP** contacted directly over TLS avoids DNS logs and passive-DNS correlation; if sandbox traffic shows CDN/proxy IPs with **no preceding DNS lookup**, assume the real C2 indicator may only exist inside the decrypted stage.

### OEM system-app droppers and `customer.prop` root backdoors

Cheap Android TVs/projectors and other OEM devices sometimes ship with **privileged system apps** signed with **AOSP test keys** or an OEM platform key, plus **weak boot-property handling**. Treat these builds as both an Android-app and firmware target: the system app can act as a **dropper**, while insecure OEM partitions can turn **ADB over TCP** into a repeatable root backdoor.
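Review bot: The "Quick checks" block in the new "High-entropy extensionless assets" section only lists the archive (`unzip -l suspicious.apk | sort -k1,1nr | head`) but the following commands (`ent assets/<blob>`, `readelf -s lib/*/lib*.so`, `strings lib/*/lib*.so`) operate on extracted files, so the snippet does not run as written; add an extraction step (e.g. `unzip -d out suspicious.apk` and run the remaining commands inside `out/`) and mention that `ent` is a third-party tool that must be installed. In the "Sensor-gated anti-analysis" bullet on permissions, `WAKE_LOCK` and `FOREGROUND_SERVICE` are requested by a large share of legitimate apps, so calling the list "a strong sign" overstates it; rephrase so that the combination with `REQUEST_INSTALL_PACKAGES` and `QUERY_ALL_PACKAGES` is the signal, not any single permission. Finally, the three new sections describe a specific sample (FCM C2, SHA-1-of-filename key, raw-IP TLS fallback) without an inline citation; link the write-up they are drawn from at the top of the first new section so the claims can be checked against the source.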
Expand Down Expand Up @@ -1091,5 +1125,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [BeatBanker: A dual‑mode Android Trojan](https://securelist.com/beatbanker-miner-and-banker/119121/)
- [Pre-installed C2 Infrastructure and RAT Payload on Android Projectors](https://github.com/Kavan00/Android-Projector-C2-Malware)
- [Reverse-engineering pre-installed Android malware with Claude Code](https://zanestjohn.com/blog/reing-with-claude-code)
- [Inside the Fake RTO Challan Checker: How I Uncovered a Sophisticated Android Spyware Targeting Indians](https://medium.com/@singhbkn07/inside-the-fake-rto-challan-checker-how-i-uncovered-a-sophisticated-android-spyware-targeting-8f2da6a9a5a0)

{{#include ../../banners/hacktricks-training.md}}
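Review bot: The new reference "Inside the Fake RTO Challan Checker" is appended to the references list but nothing in the added body text points at it, so a reader cannot tell which of the new sections it supports; reference it from the relevant section (the one whose claims it backs) rather than only listing it at the end. Minor style point: the other entries in this list use a short title, while this one carries the full Medium headline including the subtitle; consider trimming it to match the surrounding entries.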