Technical analysis of Hydra Android malware
If we unzip the sample and inspect its AndroidManifest.xml, we see that the declared entry point, com.sdktools.android.MainActivity, does not exist anywhere in the sample's code. A launcher activity that is absent from classes.dex is a strong indication that the sample is packed. You can identify the packing technique with droidlysis or APKiD. Running droidlysis shows that the sample uses DexClassLoader, and that the packer is JsonPacker. The real payload is therefore decrypted and loaded at runtime, so we need to recover it from a running instance.

We will use Frida to get the decrypted payload. The sample is installed on an Android Studio emulator; from WSL on my host we launch Frida, spawn the malicious app so the packer stub runs and loads the decrypted payload, and then pull that payload from the emulator to the host for analysis.
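A Frida script for the step above, as an added example (not code from the original analysis): it hooks dalvik.system.DexClassLoader so the path of the decrypted payload is printed as soon as the JsonPacker stub loads it, and filters out framework loads. The package name and the `payload.dex` destination are assumed, and the File.delete hook is a precaution based on the common packer habit of deleting the dex after loading, which this page does not state for this sample.

```javascript
// Frida script (added example) that logs the dex path passed to
// dalvik.system.DexClassLoader when a packer stub loads its payload.
// Run with (package name assumed):
//   frida -U -f <package.name> -l dump_dexpath.js
// Then copy the file off the emulator with the printed adb command.

// Payload dex files dropped by a packer live in the app's private storage;
// framework loads from /system or /apex are noise and are filtered out.
function isAppPrivatePath(dexPath) {
  return /^\/data\/(data|user\/\d+)\/[^\/]+\//.test(dexPath);
}

// Host-side command used to retrieve the payload from the emulator.
function pullCommand(dexPath, dest) {
  return 'adb pull "' + dexPath + '" "' + (dest || 'payload.dex') + '"';
}

// Only install the hooks when running inside Frida's Java bridge.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    var DexClassLoader = Java.use('dalvik.system.DexClassLoader');
    DexClassLoader.$init
      .overload('java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.ClassLoader')
      .implementation = function (dexPath, optimizedDir, libPath, parent) {
        if (isAppPrivatePath(dexPath)) {
          console.log('[+] DexClassLoader loading payload: ' + dexPath);
          console.log('    optimizedDirectory: ' + optimizedDir);
          console.log('    retrieve with: ' + pullCommand(dexPath));
        }
        return this.$init(dexPath, optimizedDir, libPath, parent);
      };

    // Assumption (not stated on the page): many packers delete the decrypted
    // dex right after loading it. Refusing deletes of app-private dex/jar/apk
    // files keeps the payload on disk long enough to pull it.
    var File = Java.use('java.io.File');
    File['delete'].implementation = function () {
      var path = this.getAbsolutePath();
      if (isAppPrivatePath(path) && /\.(dex|jar|apk)$/i.test(path)) {
        console.log('[!] blocked delete of ' + path);
        return false;
      }
      return this['delete']();
    };
  });
}
```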