Reverse engineering Android malware from popular Chinese projectors
- #Android Malware Analysis
- #Reverse Engineering
- #IoT Security
- A $35 Android projector was found to be pre-installed with malware, connecting to Command and Control (C2) servers without user interaction.
- The malware, identified as a Remote Access Trojan (RAT) in the package com.hotack.silentsdk, uses system-level privileges, XOR obfuscation, and AES encryption for C2 communication.
- The malware is built in three stages: a Stage 1 dropper, a Stage 2 framework that manages plugins, and Stage 3 plugins that provide residential proxy services such as KKOIP.
- The malware survives factory resets, with malicious init scripts disabling Google Play Protect and enabling silent app installations from firmware.
- Claude Code autonomously reverse-engineered the malware, decrypting strings, reconstructing protocols, and communicating with live C2 servers to map the attack chain.
- Infrastructure includes C2 domains like api.pixelpioneerss.com and connections to Kookeey's residential proxy network, conscripting user IPs for commercial use.
- Detection and mitigation steps include disabling suspicious packages via ADB and blocking C2 domains at the network level, but complete removal is uncertain due to firmware persistence.
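The summary notes that the RAT hides its strings behind XOR obfuscation. The page does not say which XOR scheme or key the sample uses, so the following is an added example (not code from the original analysis) that assumes the simplest case, a single-byte key, and shows how an analyst recovers that key from a few obfuscated blobs by scoring every candidate decode for characters that belong in config strings. The key 0xA7, the plaintexts and the blobs are constructed for illustration.

```python
"""
Added example, not code from the original analysis: recovering strings hidden
behind single-byte XOR. The page only says the sample uses XOR obfuscation; the
single-byte scheme, the key 0xA7 and the blobs below are constructed assumptions.
"""
import string

# Characters expected in config strings (domains, paths, shell fragments).
PLAUSIBLE = set((string.ascii_letters + string.digits + " ./:_-").encode())

# Constructed: plaintexts XORed with a made-up key so the example runs offline.
_DEMO_KEY = 0xA7
DEMO_PLAINTEXTS = ["api.pixelpioneerss.com", "/system/bin/sh", "settings put global"]
DEMO_BLOBS = [bytes(b ^ _DEMO_KEY for b in s.encode()) for s in DEMO_PLAINTEXTS]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def plausibility(data: bytes) -> float:
    """Fraction of bytes in PLAUSIBLE; 1.0 means the decode looks like config text."""
    return sum(b in PLAUSIBLE for b in data) / len(data) if data else 0.0


def recover_key(blobs, threshold=0.95):
    """Try every single-byte key and keep the one whose decodes look most like text.

    Returns None when no key clears the threshold, which usually means the
    obfuscation is not single-byte XOR and a different hypothesis is needed.
    """
    best_key, best_score = None, 0.0
    for key in range(256):
        score = sum(plausibility(xor_bytes(b, key)) for b in blobs) / len(blobs)
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= threshold else None


def deobfuscate(blobs, key):
    """Decode every blob with the recovered key, replacing any stray non-ASCII byte."""
    return [xor_bytes(b, key).decode("ascii", errors="replace") for b in blobs]


if __name__ == "__main__":
    key = recover_key(DEMO_BLOBS)
    print(f"recovered key: {key:#04x}")
    for s in deobfuscate(DEMO_BLOBS, key):
        print("  ", s)
```

The scoring deliberately uses a narrow character set rather than "any printable byte": keys that differ from the real one in a single bit still turn many letters into printable punctuation, and a loose scorer will rank several of them as ties. If `recover_key` returns `None`, the right move is to reject the single-byte hypothesis rather than lower the threshold.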
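The last bullet says the practical response is to disable the suspicious package over ADB and block the C2 domains on the network, with the caveat that a firmware-resident APK cannot be fully removed. The following added example (not from the original write-up) turns that into an offline triage step: it parses the output of `adb shell pm list packages -f`, flags the package the page names, records whether the APK lives in a firmware partition, and emits the disable commands and a resolver blocklist entry for the page's C2 domain. The sample ADB output and the APK path in it are constructed; the only page-sourced values are the package name com.hotack.silentsdk and the domain api.pixelpioneerss.com.

```python
"""
Added example, not code from the original write-up: offline triage of
`adb shell pm list packages -f` output against the indicators the page names.
The sample output below is constructed; the package and domain are from the page.
"""

# Page-sourced indicators. Everything else in this file is an assumption.
SUSPICIOUS_PACKAGES = {"com.hotack.silentsdk"}
C2_DOMAINS = {"api.pixelpioneerss.com"}

# Constructed sample of `adb shell pm list packages -f`
# (real format: package:<apk path>=<package name>).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SilentSdk/SilentSdk.apk=com.hotack.silentsdk
package:/data/app/com.example.player-1/base.apk=com.example.player
"""

# Partitions that are part of the firmware image and survive a factory reset.
FIRMWARE_PARTITIONS = ("/system/", "/vendor/", "/product/", "/odm/", "/oem/")


def parse_pm_list(text):
    """Return {package_name: apk_path} from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, name = line[len("package:"):].rsplit("=", 1)
        pkgs[name] = path
    return pkgs


def is_firmware_resident(path):
    return path.startswith(FIRMWARE_PARTITIONS)


def triage(pm_output, watchlist=SUSPICIOUS_PACKAGES):
    """Flag watchlisted packages and note whether they can only be disabled, not removed."""
    findings = []
    for name, path in parse_pm_list(pm_output).items():
        if name in watchlist:
            findings.append({
                "package": name,
                "path": path,
                "firmware_resident": is_firmware_resident(path),
            })
    return findings


def remediation_commands(findings):
    """ADB commands for a responder. A firmware-resident APK is reinstated by a
    factory reset, so the realistic action is to disable it for the user and stop
    it, not to expect `pm uninstall` to remove it from the image."""
    cmds = []
    for f in findings:
        cmds.append(f"adb shell pm disable-user --user 0 {f['package']}")
        cmds.append(f"adb shell am force-stop {f['package']}")
    return cmds


def dns_blocklist(c2_domains=C2_DOMAINS):
    """hosts-file style sinkhole entries for the C2 domains the page names."""
    return [f"0.0.0.0 {d}" for d in sorted(c2_domains)]


if __name__ == "__main__":
    found = triage(SAMPLE_PM_OUTPUT)
    for f in found:
        where = "firmware partition" if f["firmware_resident"] else "user data"
        print(f"{f['package']} at {f['path']} ({where})")
    print("\n".join(remediation_commands(found)))
    print("\n".join(dns_blocklist()))
```

Disabling the package removes the running RAT but not the init scripts the page describes, so the blocklist entry matters even after the package is disabled: if something else in the firmware re-enables or reinstalls it, the C2 contact still fails.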