HackTricks-wiki · carlospolop · Apr 20, 2026
diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md
@@ -127,6 +127,44 @@ Instead of custom sockets, some malware uses **Firebase Cloud Messaging (FCM)**
 
 Native payloads can be delivered as encrypted ELF blobs and decrypted with `CipherInputStream()`, using a key **derived from SHA‑1 of the downloaded filename**. Each filename/version yields a distinct key, hindering static IOC reuse.
 
+### Multi-stage Android droppers: native bootstrap -> DexClassLoader -> split payload rebuild
+
+Another common Android malware pattern is a **multi-stage loader chain** where a trojanized host app only contains the first bootstrap layer while the real payload is rebuilt at runtime from encrypted assets.
+
+Typical flow:
+- The `Application` subclass loads a native library very early, often before any visible activity.
+- The `.so` keeps strings and indicators **XOR-obfuscated** and only decodes them in memory, then performs **root/emulator gating** (`Build.MODEL`, ABI, system properties, `su` paths, sensors, telephony artifacts) and aborts if the environment looks hostile.
+- That native stage decrypts an asset into a first DEX and executes it with `DexClassLoader`.
+- The first DEX decrypts a second-stage asset with **filename-derived AES material**, e.g. `key = SHA1(filename)[:16]` or `SHA1(filename + "1")[:16]`, so there is no static AES literal to grep.
+- Later stages decrypt a **config blob** that decides which encrypted asset "splits" must be merged into the final APK (for example, miner vs RAT branch) and may show a **fake Google Play / update** screen while unpacking continues in the background.
+
+What to hunt for during triage:
+- `System.loadLibrary(...)` from `Application.onCreate()` or a custom `attachBaseContext()`.
+- Asset names that look random but are reused in nearby `MessageDigest.getInstance("SHA-1")`, `Cipher.getInstance("AES/...")`, or small XOR loops.
+- Repeated `DexClassLoader` hops instead of a single packer stage.
+- JSON configs with fields such as `splits`, mode flags, installer state, subscription timestamps, or MAC/authentication values.
+- Native code that calls `killProcess()` or short-circuits execution after environment checks.
+
+Useful hooks:
+```javascript
+Java.perform(() => {
+  const DCL = Java.use('dalvik.system.DexClassLoader');
+  DCL.$init.implementation = function(dexPath, odexPath, libPath, parent) {
+    console.log(`[DexClassLoader] dex=${dexPath} odex=${odexPath} lib=${libPath}`);
+    return this.$init(dexPath, odexPath, libPath, parent);
+  };
+
+  const MD = Java.use('java.security.MessageDigest');
+  MD.digest.overload('[B').implementation = function(data) {
+    const out = this.digest(data);
+    console.log(`[MessageDigest] algo=${this.getAlgorithm()} in_len=${data.length} out_len=${out.length}`);
+    return out;
+  };
+});
+```
+
+If the last stage reconstructs the final APK from encrypted pieces, dump the decrypted buffers or the temporary files after each stage instead of waiting for the final installer. This usually reveals the per-stage filenames, config schema, and key-derivation pattern much faster than fully reversing the whole loader.
+
 ## Jezail rooted Android pentesting toolkit (REST API + web UI)
 
 - Runs on a **rooted device** (Magisk/rootAVD) and starts an **HTTP server on tcp/8080** with a **Flutter web UI** and **REST API**.
@@ -972,5 +1010,7 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
 - [justapk — multi-source APK downloader with Cloudflare bypass](https://github.com/TheQmaks/justapk)
 - [Jezail rooted Android pentesting toolkit (REST API + Flutter UI)](https://github.com/zahidaz/jezail)
 - [BeatBanker: A dual‑mode Android Trojan](https://securelist.com/beatbanker-miner-and-banker/119121/)
+- [MiningDropper – A Global Modular Android Malware Campaign Operating at Scale](https://cyble.com/blog/miningdropper-global-modular-android-malware/)
+- [LumoLight trojanized host project](https://github.com/BitMavrick/Lumolight)
 
 {{#include ../../banners/hacktricks-training.md}}