How I Decompiled a Malicious Android App and Uncovered Its Hidden Email Spy
A user received a suspicious SMS with a malicious app link, prompting an analyst to download, decompile, and dissect the Android malware, revealing hidden Device Admin permissions, obfuscated code, DES-encrypted credentials, and the attacker’s email address, ultimately exposing how the trojan steals personal data.
Someone received a phishing SMS that included the sender’s full name and a link to an unknown Android application. The message originated from a telecom number in Sichuan, raising suspicion that the link might lead to a malicious app.
An analyst downloaded the APK into a virtual machine and immediately noticed that it requested an unusually large number of permissions. Among them was Device Administrator access, which, once granted, blocks normal uninstallation until the admin is deactivated in Settings; in the manifest it shows up as a receiver protected by android.permission.BIND_DEVICE_ADMIN, a quick marker to grep for when triaging an unknown APK.
Using a decompiler, the analyst reversed the APK despite heavy obfuscation. After about two hours of analysis, the most important classes had been identified, including one named PreferencesWrapper that held the trojan's configuration.
Within PreferencesWrapper, the analyst found the username and password used to send stolen data by email, stored as strings encrypted with DES in a class called DESEncipher. Since the app has to decrypt them at runtime, the key must ship inside the APK, so the encryption only hides the credentials from a casual string search rather than protecting them.
The key sat in another part of the code. After extracting it and running the same DES routine in decrypt mode, the analyst recovered the plaintext credentials, revealing the attacker's email address.
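The decryption step, as an added example that is not from the original article or the analyzed app: a small Java program reproducing the usual Android DESEncipher pattern (javax.crypto with the "DES" transformation, which resolves to ECB mode with PKCS#5 padding) so that values pulled from a PreferencesWrapper-style class can be decrypted on a workstation. The key, preference names, mailbox address and ciphertexts are constructed for this example; the encrypt step exists only to generate realistic stored values, and the app's real text encoding of the ciphertext (Base64 versus hex) is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;

/**
 * Reproduces, off-device, what a DESEncipher-style helper inside the APK does,
 * so strings lifted from the decompiled PreferencesWrapper can be decrypted offline.
 * Key material, field names and ciphertexts are constructed for this example.
 */
public class PreferencesDecrypt {

    // Stand-in for the key string recovered from the decompiled code (assumption).
    // DESKeySpec uses the first 8 bytes; anything shorter throws InvalidKeyException.
    static final String RECOVERED_KEY = "s3cr3tk!";

    static SecretKey desKey(String keyMaterial) throws Exception {
        DESKeySpec spec = new DESKeySpec(keyMaterial.getBytes(StandardCharsets.UTF_8));
        return SecretKeyFactory.getInstance("DES").generateSecret(spec);
    }

    // Cipher.getInstance("DES") means DES/ECB/PKCS5Padding on both the JDK and Android,
    // so the full transformation is spelled out here to make that explicit.
    static byte[] runDes(int mode, byte[] input, String keyMaterial) throws Exception {
        Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        cipher.init(mode, desKey(keyMaterial));
        return cipher.doFinal(input);
    }

    // Only used to fabricate stored values; the real app may use android.util.Base64 or hex.
    static String encrypt(String plaintext, String keyMaterial) throws Exception {
        byte[] ct = runDes(Cipher.ENCRYPT_MODE, plaintext.getBytes(StandardCharsets.UTF_8), keyMaterial);
        return Base64.getEncoder().encodeToString(ct);
    }

    /**
     * Returns the plaintext, or null when the PKCS#5 padding check fails, which a wrong
     * key candidate triggers almost every time (about 255 in 256 attempts).
     */
    static String tryDecrypt(String base64Ciphertext, String keyMaterial) throws Exception {
        try {
            byte[] pt = runDes(Cipher.DECRYPT_MODE, Base64.getDecoder().decode(base64Ciphertext), keyMaterial);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (BadPaddingException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the values PreferencesWrapper would hold.
        String[][] prefs = {
            {"mail_user", encrypt("attacker-mailbox@example.com", RECOVERED_KEY)},
            {"mail_pass", encrypt("hunter2", RECOVERED_KEY)},
        };
        for (String[] entry : prefs) {
            System.out.println(entry[0] + " (stored):        " + entry[1]);
            System.out.println(entry[0] + " (wrong key):     " + tryDecrypt(entry[1], "wrongkey"));
            System.out.println(entry[0] + " (recovered key): " + tryDecrypt(entry[1], RECOVERED_KEY));
        }
    }
}
```

Compile and run with `javac PreferencesDecrypt.java && java PreferencesDecrypt`. Two points worth noting: because the key is embedded in the APK, DES here buys the malware author nothing beyond hiding the credentials from a string dump, and the padding failure on a wrong key is a cheap way to test candidate key strings pulled from obfuscated code before trusting any output.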
The attacker's mailbox receives every SMS message and contact list the trojan harvests from infected devices. The analyst demonstrated this by logging into the account with the recovered credentials and viewing the exfiltrated data, which included personal messages and contact lists.
The investigation concludes with a strong warning: users should be extremely cautious about installing applications from unknown sources, especially those received via unsolicited messages, as such apps can silently harvest personal information and forward it to malicious actors.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.
