Obfuscated Android APK Analysis

Pending
💰 USD 250–750 👤 Unknown 🕒 7d ago status: new
C Programming Java Mobile App Development Android Documentation
I have a heavily-obfuscated Android APK that ships with a native lib named libnative-lib.so. Your task is two-fold: first, perform deep static code analysis on the decompiled Java layer; second, capture and dissect its outbound network traffic. The goal is to surface every hidden C2 domain or URL, understand the encryption routine that conceals them, and document any malicious behaviour revealed in transit. You are free to combine JADX, apktool, Ghidra/IDA for the static pass and instruments such as Frida, tcpdump, Wireshark or mitmproxy for traffic capture, so long as the findings are reproducible.

Deliverables
• Comprehensive report describing discovered C2 domains/URLs, encryption algorithms or hard-coded keys, and any behavioural indicators of compromise
• IOC list in plain text (one item per line)
• PCAP or HAR files plus decoded request/response bodies that demonstrate the traffic to those endpoints
• Step-by-step notes or scripts needed to replicate your results on a clean analysis workstation

Acceptance criteria
– All C2 endpoints must be traceable to code locations and corroborated by captured traffic.
– Encryption workflow should be explained clearly enough that a third party can reproduce decryption.
– No unexplained network calls should remain after analysis.

If this scope is clear and you have prior experience dismantling obfuscated Android samples, please outline your approach and estimated turnaround time.