{
	"id": "40ad43a7-5ac0-4b59-9ece-6e27b6362719",
	"created_at": "2026-04-06T01:31:49.528189Z",
	"updated_at": "2026-04-10T13:11:32.201428Z",
	"deleted_at": null,
	"sha1_hash": "6734d5da9ca0f122bd5a8e1196ec18fb574e2e63",
	"title": "Locating the Trojan inside an infected COVID-19 contact tracing app",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 977430,
	"plain_text": "Locating the Trojan inside an infected COVID-19 contact tracing app\r\nBy @cryptax\r\nPublished: 2020-09-25 · Archived: 2026-04-06 01:14:39 UTC\r\n5 min read\r\nSep 18, 2020\r\nUpdate Sept 25, 2020: part 2 is available here.\r\nAn Italian company, SoftMining, developed an Android COVID-19 contact tracing application “SM-COVID-19”. Unfortunately, malware authors repackaged the application to include a Java-based Meterpreter backdoor from Metasploit.\r\nThe samples were discovered in March 2020, and you can find several blog posts on them (here, here). For instance, this one mentions the samples are “repackaged application injected with metasploit”. Interesting! But where is that “metasploit” in the samples? That’s what we are going to discuss in this article.\r\nA remote shell for the attacker\r\nWhen the victim launches the infected app on the smartphone, the legitimate COVID-19 application begins, but, additionally, in the background, the malicious part connects to a remote server (samples were found connecting to IP addresses 87.19.73.8 and 95.239.79.156 — there may be others).\r\nhttps://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe\r\nPage 1 of 7\r\nThe malware includes the legitimate app. So, it is difficult for the victim to understand this is an infected version.\r\nAn infected version is connected to the attacker’s server. For this study, we do not contact the real server (!) but our own local host, whose IP address is 192.168.0.42 (we’ll explain how to do that later).\r\nThe attacker gets a shell with numerous commands: dump SMS, contacts, get a screenshot, get webcam view etc.\r\nSeen from the attacker’s end. What s/he can have your smartphone do. Uses the metasploit console (msfconsole).\r\nLocating the trojan in the code (easy case)\r\nDepending on the sample, the difficulty may vary. For example, in a non-obfuscated sample, the malicious part is obvious and located within the explicit hierarchy com.metasploit.stage.\r\nIn this sample (sha256: f3d452befb5e319251919f88a08669939233c9b9717fa168887bfebf43423aca), the injected meterpreter hasn’t been obfuscated. Its code is located within com.metasploit.stage.\r\nLocating the trojan in an obfuscated sample (intermediate)\r\nBut, of course, there are obfuscated samples 😏 where the name for the trojanized part isn’t going to be so immediate. A close inspection of the Android manifest can help. We skip the permissions and jump to the “application” part.\r\nAndroid manifest of sample 7b8794ce2ff64a669d84f6157109b92f5ad17ac47dd330132a8e5de54d5d1afc\r\nFirst, notice the application uses multiple DEX files (i.e. the code is contained not only within classes.dex, but also classes2.dex and potentially more) with the label “androidx.multidex.MultiDexApplication”. We’ll get back to that in a future post; it has some importance in that case.\r\nThen, there is an activity named it.softmining.projects.covid19.savelifestyle.SendRiskActivity: this is an activity from the real application. Not suspicious. Later, the main activity it.softmining.projects.covid19.savelifestyle.MainActivity. Then, do you see it? There is a service whose name is it.softmining.projects.covid19.savelifestyle.apzcp.Xmevv. This is not part of the real application, and the fact that the last part of the name apzcp.Xmevv is obfuscated when the beginning is not should immediately trigger an alarm in your mind. We decompile the class and recognize the Meterpreter’s MainService.\r\nObfuscated name “Xmevv” for com.metasploit.stage.MainService. All other malicious classes are located in the “apzcp” namespace.\r\nLocating the trojan in difficult cases!\r\nNow, what if the malicious activity or service names are not mentioned in the manifest (or you don’t spot them)? Actually, I was unlucky: this is what happened with the first sample I examined 😓\r\nsha256: 992f9eab66a2846d5c62f7b551e7888d03cea253fa72e3d0981d94f00d29f58a\r\nIn this sample, the manifest only consisted of activities, services and receivers from the real app. So, I had trouble locating the malicious part.\r\nIn that case, I recommend reading the code of the Meterpreter and searching for similar parts in the infected application. There are 2 solutions to get the code of the Meterpreter:\r\n1. Long (but educational): generate a Meterpreter APK and decompile it (with your favorite Android decompiler). This also has the advantage of showing you exactly what to expect in the decompiled code.\r\n2. Short: read the sources on GitHub (it’s quick once you have the link, huh 😏)\r\nThere are several interesting parts to spot:\r\n1. The payload uses a configuration byte array. The content in the sample will be different, but if you see a byte array in a class, give it a second look… especially since this byte string contains the IP address of the remote attacker’s server!\r\nprivate static final byte[] configBytes = new byte[] {\r\n    (byte) 0xde, (byte) 0xad, (byte) 0xba, (byte) 0xad,\r\n    //placeholder\r\n    /*8192 bytes */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, …\r\n};\r\n2. Meterpreter connects to the remote server via a Socket. So, you can search in your Android app which part uses Sockets. There shouldn’t be that many. You can typically use DroidLysis for that. Run the tool (python3 droidlysis3.py --input thesample.apk --output dir). Then, in the output directory, search for “Socket” in autoanalysis.md, and you get a list of all parts that call Socket methods (for the precise pattern that is matched, in your DroidLysis configuration, go and see ./conf/smali.conf and search for a property named “socket”: the pattern is listed just below).\r\nMeterpreter source code creates a Socket server or a Socket client. Search for Sockets in your sample!\r\nDroidLysis shows the code instantiates a Socket and calls SocketServer.accept() in a class named Snotq. This helps locate malicious code within the package.\r\n3. Meterpreter reads an incoming payload Jar from the Socket with the remote server, and loads it using DexClassLoader. Likewise, we can use DroidLysis to spot which part of the code uses DexClassLoader. Once again, we are lucky: the only spot that uses DexClassLoader is the malicious class Snotq, and DroidLysis points it out. Yes, we are “lucky” because there could be non-malicious parts using DexClassLoader, but in reality, the use of DexClassLoader is often an excellent marker for suspicious activity. Even in the worst cases, you shouldn’t have too many classes to inspect.\r\nThere are several other things you can notice in Meterpreter’s code, but actually, those 3 are enough.\r\nWhat if you don’t know that Meterpreter is injected in your code? Well, in that case, you resort to the standard job of a malware analyst: decompile the sample, and analyze anything that looks out of place. I personally use DroidLysis to get hints at where to start searching, and as I said earlier, for instance, noticing the use of DexClassLoader, or even Sockets, gives you nice hints to look at the corresponding classes.\r\nContinued in part 2.\r\nIOCs (March 2020):\r\n992f9eab66a2846d5c62f7b551e7888d03cea253fa72e3d0981d94f00d29f58a\r\nf3d452befb5e319251919f88a08669939233c9b9717fa168887bfebf43423aca\r\n7b8794ce2ff64a669d84f6157109b92f5ad17ac47dd330132a8e5de54d5d1afc\r\n— cryptax\r\nSource: https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe"
	],
	"report_names": [
		"locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe"
	],
	"threat_actors": [],
	"ts_created_at": 1775439109,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6734d5da9ca0f122bd5a8e1196ec18fb574e2e63.pdf",
		"text": "https://archive.orkl.eu/6734d5da9ca0f122bd5a8e1196ec18fb574e2e63.txt",
		"img": "https://archive.orkl.eu/6734d5da9ca0f122bd5a8e1196ec18fb574e2e63.jpg"
	}
}