{
	"id": "8bbb8431-d9e7-4673-bc0b-81e9e5b5acbe",
	"created_at": "2026-04-06T00:07:08.114819Z",
	"updated_at": "2026-04-10T03:21:11.847943Z",
	"deleted_at": null,
	"sha1_hash": "f7ebc9ed27c4740f977614dfa1c8324a03a6e149",
	"title": "Live reverse engineering of a trojanized medical app — Android/Joker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1180202,
	"plain_text": "Live reverse engineering of a trojanized medical app —\r\nAndroid/Joker\r\nBy @cryptax\r\nPublished: 2022-03-08 · Archived: 2026-04-05 18:08:02 UTC\r\nA few days ago, a tweet reporting an Android malware caught my attention, because it was apparently found inside a health-related application named “Health Index Monitor”.\r\nhttps://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1\r\nPage 1 of 8\r\n\r\nA tour inside Cordova…\r\nThe name of the package is com.monotonous.healthydiat, and the main activity is com.monotonous.healthydiat.MainActivity. Its code is extremely simple, and we quickly recognize the use of Cordova:\r\npublic class MainActivity extends CordovaActivity {\r\n @Override // org.apache.cordova.CordovaActivity, android.app.Activity\r\n public void onCreate(Bundle savedInstanceState) {\r\n super.onCreate(savedInstanceState);\r\n loadUrl(this.launchUrl);\r\n }\r\n}\r\nCordova is a (not malicious) framework for creating cross-platform mobile apps using web technologies, meaning that the app’s code is not to be found in the DEX, but within the web pages shipped in the assets:\r\nThe app’s main entry point is in the assets: www/index.html\r\nHalf grumbling because I don’t like to read web files, I started poking into them, and found they were reaching out to a health website. At the time of my analysis, this website was down and could have hosted malicious code, but it just didn’t sound like what I’d expect from a malware.\r\nA dynamically loaded DEX!\r\nI continued inspecting the APK and noticed DroidLysis said the app was using DexClassLoader, a well-known class for dynamically loading Dalvik Executables, and often used by malware to hide and run a malicious payload.\r\nDex class loading apparently occurred in class b/a/b$a, for sure an obfuscated name, but I wondered how we got there, the MainActivity being so small.\r\nActually, the call occurs before the main activity, from the App class which extends Application (this is a known “trick” used by packers). And there I saw the call new b(...):\r\nimport a.b.a.c;\r\nimport android.app.Application;\r\nimport b.a.b;\r\n/* loaded from: classes.dex */\r\npublic class App extends Application {\r\n @Override // android.app.Application\r\n public void onCreate() {\r\n super.onCreate();\r\n new b(new c(this).getContext()).setGravity(100);\r\n }\r\n}\r\nFrida hook\r\nTo get the payload DEX, we need to retrieve the DEX which is provided to the DexClassLoader constructor. As usual, I created a Frida hook and ran the malware.\r\nThe payload DEX is /data/user/0/com.monotonous.healthydiat/app_/v1\r\nThe v1 file is the payload DEX 😃.\r\nOnce the DEX is loaded, the packer loads a class named yin.Chao, and inside that class, calls a method named yin.\r\nUse of reflection to load method yin() from the dynamically loaded class yin.Chao.\r\nReversing v1, the dynamically loaded DEX\r\nThere are two places to inspect:\r\n1. Method yin from class yin.Chao\r\n2. A service named NerService, inside com.monotonous.healthydiat, and mentioned by the app’s manifest. This service is implemented in the dynamically loaded DEX.\r\nMethod yin asks the end-user to grant permissions for READ_PHONE_STATE and READ_CONTACTS, and to add the app as a notification listener (this enables the app to read and interact with any notification). Note that this should sound suspicious to an average end-user: why would a health app need those?!\r\nOnce this is done, yin loads a remote JAR from a remote HTTPS website and calls a method named canbye from com.canbye.\r\nDynamically loading a remote JAR. The JAR should be present inside the app’s directory, inside ./files/logs. If that file does not exist, it is downloaded from the remote HTTPS website and stored in logs.\r\nBefore we reverse the remote JAR, let’s finish with NerService. It is a notification listener, and will catch any SMS notification, read the notification’s text message and send it via a custom intent.\r\nNotice that onNotificationPosted() is only interested in notifications from SMS. The class implements a post() method which grabs the notification text, broadcasts it and cancels all other notifications.\r\nThis is an interesting way to steal SMS: the malware is not reading the SMS (thus no need for the READ_SMS permission) but reading the notification of the SMS!\r\nReversing the remote JAR canbye\r\nThis JAR only has a few classes, but they are dense 😉. Method canbye initializes a shared preferences file (named bshwai) and sets a few entries such as an identifier based on the phone’s Android ID or MAC address. Then, the malware registers an SMS receiver. It will process all broadcast messages sent by v1 (the previous layer), store the messages and later send them in a JSON object to a remote server. For an uncertain reason, the malware also directly intercepts incoming SMS messages and particularly forwards those beginning with the keyword rch to hxxp://www.canbye.com/op/pair?remote=\u003cint\u003e\u0026device_id=\u003cid\u003e. This is perhaps to ensure the notification for this SMS is not shown to the victim, thus completely hiding the SMS.\r\nReport SMS with keyword rch to remote server.\r\nWe also notice other functionalities such as retrieving the list of accounts on the victim’s phone and sending SMS messages: this depends on what the remote server instructs.\r\nThe canbye JAR implements a (malicious) Facebook component DEX which can be downloaded from hxxps://canbye.oss-accelerate.aliyuncs.com/fbhx\u003cINT\u003e. This is a fourth stage DEX!!! I haven’t reversed this one yet.\r\nFour stages for this malware!\r\nWe notice the first 3 stages with a Frida hook on java.net.URL and DexClassLoader:\r\nThe cutt.ly URL actually resolves to xni.oss-eu-central-1.aliyuncs.com. The file is downloaded and stored as v1 and loaded. Then, the stage 3 is downloaded from canbye.oss-accelerate.aliyuncs.com, and stored locally as a file named logs. Stage 4 download is not shown here.\r\nThis malware belongs to the Android/Joker family. The initial APK is detected as Android/Joker.D!tr.dldr. For more references on the Joker family, please read here, here and here.\r\n— the Crypto Girl\r\nMalicious URLs\r\nhxxps://xni.oss-eu-central-1.aliyuncs.com/0302/hindex\r\nhxxps://canbye.oss-accelerate.aliyuncs.com/canbye\r\nhxxps://www.canbye.com/canbye/v1\r\nhxxps://www.canbye.com/canbye/v2\r\nhxxps://www.canbye.com/canbye/op/probe?...\r\nhxxps://www.canbye.com/canbye/op/up?..\r\nhxxps://www.canbye.com/canbye/op/arly...\r\nhxxps://www.canbye.com/canbye/op/crly...\r\nIOC\r\n5613c51caf6bece9356f238f2906c54eaff08f9ce57979b48e8a113096064a46 (this is the APK)\r\n0058f2bfc383c164f4263bf0ed6e9252b20c795ace57ca7b686b6133d183bb42 (this is the payload DEX, named v1)\r\n2da5ad942435714f52204d6955f7ae941d959dc275df75acd6aa15bfe81e653b (this is the canbye JAR, loaded by v1)\r\n949a16417b183d55f766fa507cc8c1699cd73ffc5da9856bb35b315b678ac1d8 fbhx1 (a 4th stage DEX)\r\na3f5b26ba8102a63d9864ab8099eed7519244df8bc6464f888c515c7e3575f4e fbhx2 (another possible 4th stage DEX)\r\nSource: https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1"
	],
	"report_names": [
		"live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434028,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7ebc9ed27c4740f977614dfa1c8324a03a6e149.pdf",
		"text": "https://archive.orkl.eu/f7ebc9ed27c4740f977614dfa1c8324a03a6e149.txt",
		"img": "https://archive.orkl.eu/f7ebc9ed27c4740f977614dfa1c8324a03a6e149.jpg"
	}
}