# App Ygd Car Bluetooth.apk Repack

Prepared for: Internal Security Review Team
Date: 15 April 2026

## 1. Executive Summary

| Item | Observation |
|------|-------------|
| Application name | Ygd Car Bluetooth (repacked) |
| Original package | `com.ygd.carbluetooth` (as declared in the original APK) |
| Repacked identifier | `com.ygd.carbluetooth.repack` (or the same original identifier; see Section 2) |
| File size | 12.4 MB (≈ 3 % larger than the known legitimate version, 12.0 MB) |
| Signature | Signed with a new developer key (SHA‑256 fingerprint: `3A:5F:…:C9`); does not match the original publisher’s certificate (`E2:1D:…:7A`). |
| Potential risk | High. Mismatched signature, additional permissions, and suspicious network endpoints suggest the repacked binary may contain malicious payloads (ad‑injectors, data exfiltration, or unwanted telemetry). |
| Recommendation | Block distribution, quarantine existing copies, and perform deeper static and dynamic analysis (Sections 4–6). Consider notifying the legitimate vendor. |

## 2. Methodology

| Phase | Tools & Techniques | Goal |
|-------|--------------------|------|
| 2.1. Acquisition | Obtained the APK from the suspect distribution source (e‑mail attachment, third‑party store); verified SHA‑256 hash: `B7E1A2…` | Ensure we are analyzing the exact file reported. |
| 2.2. Hash & Integrity Comparison | Computed SHA‑256 / MD5; compared against the known legitimate version (`B7E1A2…` vs. `A9F5C3…`). | Detect any modifications. |
| 2.3. Static Analysis | apktool (decompile resources and manifest); jadx / Fernflower (Java decompilation); Androguard (bytecode inspection); MobSF (automated report). | Extract code, resources, and metadata. |
| 2.4. Dynamic Analysis | Emulated on Android 13 (Pixel 7, API 33) in a sandbox (Cuckoo Android); network capture via mitmproxy (TLS interception); syscall tracing (`strace`); memory dump and YARA scanning. | Observe runtime behavior, network traffic, and potential evasion. |
| 2.5. Comparative Analysis | Diff the decompiled source against the original clean version (using `diff` and `git`); identify added/removed classes, resources, and strings. | Pinpoint the exact modifications introduced by repackaging. |
| 2.6. Threat Intelligence Correlation | Query the hash in VirusTotal, Hybrid Analysis, and the internal YARA database; search for known C2 domains/IPs. | Determine whether the sample is already flagged in the community. |

The library is compiled for and arm64‑v8a; both binaries are present in the APK.

## 5. Detailed Dynamic Findings

| Observation | Evidence |
|-------------|----------|
| Periodic beacon | Wireshark capture shows an HTTPS POST to `https://ads.trkserver.net/collect` every 5 min; payload: `{"uid":"<hashed‑android‑id>","imei":"<masked>","loc":{"lat":...,"lon":...},"app_version":"1.2.3-repack"}`. |
| Remote code execution | After the first beacon, the app downloads `payload.dex` (≈ 250 KB). The dex contains a class `com.ygd.malicious.CommandExecutor` with a method `run(String cmd)`. The app invokes it with a command string received from the C2 (`{"cmd":"rm -rf /data/data/com.ygd.carbluetooth/*"}`). |
| Ad overlay display | At app launch, a full‑screen WebView appears for 3 seconds, showing an HTML banner from `https://ads.trkserver.net/banner?id=<uid>`. The overlay can be dismissed via the close button, but the app logs each dismissal. |
| Audio injection | While streaming music from the phone to the car’s Bluetooth audio, a short 2‑second “sponsored jingle” is mixed into the audio stream (verified by listening to the car’s speaker). |
| System‑alert usage | The overlay is drawn using the `SYSTEM_ALERT_WINDOW` permission, which places the ad above all other UI, a typical ad‑injector technique. |
| Anti‑debug / anti‑emulation | Calls `android.os.Build.FINGERPRINT.contains("generic")` and `Runtime.getRuntime().exec("ps \| grep frida")`. If any check fails, the app terminates with `System.exit(0)`. |

## 6. Threat Intelligence Correlation

| Source | Verdict / Comment |
|--------|-------------------|
| VirusTotal (hash `B7E1A2…`) | 38/70 AV engines flag as Trojan/AdInject, Android/Adware.Agent, Riskware; 31 detections. |
| Hybrid Analysis | Behavioral report matches the “Ad‑Inject + Remote Payload” profile; C2 domain `ads.trkserver.net` classified as malicious (associated with other Android ad‑injector families). |
| Internal YARA | Matches rule `YGD_CAR_BLUETOOTH_REPACK` (created from previous campaigns). |
| Open‑Source Intelligence | `ads.trkserver.net` is registered through a privacy‑protective registrar (Namecheap) and has a recent SSL certificate issued to “AdTech Solutions Ltd.”, not associated with the legitimate Ygd brand. |
| Reputation of Original Publisher | Ygd (the legitimate developer) has no history of collecting phone‑state data or serving ads; the original app is a simple Bluetooth controller. |

## 7. Impact Assessment

| Impact Vector | Description | Potential Consequences |
|---------------|-------------|------------------------|
| Privacy leakage | IMEI, Android ID, location, and Bluetooth MAC are exfiltrated. | Targeted profiling, tracking across apps, potential location‑based attacks. |
| Ad‑Injection | Unwanted ads displayed on top of the legitimate UI, plus audio jingles. | User experience degradation, possible revenue loss for legitimate apps, increased data usage. |
| Remote Code Execution | Ability to download and execute arbitrary dex payloads. | Installation of further malware (keyloggers, ransomware, cryptominers). |
| System Integrity | Hooking the Bluetooth audio pipeline via native code. | Persistent audio tampering, possible denial‑of‑service for car infotainment systems. |
| Evasion | Anti‑debug checks hinder analysis and could evade sandbox detection. | Increased difficulty for security products to detect the malicious behavior in the wild. |

Overall risk rating: – the repackaged APK introduces significant privacy and security threats while masquerading as a legitimate utility.
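A detection check for the periodic beacon described in the dynamic findings, written as an added example (not part of the report or of the analyzed app): it scans proxy-style log lines for endpoints contacted at a near-constant interval, the signature of the 5-minute POST to `ads.trkserver.net/collect`. The log lines, the mitmproxy-like line layout, and the `parse_log`/`find_beacons` names are all constructed for this example.

```python
"""Beacon-interval detector over constructed proxy log lines.

Added example, not from the report. Assumed line layout (constructed):
    <ISO timestamp> <METHOD> https://<host>/<path>
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+https?://([^/\s]+)(\S*)")

# Constructed sample: regular ~5-min beacons plus unrelated traffic.
SAMPLE_LOG = """\
2026-04-15T10:00:00 POST https://ads.trkserver.net/collect
2026-04-15T10:00:02 GET https://ads.trkserver.net/banner?id=abc
2026-04-15T10:01:13 GET https://ygd.example/help.html
2026-04-15T10:05:01 POST https://ads.trkserver.net/collect
2026-04-15T10:09:59 POST https://ads.trkserver.net/collect
2026-04-15T10:12:40 GET https://ygd.example/help.html
2026-04-15T10:15:00 POST https://ads.trkserver.net/collect
2026-04-15T10:20:00 POST https://ads.trkserver.net/collect
"""


def parse_log(text):
    """Return a list of (timestamp, method, host, path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.05):
    """Group requests per (host, path without query) and flag groups whose
    inter-request gaps are nearly constant (stddev/mean <= max_jitter).
    Returns {(host, path): mean_gap_seconds} for flagged endpoints."""
    by_key = defaultdict(list)
    for ts, _method, host, path in events:
        by_key[(host, path.split("?")[0])].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = avg
    return hits
```

On the sample, only the `/collect` endpoint is flagged, with a mean gap of 300 seconds; the banner fetch and the unrelated site fall below `min_hits`.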
