Reverse engineering Android malware with Claude Code - Zane St. John
February 5, 2026
Tags: security, reverse-engineering, claude-code, malware-analysis, ai-agents
I plugged in a $35 projector from AliExpress and pointed it at my bedroom wall. Within minutes of connecting it to Wi-Fi, my Pi-hole lit up.
DNS queries to suspicious domains including o.fecebbbk.xyz and impression.appsflyer.com
o.fecebbbk.xyz? impression.appsflyer.com? I hadn't opened a browser, installed any apps, or navigated past the home screen. The projector was phoning home on its own. Then:
DNS query to usmyip.kkoip.com
usmyip.kkoip.com. I didn't know what that was yet. I would.
Cheap projectors like the Magcubic HY300 Pro+ have flooded TikTok, Amazon, Temu, and AliExpress. The projectors community on Reddit doesn't think much of them, with complaints ranging from poor image quality to outright failure. I bought mine for ~$35 USD, promising 8000 lumens (dubious), automatic keystone correction, and "4K support." I had a feeling it would come with some unsavory malware like its TV box cousins, which was admittedly part of the fun.
Projecting on my wall. Ignore my unmade bed.
When I powered it on, the experience was more professional than expected. Android 11 (API 30), production build (not signed with test keys!), and not rooted out of the box. But the polished launcher couldn't fully mask the sketchiness underneath—as my Pi-hole had already made clear.
Getting started
Armed with adb and jadx, I started examining the pre-installed apps. The first red flag: a litany of com.htc. packages on a device that isn't made by HTC. It's made by a company called Hotack (sold under brand names like Magcubic). A thin disguise.
Between the fake com.htc. namespace and the suspicious DNS traffic, I had a strong feeling these packages were responsible. To disable them, I first needed root access; these are system-level apps that can't be touched without it. I rooted the device following this tutorial on XDA Forums, then disabled every package that looked suspicious:
adb shell pm disable-user --user 0 com.hotack.silentsdk
adb shell pm disable-user --user 0 com.htc.eventuploadservice
adb shell pm disable-user --user 0 com.htc.expandsdk
adb shell pm disable-user --user 0 com.htc.htcotaupdate
adb shell pm disable-user --user 0 com.htc.storeos
Five packages disabled. The suspicious DNS queries stopped. That confirmed these were the culprits, but I wanted to know exactly what they were doing. So I pulled the APKs:
adb pull $(adb shell pm path com.hotack.silentsdk | cut -d: -f2) silentsdk.apk
adb pull $(adb shell pm path com.htc.eventuploadservice | cut -d: -f2) eventuploadservice.apk
adb pull $(adb shell pm path com.htc.expandsdk | cut -d: -f2) expandsdk.apk
adb pull $(adb shell pm path com.htc.htcotaupdate | cut -d: -f2) htcotaupdate.apk
adb pull $(adb shell pm path com.htc.storeos | cut -d: -f2) storeos.apk
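The disable-and-pull step above as a small triage script. This is an added example, not the author's script and nothing shipped with the device: it parses `pm list packages -f`, flags packages under the `com.htc.` and `com.hotack.` namespaces, plans the `pm disable-user` and `adb pull` commands, and hashes the pulled APKs for the IoC section of a write-up. It assumes `adb` is on PATH; the APK paths in the embedded sample output are constructed, only the package names come from the post.

```python
"""Triage helper for the disable-and-pull step.

Added example, not the author's script or anything shipped with the device.
It assumes `adb` is on PATH and a device is attached; the parsing and
planning functions run offline on the constructed pm output at the bottom.
"""
import hashlib
import shlex
import subprocess
from pathlib import Path

# Namespaces the post singles out. On a genuine HTC device "com.htc." would
# be expected, so treat this list as a triage filter, not a verdict.
SUSPICIOUS_PREFIXES = ("com.htc.", "com.hotack.")


def parse_pm_list(output):
    """Map package name -> on-device APK path from `pm list packages -f`.

    Each line looks like `package:<apk path>=<package name>`. The path can
    itself contain '=' (user-installed apps live under /data/app/~~...==/),
    so split on the last '=' rather than the first. Stray '\\r' from older
    adb builds is stripped too.
    """
    pkgs = {}
    for line in output.splitlines():
        line = line.rstrip("\r").strip()
        if not line.startswith("package:"):
            continue
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and path and name:
            pkgs[name] = path
    return pkgs


def flag_suspicious(pkgs, prefixes=SUSPICIOUS_PREFIXES):
    """Package names under any distrusted namespace, sorted for stable output."""
    prefixes = tuple(prefixes)
    return sorted(n for n in pkgs if n.startswith(prefixes))


def plan_commands(pkgs, names, outdir="apks"):
    """Build argv lists: disable for user 0, then pull the APK for analysis.

    Nothing is executed here, so the plan can be reviewed (or unit-tested)
    before anything touches the device.
    """
    cmds = []
    for name in names:
        cmds.append(["adb", "shell", "pm", "disable-user", "--user", "0", name])
        cmds.append(["adb", "pull", pkgs[name], f"{outdir}/{name}.apk"])
    return cmds


def sha256_file(path):
    """SHA-256 of a pulled APK, for the IoC section of the write-up."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample of `pm list packages -f` output (CRLF on purpose).
# The APK paths are made up; only the package names come from the post.
SAMPLE_PM_OUTPUT = "\r\n".join([
    "package:/system/priv-app/Settings/Settings.apk=com.android.settings",
    "package:/system/app/SilentSdk/SilentSdk.apk=com.hotack.silentsdk",
    "package:/system/app/EventUpload/EventUpload.apk=com.htc.eventuploadservice",
    "package:/data/app/~~AbC==/com.example.game-XyZ==/base.apk=com.example.game",
])


def run_adb(*args):
    return subprocess.run(["adb", *args], capture_output=True, text=True,
                          check=True).stdout


if __name__ == "__main__":
    pkgs = parse_pm_list(run_adb("shell", "pm", "list", "packages", "-f"))
    targets = flag_suspicious(pkgs)
    Path("apks").mkdir(exist_ok=True)
    for argv in plan_commands(pkgs, targets):
        print(" ".join(shlex.quote(a) for a in argv))
        subprocess.run(argv, check=True)
    for name in targets:
        print(sha256_file(Path("apks") / f"{name}.apk"), name)
```

Two details worth keeping in mind when scripting this: the package name sits after the last `=` in each `pm` line, and user-installed apps live under `/data/app/~~...==/` paths that contain `=` themselves, so splitting on the first `=` mis-parses them. Separating the plan from its execution lets you eyeball the command list before it runs. The namespace filter is only triage; as in the post, the real confirmation is that the suspicious DNS queries stop once the packages are disabled.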
I cracked open com.hotack.silentsdk in jadx. ProGuard/R8 obfuscation had reduced class names to single letters—a.java, b.java, f.java—with encrypted strings and deliberately confusing control flow. After a while of tracing through the code by hand, I could see the general shape: a service that started on boot, contacted a remote server, and downloaded something. But decrypting obfuscated strings by hand, following reflection chains, mapping the C2 protocol... this was going to take days.
I wasn't going to brute-force this alone.
Letting Claude Code drive
I'd been using Claude Code with mixed success (mostly positive) for software engineering work, and I suspected it could do more than just speed up the tedious parts of reverse engineering. I decompiled the APKs with jadx, dumped the source into directories, and gave it a prompt:
# Android Projector Malware Investigation
You are investigating an Android-based projector suspected of
containing pre-installed malware. You have root access via ADB.
**Please think carefully before major analysis steps.
Maintain a todo list to track progress.**
## Mission
Discover suspicious packages, reverse engineer them, identify C2
infrastructure, and document everything with IoCs.
## Tools
ADB (root available - use `su` in `adb shell` to use root),
JADX (decompiler), Python (scripts), and standard CLI tools
are available.
## Hints
- The disabled packages I flagged are likely the source of the suspicious DNS traffic
- Expect obfuscation and encrypted strings
## Deliverables
Write comprehensive reports (FINDINGS.md + technical deep-dive)
when done.
## Success
Fully document the malware's capabilities, infrastructure,
and attack chain.
Then I let it run.
Its first move was to find and decode the XOR-encrypted strings littered throughout com.hotack.silentsdk. Sensitive strings (URLs, algorithm names, file paths, etc.) were stored as encrypted byte arrays and decoded at runtime using a rotating XOR cipher:
// a/a.java:834 - XOR string...
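A decoder for the kind of string obfuscation described above, as an added example; it is not code from the post, from the APK, or from Claude Code's session. The cipher shape is an assumption: byte i of the stored array is XORed with `key[i % len(key)]`, the usual form of a "rotating" XOR string obfuscator. It also handles the edge case that bites people on jadx output, namely that Java byte literals are signed (-1 means 0xff). The key, the plaintexts and the Java snippet embedded in it are constructed for the demo; the URL is a placeholder.

```python
"""Decode rotating-XOR string literals in jadx output.

Added example; not code from the post, the APK or Claude Code's session.
The cipher shape is an assumption: byte i of the stored array is XORed
with key[i % len(key)], the usual form of a "rotating" XOR obfuscator.
Key, plaintexts and the Java snippet below are constructed for the demo.
"""
import re
import sys
from pathlib import Path

# Java byte-array literals as jadx prints them: `new byte[]{104, -1, 3}` or
# `byte[] c = {104, -1, 3};`. Captures the comma-separated signed ints.
_BYTE_ARRAY = re.compile(r"\{\s*(-?\d+(?:\s*,\s*-?\d+)*)\s*\}")


def java_bytes(literal):
    """Java bytes are signed (-128..127); mask each to 0..255."""
    return bytes(int(v) & 0xFF for v in literal.split(","))


def rotating_xor(data, key):
    """XOR `data` with `key` repeated; symmetric, so it also encrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ascii(raw):
    """Return the decoded text if `raw` is non-empty printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def decode_literals(java_src, key):
    """(line number, plaintext) for each array that decodes to readable text.

    Arrays that decode to binary junk are skipped so that genuine binary
    constants (signature blobs, IVs) do not pollute the output.
    """
    found = []
    for lineno, line in enumerate(java_src.splitlines(), 1):
        for m in _BYTE_ARRAY.finditer(line):
            text = printable_ascii(rotating_xor(java_bytes(m.group(1)), key))
            if text is not None:
                found.append((lineno, text))
    return found


def to_java_literal(data):
    """Render bytes the way jadx would: signed decimal values in braces."""
    return "{" + ", ".join(str(b - 256 if b > 127 else b) for b in data) + "}"


KEY = bytes([0x5A, 0x13, 0x7F])                     # constructed demo key
PLAINTEXTS = ["https://c2.example.invalid/report",  # placeholder, not a real C2
              "AES/CBC/PKCS5Padding"]
# Constructed stand-in for an obfuscated jadx class: two encrypted strings
# plus two decoy arrays that must not decode to anything readable.
SAMPLE_JAVA = "\n".join([
    "public final class a {",
    "    private static final byte[] b = new byte[]{1, 2, 3};",
    "    private static final byte[] c = "
    + to_java_literal(rotating_xor(PLAINTEXTS[0].encode(), KEY)) + ";",
    "    private static final byte[] d = {0, 0, 0, 0};",
    "    static String e() { return new String(f("
    + to_java_literal(rotating_xor(PLAINTEXTS[1].encode(), KEY)) + ")); }",
    "}",
])


if __name__ == "__main__":
    # Usage: python decode_xor.py <jadx output dir> <key as hex>
    root, key = Path(sys.argv[1]), bytes.fromhex(sys.argv[2])
    for java in sorted(root.rglob("*.java")):
        for lineno, text in decode_literals(java.read_text(errors="replace"), key):
            print(f"{java}:{lineno}: {text!r}")
```

Run it over the jadx output directory with the key recovered from the decryption routine; the printable-ASCII filter keeps the listing to strings worth reading (URLs, algorithm names, file paths) and drops arrays that are really binary constants. The one detail practitioners trip over is the signed Java byte: forgetting the `& 0xFF` mask turns every negative literal into a `ValueError` or a wrong byte.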