Intel Name: Multi-stage Android malware delivery campaign
Date of Scan: October 17, 2025
Impact: High
Summary: A sophisticated Android campaign uses adult-content lures to distribute malicious APKs. It has a multi-stage architecture: obfuscated front-end lure sites and a separate backend. The front pages use commercial JS obfuscation (jsjiami[.]com) and Triple DES to conceal backend URLs and configuration. Evasion techniques include deceptive loading messages and timing checks (e.g., measuring how long a test image takes to load) to frustrate analysis. A resilient, dynamic backend (stable IPs with rotating subdomains) and heavily obfuscated payloads (core logic hidden in a native .so, with varying filenames) enable stealthy APK downloads. After installation, the app hides behind generic app names and CY51[.]TV branding while requesting aggressive permissions (phishing overlays, screen capture, install and filesystem manipulation); it becomes unstable or crashes if those permissions are denied, which points to a malicious purpose.
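The "stable IPs, rotating subdomains" backend pattern described above is one of the more durable things a defender can hunt for in resolver logs. The following is an added detection example, not code from the report or from the campaign's tooling: it groups DNS answers by (answer IP, registered domain) and flags any pair that serves an unusually large number of distinct hostnames. The log format, the `.test` domains, the IPs and the threshold are constructed assumptions for the example.

```python
"""Hunt for backends that keep a stable IP while rotating subdomains.

Added example; the log lines, domains and addresses below are constructed
and are not indicators from the intel report.
"""
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <answer_ip>" per line.
# cdn-example.test rotates short random-looking labels over one stable IP,
# while legit-example.test shows ordinary, stable hostnames.
SAMPLE_LOG = """\
2025-10-17T08:00:01Z 10.0.0.12 a7f3.cdn-example.test 203.0.113.10
2025-10-17T08:05:14Z 10.0.0.12 q91x.cdn-example.test 203.0.113.10
2025-10-17T08:09:33Z 10.0.0.15 z2kd.cdn-example.test 203.0.113.10
2025-10-17T08:12:40Z 10.0.0.15 m8pq.cdn-example.test 203.0.113.10
2025-10-17T08:20:05Z 10.0.0.20 www.legit-example.test 198.51.100.5
2025-10-17T08:21:05Z 10.0.0.20 mail.legit-example.test 198.51.100.5
2025-10-17T08:30:00Z 10.0.0.12 b3rt.cdn-example.test 203.0.113.10
"""


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or blank lines
        ts, client, qname, answer = parts
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),
            "ip": answer,
        })
    return records


def registered_domain(qname):
    """Naive registrable-domain extraction (last two labels).

    Assumption for the example: a real deployment would use the Public
    Suffix List so that names like example.co.uk are handled correctly.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_rotating_backends(records, min_hosts=4):
    """Return (ip, base_domain) pairs that served >= min_hosts distinct names.

    A stable answer IP fronting many distinct subdomains of one base domain
    is the signal; the threshold is an assumption to tune per environment.
    """
    hosts = defaultdict(set)
    clients = defaultdict(set)
    for r in records:
        key = (r["ip"], registered_domain(r["qname"]))
        hosts[key].add(r["qname"])
        clients[key].add(r["client"])

    findings = []
    for (ip, base), names in hosts.items():
        if len(names) >= min_hosts:
            findings.append({
                "ip": ip,
                "base_domain": base,
                "distinct_hosts": len(names),
                "hosts": sorted(names),
                "clients": sorted(clients[(ip, base)]),  # who to triage
            })
    findings.sort(key=lambda f: f["distinct_hosts"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_rotating_backends(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']} <- {f['distinct_hosts']} hosts under {f['base_domain']}; "
              f"clients: {', '.join(f['clients'])}")
```

The threshold and the two-label domain split are deliberately simple; in production, point `parse_log` at your resolver or DNS-firewall export, widen the window to a day or more, and treat the `clients` list as the starting point for device triage (installed APKs, overlay and screen-capture permission grants).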