Bask.apk Updated

"cmd": "upload_sms", "target": "server_1", "interval": 300

The Android Package Kit (APK) format remains the primary vector for mobile malware distribution. This paper presents a comprehensive static and dynamic analysis of a previously undocumented malware sample, designated bask.apk (SHA-256: 3f2c8a1d...). The sample demonstrates a sophisticated, multi-stage attack chain employing bytecode obfuscation via string encryption and reflection, abuse of the Accessibility Service API for gesture injection, and a resilient command-and-control (C2) communication protocol that leverages Firebase Cloud Messaging (FCM) for covert tasking. We reverse-engineered the DEX bytecode, reconstructed the application's behavior in a sandboxed environment, and identified exfiltration mechanisms for SMS messages, contacts, and 2FA codes. Our findings indicate that bask.apk belongs to a new variant of the "Basket" banking trojan family, targeting South Korean financial applications. We conclude with detection signatures and mitigation strategies.

Exfiltration of stolen data occurred over HTTPS to a rotating set of domains (e.g., baskcdn[.]com, api-updates[.]net), with each POST payload encrypted using AES-128-CBC and the key hardcoded in the native library libbask.so.


The C2 server responded with a 200 OK and an encrypted command list. The malware's authors implemented a sliding TTL (time-to-live) of 7 days for exfiltrated data blobs to avoid server storage limits.