In part I of this blog, I finished analyzing the native layer of a newly discovered Rootnik malware variant and obtained the decrypted real DEX file. Here in part II, we continue the analysis with that DEX file.
A look into the decrypted real DEX file
The entry point of the decrypted DEX file is the class demo.outerappshell.OuterShellApp. The definition of OuterShellApp is shown below.
Figure 1. The class demo.outerappshell.OuterShellApp
We first analyze the function attachBaseContext(), since it is the earliest code in the class to run. The following is the function aBC() in the class…
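For readers less familiar with why an analysis of an Android app shell starts at attachBaseContext(): the framework calls it immediately after the Application object is constructed, before any ContentProvider.onCreate() and before Application.onCreate(), so a shell that must have its real code in place before anything else runs hooks there. The class below is an added illustration of that generic shell pattern and is not code from the Rootnik sample or from this blog; the class name ShellApp, the payload file name payload.dex and the class name com.example.RealApp are hypothetical placeholders, and whether the sample's own aBC() behaves this way is not established by this section.

```java
// Added illustration of the attachBaseContext() hook used by Android app shells.
// Not the Rootnik sample's code; ShellApp, payload.dex and com.example.RealApp
// are hypothetical names chosen for the example.
import android.app.Application;
import android.content.Context;
import android.util.Log;
import dalvik.system.DexClassLoader;
import java.io.File;

public class ShellApp extends Application {
    private static final String TAG = "ShellApp";

    // Called by the framework right after the Application object is built and
    // before any ContentProvider.onCreate() or Application.onCreate(). Code here
    // runs before the rest of the app, which is why an analyst reads it first.
    @Override
    protected void attachBaseContext(Context base) {
        super.attachBaseContext(base);

        File payload = new File(base.getFilesDir(), "payload.dex"); // hypothetical path
        if (!payload.exists()) {
            Log.w(TAG, "no payload present, running as a plain app");
            return;
        }

        // Private, app-owned directory for the optimized DEX (required by DexClassLoader).
        File optDir = base.getDir("odex", Context.MODE_PRIVATE);

        // DexClassLoader(dexPath, optimizedDirectory, librarySearchPath, parent):
        // loads classes from the payload with the app's own loader as parent.
        DexClassLoader loader = new DexClassLoader(
                payload.getAbsolutePath(),
                optDir.getAbsolutePath(),
                null,
                base.getClassLoader());

        try {
            // Resolve the real entry class from the payload; hypothetical name.
            Class<?> realApp = loader.loadClass("com.example.RealApp");
            Log.i(TAG, "payload class loaded: " + realApp.getName());
        } catch (ClassNotFoundException e) {
            Log.e(TAG, "payload class missing", e);
        }
    }

    @Override
    public void onCreate() {
        super.onCreate();
        // By the time this runs, attachBaseContext() has already loaded the payload.
        Log.i(TAG, "onCreate runs only after attachBaseContext() returned");
    }
}
```

When triaging a real shell, the practical check is to confirm this ordering dynamically: hooking the DexClassLoader constructor (for example with Frida) and logging its dexPath argument shows exactly which file the shell loads and from where, independent of how heavily aBC() and its callees are obfuscated.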