F-droid Malware Internals

Static and Dynamic Analysis.

In this blog i will be taking you through the tour of reversing the alleged malware app F-droid.

Analysis: Hammering off “F-droid” app

Static Analysis:-[Basic]


Hash’s of F-droid 1.10

Information about app :

info. of App.

Certificate Info:

Certificate Information shows 2 false signature.

App Permissions:

In image we can see app has access to many malicious permissions.

Obfuscation and Anti-VM Code:

Anti-VM code and Anti-Debug Code used.

Code Analysis:

App logs into the sensitive information, has weak hash’s, sensitive to SQL injection, app files contains hard-coded usernames and passwords, consists of insecure RNG and discloses the IP address.


URLs found during static analysis of app.

Activities Run by App:

Activities found during static analysis of app.

Services run by App:


Dynamic Analysis:-


Urls found during dynamic analysis.


C2 Server:

148[.]251[.]140[.]42 & 217[.]160[.]165[.]113

Communicating Files with C2 Server:

Files communicating with C2 server.

YARA Signature:

Yara signature for detection of F-droid Malware.


C2 server of F-droid app is hosting many apps that are legit hacking tools malware.

That’s all for today.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store