The study explores the Android Runtime (ART) hijacking mechanism used for bytecode injection by analyzing the packer in the DJI Pilot Android application. Packers of this kind aim to protect application code from static analysis, whether to guard business logic or to evade detection of malicious logic. The analysis focuses on the DJI Pilot app's runtime mechanism, which is implemented through a modified SecNeo packer. To unpack it and document its logic, a Python proof-of-concept named DxFx is provided. Surprisingly, the unpacked DEX files turn out to contain method code that has been stolen and overwritten, pointing to a secondary bytecode protection layer. Further analysis uncovers encrypted data and an intricate RC4-based scheme used to decrypt it.
https://blog.quarkslab.com/dji-the-art-of-obfuscation.html