Characteristic Analysis of Trojan-Spy Malware on the Android Operating System through a Reverse Engineering Approach
DOI:
https://doi.org/10.35314/24bxyj81
Keywords:
Android, Malicious Software, Trojan Spy, Reverse Engineering
Abstract
The rapid advancement of communication technology has led to the widespread use of Android devices, accompanied by an increasing number of security threats, including Trojan-Spy malware. This type of malware often disguises itself as a legitimate application while covertly collecting and transmitting sensitive data. This study analyzes the characteristics of Trojan-Spy malware on the Android OS using a reverse engineering approach. The analysis focuses on a real-case sample, UndanganPernikahan.apk, which was distributed through WhatsApp using social engineering. The research was conducted through several stages, including initialization, decompilation, static analysis, code reversing, behavioral analysis, and quantitative runtime evaluation. The main contribution of this study lies in the detailed characterization of a Trojan-Spy sample as an integrated threat, combining SMS interception, notification harvesting, remote command execution, and data exfiltration through a Telegram-based command-and-control channel. The findings also demonstrate how the malware conceals its activity through WebView-based camouflage and control-flow manipulation. In addition, runtime analysis confirms that these malicious functions are actively executed and significantly impact system performance. These results show that reverse engineering is not only effective for identifying malware structure but also for reconstructing its operational behavior in real-world attack scenarios, particularly those involving socially engineered distribution through messaging platforms.
License
Copyright (c) 2026 INOVTEK Polbeng - Seri Informatika

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

