Malware Analysis
November 5, 2025 · 15 min read · by DexGh0st

Anatomy of a Payment App Trojan: ShadowHook and Code Injection in Production

Deep forensic analysis of a real-world payment app trojan that uses ShadowHook for inline function hooking, custom injection libraries, and BeiDou VMP obfuscation to intercept payment data.

Executive Summary

In October 2025, our threat research team identified a payment app trojan targeting mobile banking applications across Southeast Asia. The malware combines three components: ShadowHook, an open-source Android inline hooking framework, to intercept function calls inside the victim process; custom injection libraries to get its code into that process; and BeiDou VMP obfuscation to hide what the hook handlers do. Together they let it read payment data in real time, before the app encrypts it.

Technical Analysis

Initial Infection Vector

The malware was distributed through compromised third-party app stores and social engineering campaigns aimed at users of legitimate banking apps. Once installed, it poses as a system update utility and abuses the Android Accessibility Service for persistence: once the user grants the permission, the system keeps the service bound and restarts it, and the prompt is only shown once.

ShadowHook Implementation

The trojan uses a modified version of ShadowHook, an open-source Android inline hooking framework, to intercept critical function calls. Unlike PLT/GOT hooking, which only redirects calls that go through the import table, an inline hook rewrites the first instructions of the target function itself, so it also catches calls made from inside the same library or through a previously resolved function pointer:

// Simplified hook registration (ShadowHook inline-hook API)
#include "shadowhook.h"

void *stub = shadowhook_hook_func_addr(
    target_func_addr,                    // function to intercept
    (void *)hooked_payment_handler,      // replacement that runs first
    (void **)&original_payment_handler   // trampoline back to the original
);
if (stub == NULL) {
    // hook failed; shadowhook_get_errno() reports why
}

Key functions targeted include:

  • SSL/TLS handshake functions, so certificate verification can be short-circuited and traffic intercepted (an in-process MITM that the app's own pinning never sees, because the check is bypassed before it runs)
  • Payment SDK initialization routines
  • Biometric authentication callbacks

BeiDou VMP Obfuscation

To evade detection, the malware protects its own code with BeiDou Virtual Machine Protection (VMP), a commercial-grade code virtualization tool that:

  1. Converts native code to custom bytecode
  2. Executes through a proprietary virtual machine
  3. Implements anti-debugging and anti-tampering checks

Virtualization hides what the hook handlers do, not where they are installed: the trampolines still have to overwrite the entry of real functions in the SSL library and the payment SDK, and that is what integrity checks should look at.

Data Exfiltration

Intercepted payment data is encrypted with AES-256-GCM before it leaves the device, so network-side detection has to rely on the shape of the channel rather than its contents. Observed exfiltration channels:

  • Covert DNS tunneling
  • Steganography in image uploads
  • WebSocket connections disguised as analytics traffic
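Because the payload is AES-GCM encrypted, the first channel in the list can only be spotted by how the queries look, not what they carry. The detector below is an added example, not part of the original analysis or the trojan's code: it profiles a resolver log per (client, registered domain) and flags domains whose subdomains are long, high-entropy and never repeated, the three traits a tunnel cannot avoid. The log format, the client IP, the bank hostnames and the tunnel domain (modelled on the C2 domain from the IoC table, but made up) are all constructed; the "registered domain is the last two labels" rule is a simplification called out in the code.

```python
"""Flag DNS-tunnelling candidates in a resolver query log.

Added example, not from the original analysis. The log format is
constructed: one query per line, "<epoch> <client_ip> <qname> <qtype>".
"""
import math
import re
from collections import defaultdict

# Constructed sample traffic: ordinary lookups of a bank's own hosts, then
# five TXT queries whose subdomains are 32-character base32-style blobs,
# the typical shape of data smuggled in DNS labels.
NORMAL_LINES = """\
1730800001 10.0.0.12 www.example-bank.com A
1730800002 10.0.0.12 api.example-bank.com A
1730800003 10.0.0.12 cdn.example-bank.com AAAA
1730800004 10.0.0.12 login.example-bank.com A
1730800005 10.0.0.12 www.example-bank.com A
1730800006 10.0.0.12 api.example-bank.com A
"""
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
TUNNEL_LINES = "".join(
    f"{1730800010 + i} 10.0.0.12 {ALPHABET[i:] + ALPHABET[:i]}.payment-secure.com TXT\n"
    for i in range(5)
)
SAMPLE_LOG = NORMAL_LINES + TUNNEL_LINES

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
BULKY_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that carry large answers


def shannon_entropy(s):
    """Bits per character: ~0 for 'www', near log2(alphabet size) for encoded data."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered domain, subdomain part).

    Assumption: the registered domain is the last two labels. Production
    code should use the public suffix list, otherwise bank.co.uk is mis-split.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            yield int(ts), client, qname, qtype.upper()


def profile(records):
    """Aggregate, per (client, registered domain), the features a tunnel distorts."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy": [], "length": [], "bulky": 0})
    for _, client, qname, qtype in records:
        registered, sub = split_name(qname)
        s = stats[(client, registered)]
        s["queries"] += 1
        if sub:
            s["subdomains"].add(sub)
            s["entropy"].append(shannon_entropy(sub.replace(".", "")))
            s["length"].append(len(sub))
        if qtype in BULKY_QTYPES:
            s["bulky"] += 1
    return stats


def detect_tunnels(text, min_queries=5, min_entropy=3.5, min_len=24, min_unique=0.8):
    """One finding per (client, domain) whose subdomains look like encoded chunks.

    A tunnel needs a fresh subdomain per chunk (unique ratio), long labels
    (throughput) and encoded content (entropy); all three must hold.
    """
    findings = []
    for (client, domain), s in profile(parse_log(text)).items():
        if s["queries"] < min_queries or not s["entropy"]:
            continue
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        mean_len = sum(s["length"]) / len(s["length"])
        unique = len(s["subdomains"]) / s["queries"]
        if mean_entropy >= min_entropy and mean_len >= min_len and unique >= min_unique:
            findings.append({
                "client": client, "domain": domain, "queries": s["queries"],
                "mean_entropy": round(mean_entropy, 2), "mean_label_len": round(mean_len, 1),
                "unique_ratio": round(unique, 2), "bulky_ratio": round(s["bulky"] / s["queries"], 2),
            })
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


if __name__ == "__main__":
    for finding in detect_tunnels(SAMPLE_LOG):
        print(finding)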

Detection and Prevention

Indicators of Compromise (IoCs)

| Type | Value |
|------|-------|
| SHA256 | 3f7a8b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a |
| C2 Domain | api-analytics[.]payment-secure[.]com |
| C2 IP | 185.234.XX.XX |

Recommendations

  1. Implement Runtime Application Self-Protection (RASP) that detects hooking attempts, for example by comparing the entry bytes of sensitive functions against a trusted copy and by checking which libraries are mapped into the process
  2. Use certificate pinning with backup pins and fail-closed error handling: a pin mismatch must abort the connection, never fall back to an unpinned one
  3. Integrate mobile threat detection SDKs for real-time protection
  4. Run regular security assessments with automated scanning tools such as AppAudix
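The RASP check in recommendation 1 is what defeats the hook mechanics described in the ShadowHook section: an inline hook has to overwrite the first instructions of the target with a branch to its trampoline, so the entry bytes either differ from a trusted snapshot or decode to a branch that leaves the function before any prologue. The script below is an added example, not code from the original page and not from ShadowHook; it classifies arm64 entry points and diffs them against a baseline. The symbol names, the trampoline address and all prologue bytes are constructed (hand-encoded arm64 instructions), not dumped from the sample.

```python
"""Entry-point integrity check for inline hooks on arm64 (RASP-style).

Added example, not from the original analysis or from ShadowHook. Two cheap
checks expose an inline hook: compare the entry bytes of sensitive functions
with a trusted snapshot, and decode the first few instructions to see whether
control leaves the function immediately. All bytes below are constructed.
"""
import struct

PROLOGUE_OPS = {"STP-pre", "STP", "SUB-imm", "ADD-imm", "PACIASP", "BTI-c"}


def mnemonic(insn):
    """Coarse class of one arm64 instruction word (enough to tell a prologue from a branch)."""
    if (insn >> 26) == 0b000101:                 # B <imm26>
        return "B"
    if (insn & 0xFFFFFC1F) == 0xD61F0000:        # BR Xn
        return "BR"
    if (insn & 0xFF000000) == 0x58000000:        # LDR Xt, <pc-relative literal>
        return "LDR-literal"
    if (insn & 0x9F000000) == 0x90000000:        # ADRP Xd, <page>
        return "ADRP"
    if (insn & 0xFFC00000) == 0xA9800000:        # STP Xt1, Xt2, [Xn, #imm]!
        return "STP-pre"
    if (insn & 0xFFC00000) == 0xA9000000:        # STP Xt1, Xt2, [Xn, #imm]
        return "STP"
    if (insn & 0xFF800000) == 0xD1000000:        # SUB Xd, Xn, #imm
        return "SUB-imm"
    if (insn & 0xFF800000) == 0x91000000:        # ADD Xd, Xn, #imm (also MOV X29, SP)
        return "ADD-imm"
    if insn == 0xD503233F:
        return "PACIASP"
    if insn == 0xD503245F:
        return "BTI-c"
    return "other"


def classify_entry(code, window=4):
    """Classify the first `window` instructions of a function as seen in memory."""
    usable = code[: len(code) - len(code) % 4]
    if not usable:
        return "unknown", []
    ops = [mnemonic(w) for (w,) in struct.iter_unpack("<I", usable)][:window]
    if ops[0] == "B":                              # near hook: jump straight out
        return "direct-branch", ops
    for i, op in enumerate(ops):                   # far hook: load address, branch to it
        if op == "BR" and any(p in ("LDR-literal", "ADRP") for p in ops[:i]):
            return "indirect-branch", ops
    if ops[0] in PROLOGUE_OPS:
        return "clean", ops
    return "unknown", ops


def audit(baseline, current):
    """Report symbols whose entry bytes changed since the snapshot or look like a hook."""
    findings = []
    for sym in sorted(current):
        verdict, ops = classify_entry(current[sym])
        modified = baseline.get(sym) != current[sym]
        if modified or verdict != "clean":
            findings.append({"symbol": sym, "verdict": verdict, "modified": modified, "ops": ops})
    return findings


def pack_insns(*insns):
    """Little-endian arm64 instruction words -> bytes (for the constructed data)."""
    return b"".join(struct.pack("<I", i) for i in insns)


# Constructed snapshot of three entries as they look untouched:
#   stp x29, x30, [sp, #-16]!  /  mov x29, sp  /  sub sp, sp, #0x20
NORMAL = pack_insns(0xA9BF7BFD, 0x910003FD, 0xD10083FF)
CLEAN_ENTRY = {"SSL_write": NORMAL, "SSL_do_handshake": NORMAL, "BIO_read": NORMAL}

# Constructed "after infection" view: SSL_write carries a 16-byte far hook
#   ldr x17, #8 / br x17 / .quad <trampoline>   and SSL_do_handshake a near B.
TRAMPOLINE = 0x7F12345000  # made-up address
HOOKED_ENTRY = dict(CLEAN_ENTRY)
HOOKED_ENTRY["SSL_write"] = pack_insns(0x58000051, 0xD61F0220) + struct.pack("<Q", TRAMPOLINE)
HOOKED_ENTRY["SSL_do_handshake"] = pack_insns(0x14000400, 0x910003FD, 0xD10083FF)


if __name__ == "__main__":
    for finding in audit(CLEAN_ENTRY, HOOKED_ENTRY):
        print(finding)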

Conclusion

This trojan represents a significant evolution in mobile banking malware, combining multiple advanced techniques to evade detection while maintaining reliable data exfiltration. Organizations must adopt a defense-in-depth approach to protect their mobile payment applications.


For automated detection of these and other mobile security threats, scan your app with AppAudix.
