← Back to Research Vault

Android Bootstrap Hijacking

By Shay Mordechai | May 27, 2026

Introduction

Many Android users and developers are unaware that the "Android world" doesn't actually exist the moment the device powers on. In the first few seconds, it is simply a plain Linux platform[cite: 23]. This article focuses on the fraction of a second after execution, and how advanced malware impersonates the OS before the user sees any screen[cite: 23]. We analyze Anatsa, a Banking Trojan with over 100,000 Google Play downloads, which unconventionaly bypasses the UI presentation[cite: 23].

Chapter A — The Race Begins

The Zygote initializes the Android Runtime (ART), the Framework, and a Local Socket listening for `fork()` requests before the System Server is born[cite: 23]. During boot, Zygote initiates a child process, closing the socket for security[cite: 23]. Init passes the `--start-system-server` flag to Zygote, storing the `SystemServer.main()` string in memory[cite: 23]. From then on, only the System Server can wake Zygote via the socket to clone new processes[cite: 23].

Chapter B — Division of Roles

The `SystemServer.main()` manages the application process using the Activity Manager Service (AMS) and Package Manager Service (PMS)[cite: 23]. The AMS manages the ActivityThread, while PMS scans Manifests to define permissions[cite: 23]. Applications run on a single UI Thread loop (Looper), suspended until the AMS sends execution commands (onCreate, onStart) via Binder IPC[cite: 23].

Chapter C — The Hijacking Point

Android has two entry points: process-level and window-level[cite: 23]. The first AMS command, `bindApplication`, creates the Application object before the UI[cite: 23]. The Anatsa malware uses the `android:name` attribute in its Manifest to define a custom Application object (`ihp.opjhprs.fsthjpoyr.rhhkkff`), creating a lethal Entry Point at the Process level[cite: 23]. It uses Stub Unpacking to load the encrypted DEX and integrate malicious classes via `attachBaseContext()`[cite: 23].

Chapter D — The Dynamic Analysis Challenge

Standard Frida "Attach" mode is too late to catch `attachBaseContext()`[cite: 23]. We must use "Spawn" mode to suspend the process immediately after the Zygote Fork, before the Process Entry Point runs[cite: 23]. To beat advanced anti-analysis, we use a Zygote Hook, injecting the Frida Agent directly into the Zygote so every cloned app inherits it[cite: 23]. By hooking `android.app.LoadedApk.makeApplicationInner`, we forced `forceDefaultAppClass = true` to neutralize the malware's custom class[cite: 23].

Chapter E — The Crashed Process

The process crashed seeking `SomeProvider`, revealing an even earlier Bootstrap stage[cite: 23]. Android uses `ContentProvider.onCreate` to preload third-party libraries, often abused by Packers to load encrypted DEX files before the Application object[cite: 23]. I intercepted the `BaseDexClassLoader.findClass` via Frida to manually fake `MySomeProvider` and prevent the crash[cite: 23].