StarKiller studies Android remote access techniques — how mobile malware establishes C2 communication, evades Play Protect detection, and maintains persistence on Android devices. Built on researcher-owned Android hardware to understand the mobile threat landscape from first principles.
The research complements the Windows-focused VADER project — modern attack chains often pivot from desktop to mobile or begin on mobile. Understanding both platforms is required for complete defensive coverage.
| Component | Language | Function |
|---|---|---|
| C2 server | Python | Command dispatch, session management, web dashboard |
| Android client | Kotlin | C2 beacon, command execution, payload delivery |
| Obfuscation pipeline | Python | APK repackaging, class renaming, string encryption |
| Binder | Python | Embeds client inside legitimate-looking APK |
TCP-based command and control with session management for multiple devices, a web dashboard for the operator view, and bidirectional communication between server and client.
Kotlin APK that beacons to C2 on launch. Executes shell commands, returns output. Requests permissions via standard Android prompts — no exploits, no privilege escalation. Studies what a standard-permission APK can access.
The APK obfuscation pipeline tests which transformations are required before Play Protect stops flagging the APK, measuring the effectiveness of static signature detection on Android (analogous to the Windows Defender XOR study).
Play Protect static detection can be defeated with class renaming and string encryption alone. Mobile security relies heavily on reputation (app age, install count) rather than deep static analysis. Newly published APKs from unknown developers receive less scrutiny regardless of code similarity to known malware.
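As an added defensive example (not StarKiller's own code), the following Python triage heuristic scores the two signals the pipeline exercises, class renaming and string encryption, over the class names and string constants a DEX parser would list for an APK. The sample inputs are constructed, and the thresholds are assumptions to tune against your own app corpus; because R8/ProGuard-minified benign apps also score high on renaming alone, the verdict requires both signals.

```python
import math
import re
from collections import Counter

# Segments of one or two letters only ("a/b/c") carry no human meaning.
_GENERATED_NAME = re.compile(r"^(?:[A-Za-z]{1,2}/)*[A-Za-z]{1,2}$")
# Readable strings almost always contain a space, dot, colon or slash.
_READABLE_HINT = re.compile(r"[ .:/]")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted blobs sit well above ~4."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def _normalize(descriptor: str) -> str:
    """'Lcom/example/Foo;' (DEX descriptor form) -> 'com/example/Foo'."""
    if descriptor.startswith("L") and descriptor.endswith(";"):
        return descriptor[1:-1]
    return descriptor


def obfuscation_report(class_names, strings, min_len=16, min_entropy=4.0):
    """Ratio of machine-named classes and of opaque string constants.

    Thresholds (assumed, not from the page): a DEX is 'suspect' only when
    renaming AND opaque strings are both present, since minified benign
    apps trip the class-name signal on its own.
    """
    generated = [c for c in map(_normalize, class_names) if _GENERATED_NAME.match(c)]
    opaque = [s for s in strings if len(s) >= min_len
              and not _READABLE_HINT.search(s) and shannon_entropy(s) > min_entropy]
    class_ratio = len(generated) / len(class_names) if class_names else 0.0
    string_ratio = len(opaque) / len(strings) if strings else 0.0
    return {"class_ratio": round(class_ratio, 2), "string_ratio": round(string_ratio, 2),
            "suspect": class_ratio >= 0.5 and string_ratio >= 0.3}


# Constructed sample inputs standing in for what a DEX parser would list.
NORMAL_CLASSES = ["Lcom/example/notes/MainActivity;", "Lcom/example/notes/NoteAdapter;",
                  "Lcom/example/notes/db/NoteDao;", "Landroidx/appcompat/app/AppCompatActivity;"]
NORMAL_STRINGS = ["Saved note", "content://com.example.notes/notes",
                  "SELECT * FROM notes", "https://api.example.com/sync"]
RENAMED_CLASSES = ["La/a;", "La/b;", "La/a/a;", "Lb/c;", "Lcom/example/notes/MainActivity;"]
ENCRYPTED_STRINGS = ["a1B2c3D4e5F6g7H8i9J0kL", "zYxWvUtSrQpOnMlKjIhG",
                     "MnBvCxZaSdFgHjKlQwEr", "MainActivity", "ok"]

if __name__ == "__main__":
    print("normal: ", obfuscation_report(NORMAL_CLASSES, NORMAL_STRINGS))
    print("renamed:", obfuscation_report(RENAMED_CLASSES, ENCRYPTED_STRINGS))
```

Running it prints a zero-score report for the plain app and a suspect report (0.8 renamed classes, 0.6 opaque strings) for the transformed one; feeding the renamed classes with the readable strings scores high on renaming yet stays below the verdict, which is the minified-benign-app case.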