Reverse engineered the Mintegral MBridge SDK (common in gaming APKs with aggressive advertising).
The SDK assembles exfiltration endpoints at runtime via AES/XOR decryption + Android IPC Intents. No hardcoded domain in the binary. MobSF classifies the package as Advertisement and stops there. Knox and Play Protect see legitimate inter-process communication between signed components — nothing to flag.
Extracted 6 C2/collection domains. Loaded them into AegisDNS as a SIGINT feed.
Both Knox and Play Protect: no block, no alert.
AegisDNS: all 6 blocked at resolution.
The IPC obfuscation chain is effective against every on-device analysis layer. It stops at port 53 — the one operation the OS cannot perform inside the obfuscation boundary.
Full write-up with architecture, the structural argument for perimeter DNS vs MTD, and operational trade-offs (block rate, DoH bypass mitigation via iptables, PCRE2/FFI trade-off):

https://cariagiovannib.wordpress.com/2026/06/06/crowdstrike-didnt-block-it-knox-didnt-block-it-a-dns-query-did/

#dns #android #reverseengineering #infosec #mobilesecurity

CrowdStrike Didn’t Block It. Knox Didn’t Block It. A DNS Query Did.

There are currently more active mobile devices on Earth than there are people. Every one of them is a network endpoint. Every one of them resolves DNS. And virtually none of them are protected at t…

Caria Giovanni - Security Blog
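The structural point the post makes (an endpoint that only exists after runtime decryption leaves nothing for a static scanner, yet surfaces in plaintext in the DNS question the moment the app resolves it) as an added example. This is not code from the post, from AegisDNS or from the Mintegral SDK; the SDK's real AES/XOR-plus-Intent chain is stood in for by a simple repeating-key XOR, and the key, the domains and the blocklist are constructed for the demo, not the six domains the author extracted.

```python
"""Added example: an obfuscated endpoint survives a static string scan, but the
resolver sees the plaintext name as soon as the SDK queries it. The XOR key, the
domains and the blocklist below are constructed for this demo."""
import re
import struct

# Constructed demo values; the post's real collection domains are not reproduced.
XOR_KEY = b"\x5a\xa7"
BLOCKLIST = {"collect.example", "c2.example.net"}


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so the same call decodes at runtime."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# What would sit in the binary: no dotted hostname is present as plaintext.
OBFUSCATED_ENDPOINT = xor_obfuscate(b"collect.example", XOR_KEY)


def static_domain_scan(blob: bytes) -> list:
    """Naive static pass (strings/grep style): printable dotted hostnames only."""
    return [m.decode("ascii") for m in re.findall(rb"[a-z0-9-]+(?:\.[a-z0-9-]+)+", blob)]


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Wire-format A/IN query, RD set, one question, no name compression (RFC 1035 s4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    if any(len(label) == 0 or len(label) > 63 for label in labels):
        raise ValueError("bad label length")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(packet: bytes) -> str:
    """Pull the first QNAME out of a query on the wire. Compression pointers are not
    legal in a question name, so one is treated as malformed rather than followed."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    (qdcount,) = struct.unpack("!H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if pos + length > len(packet):
            raise ValueError("label runs past packet end")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def is_blocked(qname: str, blocklist: set) -> bool:
    """Suffix match on label boundaries: an entry example.net catches c2.example.net
    but not notexample.net."""
    parts = qname.rstrip(".").lower().split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def resolver_decision(obfuscated: bytes, key: bytes) -> dict:
    """End to end: the app decodes the endpoint at runtime and has to resolve it;
    the resolver sees the plaintext name regardless of how it was stored."""
    runtime_endpoint = xor_obfuscate(obfuscated, key).decode("ascii")
    query = build_dns_query(runtime_endpoint)
    seen = parse_qname(query)
    return {
        "static_scan": static_domain_scan(obfuscated),  # nothing for a MobSF-style pass
        "resolver_saw": seen,
        "blocked": is_blocked(seen, BLOCKLIST),
    }


if __name__ == "__main__":
    print(resolver_decision(OBFUSCATED_ENDPOINT, XOR_KEY))
```

The parser deliberately refuses compression pointers in the question section and bounds-checks every label, because a resolver-side filter is parsing attacker-influenced bytes. Suffix matching on label boundaries is what lets one feed entry cover arbitrary subdomains without also catching look-alike registrations; an anchored regex (PCRE2 in the post's trade-off) buys finer patterns at the cost of per-query matching work.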