Bask.apk
bask.apk registered two alarms via AlarmManager:
Unofficial apps can conflict with your Android OS, causing battery drain, overheating, or random reboots.
| Issue | Likely Cause | Solution |
| :--- | :--- | :--- |
| | Signature conflict (an existing app with the same name is installed) | Uninstall the existing version or search for a differently signed APK. |
| Parse error | The APK is corrupted or incompatible with your Android version | Re-download from a reliable source. Check minimum Android version. |
| App crashes on launch | Missing libraries or device incompatibility | Try clearing cache (Settings > Apps > Bask > Storage > Clear Cache). If it persists, the file is faulty. |
| "Virus detected" warning | Google Play Protect flags the APK | Do not bypass this unless you are 100% sure the source is trustworthy. |
Our analysis employed a three-pronged approach:
There are several risks associated with downloading and installing bask.apk:
bask.apk represents a mature, modular Android trojan that leverages legitimate cloud messaging infrastructure for evasion. Its dual reliance on user-assisted Accessibility enablement and native-layer encryption demonstrates that modern mobile malware continues to outpace signature-based defenses. Future work should explore detecting FCM abuse via traffic behavioral analysis rather than static domains. The complete deobfuscated source code and PCAPs of this analysis are available upon request for research purposes.
```json
{
  "device_id": "android-<hardware_uuid>",
  "contacts": [{"name": "John", "number": "+8210..."}],
  "sms": [{"sender": "bank", "body": "Your OTP: 847291", "timestamp": 1744900000}],
  "installed_packages": ["com.kbstar", "com.shinhan", "com.toss"]
}
```
The method obf.a(String key) performed a two-step XOR decryption using a rolling key derived from the application’s package signature. This anti-static analysis technique forced dynamic execution to reveal meaningful strings.
In Q1 2026, a suspicious application named bask.apk was submitted to VirusTotal from a distribution channel masquerading as a "system battery optimizer." Initial antivirus detection was low (3/65). However, manual inspection revealed structural anomalies: a mismatch between the declared package name (com.bask.optimize) and the code signing certificate issued to an unrelated entity. This paper aims to dissect the artifact's inner workings to inform detection engineering and incident response.