Conditional execution (malicious behavior only triggers for non-organic installs)
Abuse of mobile marketing attribution SDKs to detect installation source
Steganography (delivering malicious APK fragments hidden within PNG images)
Hidden WebViews to navigate to threat actor-owned cashout sites
Use of Firebase Remote Config for encrypted C2 communication
Deployment of 'FatModule' malicious payloads
Use of AI-themed lure applications (e.g., StableDiffusion, ChatGLM clones)