Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

If we unzip the sample and explore the AndroidManifest.xml, we see that the entry point is not found in the code of the sample. This an indication of a packed sample. You can identify the packing technique using droidlysis or APKiD. If we use droidlysis, We can see the it the sample uses DexClassLoader, malware uses JsonPacker packer. So we need to get the decrypted payload of the sample. We will use Frida to get the decrypted payload. We will install the sample on the Android studio as an emulator and by using WSL on my host we will launch Frida to start the malicious APP to get the payload. Then we pull the payload to our host from the emulator. Technical analysis of Hydra Android malware