To further ensure the longevity of their adware, the developers employed obfuscation techniques. Firstly, the apps did not run automatically upon download, as this would require additional permissions that might raise suspicion. Instead, they remained dormant until activated by the user.
Additionally, after the “uninstall” process, the apps entered a dormant state for several hours. Following this period, they would register two “intents” that would trigger the app to launch upon device reboot or unlocking. However, these intents also remained dormant for the initial two days.
