Netmirror exposed - The Free Movie App That Was Robbing You Blind
Came across this really interesting analysis of a pirated Android movie streaming APK called NetMirror and honestly didn’t expect it to go this deep.
At first glance the app looked completely normal:
clean UI, React Native based, movies streamed properly.
But the analysis found:
- emulator/sandbox detection for Genymotion, Nox, BlueStacks, VirtualBox, etc.
- Base64-encoded infrastructure domains hidden inside the Hermes JS bundle
- staged permission handling for SMS and call log access
- WebView credential interception hooks
- native libraries containing the same tracking infrastructure references
The most interesting part was how it bypassed automated analysis.
Hybrid Analysis apparently marked it as “safe” because most of the suspicious logic wasn’t in the Java layer scanners usually inspect — it was hidden inside the React Native Hermes bundle and native libraries.
Pretty solid example of how modern Android malware is starting to exploit analysis blind spots in cross-platform frameworks.
Worth the read:
https://medium.com/@Espress0/the-free-movie-app-that-was-robbing-you-blind-eeefe9c5e65c
greatly broken down and presented