Pulse: Arid Viper Poisons Android Apps With AridSpy
TLP: WHITE | Adversary: AridViper | Author: dylanroth7 | Created: 2024-06-13 | Modified: 2025-04-07
IOCs: 13 (medium volume)
The malicious functionality responsible for downloading a payload is implemented in the “apputils” subpackage inserted into the legitimate messaging apps. After initializing, the malware checks the device against a hard-coded list of security software and uses the result to decide whether or not to fetch the first-stage payload from the C&C server. The first-stage payload is similar to the trojanized application: it is responsible for downloading the second-stage payload, which is then dynamically loaded and executed. The second-stage payload is a Dalvik executable in which the malicious functionality is implemented; it is driven by the first-stage payload, which loads it whenever necessary. AridSpy can also deactivate itself (as the code itself labels it) by switching the exfiltration C&C server used for data upload to a dummy, hard-coded androidd[.]com domain (a currently registered typosquat).
Indicators of Compromise (13)
TYPE      INDICATOR                   CREATED
domain    almoshell.website           2024-06-13
domain    alwaysgoodidea.com          2024-06-13
domain    analyticsandroid.com        2024-06-13
domain    crashstoreplayer.website    2024-06-13
domain    elsilvercloud.com           2024-06-13
domain    gameservicesplay.com        2024-06-13
domain    lapizachat.com              2024-06-13
domain    nortirchats.com             2024-06-13
domain    orientflags.com             2024-06-13
domain    reblychat.com               2024-06-13
domain    ultraversion.com            2024-06-13
hostname  www.lapizachat.com          2024-06-13
hostname  www.palcivilreg.com         2024-06-13
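The indicators above are all DNS names, so the most direct way to put the pulse to work is to sweep resolver logs for them. The script below is an added example, not part of the OTX pulse or of the underlying ESET research: it loads the domain and hostname IOCs from the table, refangs defanged input of the kind used in the description (androidd[.]com), matches hostname IOCs exactly and domain IOCs including any subdomain, and runs that over a handful of dnsmasq-style query lines that are constructed here for illustration. Adapt `parse` to whatever your resolver actually logs.

```python
"""Sweep DNS resolver logs for the AridSpy domain/hostname indicators.

Added example (not the pulse's own tooling). The log format and the sample
lines in SAMPLE_LOG are constructed; the IOC values come from the pulse table.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators exactly as listed in the pulse's IOC table.
PULSE_DOMAINS = {
    "almoshell.website", "alwaysgoodidea.com", "analyticsandroid.com",
    "crashstoreplayer.website", "elsilvercloud.com", "gameservicesplay.com",
    "lapizachat.com", "nortirchats.com", "orientflags.com", "reblychat.com",
    "ultraversion.com",
}
PULSE_HOSTNAMES = {"www.lapizachat.com", "www.palcivilreg.com"}

# Constructed dnsmasq-style query lines; only "query[...] NAME from CLIENT"
# lines are examined, reply lines are ignored.
LOG_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)")


def refang(name: str) -> str:
    """Normalize a name: lowercase, strip the trailing root dot, undo the
    common '[.]' / '(.)' defanging used when sharing indicators."""
    n = name.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return n.rstrip(".")


def match_indicator(qname: str) -> Optional[str]:
    """Return the IOC a queried name matches, or None.

    Hostname IOCs match exactly. Domain IOCs match the domain itself and any
    subdomain of it, by walking the label suffixes, so a look-alike such as
    'notalmoshell.website' does NOT match (substring matching would)."""
    n = refang(qname)
    if n in PULSE_HOSTNAMES:
        return n
    labels = n.split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in PULSE_DOMAINS:
            return suffix
    return None


@dataclass(frozen=True)
class Hit:
    client: str
    qname: str
    ioc: str


def parse(line: str):
    """Extract (qname, client) from a constructed dnsmasq-style query line."""
    m = LOG_RE.search(line)
    return (m.group("qname"), m.group("client")) if m else None


def scan_dns_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per query line whose name matches a pulse indicator."""
    hits = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        qname, client = parsed
        ioc = match_indicator(qname)
        if ioc:
            hits.append(Hit(client, refang(qname), ioc))
    return hits


# Constructed sample log: two true positives by subdomain/case-folding, one
# exact hostname hit, one look-alike that must not match, and a reply line.
SAMPLE_LOG = [
    "Jun 13 10:01:02 dnsmasq[1234]: query[A] www.lapizachat.com from 10.0.0.5",
    "Jun 13 10:01:03 dnsmasq[1234]: query[A] cdn.reblychat.com. from 10.0.0.7",
    "Jun 13 10:01:04 dnsmasq[1234]: query[A] example.org from 10.0.0.5",
    "Jun 13 10:01:05 dnsmasq[1234]: query[A] notalmoshell.website from 10.0.0.9",
    "Jun 13 10:01:06 dnsmasq[1234]: reply example.org is 93.184.216.34",
    "Jun 13 10:01:07 dnsmasq[1234]: query[AAAA] AnalyticsAndroid.COM from 10.0.0.5",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.client} queried {hit.qname} -> matches IOC {hit.ioc}")
```

Suffix-walking rather than substring matching is the point worth keeping when you port this to a SIEM query: `notalmoshell.website` shares a suffix string with `almoshell.website` but is a different registrable domain, and the deactivation domain mentioned in the description is deliberately not in the IOC set, since the pulse lists it as a dummy rather than as infrastructure.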