MalBus Actor Changed Market from Google Play to ONE Store

2020-04-09 McAfee

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malbus-actor-changed-market-from-google-play-to-one-store/


McAfee found a new MalBus Android variant inserted into a South Korean education app distributed through ONE Store, after earlier MalBus activity had used Google Play. The malicious versions loaded an encrypted native payload only after a 10-hour delay, to evade dynamic analysis; they then used libmovie.so as a downloader that decoded embedded URLs, dropped curl, fetched RC4-encrypted ELF payloads from compromised servers, decrypted them, and executed the Libfunc export. The loaded code selected a C2 server, generated an identifier for the target device, and acted as a spy agent awaiting attacker commands. Notable capabilities included communication with the native code over local TCP port 1111 and SMS/MMS capture that could be enabled or disabled by command strings.

Indicators of Compromise

