The APK was protected by StringFog — every string literal replaced with an encrypted hex payload decoded at runtime — requiring a Python port of the custom LCG cipher to bulk-decrypt the entire source tree and find the flag.