Operator On The Wire

APK

DFIR tool for Android: ALEAPP

JADX-GUI: Dex to Java decompiler

| Finding | Severity | How to Detect |
| --- | --- | --- |
| Excessive permissions | High | Check AndroidManifest.xml for dangerous perms |
| Accessibility service abuse | Critical | Look for BIND_ACCESSIBILITY_SERVICE + service in manifest |
| Device admin usage | Critical | Check for DEVICE_ADMIN_ENABLED receiver |
| Obfuscated package/class names | High | Random strings in package/classes (jadx) |
| Hardcoded URLs / IPs | Critical | strings / grep / jadx search |
| Dynamic code loading | Critical | Look for DexClassLoader, loadDex |
| SMS / Call / Contacts access | High | Permissions + API usage in code |
| Boot persistence | High | RECEIVE_BOOT_COMPLETED + BroadcastReceiver |
| Overlay / screen capture | Critical | SYSTEM_ALERT_WINDOW, MediaProjection APIs |

Suspicious Patterns:

  • Random package names (com.asd.qwe.zxc)
  • Large permission set (SMS, mic, contacts, location)
  • Accessibility + Device Admin combo
  • RECEIVE_BOOT_COMPLETED
  • SYSTEM_ALERT_WINDOW
  • REQUEST_INSTALL_PACKAGES
  • Obfuscated class names
  • Embedded .dex / .so
  • Base64 / encrypted blobs
  • Fake app labels/icons

Identify

file sample.apk

Enumerate

unzip -l sample.apk

Look for:

  • AndroidManifest.xml
  • classes.dex
  • assets/
  • lib/

Extract Safely

7z x sample.apk -oapk_out

Decode

apktool d sample.apk
jadx -d jadx_out sample.apk

Manifest Analysis

cat sample/AndroidManifest.xml   # decoded by apktool (default output dir); the copy in apk_out/ is binary XML

Check:

| Artifact | What to Look For |
| --- | --- |
| Permissions | Dangerous perms (READ_SMS, RECORD_AUDIO) |
| Services | Background services |
| Receivers | Boot persistence |
| Accessibility | BIND_ACCESSIBILITY_SERVICE |
| Device Admin | DEVICE_ADMIN_ENABLED |
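The manifest checks from the finding table and the artifact table above, put into one script. This is an added example, not code from the original page: the AndroidManifest.xml it writes is constructed for the demo (a decoded manifest as apktool would emit it, with the random package name, accessibility service, device-admin receiver and boot receiver the page describes); the DANGEROUS_PERMS list extends the page's READ_SMS / RECORD_AUDIO examples with the other permissions it flags, and the "every segment after the first is three characters or fewer" test for random package names is an assumed heuristic, not something the page defines.

```shell
#!/bin/sh
# Added example: triage a decoded AndroidManifest.xml for the findings above.
# The manifest below is constructed for this demo; on a real case point the
# functions at the manifest apktool produced (sample/AndroidManifest.xml).
MANIFEST_DIR="$(mktemp -d)"
trap 'rm -rf "$MANIFEST_DIR"' EXIT
cat > "$MANIFEST_DIR/AndroidManifest.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.asd.qwe.zxc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="System Update">
        <service android:name=".a.b" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
        </service>
        <receiver android:name=".c.d" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
        </receiver>
        <receiver android:name=".e.f">
            <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
        </receiver>
    </application>
</manifest>
EOF

# Assumed triage list: the page's READ_SMS / RECORD_AUDIO examples plus the
# other permissions it flags. Adjust to your own policy.
DANGEROUS_PERMS="READ_SMS SEND_SMS RECEIVE_SMS READ_CONTACTS READ_CALL_LOG RECORD_AUDIO \
ACCESS_FINE_LOCATION SYSTEM_ALERT_WINDOW REQUEST_INSTALL_PACKAGES RECEIVE_BOOT_COMPLETED"

# Print each dangerous permission the manifest declares, one per line.
dangerous_perms() {
    for p in $DANGEROUS_PERMS; do
        grep -q "android\.permission\.$p\"" "$1" && echo "$p"
    done
    return 0
}

# Assumed heuristic for random package names like com.asd.qwe.zxc: every
# segment after the first is at most three characters. Prints yes or no.
package_looks_random() {
    pkg=$(sed -n 's/.*package="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    for seg in $(echo "${pkg#*.}" | tr '.' ' '); do
        [ ${#seg} -gt 3 ] && { echo "no"; return 0; }
    done
    echo "yes"
}

# One line per finding, prefixed with the severity the page assigns to it.
manifest_findings() {
    m="$1"
    grep -q 'BIND_ACCESSIBILITY_SERVICE' "$m" && grep -q '<service' "$m" \
        && echo "CRITICAL accessibility-service"
    grep -q 'DEVICE_ADMIN_ENABLED' "$m" && echo "CRITICAL device-admin-receiver"
    grep -q 'SYSTEM_ALERT_WINDOW' "$m" && echo "CRITICAL overlay-permission"
    grep -q 'BOOT_COMPLETED' "$m" && echo "HIGH boot-persistence"
    n=$(dangerous_perms "$m" | wc -l | tr -d ' ')
    [ "$n" -ge 3 ] && echo "HIGH excessive-permissions($n)"
    [ "$(package_looks_random "$m")" = "yes" ] && echo "HIGH random-package-name"
    return 0
}

# Stand-alone usage: sh manifest_triage.sh sample/AndroidManifest.xml
manifest_findings "${1:-$MANIFEST_DIR/AndroidManifest.xml}"
```

The findings are plain greps on the decoded text, which is why the manifest must come from apktool and not from the 7z extraction: the raw AndroidManifest.xml inside the APK is Android binary XML and none of these patterns appear in it as readable strings.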

Hunt

strings sample.apk | grep -Ei "http|https|tcp|udp"   # contents are usually compressed; repeat on apk_out/classes.dex and lib/*/*.so
grep -R "http" jadx_out/
grep -Ri "base64" jadx_out/   # -i: the Android API is android.util.Base64, capital B

Code Analysis (jadx)

Look for:

| Pattern | Indicator |
| --- | --- |
| Networking | HttpURLConnection, OkHttp |
| C2 | Hardcoded domains/IPs |
| Obfuscation | meaningless variable names |
| Dynamic loading | DexClassLoader |
| Commands | Runtime.exec() |

Persistence

| Method | Detection |
| --- | --- |
| Boot receiver | RECEIVE_BOOT_COMPLETED |
| Accessibility | service declared |
| JobScheduler | JobService |
| AlarmManager | scheduled tasks |
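The Hunt greps, the jadx pattern table and the code-level persistence methods above, combined into one scan over a jadx output tree. This is an added example, not code from the original page or from jadx: the two "decompiled" Java sources it writes are constructed for the demo (the hardcoded addresses are RFC 5737 documentation ranges, not real infrastructure), the tag names and regexes are this script's own, and the "class name of one or two characters" count is an assumed obfuscation heuristic.

```shell
#!/bin/sh
# Added example: scan a jadx -d jadx_out tree for hardcoded network indicators
# and the code patterns from the tables above. The sources below are constructed
# for this demo; on a real case pass the jadx_out/ directory as $1.
SRC_DIR="$(mktemp -d)"
trap 'rm -rf "$SRC_DIR"' EXIT
mkdir -p "$SRC_DIR/sources/com/asd/qwe/zxc"
cat > "$SRC_DIR/sources/com/asd/qwe/zxc/MainActivity.java" <<'EOF'
package com.asd.qwe.zxc;
public class MainActivity extends android.app.Activity {
    protected void onCreate(android.os.Bundle b) { super.onCreate(b); }
}
EOF
cat > "$SRC_DIR/sources/com/asd/qwe/zxc/a.java" <<'EOF'
package com.asd.qwe.zxc;
public class a {
    /* constructed values: RFC 5737 documentation addresses, not real infrastructure */
    static final String b = "http://192.0.2.10/gate.php";
    static final String c = "198.51.100.7:4444";
    void d(android.content.Context e) throws Exception {
        java.net.HttpURLConnection f = (java.net.HttpURLConnection) new java.net.URL(b).openConnection();
        new dalvik.system.DexClassLoader("/sdcard/p.jar", e.getCodeCacheDir().getPath(), null, e.getClassLoader());
        Runtime.getRuntime().exec("getprop ro.build.version.release");
        byte[] g = android.util.Base64.decode(c, 0);
    }
}
EOF

# Hardcoded URLs and IPv4 literals anywhere under the tree, deduplicated.
hunt_indicators() {
    grep -RhoE 'https?://[A-Za-z0-9._/:-]+|[0-9]{1,3}(\.[0-9]{1,3}){3}' "$1" | sort -u
}

# has_pattern DIR TAG REGEX: print TAG when REGEX occurs under DIR; never fails.
has_pattern() {
    grep -RqE "$3" "$1" && echo "$2"
    return 0
}

# The jadx-table indicators plus the code-level persistence methods.
code_patterns() {
    has_pattern "$1" "networking"        'HttpURLConnection|OkHttpClient|okhttp3'
    has_pattern "$1" "dynamic-loading"   'DexClassLoader|PathClassLoader|loadDex'
    has_pattern "$1" "commands"          'Runtime\.getRuntime\(\)\.exec|ProcessBuilder'
    has_pattern "$1" "base64-blob"       'Base64\.(decode|encodeToString)'
    has_pattern "$1" "sms-access"        'SmsManager|content://sms'
    has_pattern "$1" "scheduled-persist" 'JobService|AlarmManager|WorkManager'
}

# Assumed heuristic: classes named with one or two characters, the usual
# footprint of ProGuard/R8 renaming. Prints the count.
short_class_names() {
    find "$1" \( -name '?.java' -o -name '??.java' \) | wc -l | tr -d ' '
}

# Stand-alone usage: sh jadx_scan.sh jadx_out/
report() {
    echo "== indicators ==";  hunt_indicators "$1"
    echo "== patterns ==";    code_patterns "$1"
    echo "== short class names: $(short_class_names "$1")"
}
report "${1:-$SRC_DIR}"
```

The pattern tags are deliberately coarse: a hit on "networking" or "base64-blob" alone is normal for any app, and the page's point is the combination (random package name, DexClassLoader pulling from /sdcard, Runtime.exec, and a hardcoded address all in one class), so read the report as a whole rather than alerting on single tags.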

Storage

| Location | Use |
| --- | --- |
| /data/data/<pkg>/ | internal storage (configs, DBs) |
| /data/media/0/Android/data/<pkg>/ | external storage |
| /sdcard/ | payload staging |

Summary

APK = ZIP + DEX
Analyze:

  1. Manifest (permissions + components)
  2. Code (jadx)
  3. Strings (C2, payloads)
  4. Storage (files, DBs)