| name | reverse-engineering-android-malware-with-jadx |
| description | Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify malicious functionality including data theft, C2 communication, privilege escalation, and overlay attacks. Examines manifest permissions, receivers, services, and native libraries. Activates for requests involving Android malware analysis, APK reverse engineering, mobile malware investigation, or Android threat analysis.
|
| domain | cybersecurity |
| subdomain | malware-analysis |
| tags | ["malware","Android","reverse-engineering","JADX","mobile-malware"] |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["DE.AE-02","RS.AN-03","ID.RA-01","DE.CM-01"] |
| mitre_attack | ["T1027","T1055","T1140","T1497","T1068"] |
Reverse Engineering Android Malware with JADX
When to Use
- A suspicious Android APK has been reported as malicious or flagged by mobile threat detection
- Analyzing Android banking trojans, spyware, SMS stealers, or adware samples
- Determining what data an app collects, where it sends it, and what permissions it abuses
- Extracting C2 server addresses, encryption keys, and configuration data from Android malware
- Understanding overlay attack mechanisms used by banking trojans
Do not use for analyzing obfuscated native (.so) libraries within APKs; use Ghidra or IDA for native ARM binary analysis.
Prerequisites
- JADX 1.5+ installed (download from https://github.com/skylot/jadx/releases)
- Android SDK with
aapt2 and adb tools for APK inspection
- apktool for full APK disassembly including smali code and resources
- Python 3.8+ with
androguard library for automated APK analysis
- Frida for dynamic instrumentation (optional, for runtime analysis)
- Isolated Android emulator (Genymotion or Android Studio AVD) without Google services
Workflow
Step 1: Extract APK Metadata and Permissions
Examine the APK structure and AndroidManifest.xml:
aapt2 dump badging malware.apk
apktool d malware.apk -o apk_extracted/ -f
python3 << 'PYEOF'
from androguard.core.apk import APK
apk = APK("malware.apk")
print(f"Package: {apk.get_package()}")
print(f"App Name: {apk.get_app_name()}")
print(f"Version: {apk.get_androidversion_name()}")
print(f"Min SDK: {apk.get_min_sdk_version()}")
print(f"Target SDK: {apk.get_target_sdk_version()}")
dangerous_perms = {
"android.permission.READ_SMS": "SMS theft",
"android.permission.RECEIVE_SMS": "SMS interception",
"android.permission.SEND_SMS": "Premium SMS fraud",
"android.permission.READ_CONTACTS": "Contact harvesting",
"android.permission.READ_CALL_LOG": "Call log theft",
"android.permission.RECORD_AUDIO": "Audio surveillance",
"android.permission.CAMERA": "Camera surveillance",
"android.permission.ACCESS_FINE_LOCATION": "Location tracking",
"android.permission.READ_PHONE_STATE": "Device fingerprinting",
"android.permission.SYSTEM_ALERT_WINDOW": "Overlay attacks",
"android.permission.BIND_ACCESSIBILITY_SERVICE": "Full device control",
"android.permission.REQUEST_INSTALL_PACKAGES": "Sideloading apps",
"android.permission.BIND_DEVICE_ADMIN": "Device admin abuse",
}
print("\nDangerous Permissions:")
for perm in apk.get_permissions():
if perm in dangerous_perms:
print(f" [!] {perm}")
print(f" Risk: {dangerous_perms[perm]}")
elif "android.permission" in perm:
print(f" [*] {perm}")
print("\nActivities:")
for act in apk.get_activities():
print(f" {act}")
print("\nServices:")
for svc in apk.get_services():
print(f" {svc}")
print("\nReceivers:")
for rcv in apk.get_receivers():
print(f" {rcv}")
PYEOF
Step 2: Decompile with JADX
Open the APK in JADX for Java/Kotlin source analysis:
jadx-gui malware.apk
jadx -d jadx_output/ malware.apk --show-bad-code
jadx -d jadx_output/ malware.apk \
--deobf \
--deobf-min 3 \
--deobf-max 64 \
--show-bad-code \
--threads-count 4
Step 3: Identify Malicious Functionality
Search for suspicious code patterns in decompiled sources:
grep -rn "HttpURLConnection\|OkHttpClient\|Retrofit\|Volley\|URL(" jadx_output/sources/
grep -rn "SmsManager\|getDefault().sendTextMessage\|SMS_RECEIVED" jadx_output/sources/
grep -rn "SYSTEM_ALERT_WINDOW\|TYPE_APPLICATION_OVERLAY\|WindowManager.LayoutParams" jadx_output/sources/
grep -rn "AccessibilityService\|onAccessibilityEvent\|performAction" jadx_output/sources/
grep -rn "getDeviceId\|getSubscriberId\|getSimSerialNumber\|getLine1Number" jadx_output/sources/
grep -rn "SecretKeySpec\|Cipher.getInstance\|AES\|DES\|RSA" jadx_output/sources/
grep -rn "DexClassLoader\|PathClassLoader\|loadDex\|loadClass" jadx_output/sources/
grep -rn "Base64.decode\|decrypt\|decipher\|xor" jadx_output/sources/
Step 4: Analyze C2 Communication
Trace the network communication logic:
import os
import re
jadx_dir = "jadx_output/sources"
url_pattern = re.compile(r'https?://[^\s"\'<>]+')
ip_pattern = re.compile(r'"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"')
base64_pattern = re.compile(r'"([A-Za-z0-9+/]{20,}={0,2})"')
urls = set()
ips = set()
b64_strings = set()
for root, dirs, files in os.walk(jadx_dir):
for fname in files:
if fname.endswith('.java'):
filepath = os.path.join(root, fname)
with open(filepath, 'r', errors='ignore') as f:
content = f.read()
for match in url_pattern.finditer(content):
urls.add(match.group())
for match in ip_pattern.finditer(content):
ips.add(match.group(1))
for match in base64_pattern.finditer(content):
b64_strings.add(match.group(1))
print("URLs found:")
for u in urls:
print(f" {u}")
print("\nIP addresses:")
for ip in ips:
print(f" {ip}")
import base64
print("\nDecoded Base64 strings:")
for b64 in b64_strings:
try:
decoded = base64.b64decode(b64).decode('utf-8', errors='ignore')
if any(c.isprintable() for c in decoded) and len(decoded) > 3:
print(f" {b64[:30]}... -> {decoded[:100]}")
except:
pass
Step 5: Examine Native Libraries
Check for native code that may contain additional malicious logic:
unzip -l malware.apk | grep "\.so$"
unzip malware.apk "lib/*" -d apk_native/
file apk_native/lib/armeabi-v7a/*.so
readelf -d apk_native/lib/armeabi-v7a/*.so | grep NEEDED
strings apk_native/lib/armeabi-v7a/libpayload.so | grep -iE "(http|url|key|encrypt|password)"
Step 6: Document Analysis and Extract IOCs
Compile a comprehensive Android malware analysis report:
Analysis documentation should include:
- APK metadata (package name, version, signing certificate)
- Permission analysis with risk assessment
- Component analysis (activities, services, receivers, providers)
- Decompiled code walkthrough of malicious functions
- C2 communication protocol and endpoints
- Data exfiltration methods and targeted data types
- Persistence mechanisms (device admin, accessibility service)
- Evasion techniques (emulator detection, root detection)
- Extracted IOCs (C2 URLs, domains, IPs, signing certificate hash)
Key Concepts
| Term | Definition |
|---|
| APK (Android Package) | Android application package format containing compiled DEX bytecode, resources, manifest, and native libraries |
| DEX Bytecode | Dalvik Executable format containing compiled Java/Kotlin code; JADX converts this back to readable Java source |
| Overlay Attack | Banking trojan technique displaying a fake UI layer over a legitimate banking app to steal credentials using SYSTEM_ALERT_WINDOW permission |
| Accessibility Service Abuse | Malware registering as an accessibility service to capture screen content, perform actions, and prevent uninstallation |
| Smali | Human-readable representation of DEX bytecode; intermediate representation between bytecode and Java used by apktool |
| Dynamic Code Loading | Loading additional DEX code at runtime using DexClassLoader to hide malicious functionality from static analysis |
| Device Admin Abuse | Malware requesting device administrator privileges to prevent uninstallation and perform device wipe threats |
Tools & Systems
- JADX: Open-source DEX to Java decompiler providing GUI and CLI for Android APK analysis with deobfuscation support
- apktool: Tool for reverse engineering Android APK files to smali code and decoded resources
- androguard: Python framework for automated Android APK analysis including permission, component, and code analysis
- Frida: Dynamic instrumentation toolkit for hooking Java methods and native functions at runtime on Android
- MobSF (Mobile Security Framework): Automated mobile application security testing framework for static and dynamic analysis
Common Scenarios
Scenario: Analyzing an Android Banking Trojan
Context: A banking trojan APK is distributed via SMS phishing targeting customers of a specific bank. The sample needs analysis to identify targeted banks, C2 infrastructure, and data theft mechanisms.
Approach:
- Extract APK metadata and identify requested permissions (SMS, accessibility, overlay, device admin)
- Decompile with JADX and search for overlay activity classes that mimic banking app UIs
- Identify the list of targeted banking apps by searching for package name lists in the code
- Trace the SMS interception receiver to understand how 2FA codes are stolen
- Follow the C2 communication code to extract server URLs and command protocol
- Check for web injection configuration files in assets/ directory
- Extract all IOCs and document the complete attack chain
Pitfalls:
- Not deobfuscating class and method names before analysis (use JADX --deobf flag)
- Missing dynamically loaded DEX files downloaded after installation
- Ignoring native .so libraries that may contain the actual C2 logic or encryption routines
- Overlooking assets/ directory which may contain encrypted configuration or web injects
Output Format
ANDROID MALWARE ANALYSIS REPORT
==================================
APK File: update_bank.apk
Package: com.android.systemupdate
SHA-256: e3b0c44298fc1c149afbf4c8996fb924...
Version: 1.2.3
Min SDK: 21 (Android 5.0)
Signing Cert: SHA-256: abc123... (self-signed)
CLASSIFICATION
Family: Anubis Banking Trojan
Type: Banking Trojan / SMS Stealer / Keylogger
DANGEROUS PERMISSIONS
[!] RECEIVE_SMS - Intercepts incoming SMS (2FA theft)
[!] READ_SMS - Reads SMS messages
[!] SEND_SMS - Sends premium SMS
[!] SYSTEM_ALERT_WINDOW - Overlay attacks on banking apps
[!] BIND_ACCESSIBILITY - Full device control
[!] BIND_DEVICE_ADMIN - Prevents uninstallation
MALICIOUS COMPONENTS
Service: com.android.systemupdate.C2Service (C2 communication)
Receiver: com.android.systemupdate.SmsReceiver (SMS interception)
Activity: com.android.systemupdate.OverlayActivity (credential overlay)
TARGETED APPS (23 banking apps)
com.bank.example1, com.bank.example2, ...
C2 INFRASTRUCTURE
Primary: hxxps://c2-server[.]com/api/bot
Fallback: hxxps://backup-c2[.]net/api/bot
Protocol: HTTPS POST with JSON body
Bot ID: MD5(IMEI + Build.SERIAL)
EXTRACTED IOCs
Domains: c2-server[.]com, backup-c2[.]net
IPs: 185.220.101[.]42
URLs: hxxps://c2-server[.]com/api/bot
hxxps://c2-server[.]com/api/injects
Cert Hash: abc123def456...
