============================================================
  Android Malware Analysis
============================================================

  Analyze suspicious Android APK files using static and dynamic techniques available in REMnux.

────────────────────────────────────────────────────────────

  Step 1: APK Triage
  Tools: file, apkid
  Verify the file type first: an APK is a ZIP container, so
  file should report a Zip archive / Android package, not a
  PE or ELF. Then run APKiD to check for packers and
  protectors (e.g. Bangcle, DexGuard), obfuscators,
  anti-debug and anti-emulator checks, and the compiler that
  produced the DEX (a dexlib-built DEX usually means the app
  was repackaged).

    $ file specimen.apk
    $ apkid specimen.apk

  Step 2: Manifest Analysis
  Tools: apktool
  Decode the APK: apktool d <apk> -o output/. apktool turns
  the binary AndroidManifest.xml into readable XML. Examine
  it for: excessive permissions (SMS, contacts, accessibility,
  device admin), receivers for BOOT_COMPLETED or SMS_RECEIVED,
  services, exported components, intent filters.

    $ apktool d <app.apk> -o output/

  Step 3: Source Code Recovery
  Tools: jadx
  Decompile DEX to Java: jadx <apk> -d output/. Review the
  source for: C2 URLs, crypto operations, SMS interception,
  data exfiltration, root and emulator checks. Single-letter
  class names (a.b.c) indicate ProGuard/R8-style obfuscation;
  the jadx --deobf option assigns stable names so
  cross-references stay readable.

    $ jadx <app.apk> -d output/

  Step 4: Static Analysis
  Tools: androguard, droidlysis
  androguard analyze <apk> opens an interactive session with
  the APK, DEX and analysis objects loaded; use it to walk
  permissions, activities and call graphs. droidlysis:
  automated static analysis with IOC extraction. Check for:
  hardcoded keys, URLs, suspicious API usage.

    $ androguard analyze <app.apk>

  Step 5: Native Library Analysis
  Tools: strings, radare2
  If the APK contains .so libraries, extract them from the
  lib/<abi>/ directories (unzip <apk> 'lib/*'). Analyze with
  strings and radare2; look for JNI_OnLoad and exported
  Java_<package>_<Class>_<method> symbols to map native
  functions back to their Java callers. Native code often
  hides C2 logic and crypto.

    $ strings -n 8 lib/arm64-v8a/<lib>.so
    $ r2 -A lib/arm64-v8a/<lib>.so

  Step 6: Dynamic Instrumentation
  Tools: frida
  Requires frida-server on a rooted device or emulator (-U
  selects the USB/ADB device). Attach with frida -U -l
  hook.js <package>, or spawn with frida -U -f <package> -l
  hook.js so hooks are in place before the app's init code
  runs; C2 resolution and key setup often happen there.
  Intercept: crypto operations, network calls, file access,
  SMS operations.

    $ frida -U -l hook.js <package>

  Step 7: Document Findings
  Record: package name, permissions abused, C2
  infrastructure, data exfiltrated, persistence
  mechanism, targeted user data (SMS, contacts,
  location).

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
