# Android Malware Analysis

> Analyze suspicious Android APK files using static and dynamic techniques available in REMnux.

## Steps

### Step 1: APK Triage

**Tools:** [[tools/file|file]], [[tools/apkid|apkid]]

Verify the file type and check for packers and obfuscators. APKiD detects known packers (DexGuard, Bangcle), obfuscators, and anti-debug techniques.

```bash
file specimen.apk
apkid specimen.apk
```

### Step 2: Manifest Analysis

**Tools:** [[tools/apktool|apktool]]

Decompile the APK with `apktool d specimen.apk -o output/`. Examine `AndroidManifest.xml` for: excessive permissions, receivers, services, exported components, and intent filters.

```bash
apktool d specimen.apk -o output/
```

### Step 3: Source Code Recovery

**Tools:** [[tools/jadx|jadx]]

Decompile DEX to Java with `jadx -d output/ specimen.apk`. Review the source code for: C2 URLs, crypto operations, SMS interception, data exfiltration, and root checks.

```bash
jadx -d output/ specimen.apk
```

### Step 4: Static Analysis

**Tools:** [[tools/androguard|androguard]], [[tools/droidlysis|droidlysis]]

androguard: analyze APK structure, permissions, and activities. droidlysis: automated static analysis with IOC extraction. Check for: hardcoded keys, URLs, and suspicious API usage.

```bash
androguard analyze specimen.apk
```

### Step 5: Native Library Analysis

**Tools:** [[tools/strings|strings]], [[tools/radare2|radare2]]

If the APK contains `.so` libraries, extract them from the `lib/` directory and analyze them with strings and radare2. Native code often hides C2 logic and crypto.

```bash
# An APK is a ZIP archive; pull out only the native libraries
unzip -o specimen.apk 'lib/*' -d extracted/
# libnative.so is a placeholder: use the library name found under extracted/lib/
strings extracted/lib/arm64-v8a/libnative.so
r2 extracted/lib/arm64-v8a/libnative.so
```

### Step 6: Dynamic Instrumentation

**Tools:** [[tools/frida|frida]]

Hook suspicious functions at runtime with `frida -U -l hook.js`, targeting the sample's package. Intercept: crypto operations, network calls, file access, and SMS operations.

```bash
# -U attaches to a USB-connected device/emulator; -f spawns the app by package name
frida -U -l hook.js -f <package.name>
```

### Step 7: Document Findings

Record: package name, permissions abused, C2 infrastructure, data exfiltrated, persistence mechanism, and targeted user data (SMS, contacts, location).

#android #apk #mobile #frida #jadx #apktool #workflow
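The manifest review in Step 2 and the findings recorded in Step 7 (permissions abused, persistence mechanism) can be partly automated. The script below is an added example, not part of the REMnux workflow above or any of the tools it lists. It assumes the decoded, human-readable `AndroidManifest.xml` that `apktool d` writes to the output directory, and it works on a constructed sample manifest embedded inline; the `HIGH_RISK_PERMISSIONS` set is a defender's starting heuristic, not an authoritative list.

```python
"""Triage a decoded AndroidManifest.xml: permissions, exported components, boot persistence.

Added example for the workflow above. Expects the text manifest produced by
`apktool d`, not the binary AXML inside an unpacked APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Heuristic set (constructed for this example): permissions that commonly back
# SMS interception, surveillance, overlay fraud or persistence in Android malware.
HIGH_RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def android_attr(elem, name):
    """Read an attribute from the android: namespace, e.g. android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def filter_actions(component):
    """Collect every <action android:name=...> declared in the component's intent filters."""
    return {
        android_attr(action, "name")
        for flt in component.findall("intent-filter")
        for action in flt.findall("action")
    }


def triage_manifest(xml_text):
    """Return a findings dict suitable for the analysis report."""
    root = ET.fromstring(xml_text)
    permissions = sorted(android_attr(p, "name") for p in root.findall("uses-permission"))
    findings = {
        "package": root.get("package"),
        "permissions": permissions,
        "risky_permissions": [p for p in permissions if p in HIGH_RISK_PERMISSIONS],
        "exported_components": [],
        "boot_persistence": [],
    }
    app = root.find("application")
    if app is None:
        return findings
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = android_attr(comp, "name")
            exported = android_attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            # Before Android 12, a component with an intent filter and no explicit
            # android:exported attribute was exported by default; flag both forms.
            if exported == "true" or (exported is None and has_filter):
                findings["exported_components"].append((tag, name))
            # A receiver for BOOT_COMPLETED is the classic persistence mechanism.
            if tag == "receiver" and "android.intent.action.BOOT_COMPLETED" in filter_actions(comp):
                findings["boot_persistence"].append(name)
    return findings


# Constructed sample manifest (not from any real APK) in apktool's decoded form.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Bank">
        <activity android:name="com.example.fakebank.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name="com.example.fakebank.SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name="com.example.fakebank.BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name="com.example.fakebank.UploadService" android:exported="false"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    # Usage against a real decode: triage_manifest(open("output/AndroidManifest.xml").read())
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The implicit-export rule matters for triage: an `SMS_RECEIVED` receiver with no `android:exported` attribute is reachable by the system broadcast on older targets, which is exactly how SMS-stealing receivers are wired up, so the script flags it alongside components that are exported explicitly.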