tobias e62a14dafc Add markdown wiki with 473 pages and zk browser
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00


Android Malware Analysis

Analyze suspicious Android APK files using static and dynamic techniques available in REMnux.

Steps

Step 1: APK Triage

Tools: tools/file, tools/apkid

Verify file type and check for packers/obfuscators. APKiD detects: known packers (DexGuard, Bangcle), obfuscators, anti-debug techniques.

file <app.apk>
apkid <app.apk>

Step 2: Manifest Analysis

Tools: tools/apktool

Decode the APK: apktool d <app.apk> -o output/. Examine AndroidManifest.xml for: excessive permissions, receivers, services, exported components, intent filters.

apktool d <app.apk> -o output/

Step 3: Source Code Recovery

Tools: tools/jadx

Decompile DEX to Java: jadx <app.apk> -d output/. Review source code for: C2 URLs, crypto operations, SMS interception, data exfiltration, root checks.

jadx <app.apk> -d output/

Step 4: Static Analysis

Tools: tools/androguard, tools/droidlysis

androguard: analyze APK structure, permissions, activities. droidlysis: automated static analysis with IOC extraction. Check for: hardcoded keys, URLs, suspicious API usage.

androguard analyze <app.apk>

Step 5: Native Library Analysis

Tools: tools/strings, tools/radare2

If APK contains .so libraries: extract from lib/ directory. Analyze with strings and radare2. Native code often hides C2 logic and crypto.

strings <libnative.so>
r2 <libnative.so>

Step 6: Dynamic Instrumentation

Tools: tools/frida

Hook suspicious functions at runtime: frida -U -l hook.js <process_name>. Intercept: crypto operations, network calls, file access, SMS operations.

frida -U -l hook.js <process_name>

Step 7: Document Findings

Record: package name, permissions abused, C2 infrastructure, data exfiltrated, persistence mechanism, targeted user data (SMS, contacts, location).
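The manifest review in Step 2 can be scripted once apktool has decoded the APK. This is an added example, not part of the wiki or of any REMnux tool: it parses a decoded AndroidManifest.xml with the standard library and reports the sensitive permissions, exported components and listened-for intent actions that Step 7 asks you to record. The manifest string and the permission list are constructed for the example.

```python
# Added example, not from the wiki: parse a decoded AndroidManifest.xml (output
# of `apktool d`) for Step 2 indicators: permissions, exported components, actions.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace

# Permissions that commonly back SMS interception, data theft or persistence.
SENSITIVE = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Constructed sample manifest; not taken from any real APK.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"/>
    <activity android:name=".MainActivity" android:exported="false"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the findings to record: package, permissions, exported parts."""
    root = ET.fromstring(xml_text)
    perms = [p.get(A + "name") for p in root.iter("uses-permission")]
    exported = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            has_filter = comp.find("intent-filter") is not None
            flag = comp.get(A + "exported")
            # Reachable from other apps when exported="true", or when the
            # attribute is absent but an intent filter exists (pre-API-31 default).
            if flag == "true" or (flag is None and has_filter):
                exported.append((tag, comp.get(A + "name"), has_filter))
    return {
        "package": root.get("package"),
        "sensitive_permissions": sorted(p for p in perms if p in SENSITIVE),
        "exported_components": exported,
        "actions": [a.get(A + "name") for a in root.iter("action")],
    }
```

Point it at output/AndroidManifest.xml from Step 2 by reading the file into `triage_manifest`; a high-priority SMS_RECEIVED receiver combined with RECEIVE_SMS is the classic interception pattern to note.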

#android #apk #mobile #frida #jadx #apktool #workflow