reverse-engineering-android-malware-with-jadx

What this skill does

# Reverse Engineering Android Malware with JADX

## When to Use

- A suspicious Android APK has been reported as malicious or flagged by mobile threat detection
- Analyzing Android banking trojans, spyware, SMS stealers, or adware samples
- Determining what data an app collects, where it sends it, and what permissions it abuses
- Extracting C2 server addresses, encryption keys, and configuration data from Android malware
- Understanding overlay attack mechanisms used by banking trojans

**Do not use** for analyzing obfuscated native (.so) libraries within APKs; use Ghidra or IDA for native ARM binary analysis.

## Prerequisites

- JADX 1.5+ installed (download from https://github.com/skylot/jadx/releases)
- Android SDK with `aapt2` and `adb` tools for APK inspection
- apktool for full APK disassembly including smali code and resources
- Python 3.8+ with `androguard` library for automated APK analysis
- Frida for dynamic instrumentation (optional, for runtime analysis)
- Isolated Android emulator (Genymotion or Android Studio AVD) without Google services

## Workflow

### Step 1: Extract APK Metadata and Permissions

Examine the APK structure and AndroidManifest.xml:

```bash
# Get APK basic info
aapt2 dump badging malware.apk

# Extract AndroidManifest.xml
apktool d malware.apk -o apk_extracted/ -f

# Analyze permissions with androguard
python3 << 'PYEOF'
from androguard.core.apk import APK

apk = APK("malware.apk")

print(f"Package:    {apk.get_package()}")
print(f"App Name:   {apk.get_app_name()}")
print(f"Version:    {apk.get_androidversion_name()}")
print(f"Min SDK:    {apk.get_min_sdk_version()}")
print(f"Target SDK: {apk.get_target_sdk_version()}")

# Dangerous permissions
dangerous_perms = {
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.SEND_SMS": "Premium SMS fraud",
    "android.permission.READ_CONTACTS": "Contact harvesting",
    "android.permission.READ_CALL_LOG": "Call log theft",
    "android.permission.RECORD_AUDIO": "Audio surveillance",
    "android.permission.CAMERA": "Camera surveillance",
    "android.permission.ACCESS_FINE_LOCATION": "Location tracking",
    "android.permission.READ_PHONE_STATE": "Device fingerprinting",
    "android.permission.SYSTEM_ALERT_WINDOW": "Overlay attacks",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Full device control",
    "android.permission.REQUEST_INSTALL_PACKAGES": "Sideloading apps",
    "android.permission.BIND_DEVICE_ADMIN": "Device admin abuse",
}

print("\nDangerous Permissions:")
for perm in apk.get_permissions():
    if perm in dangerous_perms:
        print(f"  [!] {perm}")
        print(f"      Risk: {dangerous_perms[perm]}")
    elif "android.permission" in perm:
        print(f"  [*] {perm}")

# Components
print("\nActivities:")
for act in apk.get_activities():
    print(f"  {act}")

print("\nServices:")
for svc in apk.get_services():
    print(f"  {svc}")

print("\nReceivers:")
for rcv in apk.get_receivers():
    print(f"  {rcv}")
PYEOF
```

### Step 2: Decompile with JADX

Open the APK in JADX for Java/Kotlin source analysis:

```bash
# Open in JADX GUI
jadx-gui malware.apk

# Command-line decompilation for scripted analysis
jadx -d jadx_output/ malware.apk --show-bad-code

# Decompile with all options
jadx -d jadx_output/ malware.apk \
  --deobf \
  --deobf-min 3 \
  --deobf-max 64 \
  --show-bad-code \
  --threads-count 4

# The output directory structure:
# jadx_output/
#   sources/           <- Decompiled Java source code
#     com/malware/app/
#       MainActivity.java
#       C2Service.java
#       SMSReceiver.java
#   resources/         <- Decoded resources (layouts, strings, assets)
#     AndroidManifest.xml
#     res/
#     assets/
```

### Step 3: Identify Malicious Functionality

Search for suspicious code patterns in decompiled sources:

```bash
# Search for network communication
grep -rn "HttpURLConnection\|OkHttpClient\|Retrofit\|Volley\|URL(" jadx_output/sources/

# Search for SMS operations
grep -rn "SmsManager\|getDefault().sendTextMessage\|SMS_RECEIVED" jadx_output/sources/

# Search for overlay attack code
grep -rn "SYSTEM_ALERT_WINDOW\|TYPE_APPLICATION_OVERLAY\|WindowManager.LayoutParams" jadx_output/sources/

# Search for accessibility service abuse
grep -rn "AccessibilityService\|onAccessibilityEvent\|performAction" jadx_output/sources/

# Search for data exfiltration
grep -rn "getDeviceId\|getSubscriberId\|getSimSerialNumber\|getLine1Number" jadx_output/sources/

# Search for crypto operations (key storage, encryption)
grep -rn "SecretKeySpec\|Cipher.getInstance\|AES\|DES\|RSA" jadx_output/sources/

# Search for dynamic code loading
grep -rn "DexClassLoader\|PathClassLoader\|loadDex\|loadClass" jadx_output/sources/

# Search for obfuscated strings and decryption
grep -rn "Base64.decode\|decrypt\|decipher\|xor" jadx_output/sources/
```

### Step 4: Analyze C2 Communication

Trace the network communication logic:

```python
# Automated C2 extraction from decompiled code
import os
import re

jadx_dir = "jadx_output/sources"

# Patterns for C2 URLs and IPs
url_pattern = re.compile(r'https?://[^\s"\'<>]+')
ip_pattern = re.compile(r'"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"')
base64_pattern = re.compile(r'"([A-Za-z0-9+/]{20,}={0,2})"')

urls = set()
ips = set()
b64_strings = set()

for root, dirs, files in os.walk(jadx_dir):
    for fname in files:
        if fname.endswith('.java'):
            filepath = os.path.join(root, fname)
            with open(filepath, 'r', errors='ignore') as f:
                content = f.read()

            for match in url_pattern.finditer(content):
                urls.add(match.group())
            for match in ip_pattern.finditer(content):
                ips.add(match.group(1))
            for match in base64_pattern.finditer(content):
                b64_strings.add(match.group(1))

print("URLs found:")
for u in urls:
    print(f"  {u}")

print("\nIP addresses:")
for ip in ips:
    print(f"  {ip}")

# Decode Base64 strings
import base64
print("\nDecoded Base64 strings:")
for b64 in b64_strings:
    try:
        decoded = base64.b64decode(b64).decode('utf-8', errors='ignore')
        if any(c.isprintable() for c in decoded) and len(decoded) > 3:
            print(f"  {b64[:30]}... -> {decoded[:100]}")
    except:
        pass
```

### Step 5: Examine Native Libraries

Check for native code that may contain additional malicious logic:

```bash
# List native libraries in the APK
unzip -l malware.apk | grep "\.so$"

# Extract native libraries
unzip malware.apk "lib/*" -d apk_native/

# Check native library properties
file apk_native/lib/armeabi-v7a/*.so
readelf -d apk_native/lib/armeabi-v7a/*.so | grep NEEDED

# Strings from native libraries
strings apk_native/lib/armeabi-v7a/libpayload.so | grep -iE "(http|url|key|encrypt|password)"

# For deep native analysis, import into Ghidra:
# File -> Import -> Select .so file -> Select ARM architecture
```

### Step 6: Document Analysis and Extract IOCs

Compile a comprehensive Android malware analysis report:

```
Analysis documentation should include:
- APK metadata (package name, version, signing certificate)
- Permission analysis with risk assessment
- Component analysis (activities, services, receivers, providers)
- Decompiled code walkthrough of malicious functions
- C2 communication protocol and endpoints
- Data exfiltration methods and targeted data types
- Persistence mechanisms (device admin, accessibility service)
- Evasion techniques (emulator detection, root detection)
- Extracted IOCs (C2 URLs, domains, IPs, signing certificate hash)
```

## Key Concepts

| Term | Definition |
|------|------------|
| **APK (Android Package)** | Android application package format containing compiled DEX bytecode, resources, manifest, and native libraries |
| **DEX Bytecode** | Dalvik Executable format containing compiled Java/Kotlin code; JADX converts this back to readable Java source |
| **Overlay Attac