reverse-engineering-android-malware-with-jadx


Reverse Engineering Android Malware with JADX


When to Use


  • A suspicious Android APK has been reported as malicious or flagged by mobile threat detection
  • Analyzing Android banking trojans, spyware, SMS stealers, or adware samples
  • Determining what data an app collects, where it sends it, and what permissions it abuses
  • Extracting C2 server addresses, encryption keys, and configuration data from Android malware
  • Understanding overlay attack mechanisms used by banking trojans
Do not use for analyzing obfuscated native (.so) libraries within APKs; use Ghidra or IDA for native ARM binary analysis.

Prerequisites


  • JADX 1.5+ installed (download from https://github.com/skylot/jadx/releases)
  • Android SDK with the `aapt2` and `adb` tools for APK inspection
  • apktool for full APK disassembly including smali code and resources
  • Python 3.8+ with the `androguard` library for automated APK analysis
  • Frida for dynamic instrumentation (optional, for runtime analysis)
  • Isolated Android emulator (Genymotion or Android Studio AVD) without Google services

Workflow


Step 1: Extract APK Metadata and Permissions


Examine the APK structure and AndroidManifest.xml:

```bash
# Get APK basic info
aapt2 dump badging malware.apk

# Extract AndroidManifest.xml
apktool d malware.apk -o apk_extracted/ -f

# Analyze permissions with androguard
python3 << 'PYEOF'
from androguard.core.apk import APK

apk = APK("malware.apk")
print(f"Package: {apk.get_package()}")
print(f"App Name: {apk.get_app_name()}")
print(f"Version: {apk.get_androidversion_name()}")
print(f"Min SDK: {apk.get_min_sdk_version()}")
print(f"Target SDK: {apk.get_target_sdk_version()}")

# Dangerous permissions
dangerous_perms = {
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.SEND_SMS": "Premium SMS fraud",
    "android.permission.READ_CONTACTS": "Contact harvesting",
    "android.permission.READ_CALL_LOG": "Call log theft",
    "android.permission.RECORD_AUDIO": "Audio surveillance",
    "android.permission.CAMERA": "Camera surveillance",
    "android.permission.ACCESS_FINE_LOCATION": "Location tracking",
    "android.permission.READ_PHONE_STATE": "Device fingerprinting",
    "android.permission.SYSTEM_ALERT_WINDOW": "Overlay attacks",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Full device control",
    "android.permission.REQUEST_INSTALL_PACKAGES": "Sideloading apps",
    "android.permission.BIND_DEVICE_ADMIN": "Device admin abuse",
}

print("\nDangerous Permissions:")
for perm in apk.get_permissions():
    if perm in dangerous_perms:
        print(f"  [!] {perm}")
        print(f"      Risk: {dangerous_perms[perm]}")
    elif "android.permission" in perm:
        print(f"  [*] {perm}")

# Components
print("\nActivities:")
for act in apk.get_activities():
    print(f"  {act}")

print("\nServices:")
for svc in apk.get_services():
    print(f"  {svc}")

print("\nReceivers:")
for rcv in apk.get_receivers():
    print(f"  {rcv}")
PYEOF
```
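The androguard script above reports what the manifest declares; the added example below (not part of the original page and not androguard's code) performs the same triage on the AndroidManifest.xml that apktool writes to apk_extracted/, using only the standard library, and goes a step further by tying permissions to the components that use them: a receiver registered for SMS_RECEIVED with a high intent-filter priority, a service bound with BIND_ACCESSIBILITY_SERVICE, and a device-admin receiver. The manifest it parses is constructed for this example, not taken from a real sample.

```python
# Added example: triage an apktool-decoded AndroidManifest.xml with the standard library.
import xml.etree.ElementTree as ET

# ElementTree expands the android: prefix to this namespace on every android:* attribute
A = "{http://schemas.android.com/apk/res/android}"

DANGEROUS_PERMS = {
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.SEND_SMS": "Premium SMS fraud",
    "android.permission.SYSTEM_ALERT_WINDOW": "Overlay attacks",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Full device control",
    "android.permission.BIND_DEVICE_ADMIN": "Device admin abuse",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest modelled on apktool output; not from a real APK
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspicious">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="System Update">
        <activity android:name=".MainActivity" android:exported="true"/>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".AccService" android:exported="true"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def full_name(pkg, name):
    """apktool keeps relative component names such as ".SmsReceiver"; expand them."""
    return pkg + name if name.startswith(".") else name


def triage_manifest(xml_text):
    """Return the package name, the dangerous permissions requested, every exported
    component, and the components that indicate SMS interception, accessibility
    abuse or device-admin abuse."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    findings = {"package": pkg, "dangerous_permissions": {}, "exported_components": [],
                "sms_receivers": [], "accessibility_services": [], "device_admin_receivers": []}
    for up in root.iter("uses-permission"):
        name = up.get(A + "name")
        if name in DANGEROUS_PERMS:
            findings["dangerous_permissions"][name] = DANGEROUS_PERMS[name]
    app = root.find("application")
    for comp in ([] if app is None else app):
        raw = comp.get(A + "name")
        if raw is None:
            continue
        name = full_name(pkg, raw)
        actions = {a.get(A + "name") for a in comp.iter("action")}
        bind_perm = comp.get(A + "permission")
        if comp.get(A + "exported") == "true":
            findings["exported_components"].append(name)
        if comp.tag == "receiver" and SMS_RECEIVED in actions:
            # A high priority lets the receiver see an SMS before the default messaging app
            prio = [f.get(A + "priority") for f in comp.iter("intent-filter")]
            findings["sms_receivers"].append({"name": name, "priority": prio[0] if prio else None})
        if comp.tag == "service" and bind_perm == BIND_ACCESSIBILITY:
            findings["accessibility_services"].append(name)
        if comp.tag == "receiver" and bind_perm == BIND_DEVICE_ADMIN:
            findings["device_admin_receivers"].append(name)
    return findings


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

To run it against a real decoded manifest, replace SAMPLE_MANIFEST with the contents of apk_extracted/AndroidManifest.xml; the findings feed straight into the permission and component sections of the report in Step 6.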

Step 2: Decompile with JADX


Open the APK in JADX for Java/Kotlin source analysis:

```bash
# Open in JADX GUI
jadx-gui malware.apk

# Command-line decompilation for scripted analysis
jadx -d jadx_output/ malware.apk --show-bad-code

# Decompile with all options
jadx -d jadx_output/ malware.apk \
    --deobf \
    --deobf-min 3 \
    --deobf-max 64 \
    --show-bad-code \
    --threads-count 4
```

The output directory structure:

```
jadx_output/
├── sources/                <- Decompiled Java source code
│   └── com/malware/app/
│       ├── MainActivity.java
│       ├── C2Service.java
│       └── SMSReceiver.java
└── resources/              <- Decoded resources (layouts, strings, assets)
    ├── AndroidManifest.xml
    ├── res/
    └── assets/
```

Step 3: Identify Malicious Functionality


Search for suspicious code patterns in decompiled sources. The patterns use `|` alternation, so grep needs `-E` (without it, basic grep treats `|` and `(` literally and the searches silently match nothing):

```bash
# Search for network communication
grep -rnE "HttpURLConnection|OkHttpClient|Retrofit|Volley|URL\(" jadx_output/sources/

# Search for SMS operations
grep -rnE "SmsManager|getDefault\(\)\.sendTextMessage|SMS_RECEIVED" jadx_output/sources/

# Search for overlay attack code
grep -rnE "SYSTEM_ALERT_WINDOW|TYPE_APPLICATION_OVERLAY|WindowManager\.LayoutParams" jadx_output/sources/

# Search for accessibility service abuse
grep -rnE "AccessibilityService|onAccessibilityEvent|performAction" jadx_output/sources/

# Search for data exfiltration
grep -rnE "getDeviceId|getSubscriberId|getSimSerialNumber|getLine1Number" jadx_output/sources/

# Search for crypto operations (key storage, encryption)
grep -rnE "SecretKeySpec|Cipher\.getInstance|AES|DES|RSA" jadx_output/sources/

# Search for dynamic code loading
grep -rnE "DexClassLoader|PathClassLoader|loadDex|loadClass" jadx_output/sources/

# Search for obfuscated strings and decryption
grep -rnE "Base64\.decode|decrypt|decipher|xor" jadx_output/sources/
```

Step 4: Analyze C2 Communication


Trace the network communication logic:

```python
# Automated C2 extraction from decompiled code
import base64
import os
import re

jadx_dir = "jadx_output/sources"

# Patterns for C2 URLs and IPs (dots in the IP pattern are escaped so that
# any four dotted numbers, and only those, match)
url_pattern = re.compile(r'https?://[^\s"\'<>]+')
ip_pattern = re.compile(r'"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"')
base64_pattern = re.compile(r'"([A-Za-z0-9+/]{20,}={0,2})"')

urls = set()
ips = set()
b64_strings = set()

for root, dirs, files in os.walk(jadx_dir):
    for fname in files:
        if fname.endswith('.java'):
            filepath = os.path.join(root, fname)
            with open(filepath, 'r', errors='ignore') as f:
                content = f.read()
            for match in url_pattern.finditer(content):
                urls.add(match.group())
            for match in ip_pattern.finditer(content):
                ips.add(match.group(1))
            for match in base64_pattern.finditer(content):
                b64_strings.add(match.group(1))

print("URLs found:")
for u in urls:
    print(f"  {u}")

print("\nIP addresses:")
for ip in ips:
    print(f"  {ip}")

# Decode Base64 strings, keeping only candidates that decode to printable text
print("\nDecoded Base64 strings:")
for b64 in b64_strings:
    try:
        decoded = base64.b64decode(b64).decode('utf-8', errors='ignore')
        if len(decoded) > 3 and all(c.isprintable() for c in decoded):
            print(f"  {b64[:30]}... -> {decoded[:100]}")
    except Exception:
        pass
```
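The script above walks the jadx output tree and prints what it finds. The added example below (not part of the original page) applies the same three patterns to a string of decompiled Java so it runs offline, and adds the checks a practitioner wants before an IOC reaches a report: every dotted-quad is validated octet by octet so version-like strings are dropped, Base64 candidates are decoded with strict validation and kept only when they decode to printable text, the decoded text is rescanned because malware configs often wrap the real C2 URL in Base64, and the results are defanged into the hxxps://host[.]tld form used in the Output Format section. The Java fragment and all hostnames in it are constructed for this example.

```python
# Added example: validated, defanged IOC extraction from decompiled Java text.
import base64
import binascii
import re

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
IP_RE = re.compile(r'"((?:\d{1,3}\.){3}\d{1,3})"')      # escaped dots: only real dotted quads
B64_RE = re.compile(r'"([A-Za-z0-9+/]{20,}={0,2})"')

# Constructed decompiled class (not a real sample); CFG is a Base64-wrapped URL
CFG_B64 = base64.b64encode(b"https://c2-example.invalid/api/injects").decode()
SAMPLE_JAVA = f'''
public class C2Service {{
    private static final String API = "https://c2-example.invalid/api/bot";
    private static final String FALLBACK_IP = "203.0.113.42";
    private static final String PLACEHOLDER = "999.999.999.999";
    private static final String CFG = "{CFG_B64}";
    private static final String BLOB = "AAAAAAAAAAAAAAAAAAAAAAAAAAAA";
}}
'''


def is_valid_ipv4(text):
    """True only if every dotted octet is 0..255; filters version-like strings."""
    return all(0 <= int(o) <= 255 for o in text.split("."))


def decode_b64(candidate):
    """Decode a Base64 candidate; return the text only if it is fully printable."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="ignore")
    # all() rather than any(): a run of NUL bytes has no printable characters at all
    if len(text) > 3 and all(c.isprintable() for c in text):
        return text
    return None


def defang(ioc):
    """hxxps://host[.]tld/path: scheme neutralised, dots replaced in the host only."""
    m = re.match(r"(https?://)([^/]+)(.*)", ioc)
    if m:
        return m.group(1).replace("http", "hxxp") + m.group(2).replace(".", "[.]") + m.group(3)
    return ioc.replace(".", "[.]")


def extract_iocs(java_text):
    """Collect URLs and valid IPv4 addresses, including those hidden in Base64 strings."""
    urls = set(URL_RE.findall(java_text))
    ips = {ip for ip in IP_RE.findall(java_text) if is_valid_ipv4(ip)}
    decoded = []
    for b64 in B64_RE.findall(java_text):
        text = decode_b64(b64)
        if text is None:
            continue
        decoded.append(text)
        urls.update(URL_RE.findall(text))                       # second pass over decoded config
        ips.update(ip for ip in IP_RE.findall(f'"{text}"') if is_valid_ipv4(ip))
    return {
        "urls": sorted(urls),
        "ips": sorted(ips),
        "decoded_strings": decoded,
        "defanged_urls": [defang(u) for u in sorted(urls)],
        "defanged_ips": [defang(i) for i in sorted(ips)],
    }


if __name__ == "__main__":
    for key, values in extract_iocs(SAMPLE_JAVA).items():
        print(key)
        for v in values:
            print(f"  {v}")
```

On real output, read each .java file under jadx_output/sources/ and pass its contents to extract_iocs; the defanged lists drop directly into the EXTRACTED IOCs section of the report.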

Step 5: Examine Native Libraries


Check for native code that may contain additional malicious logic:

```bash
# List native libraries in the APK
unzip -l malware.apk | grep "\.so$"

# Extract native libraries
unzip malware.apk "lib/*" -d apk_native/

# Check native library properties
file apk_native/lib/armeabi-v7a/*.so
readelf -d apk_native/lib/armeabi-v7a/*.so | grep NEEDED

# Strings from native libraries
strings apk_native/lib/armeabi-v7a/libpayload.so | grep -iE "(http|url|key|encrypt|password)"
```

For deep native analysis, import into Ghidra:

File -> Import -> Select .so file -> Select ARM architecture
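The shell commands above rely on `file`, `readelf` and `strings`. The added example below (not from the page or from any of those tools) does the equivalent inventory in Python straight from the zip container, so it works on an analysis host without binutils: it reads each ELF header to report word size and machine type (which tells you whether to pick 32-bit ARM or AArch64 when importing into Ghidra), checks that the architecture matches the `lib/<abi>/` directory the file sits in, flags entries under `lib/` that are not ELF images at all (an encrypted payload stored with a .so name, a case the `file` command also exposes), and pulls the keyword-matching strings the `strings | grep` line looks for. The APK and the ELF headers it inspects are constructed in memory for this example.

```python
# Added example: inventory lib/*.so entries of an APK from the ELF headers.
import io
import re
import struct
import zipfile

# e_machine values from the ELF specification
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86_64", 0xB7: "AArch64"}
# Architecture each APK ABI directory is supposed to contain
ABI_EXPECTED = {"armeabi-v7a": "ARM", "arm64-v8a": "AArch64", "x86": "x86", "x86_64": "x86_64"}
KEYWORDS = re.compile(rb"http|url|key|encrypt|password", re.IGNORECASE)


def fake_elf(machine, ei_class, payload=b""):
    """Minimal little-endian ELF header (16-byte e_ident, e_type=ET_DYN, e_machine) plus payload.
    Constructed test data, not a real library."""
    e_ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0, 0]) + b"\x00" * 7
    return e_ident + struct.pack("<HH", 3, machine) + payload


def build_sample_apk():
    """Constructed APK: two ELF libraries and one non-ELF blob stored under lib/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("lib/armeabi-v7a/libpayload.so",
                    fake_elf(0x28, 1, b"\x00http://c2-example.invalid/config\x00build_id_1234\x00"))
        zf.writestr("lib/arm64-v8a/libpayload.so", fake_elf(0xB7, 2, b"\x00aes_key_v2\x00"))
        zf.writestr("lib/armeabi-v7a/libblob.so", b"\x8a\x13encrypted-stage2\x00")
    return buf.getvalue()


def parse_elf_header(data):
    """Return (bits, machine name) or None when the bytes are not an ELF image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])
    endian = "<" if data[5] == 1 else ">"
    e_machine = struct.unpack_from(endian + "H", data, 18)[0]
    return bits, ELF_MACHINES.get(e_machine, hex(e_machine))


def extract_strings(data, min_len=4):
    """Printable ASCII runs, like the strings(1) utility."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def interesting_strings(data):
    return [s for s in extract_strings(data) if KEYWORDS.search(s.encode())]


def inventory_native_libs(apk_bytes):
    """One record per lib/<abi>/*.so entry: ELF architecture, ABI consistency, keyword strings."""
    records = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(name)
            abi = name.split("/")[1]
            hdr = parse_elf_header(data)
            rec = {"path": name, "abi": abi, "size": len(data), "is_elf": hdr is not None,
                   "bits": None, "machine": None, "abi_matches": False, "strings": []}
            if hdr:
                rec["bits"], rec["machine"] = hdr
                rec["abi_matches"] = ABI_EXPECTED.get(abi) == rec["machine"]
                rec["strings"] = interesting_strings(data)
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in inventory_native_libs(build_sample_apk()):
        note = "" if rec["is_elf"] else "  <- not an ELF image; treat as a packed/encrypted blob"
        print(f"{rec['path']}: elf={rec['is_elf']} arch={rec['machine']} bits={rec['bits']} "
              f"abi_ok={rec['abi_matches']} strings={rec['strings']}{note}")
```

To use it on a real sample, pass the bytes of malware.apk to inventory_native_libs instead of build_sample_apk(); a non-ELF entry under lib/ is worth opening as a data blob rather than sending to Ghidra.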

Step 6: Document Analysis and Extract IOCs


Compile a comprehensive Android malware analysis report:
Analysis documentation should include:
- APK metadata (package name, version, signing certificate)
- Permission analysis with risk assessment
- Component analysis (activities, services, receivers, providers)
- Decompiled code walkthrough of malicious functions
- C2 communication protocol and endpoints
- Data exfiltration methods and targeted data types
- Persistence mechanisms (device admin, accessibility service)
- Evasion techniques (emulator detection, root detection)
- Extracted IOCs (C2 URLs, domains, IPs, signing certificate hash)

Key Concepts


| Term | Definition |
|------|------------|
| APK (Android Package) | Android application package format containing compiled DEX bytecode, resources, manifest, and native libraries |
| DEX Bytecode | Dalvik Executable format containing compiled Java/Kotlin code; JADX converts this back to readable Java source |
| Overlay Attack | Banking trojan technique displaying a fake UI layer over a legitimate banking app to steal credentials using the SYSTEM_ALERT_WINDOW permission |
| Accessibility Service Abuse | Malware registering as an accessibility service to capture screen content, perform actions, and prevent uninstallation |
| Smali | Human-readable representation of DEX bytecode; intermediate representation between bytecode and Java used by apktool |
| Dynamic Code Loading | Loading additional DEX code at runtime using DexClassLoader to hide malicious functionality from static analysis |
| Device Admin Abuse | Malware requesting device administrator privileges to prevent uninstallation and perform device wipe threats |

Tools & Systems


  • JADX: Open-source DEX to Java decompiler providing GUI and CLI for Android APK analysis with deobfuscation support
  • apktool: Tool for reverse engineering Android APK files to smali code and decoded resources
  • androguard: Python framework for automated Android APK analysis including permission, component, and code analysis
  • Frida: Dynamic instrumentation toolkit for hooking Java methods and native functions at runtime on Android
  • MobSF (Mobile Security Framework): Automated mobile application security testing framework for static and dynamic analysis

Common Scenarios


Scenario: Analyzing an Android Banking Trojan


Context: A banking trojan APK is distributed via SMS phishing targeting customers of a specific bank. The sample needs analysis to identify targeted banks, C2 infrastructure, and data theft mechanisms.
Approach:
  1. Extract APK metadata and identify requested permissions (SMS, accessibility, overlay, device admin)
  2. Decompile with JADX and search for overlay activity classes that mimic banking app UIs
  3. Identify the list of targeted banking apps by searching for package name lists in the code
  4. Trace the SMS interception receiver to understand how 2FA codes are stolen
  5. Follow the C2 communication code to extract server URLs and command protocol
  6. Check for web injection configuration files in assets/ directory
  7. Extract all IOCs and document the complete attack chain
Pitfalls:
  • Not deobfuscating class and method names before analysis (use JADX --deobf flag)
  • Missing dynamically loaded DEX files downloaded after installation
  • Ignoring native .so libraries that may contain the actual C2 logic or encryption routines
  • Overlooking assets/ directory which may contain encrypted configuration or web injects

Output Format


```
ANDROID MALWARE ANALYSIS REPORT
==================================
APK File:         update_bank.apk
Package:          com.android.systemupdate
SHA-256:          e3b0c44298fc1c149afbf4c8996fb924...
Version:          1.2.3
Min SDK:          21 (Android 5.0)
Signing Cert:     SHA-256: abc123... (self-signed)

CLASSIFICATION
Family:           Anubis Banking Trojan
Type:             Banking Trojan / SMS Stealer / Keylogger

DANGEROUS PERMISSIONS
[!] RECEIVE_SMS          - Intercepts incoming SMS (2FA theft)
[!] READ_SMS             - Reads SMS messages
[!] SEND_SMS             - Sends premium SMS
[!] SYSTEM_ALERT_WINDOW  - Overlay attacks on banking apps
[!] BIND_ACCESSIBILITY   - Full device control
[!] BIND_DEVICE_ADMIN    - Prevents uninstallation

MALICIOUS COMPONENTS
Service:    com.android.systemupdate.C2Service (C2 communication)
Receiver:   com.android.systemupdate.SmsReceiver (SMS interception)
Activity:   com.android.systemupdate.OverlayActivity (credential overlay)

TARGETED APPS (23 banking apps)
com.bank.example1, com.bank.example2, ...

C2 INFRASTRUCTURE
Primary:    hxxps://c2-server[.]com/api/bot
Fallback:   hxxps://backup-c2[.]net/api/bot
Protocol:   HTTPS POST with JSON body
Bot ID:     MD5(IMEI + Build.SERIAL)

EXTRACTED IOCs
Domains:    c2-server[.]com, backup-c2[.]net
IPs:        185.220.101[.]42
URLs:       hxxps://c2-server[.]com/api/bot
            hxxps://c2-server[.]com/api/injects
Cert Hash:  abc123def456...
```