reverse-engineering-android-malware-with-jadx

# Reverse Engineering Android Malware with JADX ## When to Use - A suspicious Android APK has been reported as malicious or flagged by mobile threat detection - Analyzing Android banking trojans, spyware, SMS stealers, or adware samples - Determining what data an app collects, where it sends it, and what permissions it abuses - Extracting C2 server addresses, encryption keys, and configuration data from Android malware - Understanding overlay attack mechanisms used by banking trojans **Do not use** for analyzing obfuscated native (.so) libraries within APKs; use Ghidra or IDA for native ARM binary analysis. ## Prerequisites - JADX 1.5+ installed (download from https://github.com/skylot/jadx/releases) - Android SDK with `aapt2` and `adb` tools for APK inspection - apktool for full APK disassembly including smali code and resources - Python 3.8+ with `androguard` library for automated APK analysis - Frida for dynamic instrumentation (optional, for runtime analysis) - Isolated Android emulator (Genymotion or Android Studio AVD) without Google services ## Workflow ### Step 1: Extract APK Metadata and Permissions Examine the APK structure and AndroidManifest.xml: ```bash # Get APK basic info aapt2 dump badging malware.apk # Extract AndroidManifest.xml apktool d malware.apk -o apk_extracted/ -f # Analyze permissions with androguard python3 << 'PYEOF' from androguard.core.apk import APK apk = APK("malware.apk") print(f"Package: {apk.get_package()}") print(f"App Name:...