APK Malformation: A Rising Threat in Android Malware Evasion Tactics

Severity: Medium (Score: 57.8)

Sources: Infosecurity-Magazine, www.cleafy.com

Summary

APK malformation has become a prevalent anti-analysis technique in Android malware, identified in over 3,000 samples from various families, including Teabot, TrickMo, Godfather, and SpyNote. Attackers exploit the leniency of the Android installation system by creating broken or non-standard APK structures that still install and run on devices but cause static analysis tools to crash or misinterpret the files. The technique manipulates the internal structure of the APK, for example by introducing directory-file name collisions and corrupting the AndroidManifest.xml.

In response to this evolving threat, Cleafy has released Malfixer, an open-source tool designed to detect and repair malformed APKs so that they can be analysed. The release of Malfixer reflects an ongoing arms race between malware developers and security analysts. Previous incidents have shown that malformation techniques can prevent the classification of malware samples, complicating detection efforts. As APK malformation becomes more common, the cybersecurity community is urged to adapt and share new detection methods.

Key Points:

  • APK malformation is identified in over 3,000 Android malware samples.
  • Attackers exploit APK structure inconsistencies to evade detection by analysis tools.
  • Cleafy has released Malfixer, a tool to detect and repair malformed APKs.
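As an added illustration (not part of the original summary and not Cleafy's Malfixer code), a small Python triage check for two of the structural anomalies described above: a ZIP entry name that is used both as a file and as a directory prefix of another entry, and an AndroidManifest.xml that does not begin with the Android binary-XML chunk header. The sample APK is constructed in memory and is not a real malware sample.

```python
import io
import zipfile

# Android binary XML (the compiled AndroidManifest.xml) starts with a
# RES_XML_TYPE chunk: type 0x0003, header size 0x0008, little-endian.
BINARY_XML_MAGIC = b"\x03\x00\x08\x00"


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal APK-shaped ZIP with a name collision.

    "res/values" is written both as a directory prefix (res/values/strings.xml)
    and as a plain file entry, the kind of inconsistency the summary describes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", BINARY_XML_MAGIC + b"\x00" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("res/values/strings.xml", b"<resources/>")
        zf.writestr("res/values", b"junk")  # collides with the directory above
    return buf.getvalue()


def find_name_collisions(apk_bytes: bytes) -> list[str]:
    """Return entry names that are both a file and a directory (by prefix or explicit entry)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    files = {n for n in names if not n.endswith("/")}
    dirs: set[str] = set()
    for n in names:
        if n.endswith("/"):
            dirs.add(n.rstrip("/"))          # explicit directory entry
        parts = n.rstrip("/").split("/")
        for k in range(1, len(parts)):
            dirs.add("/".join(parts[:k]))    # every proper parent path
    return sorted(files & dirs)


def manifest_header_ok(apk_bytes: bytes) -> bool:
    """True if AndroidManifest.xml exists and starts with the binary-XML chunk header."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        try:
            data = zf.read("AndroidManifest.xml")
        except KeyError:
            return False
    return data[:4] == BINARY_XML_MAGIC


if __name__ == "__main__":
    sample = build_sample_apk()
    print("collisions:", find_name_collisions(sample))
    print("manifest header ok:", manifest_header_ok(sample))
```

A real triage pipeline would run these checks before handing a sample to a decompiler such as Jadx, so that a structural anomaly is logged as a finding rather than surfacing as a tool crash.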

Key Entities

  • Malware (attack_type)
  • CWE-22 - Path Traversal (cwe)
  • GodFather (malware)
  • SpyNote (malware)
  • TeaBot (malware)
  • TrickMo (malware)
  • Android (platform)
  • Jadx (tool)
  • Malfixer (tool)