
APK Malformation Found in Thousands of Android Malware Samples: A New Evasion Frontier


APK Malformation: How Attackers Are Bypassing Android Security Checks

When it comes to APK malformation, the numbers are staggering. Researchers from Cleafy’s Threat Intelligence and Incident Response team have identified this evasion technique in over 3,000 malicious Android samples. Families like Teabot, TrickMo, Godfather, and SpyNote are all leveraging broken APK structures to slip past static analysis tools.

At its core, APK malformation is a deliberate act: attackers craft non-standard or corrupted Android Package files that still install and run on devices. The trick lies in the Android installer’s leniency. It tolerates inconsistencies that strict parsers cannot, allowing malicious apps to function normally while frustrating reverse engineering efforts.

How APK Malformation Bypasses Static Analysis

An APK is essentially a ZIP archive containing code, resources, and a manifest. Each file sits behind a Local File Header, and a Central Directory acts as a table of contents. Attackers introduce conflicts between these structures. Tools like JADX crash on the inconsistency, but the Android installer quietly proceeds.

Cleafy’s team catalogued several active techniques:

  • Directory-file name collisions that confuse parsers about which entry to load
  • Unsupported compression methods, which Android treats as uncompressed but which make analysis tools fail
  • False password protection flags placed inconsistently across headers
  • Mismatched checksums, file sizes, and offset references between header structures
  • AndroidManifest.xml corruption through magic header changes, string pool manipulation, and malicious offset injection

Another method abuses the assets/ directory by storing payloads under filenames containing non-ASCII or control characters. This triggers path traversal errors during decompilation, forcing analysts to manually extract and inspect archive contents.
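The header conflicts described above can be checked directly without trusting a lenient parser. The following Python script is an added example written for this article; it is not Cleafy's Malfixer and makes no claim about how that tool works. It reads the Central Directory and each Local File Header with its own struct parsing, then reports the classes of inconsistency listed above: name collisions, unsupported compression methods, an encryption flag present in only one header, and CRC or size fields that disagree between the two structures, plus entry names with non-ASCII or control bytes. The sample archive is a constructed stand-in for an APK, and the patching helper exists only to produce a malformed copy for the demonstration.

```python
"""Added example (not Cleafy's Malfixer): parse a ZIP's Local File Headers and
Central Directory independently and report the inconsistencies that APK
malformation introduces. The sample archive below is constructed for the demo."""
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"            # 30-byte fixed part of a local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"    # 46-byte fixed part of a central directory entry
SUPPORTED_METHODS = {0, 8}             # stored / deflate: what an APK is expected to use
FLAG_ENCRYPTED, FLAG_DATA_DESCRIPTOR = 0x1, 0x8


def read_central_directory(data: bytes) -> list:
    """Walk the central directory (the archive's table of contents)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    entries, pos = [], cd_offset
    for _ in range(total):
        if len(data) < pos + 46 or data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory entry at offset {pos}")
        f = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        entries.append({"name": data[pos + 46:pos + 46 + name_len], "flags": f[3],
                        "method": f[4], "crc": f[7], "csize": f[8], "usize": f[9],
                        "offset": f[16]})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def read_local_header(data: bytes, offset: int) -> dict:
    """Parse the local file header the central directory points at."""
    if len(data) < offset + 30 or data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    f = struct.unpack(LOCAL_FMT, data[offset:offset + 30])
    return {"name": data[offset + 30:offset + 30 + f[9]], "flags": f[2],
            "method": f[3], "crc": f[6], "csize": f[7], "usize": f[8]}


def find_malformations(data: bytes) -> list:
    """Compare every central entry with its local header; return human-readable findings."""
    findings = []
    entries = read_central_directory(data)
    names = [e["name"] for e in entries]
    for e in entries:
        n = e["name"].decode("utf-8", "replace")
        # directory/file name collisions or duplicate entries confuse parsers about which to load
        if names.count(e["name"]) > 1 or e["name"] + b"/" in names or (
                e["name"].endswith(b"/") and e["name"][:-1] in names):
            findings.append(f"{n}: name collides with another entry")
        if any(c < 0x20 or c > 0x7e for c in e["name"]):
            findings.append(f"{n}: non-printable or non-ASCII bytes in entry name")
        if e["method"] not in SUPPORTED_METHODS:
            findings.append(f"{n}: unsupported compression method {e['method']} in central directory")
        try:
            loc = read_local_header(data, e["offset"])
        except ValueError as exc:
            findings.append(f"{n}: {exc}")
            continue
        if loc["method"] not in SUPPORTED_METHODS:
            findings.append(f"{n}: unsupported compression method {loc['method']} in local header")
        if loc["name"] != e["name"]:
            findings.append(f"{n}: local header names {loc['name']!r}")
        if loc["method"] != e["method"]:
            findings.append(f"{n}: compression method {loc['method']} locally vs {e['method']} centrally")
        if (loc["flags"] ^ e["flags"]) & FLAG_ENCRYPTED:
            findings.append(f"{n}: encryption flag set in only one header")
        # with a data descriptor the local sizes/CRC may legitimately be zero, so skip them then
        if not loc["flags"] & FLAG_DATA_DESCRIPTOR:
            for k in ("crc", "csize", "usize"):
                if loc[k] != e[k]:
                    findings.append(f"{n}: {k} {loc[k]} locally vs {e[k]} centrally")
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a stored ZIP with the usual top-level members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")          # placeholder content
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)  # placeholder content
        zf.writestr("assets/config.bin", b"\x00\x01\x02")
    return buf.getvalue()


def patch_local_header(data: bytes, name: str, method=None, flags=None) -> bytes:
    """Demo helper: overwrite fields in one local header, leaving the central directory alone."""
    buf = bytearray(data)
    entry = next(e for e in read_central_directory(data) if e["name"] == name.encode())
    off = entry["offset"]
    if flags is not None:
        struct.pack_into("<H", buf, off + 6, flags)    # general-purpose flags field
    if method is not None:
        struct.pack_into("<H", buf, off + 8, method)   # compression method field
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean archive:", find_malformations(clean) or "no findings")
    bad = patch_local_header(clean, "classes.dex", method=99, flags=FLAG_ENCRYPTED)
    for line in find_malformations(bad):
        print("malformed archive:", line)
```

Run as a script it reports nothing for the clean archive and several findings for the patched copy, whose local header for classes.dex claims an unsupported method and an encryption flag that the Central Directory does not. The same function can be pointed at a real APK by reading the file's bytes; an empty result does not prove the file is well formed (the manifest checks from the list above are not implemented here), but any finding is a strong signal that the sample deserves manual extraction before it reaches a decompiler.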

Defenders Push Back With Open-Source Tooling

In response, Cleafy released Malfixer, a Python utility that detects and repairs malformed APKs. It rebuilds them into a form conventional reverse engineering tools can parse. The project, published on GitHub, was developed after analyzing more than 70 malformed samples from the TrickMo, Teabot, Godfather, and SpyNote families.

This release reflects a wider arms race. Cleafy noted that earlier incidents failed to classify samples later linked to TrickMo precisely because malformation techniques prevented standard static analysis. “As defenders, we must evolve our tools and techniques to counter these evasive tactics,” the researchers wrote, urging the community to contribute new samples and methods.

Practical Implications for Android Security

For security teams, this means that static analysis alone is no longer sufficient. Combining it with dynamic analysis and behavior monitoring is essential. Organizations should also consider integrating tools like Malfixer into their malware analysis pipelines to catch malformed APKs early.

As malware authors refine their techniques, defenders must keep pace. The battle over APK malformation is just one front in a larger war for mobile security. Staying informed and updating toolkits is critical.

For more on Android malware evasion, check out our guide on Android Malware Evasion Techniques and learn about Static Analysis Limitations.
