Android APK malformation that evades static analysis
Technical Analysis
Summary
Android APK malformation has become a widely used malware evasion technique, affecting more than 3000 samples and undermining static analysis workflows. The tactic keeps malicious apps runnable while causing tools such as JADX to crash or misread package contents. That raises the cost of reverse engineering and increases the need for repair and normalization tooling.
Related Happenings
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Google GTIG analysis of adversary AI use for exploit development and attack orchestration
Technical Analysis
First: 11.05.2026 16:00
Last: 11.05.2026 16:00
Sources 1
About this happening:
**Google Threat Intelligence Group** published findings showing **adversaries using AI** for **exploit development** and **attack orchestration**, signaling that model-assisted tr...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Android RAT campaign using Hugging Face dropper lure
Campaign
First: 16.02.2026 12:24
Last: 16.02.2026 12:24
Sources 1
About this happening:
In recent weeks, a **live Android RAT campaign** has used **Hugging Face** to deliver malicious APKs through a fake-update lure. The operation starts with a dropper app, such as *...
Timeline
16.04.2026 18:45 2 articles · 1mo ago
Cleafy reports APK malformation as an Android malware evasion tactic
Technical Analysis Update
Cleafy's Threat Intelligence and Incident Response team says APK malformation uses broken or non-standard APK structures to keep malicious Android apps installable and runnable while causing static analysis tools such as JADX to crash or misinterpret the file. The technique has been identified in more than 3000 malicious samples across Teabot, TrickMo, Godfather and SpyNote, and the team released Malfixer on GitHub to detect, repair and rebuild malformed APKs for conventional reverse engineering tools.
- APK Malformation Found in Thousands of Android Malware Samples — www.infosecurity-magazine.com — 16.04.2026 18:45