
Evasion via APK malformation observed across major Android malware families

1 unique source, 1 article

Summary


A widespread evasion technique involving deliberate APK malformation has been documented in more than 3,000 malicious Android samples spanning families such as Teabot, TrickMo, Godfather, and SpyNote. The technique manipulates APK structure (e.g., Local File Header vs Central Directory inconsistencies) to break static analysis pipelines while remaining installable and functional on Android devices. Static analysis tools including JADX crash or misinterpret malformed APKs, whereas the native Android installer tolerates inconsistencies, enabling malware to evade detection and complicate reverse engineering efforts.

Timeline

  1. 16.04.2026 18:45 · 1 article

    APK malformation technique documented across thousands of Android malware samples

    The APK malformation technique has been identified in over 3,000 malicious samples spanning Teabot, TrickMo, Godfather, and SpyNote. It leverages inconsistencies between an APK's ZIP Local File Headers and its Central Directory to crash or mislead static analysis tools, while Android's installer processes the package normally. Several tactics, including malformed compression flags, checksum mismatches, and non-ASCII path obfuscation, are combined to evade automated detection and complicate reverse engineering workflows.


Information Snippets

  • Over 3,000 malicious APK samples across Teabot, TrickMo, Godfather, and SpyNote families exhibit intentional APK malformation to frustrate static analysis.

    First reported: 16.04.2026 18:45
    1 source, 1 article
  • Malformation tactics exploit inconsistencies between APK Local File Headers and the Central Directory, causing static analysis tools (e.g., JADX) to crash or misparse the package.

    First reported: 16.04.2026 18:45
    1 source, 1 article
  • Android’s installer tolerates malformed APKs (e.g., mismatched checksums, invalid compression flags, directory-file collisions) while still allowing installation and execution.

    First reported: 16.04.2026 18:45
    1 source, 1 article
  • Specific malformation techniques include: directory-file name collisions, unsupported compression methods, inconsistent password flags, mismatched checksums/offsets, APK manifest corruption, and payload obfuscation via non-ASCII or control characters in the assets directory.

    First reported: 16.04.2026 18:45
    1 source, 1 article
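The Local File Header / Central Directory inconsistencies listed in the snippets above can be checked directly from the ZIP container, without running any decompiler. The script below is an added example, not code from the report or from any of the tools or malware families it names: it parses both ZIP structures, flags the mismatch classes described above (unsupported or differing compression methods, an encryption flag present in only one header, CRC and size mismatches, non-ASCII or control bytes in entry names, file names that collide with a directory prefix), and exercises itself on a constructed in-memory ZIP that stands in for an APK. The entry names, the compression method value 0x63 and the tampering helper are assumptions for illustration; the header layouts follow the ZIP specification.

```python
"""Compare ZIP Local File Headers (LFH) with the Central Directory (CD) of an APK.

Added example, not from the original report. The sample archive and the
tampering step are constructed here; header layouts follow the ZIP spec.
"""
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"
CD_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LFH_FMT = "<4sHHHHHIIIHH"        # 30-byte fixed part of a Local File Header
CD_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte fixed part of a Central Directory record
SUPPORTED_METHODS = {0, 8}       # stored and deflate: what an Android package needs


def central_directory(data):
    """Yield one dict per CD record (the view most static tools trust)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no End Of Central Directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        (sig, _vm, _vn, flags, method, _t, _d, crc, csize, usize,
         nlen, xlen, clen, _disk, _ia, _ea, lfh_off) = struct.unpack_from(CD_FMT, data, pos)
        if sig != CD_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        yield dict(name=data[pos + 46:pos + 46 + nlen], flags=flags, method=method,
                   crc=crc, csize=csize, usize=usize, lfh_off=lfh_off)
        pos += 46 + nlen + xlen + clen


def local_header(data, off):
    """Parse the LFH at `off` (the view an extractor actually reads the data from)."""
    (sig, _vn, flags, method, _t, _d, crc, csize, usize,
     nlen, xlen) = struct.unpack_from(LFH_FMT, data, off)
    if sig != LFH_SIG:
        raise ValueError(f"bad local header signature at {off:#x}")
    return dict(flags=flags, method=method, crc=crc, csize=csize, usize=usize,
                name=data[off + 30:off + 30 + nlen])


def find_inconsistencies(data):
    """Return (entry name, finding) pairs for every LFH/CD disagreement found."""
    findings = []
    entries = list(central_directory(data))
    names = {e["name"] for e in entries}
    for e in entries:
        n = e["name"].decode("utf-8", "replace")
        try:
            lfh = local_header(data, e["lfh_off"])
        except (ValueError, struct.error) as exc:
            findings.append((n, f"local header unreadable: {exc}"))
            continue
        if lfh["name"] != e["name"]:
            findings.append((n, "name differs between LFH and CD"))
        if lfh["method"] != e["method"]:
            findings.append((n, f"method LFH={lfh['method']} CD={e['method']}"))
        for where, m in (("LFH", lfh["method"]), ("CD", e["method"])):
            if m not in SUPPORTED_METHODS:
                findings.append((n, f"unsupported compression method {m} in {where}"))
        if (lfh["flags"] ^ e["flags"]) & 1:
            findings.append((n, "encryption flag set in only one of LFH/CD"))
        if not lfh["flags"] & 8:  # bit 3: CRC/sizes deferred to a data descriptor
            if lfh["crc"] != e["crc"]:
                findings.append((n, f"CRC LFH={lfh['crc']:#010x} CD={e['crc']:#010x}"))
            if (lfh["csize"], lfh["usize"]) != (e["csize"], e["usize"]):
                findings.append((n, "sizes differ between LFH and CD"))
        if any(b < 0x20 or b > 0x7E for b in e["name"]):
            findings.append((n, "non-ASCII or control characters in entry name"))
        if not e["name"].endswith(b"/") and any(o.startswith(e["name"] + b"/") for o in names):
            findings.append((n, "file name collides with a directory prefix"))
    return findings


def build_sample_apk():
    """Constructed, benign stand-in for an APK: a ZIP with the usual entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>" * 8)
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        z.writestr("assets/config", b"plain")                  # a file ...
        z.writestr("assets/config/payload.bin", b"\xde\xad")   # ... under a same-named directory
        z.writestr("assets/\u200bloader", b"hidden")           # zero-width space in the path
    return buf.getvalue()


def patch_local_header(data, name, method=None, flags=None, crc=None):
    """Rewrite LFH fields of `name` while leaving the Central Directory untouched."""
    for e in central_directory(data):
        if e["name"] == name.encode():
            off, buf = e["lfh_off"], bytearray(data)
            if flags is not None:
                struct.pack_into("<H", buf, off + 6, flags)
            if method is not None:
                struct.pack_into("<H", buf, off + 8, method)
            if crc is not None:
                struct.pack_into("<I", buf, off + 14, crc)
            return bytes(buf)
    raise KeyError(name)


def demo():
    """Findings for the clean sample and for a copy with tampered local headers."""
    apk = build_sample_apk()
    bad = patch_local_header(apk, "classes.dex", method=0x63)  # hypothetical unsupported method
    bad = patch_local_header(bad, "AndroidManifest.xml", flags=0x0001, crc=0)
    return find_inconsistencies(apk), find_inconsistencies(bad)


if __name__ == "__main__":
    for name, msg in demo()[1]:
        print(f"{name}: {msg}")
```

Run stand-alone it prints the findings for the tampered sample; on a real APK, read the file bytes and pass them to `find_inconsistencies`. The two checks that fire even on the untampered sample (the file/directory name collision and the non-ASCII path) are the ones a hostile but unpatched archive can carry, so treat them as triage signals rather than proof of tampering. Note also that Python's `zipfile`, like many static tools, takes the compression method from the Central Directory, so a local header rewritten this way goes unnoticed there; comparing both structures is what closes that gap.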