APK Malformation Found in Thousands of Android Malware Samples

By Team-CWD, April 17, 2026
Android Package (APK) malformation has emerged as a standard Android malware evasion tactic, with the technique identified in more than 3000 malicious samples across families including Teabot, TrickMo, Godfather and SpyNote.

According to new research from Cleafy’s Threat Intelligence and Incident Response team, the APK malformation involves the deliberate creation of broken or non-standard APK structures that still install and run on devices but cause static analysis tools to crash or misinterpret the file.

The researchers said attackers are exploiting the leniency of the Android installer, which tolerates inconsistencies that strict parsers cannot, allowing malicious apps to function normally while frustrating reverse engineering efforts.

How APK Malformation Bypasses Static Analysis

An APK is essentially a ZIP archive containing the code, resources and manifest required to run an Android app.

Each file inside the archive sits behind a Local File Header, and a Central Directory near the end of the package acts as a table of contents. Attackers introduce conflicts between those two structures. Tools such as JADX crash on the inconsistency, while the Android installer quietly proceeds with the app.

In their analysis, the researchers cataloged several techniques currently in active use:

  • Directory-file name collisions that confuse parsers about which entry to load

  • Unsupported compression methods that Android safely treats as uncompressed, but cause analysis tools to fail

  • False password protection flags placed inconsistently across headers

  • Mismatched checksums, file sizes and offset references between header structures

  • AndroidManifest.xml corruption through magic header changes, string pool manipulation and malicious offset injection


Another method abuses the assets/ directory by storing payloads under filenames containing non-ASCII or control characters, which triggers path traversal errors during decompilation. The researchers said this forces analysts to extract and inspect the archive contents manually.
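As an added illustration of the header conflicts described above (this is example code, not part of the article or of Cleafy's Malfixer), the following Python checker parses an APK's Central Directory by hand and cross-checks each entry against its Local File Header for the listed inconsistencies: directory/file name collisions, unsupported compression methods, an encryption flag set in only one header, and mismatched CRCs, sizes or offsets. It builds its own constructed sample archive and tampers with one Local File Header; the field layouts follow the ZIP specification, and the assumption that a well-formed APK only uses the stored and deflate methods is mine.

```python
import io, struct, zipfile

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
APK_METHODS = {0, 8}  # assumption: a well-formed APK only uses stored (0) or deflate (8)

def central_directory(data):
    """Parse the Central Directory into entry dicts (assumes a single-disk, non-ZIP64 archive)."""
    eocd = data.rfind(EOCD_SIG)
    assert eocd >= 0, "no End of Central Directory record"
    _, _, _, n_total, _, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_off
    for _ in range(n_total):
        assert data[pos:pos + 4] == CDH_SIG, f"Central Directory header missing at offset {pos}"
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)  # fixed 46-byte header, APPNOTE 4.3.12
        entries.append(dict(name=bytes(data[pos + 46:pos + 46 + f[9]]), flags=f[2], method=f[3],
                            crc=f[6], csize=f[7], usize=f[8], lfh_off=f[15]))
        pos += 46 + f[9] + f[10] + f[11]  # header + name + extra + comment
    return entries

def find_malformations(data):
    """Cross-check each Central Directory entry against its Local File Header; return findings."""
    findings, seen = [], set()
    for e in central_directory(data):
        name, off, key = e["name"].decode("utf-8", "replace"), e["lfh_off"], e["name"].rstrip(b"/")
        if key in seen:  # e.g. both "assets" and "assets/" present
            findings.append(f"{name}: directory/file name collision")
        seen.add(key)
        if data[off:off + 4] != LFH_SIG:
            findings.append(f"{name}: Central Directory offset does not point at a Local File Header")
            continue
        l = struct.unpack_from("<HHHHHIIIHH", data, off + 4)  # ver, flags, method, time, date, crc, csize, usize, nlen, xlen
        if l[2] not in APK_METHODS or e["method"] not in APK_METHODS:
            findings.append(f"{name}: unsupported compression method (local {l[2]}, central {e['method']})")
        if (l[1] ^ e["flags"]) & 1:
            findings.append(f"{name}: encryption flag set in only one header")
        if not l[1] & 8 and (l[5], l[6], l[7]) != (e["crc"], e["csize"], e["usize"]):
            findings.append(f"{name}: CRC or size mismatch between headers")  # bit 3: sizes live in a data descriptor
    return findings

def build_sample(tamper=True):  # constructed input: a tiny stored APK-like ZIP, optionally tampered
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    data = bytearray(buf.getvalue())
    if tamper:
        off = next(e["lfh_off"] for e in central_directory(data) if e["name"] == b"classes.dex")
        struct.pack_into("<H", data, off + 6, 1)   # LFH flags: claim encryption in this header only
        struct.pack_into("<H", data, off + 8, 12)  # LFH method: 12 (bzip2), which no APK should use
    return bytes(data)
```

Running `find_malformations(build_sample())` reports the two injected inconsistencies for classes.dex, while the untampered archive (`build_sample(tamper=False)`) yields no findings.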

Defenders Push Back With Open-Source Tooling

In response, the Cleafy team has released Malfixer, a Python utility that detects and repairs malformed APKs and rebuilds them into a form conventional reverse engineering tools can parse.

The project, published on GitHub, was developed after the analysis of more than 70 malformed samples drawn primarily from the TrickMo, Teabot, Godfather and SpyNote families.

The release reflects a wider arms race between Android malware developers and analysts. Cleafy noted that earlier incidents had failed to classify samples later linked to TrickMo precisely because malformation techniques prevented standard static analysis from processing the file.

“As defenders, we must evolve our tools and techniques to counter these evasive tactics,” the researchers wrote, urging the community to contribute new samples and malformation methods as they emerge in the wild.
