The cybersecurity landscape for mobile devices has reached a critical juncture as threat actors increasingly adopt sophisticated structural manipulation techniques to bypass automated security screenings. Recent findings from the Cleafy Threat Intelligence and Incident Response team have illuminated a burgeoning trend in the Android ecosystem: the use of malformed Android Package (APK) files. This technique, which involves the deliberate engineering of broken or non-standard file structures, has been identified in more than 3,000 malicious samples. These samples are tied to some of the most prolific mobile malware families currently in operation, including Teabot, TrickMo, Godfather, and SpyNote. By exploiting the discrepancies between how security analysis tools and the Android operating system process file data, attackers are successfully shielding their code from detection while maintaining full functionality on victim devices.

The Mechanics of APK Malformation and Structural Exploitation

To understand the efficacy of APK malformation, one must first understand the anatomy of an Android application. An APK is essentially a specialized ZIP archive that contains the application’s compiled code (DEX files), resources, assets, and the crucial AndroidManifest.xml file. In a standard ZIP structure, every individual file is preceded by a Local File Header (LFH). Toward the end of the archive, a Central Directory (CD) serves as a comprehensive table of contents, providing the offsets and metadata required for a parser to locate and extract the files.

The core of the malformation tactic lies in the introduction of intentional conflicts between the Local File Header and the Central Directory. While the ZIP specification is relatively rigid, the Android OS installer—designed for speed and compatibility across a vast range of hardware—is remarkably lenient. It often prioritizes certain headers over others or ignores minor inconsistencies to ensure that legitimate, albeit slightly "bruised," applications can still be installed.

In contrast, static analysis tools such as JADX, Apktool, and various automated sandboxes are built on strict parsing logic. When these tools encounter a discrepancy—such as a file size mismatch between the LFH and the CD, or an invalid entry in the table of contents—they typically fail to process the file. In many cases, the tool will crash or produce an error message, leading a security researcher or an automated system to conclude that the file is corrupted and therefore non-functional. However, the Android Runtime (ART) and the package installer service are programmed to bypass these errors, allowing the malicious payload to execute without hindrance once it reaches the user’s handset.

Cataloging the Evasion Tactics

Researchers have identified several distinct methods of malformation that are currently being utilized by threat actors to frustrate reverse engineering efforts. One of the most prevalent methods involves the manipulation of the "assets" directory. Attackers store malicious payloads under filenames that contain non-ASCII characters or specific control characters. These characters often trigger path traversal errors or buffer overflows in decompilation tools. When an analyst attempts to view the file tree, the tool may display a distorted version of the directory or fail to extract the payload entirely, forcing a time-consuming manual extraction process.

Another common technique involves the modification of the End of Central Directory (EOCD) record. By providing false information about the number of entries in the archive or the size of the central directory, attackers can "hide" certain files from parsers that rely on the EOCD for navigation. If a security scanner cannot see the DEX file containing the malicious logic because it is looking at a malformed table of contents, the malware effectively becomes invisible to that scanner.

The scale of this issue is significant. Of the 3,000 samples analyzed, many were found to use a combination of these techniques. This layering of evasion tactics suggests a high level of technical maturity among the developers of mobile banking trojans and Remote Access Trojans (RATs).

Profiles of the Malicious Families Utilizing Malformation

The adoption of APK malformation is not limited to a single group; it has become a standardized component of the "malware-as-a-service" (MaaS) toolkit. The following families have been most active in employing these techniques:

Teabot (Anatsa)

Teabot is a sophisticated banking trojan first identified in early 2021. It is designed to steal credentials and SMS messages to bypass two-factor authentication (2FA). Teabot often utilizes VNC (Virtual Network Computing) services to gain remote control over a victim’s screen. By employing APK malformation, Teabot developers have been able to keep their droppers on the Google Play Store for longer durations, as the initial automated scans often fail to unpack the malicious components.

TrickMo

Originally a variant of the TrickBot banking trojan adapted for mobile, TrickMo focuses on intercepting One-Time Passwords (OTPs) and recording screen activity. Recent iterations of TrickMo have been found to use highly distorted ZIP structures. In some instances, researchers found that earlier security reports had failed to classify TrickMo samples correctly because the malformation was so severe that standard static analysis could not even identify the file as an APK.

Godfather

Targeting over 400 financial applications, including banking apps and cryptocurrency wallets, Godfather is a successor to the Anubis malware. It uses overlay attacks to harvest login credentials. The integration of malformed structures into Godfather samples highlights the constant evolution of the threat, as its developers seek to protect their intellectual property (the source code) from being easily analyzed and "cloned" by rival cybercriminals.

SpyNote

SpyNote is a powerful RAT that provides attackers with comprehensive access to a device’s camera, microphone, and location data. Because SpyNote is often distributed through third-party websites and phishing links, its developers use malformation to ensure that even if the APK is uploaded to public scanning services like VirusTotal, the structural errors will prevent many antivirus engines from flagging the embedded malicious code.

A Chronology of Evasion in the Android Ecosystem

The shift toward APK malformation is part of a decade-long evolution in Android malware evasion. In the early 2010s, malware authors relied primarily on simple code obfuscation, such as renaming variables and methods to nonsensical strings. As security tools became better at de-obfuscation, attackers moved toward "packing" and "loading." This involved encrypting the main malicious payload and decrypting it in memory only when the app was running.

By 2020, the industry saw a rise in the use of native libraries (JNI) to hide malicious logic, making it harder for Java-based decompilers to follow the execution flow. The current era, beginning around 2023, is defined by structural corruption. Instead of just hiding the code inside the file, attackers are now breaking the container itself. This represents a fundamental shift from trying to hide the "what" (the payload) to hiding the "how" (the file structure), exploiting the inherent trust that security tools place in standardized file formats.

Defensive Innovation: The Launch of Malfixer

Recognizing that manual repair of thousands of malformed APKs is an impossible task for incident responders, the Cleafy team developed and released an open-source solution named Malfixer. Malfixer is a Python-based utility designed to bridge the gap between the Android installer’s leniency and the decompiler’s strictness.

The tool works by scanning the APK’s Local File Headers and Central Directory to identify inconsistencies. Once a conflict is detected—such as a mismatched CRC32 checksum or an invalid offset—Malfixer programmatically rebuilds the ZIP structure to adhere to standard specifications. By "healing" the APK, the tool allows conventional reverse engineering software like JADX to parse the file without crashing.
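The consistency check described in the preceding paragraph, together with the malformation patterns catalogued earlier (conflicting Local File Header and Central Directory fields, falsified EOCD entry counts, control characters in asset filenames), as an added Python example. This is not Malfixer's code or any code from Cleafy: it builds a small constructed ZIP that stands in for an APK, walks the Central Directory by signature rather than trusting the EOCD count, and reports every disagreement with the corresponding Local File Header. The two `tamper_*` helpers exist only to produce constructed test fixtures for the checker; member names and payload bytes are invented.

```python
import io
import struct
import zipfile

LFH_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
CD_FMT, LFH_FMT = "<HHHHHHIIIHHHHHII", "<HHHHHIIIHH"  # fixed parts after the 4-byte signatures


def build_sample_apk(extra_name=None):
    """Constructed stand-in for an APK: a small ZIP with the usual top-level members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("assets/config.bin", b"placeholder")
        if extra_name:
            zf.writestr(extra_name, b"placeholder")
    return buf.getvalue()


def parse_eocd(data):
    """Return (total_entries, cd_size, cd_offset) from the End of Central Directory record."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or idx + 22 > len(data):
        raise ValueError("no End of Central Directory record")
    _, _, _, total, cd_size, cd_offset, _ = struct.unpack("<HHHHIIH", data[idx + 4:idx + 22])
    return total, cd_size, cd_offset


def iter_cd_entries(data, cd_offset):
    """Walk Central Directory entries by signature (not by EOCD count), yielding (pos, fields, raw name)."""
    pos = cd_offset
    while pos + 46 <= len(data) and data[pos:pos + 4] == CD_SIG:
        f = struct.unpack(CD_FMT, data[pos + 4:pos + 46])
        name = data[pos + 46:pos + 46 + f[9]]  # f[9], f[10], f[11] = name/extra/comment lengths
        yield pos, f, name
        pos += 46 + f[9] + f[10] + f[11]


def suspicious_name(raw):
    """Flag member names that strict extractors choke on: control bytes, non-ASCII, traversal."""
    if any(b < 0x20 for b in raw):
        return "control character in filename"
    if any(b >= 0x80 for b in raw):
        return "non-ASCII byte in filename"
    text = raw.decode("ascii")
    if text.startswith("/") or ".." in text.split("/"):
        return "path traversal in filename"
    return None


def audit_zip_structure(data):
    """Compare every Central Directory entry with its Local File Header; return a list of findings."""
    findings = []
    total, cd_size, cd_offset = parse_eocd(data)
    if cd_offset + cd_size > len(data):
        return ["EOCD: central directory lies beyond the end of the file"]
    seen = 0
    for _, cd, name in iter_cd_entries(data, cd_offset):
        seen += 1
        label = name.decode("utf-8", "replace")
        cd_crc, cd_csize, cd_usize, lfh_off = cd[6], cd[7], cd[8], cd[15]
        reason = suspicious_name(name)
        if reason:
            findings.append(f"{label!r}: {reason}")
        if lfh_off + 30 > len(data) or data[lfh_off:lfh_off + 4] != LFH_SIG:
            findings.append(f"{label!r}: CD offset does not point at a Local File Header")
            continue
        lfh = struct.unpack(LFH_FMT, data[lfh_off + 4:lfh_off + 30])
        l_flags, l_crc, l_csize, l_usize, l_name_len, l_extra_len = lfh[1], lfh[5], lfh[6], lfh[7], lfh[8], lfh[9]
        if data[lfh_off + 30:lfh_off + 30 + l_name_len] != name:
            findings.append(f"{label!r}: filename differs between LFH and CD")
        # With general-purpose flag bit 3 set, the LFH legitimately holds zeros and a
        # trailing data descriptor carries the real CRC32 and sizes, so skip that comparison.
        if not (l_flags & 0x0008) and (l_crc, l_csize, l_usize) != (cd_crc, cd_csize, cd_usize):
            findings.append(f"{label!r}: CRC32/size fields differ between LFH and CD")
        if lfh_off + 30 + l_name_len + l_extra_len + cd_csize > cd_offset:
            findings.append(f"{label!r}: compressed data overlaps the Central Directory")
    if seen != total:
        findings.append(f"EOCD: claims {total} entries but the Central Directory holds {seen}")
    return findings


def tamper_eocd_entry_count(data, delta):
    """Constructed test fixture: misreport the EOCD total-entries field."""
    idx = data.rfind(EOCD_SIG)
    total = struct.unpack("<H", data[idx + 10:idx + 12])[0]
    return data[:idx + 10] + struct.pack("<H", total + delta) + data[idx + 12:]


def tamper_cd_crc(data, member):
    """Constructed test fixture: corrupt one entry's CRC32 in the Central Directory only."""
    _, _, cd_offset = parse_eocd(data)
    for pos, _, name in iter_cd_entries(data, cd_offset):
        if name == member.encode():
            return data[:pos + 16] + b"\xde\xad\xbe\xef" + data[pos + 20:]
    raise KeyError(member)


if __name__ == "__main__":
    for title, blob in [("clean", build_sample_apk()),
                        ("eocd count -1", tamper_eocd_entry_count(build_sample_apk(), -1)),
                        ("cd crc corrupted", tamper_cd_crc(build_sample_apk(), "classes.dex")),
                        ("control char name", build_sample_apk("assets/\x01cfg.bin"))]:
        print(title, "->", audit_zip_structure(blob) or "consistent")
```

Walking the directory by signature is the design choice that matters here: a parser that loops exactly `total_entries` times, as the EOCD invites it to, stops one entry short on the falsified-count fixture and never sees the last member, which is precisely the "invisible DEX" effect the article describes. The data-descriptor branch is the one legitimate case in which LFH and CD fields differ, so a checker that omits it produces false positives on streamed archives.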

The development of Malfixer followed an intensive analysis of over 70 unique malformed samples. The decision to publish the tool on GitHub marks a significant move toward community-driven defense. By providing the broader cybersecurity community with the means to neutralize these evasion tactics, researchers hope to lower the barrier for entry for analysts who may not have deep expertise in ZIP file forensics.

Official Responses and Expert Analysis

While Google has not issued a specific statement regarding the Cleafy research, the company has historically addressed similar issues through updates to Google Play Protect. However, the challenge remains that many malformed APKs are distributed through "sideloading" or third-party app stores where Google’s oversight is limited.

Cybersecurity analysts suggest that the rise of malformed APKs points to a larger "arms race." As defenders deploy machine learning and advanced static analysis to catch malware, attackers respond by attacking the very foundations of those tools. "As defenders, we must evolve our tools and techniques to counter these evasive tactics," the Cleafy researchers noted in their report. They emphasized that the success of malware families like TrickMo is directly tied to their ability to remain "invisible" during the initial phases of an infection.

The implications of this trend are far-reaching. For financial institutions, it means that the mobile apps their customers use are under constant siege by malware that can bypass traditional endpoint security. For the broader public, it underscores the danger of sideloading applications from untrusted sources, as the visual appearance of a "working" app no longer guarantees that its underlying structure hasn’t been tampered with to hide malicious intent.

The Future of Mobile Security and Forensic Analysis

Looking forward, the industry is likely to see further refinements in structural evasion. Some researchers predict that attackers may begin to exploit vulnerabilities in the Android Runtime itself to execute code from even more exotic file formats. The ongoing battle will require a multi-layered defensive strategy that combines robust static analysis, dynamic behavioral monitoring, and the rapid sharing of threat intelligence.

The release of tools like Malfixer is a vital step, but it is not a silver bullet. As long as there is a discrepancy between how a file is "read" by a defender and "executed" by a processor, there will be a gap for attackers to exploit. The cybersecurity community’s ability to close this gap will depend on continued transparency, the development of more resilient parsing engines, and a proactive approach to identifying the next generation of evasion techniques before they become industry standards for cybercriminals.
