AWAKE

Android Wiki of Attacks, Knowledge & Exploits

Structured reference for Android security research. How malware works, how attacks exploit the platform, and how to reverse engineer protected applications. Built for practitioners -- offense-focused, cross-referenced, and maintained.


Start Here

Start with the family catalog and timeline for historical context. Use naming conventions to map between vendor detection names. For analysis methodology, follow static analysis then dynamic analysis. If the sample is packed, identify the packer first -- the analysis decision tree walks through identification by native library, asset structure, and APKiD signature.

Key topics: C2 techniques, persistence mechanisms, dynamic code loading, threat actors, grayware

Start with packer identification. The comparison matrix ranks all documented protectors across DEX encryption, virtualization, anti-Frida, RASP, and unpacking difficulty. For runtime work, hooking and patching cover Frida, Xposed, and smali modification. The development frameworks section covers 28 frameworks -- each with its own page on architecture, analysis workflow, hooking strategy, and SSL pinning bypass.

Key topics: dynamic analysis environment setup, network interception, SSL pinning bypass, anti-analysis check catalog

Start with the attack techniques catalog -- 31 techniques organized by attack surface, with a technique combination matrix. The permissions section documents what each Android permission unlocks and how it can be abused, with escalation patterns showing how malware moves from auto-granted normal permissions to full device control.

Key topics: deep link exploitation, WebView exploitation, content provider attacks, intent hijacking, overlay attacks

Start with threat actors for MaaS operator attribution and pricing models. The timeline tracks evolution from 2010 to present. The grayware section covers data broker SDKs, predatory lending, and the gray area between aggressive monetization and malware. The industry section maps security companies, AV engines, naming conventions, and distribution channels.

Key topics: naming conventions, periodic reports, geographic hotspots


| Trend | What Changed |
| --- | --- |
| NFC relay attacks | Contactless payment cards cloned via NFC relay for ATM cash withdrawal. Bypasses traditional banking security entirely. |
| OCR-based crypto theft | Photos scanned for cryptocurrency seed phrases via on-device OCR. First seen on both Play Store and App Store simultaneously. |
| On-device virtualization | Real banking apps installed inside a VirtualApp sandbox on the infected device, intercepting all interactions transparently. |
| Reduced permission footprints | Full banking trojan functionality with as few as 5 permissions by routing everything through accessibility services. |
| Fake lockscreen PIN capture | Fake lockscreens steal device unlock PINs. Used alongside VNC for complete device takeover. |
| Human behavior mimicry | Automated transfers typed with natural delays and randomized touch coordinates to evade behavioral biometric fraud detection. |
| Commercial packer adoption | Malware authors increasingly use commercial packers (Virbox, DexGuard) rather than custom solutions. |
| Firebase as C2 | Firebase Cloud Messaging, Firestore, and Remote Config abused for C2 delivery. Traffic indistinguishable from legitimate app telemetry. |
| Framework evasion | .NET MAUI and Xamarin used to hide malicious code in C# blobs that DEX scanners never inspect. |
| India threat surge | Rapid growth in MaaS phishing platforms and SpyLoan predatory lending apps targeting Indian banking users. |

Attack Kill Chain

How attacks chain together in a typical Android banking trojan operation. Each stage builds on the previous. Full technique catalog with combination matrix in Attack Techniques.

| Stage | Objective | How |
| --- | --- | --- |
| 1. Delivery | Get on device | Phishing, sideloading, Play Store dropper |
| 2. Dropper | Install payload | Dynamic code loading, staged download from C2 |
| 3. Persistence | Survive reboots | Boot receivers, foreground services, scheduled jobs |
| 4. Privilege escalation | Gain control | Accessibility service grant via social engineering, device admin |
| 5. Credential theft | Steal logins | Overlay injection, keylogging, screen capture |
| 6. 2FA bypass | Intercept OTPs | SMS interception, notification listener |
| 7. On-device fraud | Move money | ATS fills transfer fields via accessibility |
| 8. Exfiltration | Send to C2 | C2 techniques: HTTP, WebSocket, Telegram Bot API, Firebase, SFTP |
| 9. Anti-analysis | Avoid detection | Emulator checks, Frida detection, device admin anti-uninstall, post-fraud device wipe |

What's Covered

Packer Quick Reference

Run APKiD on the sample. Check the analysis decision tree for the next step. For universal unpacking, hook DexClassLoader or InMemoryDexClassLoader at runtime, or use frida-dexdump to scan process memory for DEX magic bytes.

| Difficulty | What Makes It Hard | Examples |
| --- | --- | --- |
| Easy-Medium | Whole-DEX encryption with known structure. Generic memory dump recovers the payload. | Chinese packers, AppSealing |
| Medium-Hard | Class-level encryption, native anti-Frida, integrity checks. Targeted bypass needed. | DexGuard, DexProtector, Appdome |
| Hard | Aggressive anti-hooking, Magisk-aware root detection, server-side verification. | LIAPP, Arxan, Promon |
| Expert | DEX virtualization -- bytecode translated to proprietary VM instructions. | Virbox |
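The memory-scan approach named in the quick reference (find DEX magic bytes in process memory, then recover the file) as an added example, not code from the wiki or from frida-dexdump: a Python carver that locates `dex\n` headers in a dump, validates the header fields that a decoy string lacks, rejects files the dump cut short, and verifies the Adler-32 checksum. `build_dex` and `SAMPLE_DUMP` are constructed test fixtures, not real samples.

```python
import struct
import zlib

DEX_MAGIC = b"dex\n"
DEX_VERSIONS = (b"035", b"037", b"038", b"039")
DEX_HEADER_SIZE = 0x70          # header_size field must hold this value
DEX_ENDIAN_TAG = 0x12345678     # standard little-endian DEX endian tag

def build_dex(version: bytes, body: bytes) -> bytes:
    """Construct a minimal, structurally valid DEX blob for the sample dump (test fixture, not a real DEX)."""
    size = DEX_HEADER_SIZE + len(body)
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC + version + b"\0"
    struct.pack_into("<III", hdr, 0x20, size, DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    # checksum (offset 0x08) is Adler-32 over everything after the checksum field
    struct.pack_into("<I", hdr, 0x08, zlib.adler32((bytes(hdr) + body)[12:]) & 0xFFFFFFFF)
    return bytes(hdr) + body

def _parse_header(dump: bytes, off: int):
    """Return a carve record if a plausible DEX header starts at off, else None."""
    magic = dump[off:off + 8]
    if off + DEX_HEADER_SIZE > len(dump) or magic[4:7] not in DEX_VERSIONS or magic[7] != 0:
        return None
    (checksum,) = struct.unpack_from("<I", dump, off + 0x08)
    file_size, header_size, endian = struct.unpack_from("<III", dump, off + 0x20)
    if header_size != DEX_HEADER_SIZE or endian != DEX_ENDIAN_TAG:
        return None                       # magic string without a real header (e.g. a decoy)
    if file_size < DEX_HEADER_SIZE or off + file_size > len(dump):
        return None                       # truncated: the dump does not contain the whole file
    data = dump[off:off + file_size]
    ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum  # mismatch flags a patched header, not a false hit
    return {"offset": off, "version": magic[4:7].decode(), "size": file_size, "data": data, "checksum_ok": ok}

def carve_dex(dump: bytes) -> list:
    """Scan a process memory dump for DEX files and return each validated hit in order."""
    hits, pos = [], dump.find(DEX_MAGIC)
    while pos != -1:
        rec = _parse_header(dump, pos)
        if rec:
            hits.append(rec)
        pos = dump.find(DEX_MAGIC, pos + (rec["size"] if rec else 1))  # skip past a carved file
    return hits

# Constructed memory dump: padding, a decoy magic string, then two embedded DEX files.
SAMPLE_DUMP = (b"\x00" * 64 + b"dex\n035\0garbage" + b"\xCC" * 30   # decoy magic, no valid header
               + build_dex(b"035", b"A" * 100) + b"\x90" * 17
               + build_dex(b"039", b"B" * 40) + b"\x00" * 9)
```

On a real dump, write each hit's `data` to a file and hand it to the usual DEX tooling; a `checksum_ok` of False is worth noting because some packers patch the header in memory without recomputing it.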