# Resources
External resources for Android security research. Blogs, tools, frameworks, and link collections.
## Blogs & Research
### Malware Research
| Source | Focus |
|---|---|
| CheckPoint Research | Android malware campaigns, Play Store threats, mobile APT tracking. |
| Cleafy Labs | Banking malware, financial fraud, mobile threat intelligence. |
| Cyble CRIL | Dark web intelligence, mobile malware sold on underground forums. |
| Fortinet FortiGuard | Android malware write-ups, mobile threat landscape. |
| IBM Security Trusteer | Mobile banking fraud, overlay attack research, financial malware analysis. |
| Sophos X-Ops | Cross-platform threat research including Android malware families. |
| ThreatFabric | Android banking trojans. Most prolific mobile malware research team. |
| Trellix (FireEye) | Advanced mobile threats, nation-state campaigns. |
### Vulnerability Research
| Source | Focus |
|---|---|
| 8kSec | App and kernel-level Android security. Battlegrounds CTF. |
| Google Android Offensive Security | Kernel exploitation, Binder fuzzing, driver analysis from Google's red team. |
| Google Project Zero | 0-day research. Android exploit chains, Pixel vulnerabilities. |
| NowSecure Blog | Mobile app security testing, practical vulnerability analysis. |
| Oversecured Blog | Android app vulnerabilities. Systematic disclosure in Google, Samsung, TikTok apps. Top resource. |
### Vendor Security Blogs
| Source | Focus |
|---|---|
| Avast Decoded | Android malware, adware campaign analysis. |
| ESET WeLiveSecurity | Android malware publications, regional threat analysis. |
| Group-IB Blog | Threat intelligence, fraud prevention, APT campaigns. |
| Intel 471 Blog | Underground marketplace monitoring, MaaS tracking. |
| Kaspersky Securelist | Mobile malware analysis, APT campaigns targeting Android. |
| Lookout Threat Intelligence | Mobile endpoint threats, surveillance software, state-sponsored spyware. |
| McAfee Mobile Research | Mobile malware, adware, PUPs. Part of McAfee Labs. |
| NCC Group Research | Offensive security research, Android malware lineage analysis. |
| PRODAFT Blog | Threat intelligence, underground infrastructure analysis. |
| Trend Micro Blog | Mobile ransomware, enterprise mobile threats. |
| Zimperium Blog | Mobile threat defense research, zero-day discoveries. |
### Platform / Ecosystem
| Source | Focus |
|---|---|
| Android Developers Blog | New API changes, security feature announcements. |
| Android Security Bulletins | Monthly CVE patches for Android. |
| Google Security Blog | Play Protect updates, platform security changes. |
## Frameworks & Standards
| Resource | What It Is |
|---|---|
| bazaar.abuse.ch | Malware sample database with multi-vendor tagging and YARA rule matching. |
| Malpedia | Malware reference database. Cross-vendor name mapping. |
| MISP Galaxy | Open threat intelligence knowledge base. Threat actors, malware families, tools, and ATT&CK clusters. |
| MITRE ATT&CK Mobile | Adversary technique taxonomy. High-level classification, not operational detail. |
| OWASP MAS | Mobile application security testing guide. Compliance-oriented. |
| OWASP Mobile Top 10 | Top 10 mobile security risks. |
## Tools
### Analysis & Detection
| Tool | Purpose |
|---|---|
| Androguard | Python framework for Android app analysis |
| APKiD | Packer, protector, obfuscator identification |
| APKLeaks | Extract URLs, endpoints, and secrets from APK files |
| dex2jar | DEX to JAR conversion |
| Droidlysis | Automated Android malware property extraction (permissions, receivers, services) |
| Drozer | Android security assessment framework. IPC probing, provider testing. |
| MobSF | Automated mobile security analysis |
| Quark Engine | Android malware scoring and behavior analysis |
| SUPER | Secure, Unified, Powerful and Extensible Rust Android Analyzer |
| VirusTotal | Multi-engine malware scanning. 70+ AV engines. See Naming Conventions for detection name formats. |
### Device
| Tool | Purpose |
|---|---|
| LSPosed | Xposed framework for modern Android |
| Magisk | Root management with detection bypass |
### Network
| Tool | Purpose |
|---|---|
| Burp Suite | HTTP/HTTPS proxy and traffic interception |
| mitmproxy | Scriptable HTTPS proxy |
### Reverse Engineering
| Tool | Purpose |
|---|---|
| apktool | APK disassembly and reassembly |
| Bytecode Viewer | Multi-decompiler view (Procyon, CFR, FernFlower, jadx side-by-side) |
| Frida | Dynamic instrumentation: hooking, tracing, modifying runtime behavior |
| frida-dexdump | Dump DEX files from packed apps at runtime |
| Ghidra | Native code reverse engineering (NSA, free) |
| jadx | DEX to Java decompiler |
| medusa | Extensible framework combining Frida scripts for Android dynamic analysis |
| Objection | Frida-powered runtime exploration |
| reFrida | Browser-based Frida IDE with Monaco editor, disassembler, memory search, Stalker tracing, and visual interceptor builder |
| r2frida | Radare2 + Frida integration |
| radare2 | Open-source reverse engineering framework |
### Emulation & Sandboxing
| Tool | Purpose |
|---|---|
| Android Emulator | Official Android emulator with AVD manager |
| Genymotion | High-performance Android emulator for testing |
| rootAVD | Root Android Virtual Devices for Frida and dynamic analysis |
| CuckooDroid | Automated Android malware sandbox |
| Joe Sandbox Mobile | Commercial automated malware analysis sandbox |
## Link Collections
| Resource | What It Is |
|---|---|
| android-security-awesome | Curated list of Android security tools and resources |
| awesome-android-security | Pentester and bug bounty focused links |
| Awesome Android Reverse Engineering | RE tools and techniques |
| Awesome-Android-Vulnerability-Research | Vulnerability research focused |
## Periodic Reports
| Report | Publisher | Cadence |
|---|---|---|
| Financial Threat Report | Kaspersky Securelist | Annual |
| Mobile Threat Landscape 2024 | Kaspersky Securelist | Annual |
| Consumer Mobile Threat Report 2023 | McAfee Labs | Annual |
| Mobile Threat Statistics Q1 2025 | Kaspersky Securelist | Quarterly |
| Mobile Threat Statistics Q2 2025 | Kaspersky Securelist | Quarterly |
| Mobile Threat Statistics Q3 2025 | Kaspersky Securelist | Quarterly |
| ESET Threat Report H1 2024 | ESET | Semi-annual |
| ESET Threat Report H2 2025 | ESET | Semi-annual |
| Year in Review: 0-days | Google Project Zero | Annual |
| Global Mobile Threat Report | Zimperium | Annual |
| Mobile Banking Heists Report | Zimperium | Annual |
| Mobile Threat Intelligence Report | Lookout | Annual |
| Global Threat Landscape Report | Fortinet | Semi-annual |
## Notable Research
Key technical research publications from security teams. For vendor-specific malware analysis, see individual malware family pages.
| Research | Publisher | Topic |
|---|---|---|
| A 0-click exploit chain for the Pixel 9 (3-part series) | Google Project Zero | Dolby decoder integer overflow + kernel driver sandbox escape. 139-day patch gap. |
| Bad Binder: Android In-The-Wild Exploit | Google Project Zero | CVE-2019-2215 Binder use-after-free. Linked to NSO Group's Pegasus. |
| In-the-Wild Series: Android Exploits | Google Project Zero | Chrome RCE + Android n-day privilege escalation from watering hole. |
| Multiple Internet-to-Baseband RCE in Exynos Modems | Google Project Zero | 18 zero-days in Samsung Exynos modems. 4 allow RCE with just a phone number. |
| Samsung In-the-Wild Exploit Chain | Google Project Zero | Logic bugs exploited against Samsung devices. CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. |
| Analyzing a Modern In-the-Wild Android Exploit | Google Project Zero | CVE-2023-0266 (ALSA 0-day) + CVE-2023-26083 (Mali GPU 0-day). Commercial spyware. |
| .NET MAUI Evasion | McAfee Labs | Malware using C#/.NET MAUI framework to bypass DEX-based analysis. |
| Xamalicious Backdoor | McAfee Labs | Xamarin-based backdoor in 25 Google Play apps (327K downloads). Xamarin build process acts as packer hiding malicious code. |
| SpyAgent OCR Crypto Theft | McAfee Labs | 280+ fake apps using image recognition to steal crypto wallet seed phrases from device photos. |
| Invisible Adware | McAfee Labs | 43 Play Store apps (2.5M downloads) loading ads only when screen is off, weeks-long activation delay. |
| India MaaS Phishing | McAfee Labs | MaaS platform with 800+ apps targeting Indian banking users, 3,700+ infected devices. |
| Disclosure of 7 Android and Pixel Vulnerabilities | Oversecured | WebView file theft, Bluetooth permission bypass, VPN bypass, system component access. |
| Two Weeks of Securing Samsung Devices | Oversecured | 60+ Samsung vulnerabilities. Path traversal via Uri.getLastPathSegment(), SMS database access. |
| 20 Security Issues in Xiaomi Devices | Oversecured | Intent redirection, content provider, and privilege escalation in Xiaomi system apps. |
| Exploiting Memory Corruption on Android | Oversecured | Native memory corruption via VirtualRefBasePtr. PayPal vulnerability example. |
| Play Core Library Code Execution | Oversecured | Persistent code execution through dynamic module loading. Automated discovery. |
| NGate: NFC Relay Attacks | ESET | First Android NFC relay malware. Clones payment cards via NFCGate for ATM cash withdrawal. |
| EvilVideo: Telegram Zero-Day | ESET | Zero-day exploit for Telegram for Android. APKs disguised as video previews. Sold on underground forums. |
| 525,600 Assessments: Top Mobile App Risks | NowSecure | 75% of apps have misconfigured crypto, 85% have SDK vulnerabilities, 1 in 5 has hardcoded keys. |
| Dangerous Mobile App Permissions | NowSecure | Analysis of 378,000+ Android apps: 62% request dangerous permissions. |
| AI-Assisted Decompilation | NowSecure | Using language models to optimize decompiled Android app code. |
## Conference Talks
Notable Android security presentations from major conferences.
### Black Hat / DEF CON
| Talk | Speaker | Event | Topic |
|---|---|---|---|
| Android Packers: Separating from the Pack | Maddie Stone | Black Hat USA 2020 | Packer identification, unpacking methodology, APKiD development |
| Strandhogg: Attacking Android Through Task Affinity | Promon Research | DEF CON 27 | Task affinity hijacking (CVE-2020-0096), UI spoofing |
| Breaking Secure Messaging on Android | Various | Black Hat USA 2023 | Accessibility-based message exfiltration from E2E encrypted apps |
| The Art of Android Malware Analysis | Various | Black Hat USA 2024 | Modern banking trojan analysis, ATS reverse engineering |
| Pixel 0-Click Exploit Chain | Google Project Zero | Associated research | Dolby decoder overflow + kernel sandbox escape on Pixel 9 |
### HITB / OffensiveCon / Other
| Talk | Speaker | Event | Topic |
|---|---|---|---|
| Breaking Android's Verified Boot | Various | HITB | AVB bypass, bootloader exploitation, firmware persistence |
| Frida for Android Malware Analysis | Eduardo Novella | Various | Dynamic instrumentation for banking trojan analysis |
| DexProtector Internals | Romain Thomas | Associated research | vtable hooking, asset encryption, native bridge analysis |
## YouTube Channels
| Channel | Focus | Notable Content |
|---|---|---|
| LaurieWired | Android malware analysis, reverse engineering | Malware deep-dives, assembly analysis, practical RE walkthroughs |
| 8kSec | Mobile security research | Android kernel exploitation, app security testing |
| Maddie Stone | 0-day research, Android exploitation | Google Project Zero research presentations |
| stacksmashing | Hardware hacking, reverse engineering | Hardware-adjacent Android security, Flipper Zero integration |
| John Hammond | General security, CTF walkthroughs | Occasional mobile security and malware analysis content |
| IppSec | HTB walkthroughs | Android challenge walkthroughs and mobile exploitation |
| Corellium | Mobile security platform | Android reverse engineering tutorials, virtualization-based analysis |
## Training Platforms
| Platform | Description |
|---|---|
| 8kSec Battlegrounds | Free mobile security challenges (CTF-style). Android challenges include deep link exploitation, client-side bypass, malicious app creation. Community writeups available. |
| OWASP MASTG Test Apps | Standardized vulnerable Android and iOS apps for practicing MASVS testing. |
| OVAA | Oversecured Vulnerable Android App. Practice exploiting common Android vulnerabilities. |
| InsecureBankv2 | Vulnerable banking app for practicing common Android app vulnerabilities. |
| DIVA | Damn Insecure and Vulnerable App. Covers 13 common Android vulnerability categories. |
| AndroGoat | Open-source vulnerable Android app for practicing OWASP Top 10 Mobile risks. |
| hpAndro | Kotlin-based vulnerable app with multiple challenge categories. |
## Courses
| Course | Provider | Notes |
|---|---|---|
| SEC575: Mobile Device Security and Ethical Hacking | SANS | Comprehensive mobile security course covering Android and iOS. GMOB certification. |
| Android App Security with Frida | 8kSec | Focused on dynamic instrumentation for Android app testing and malware analysis. |
| Mobile Application Penetration Testing | INE/eLearnSecurity | Covers Android and iOS pentesting methodology. eMAPT certification. |
| Android Security Internals | Various (Udemy) | Budget-friendly courses on Android RE fundamentals. |
## CTF Resources
### Android-Specific CTFs
| Platform | Description |
|---|---|
| 8kSec Battlegrounds | Dedicated mobile security CTF with Android challenges |
| MOBISEC | University of California course with Android security challenges (public materials) |
| Android CTF by BSides | Open-source Android security challenges |
| Injured Android | CTF-style vulnerable Android app with progressive difficulty |
### CTF Writeup Collections
| Resource | Content |
|---|---|
| CTFtime Mobile Challenges | Filter by "mobile" tag for Android-specific writeups from global CTF events |
| HackTricks Android | Android pentesting methodology used in CTF contexts |
## Community
### Forums and Chat
| Platform | Description |
|---|---|
| Android Security subreddit | Discussion of Android vulnerabilities, patches, and research |
| Mobile Hacking Discord | Community server for mobile security researchers |
| Frida Discord | Official Frida community for dynamic instrumentation help |
| OWASP Slack #mobile-security | OWASP community channel for mobile security discussion |
### Bug Bounty Programs
| Program | Scope | Max Payout |
|---|---|---|
| Google VRP | Android OS, Pixel devices, Google apps | $1,000,000 for full exploit chains. Up to $15,000 for critical single bugs. |
| Google Mobile VRP | First-party Android apps (Google, Fitbit, Waymo, Waze) | $30,000 for RCE without interaction. $7,500 for sensitive data theft. |
| Samsung Mobile Security Rewards | Samsung mobile devices, Knox, Galaxy Store | Up to $1,000,000 for critical chain on flagship devices |
| Qualcomm Bug Bounty | Snapdragon chipsets, modem firmware | Varies; covers baseband and TEE vulnerabilities |
| HackerOne Mobile Programs | Various mobile app vendors | Varies by program; filter by "mobile" scope |
### Researchers to Follow
| Researcher | Affiliation | Focus |
|---|---|---|
| Maddie Stone | Google Project Zero | Android 0-days, exploit chains, packer analysis |
| Sergey Toshin | Oversecured | Android app vulnerabilities, systematic vuln discovery |
| Lukas Stefanko | ESET | Android malware tracking, Play Store threats |
| Federico Valentini / Alessandro Strino | Cleafy | Banking trojan analysis, ATS research |
| Cengiz Han Sahin | ThreatFabric | Android banking malware naming and tracking |