I don’t remember where I got this from but I’m storing it here as a reminder.

1 Static Analysis (No Execution)

Analyze the APK without running it.

  • APK Inspection – Unpack and decompile with apktool, jadx, or Bytecode Viewer
  • Manifest Review – Look for suspicious requested permissions in AndroidManifest.xml (e.g., SEND_SMS, READ_CONTACTS, SYSTEM_ALERT_WINDOW) and exported components
  • Signature Verification – Check the signing certificate (e.g. apksigner verify --print-certs) and compare its fingerprint with the developer's known certificate to detect re-signed or fake builds
  • String Analysis – Search the decompiled code and resources for hardcoded credentials, C2 URLs/IPs, shell commands, or hidden functionality

2 Dynamic Analysis (Safe Environment)

Run and observe the app’s behavior in a sandbox.

  • Execution Platforms – Use the Android Emulator, Genymotion, or MobSF's dynamic analyzer on a disposable instance with no personal data on it
  • API Hooking – Use Frida or Xposed to intercept and log API calls
  • Network Monitoring – Capture traffic with mitmproxy (install its CA on the test device to see TLS), Wireshark, or tcpdump
  • System Activity Tracking – Watch for file system changes, new processes, or unusual activity

3 Behavioral Indicators

Look for suspicious runtime behaviors.

  • Excessive CPU or RAM usage
  • Frequent outbound connections to unknown domains
  • Attempts at root privilege escalation
  • Camera or microphone activation without consent

4 Threat Intelligence & IOCs

Document and cross-check indicators of compromise.

  • File Hashes – MD5/SHA256 of the APK (SHA256 is the one to share; MD5 only for matching older reports)
  • Network Indicators – IPs, domains, C2 URLs
  • Certificates – Signing certificate fingerprints and mismatches against the developer's known certificate
  • Reputation Check – Query VirusTotal, Hybrid Analysis, and similar services by hash (upload the sample itself only if disclosing it is acceptable)
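The string-analysis and hashing steps above (sections 1 and 4) are shown here as one offline script. This is an added example and not code from the original note: it hashes an APK, lists v1 signature files, greps the binary manifest's string pool for android.permission.* names (both UTF-16LE and UTF-8 pools, without a full AXML decoder) and scans dex/lib/assets entries for URLs, IPv4 addresses and root/loader artefacts. The watch lists, the sample APK built by build_sample_apk() and every package name, URL and IP in it are constructed for this example.

```python
"""Offline static triage of an APK: hashes, signature-file listing, declared
permissions and string IOCs. Added example, not from the original note."""
import hashlib
import io
import re
import zipfile

# Permissions the note calls out plus a few commonly abused ones
# (assumption: tune this watch list to your own triage policy).
WATCHED_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES", "android.permission.RECORD_AUDIO",
}
PERM_RE = re.compile(r"android\.permission\.[A-Z_]{3,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Root/loader artefacts worth a second look (assumption: extend as needed).
SUSPICIOUS_RE = re.compile(rb"/system/x?bin/su|/sbin/su|Superuser\.apk|magisk|frida-server|DexClassLoader")


def manifest_permissions(manifest: bytes) -> set:
    """Binary AXML keeps names in a string pool, usually UTF-16LE (UTF-8 pools also
    exist). Matching both encodings surfaces the declared permissions without a
    full AXML decoder; use apktool/jadx to read the manifest itself."""
    found = set(PERM_RE.findall(manifest.decode("latin-1")))
    for offset in (0, 1):  # try both byte alignments of a UTF-16 pool
        found.update(PERM_RE.findall(manifest[offset:].decode("utf-16-le", errors="ignore")))
    return found


def triage_apk(apk_bytes: bytes) -> dict:
    """Hash the file, list it, and extract permission and string IOCs."""
    report = {"md5": hashlib.md5(apk_bytes).hexdigest(),
              "sha256": hashlib.sha256(apk_bytes).hexdigest(),
              "members": [], "signature_files": [], "permissions": set(),
              "urls": set(), "ips": set(), "suspicious_strings": set()}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            report["members"].append(name)
            # v1 (JAR) signature blocks; v2/v3 signatures live in the APK Signing
            # Block, which apksigner verify --print-certs reports and this scan skips.
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                report["signature_files"].append(name)
            if name == "AndroidManifest.xml":
                report["permissions"] = manifest_permissions(zf.read(name))
            elif name.endswith(".dex") or name.startswith(("lib/", "assets/")):
                data = zf.read(name)  # dex strings are MUTF-8, so ASCII patterns work
                report["urls"].update(m.decode() for m in URL_RE.findall(data))
                report["ips"].update(m.decode() for m in IPV4_RE.findall(data))
                report["suspicious_strings"].update(m.decode() for m in SUSPICIOUS_RE.findall(data))
    report["watched_permissions"] = report["permissions"] & WATCHED_PERMISSIONS
    return report


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK (not malware, not valid AXML/dex): a zip
    whose manifest carries a UTF-16LE string pool and whose dex carries C strings."""
    manifest = b"\x03\x00\x08\x00" + b"\x00" * 12  # 16 bytes of filler header
    for s in ("android.permission.INTERNET", "android.permission.SEND_SMS",
              "android.permission.READ_CONTACTS", "com.example.dropper"):
        manifest += len(s).to_bytes(2, "little") + s.encode("utf-16-le") + b"\x00\x00"
    dex = b"dex\n035\x00" + b"\x00" * 8
    for s in ("Lcom/example/dropper/MainActivity;", "http://203.0.113.7/c2/beacon.php",
              "https://cdn.example.net/update", "/system/xbin/su",
              "Ldalvik/system/DexClassLoader;"):
        dex += s.encode() + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")  # placeholder, not a real PKCS#7 blob
        zf.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for key in ("sha256", "watched_permissions", "urls", "ips", "suspicious_strings", "signature_files"):
        print(f"{key}: {result[key]}")
```

On a real sample, pass the file contents (open(path, "rb").read()) to triage_apk(); the sha256 it prints is the value to look up before uploading anything, and the URL/IP sets are the network indicators to pivot on. The permission grep is a shortcut for triage only: it sees names in the string pool, not which element declares them, so confirm with apktool before reporting.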

5 Defensive Actions

Contain and eliminate the threat.

  • Isolate the infected device from the network
  • Submit findings to MISP or other threat intelligence platforms
  • Remove the malicious APK and disable its persistence mechanisms (device admin, accessibility service, boot receivers, any companion apps it installed)

QUICK TRIAGE

  • adb shell pm list packages -f | sort
  • adb shell cmd package list packages --show-versioncode
  • adb shell appops query-op --user 0 RUN_IN_BACKGROUND
  • adb shell dumpsys package > pkg.txt (the redirect runs on the host, so the dump lands in the current directory)
  • adb shell settings list global | grep -iE 'adb|debug|development' (adb_enabled and development_settings_enabled live in the global namespace, not secure)
  • adb shell logcat -v time -d | grep -iE 'dex2oat|zygote|frida|magisk'
  • adb shell ls -la /data/local/tmp
  • adb shell ip addr ; adb shell ip route
  • adb shell dumpsys activity processes | grep -i <package> (replace <package> with the suspect package name)
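The package listing and dumpsys steps of the quick triage above produce a lot of text; the parser below is an added example (not part of the original note) that turns that output into a short list of user-installed packages and triage flags. Both sample outputs are constructed for this example, not captured from a real device, and the package names, paths and watch list are assumptions. On a device you would feed it the output of adb shell pm list packages -f and adb shell dumpsys package <package> instead.

```python
"""Parsers for adb quick-triage output. Added example, not from the original
note; the sample outputs below are constructed, not captured from a device."""
import re

# Normally: adb shell pm list packages -f
PM_LIST_SAMPLE = """package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/~~Q1x9==/com.example.notes-1a2b==/base.apk=com.example.notes
package:/data/app/~~Zz8a==/com.update.service-k9Lm==/base.apk=com.update.service
"""

# Normally: adb shell dumpsys package com.update.service (trimmed to the fields used)
DUMPSYS_SAMPLE = """Packages:
  Package [com.update.service] (3f2a1b):
    userId=10234
    codePath=/data/app/~~Zz8a==/com.update.service-k9Lm==
    versionCode=3 minSdk=21 targetSdk=33
    firstInstallTime=2024-01-12 14:03:11
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: installed=true hidden=false suspended=false stopped=false enabled=0
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
"""

# Permissions worth a second look (assumption: tune to your own policy).
WATCHED = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.RECORD_AUDIO",
}
SYSTEM_ROOTS = ("/system/", "/system_ext/", "/vendor/", "/product/", "/odm/", "/apex/")


def parse_pm_list(output: str) -> list:
    """Return (package, apk_path) pairs. Split on the LAST '=': Android 11+ install
    paths contain base64 padding ('~~Zz8a==/'), so a naive split on '=' breaks."""
    pairs = []
    for line in output.splitlines():
        if not line.startswith("package:"):
            continue
        path, _, pkg = line[len("package:"):].rpartition("=")
        pairs.append((pkg, path))
    return pairs


def sideloaded(pairs: list) -> list:
    """Anything not on a system partition was installed after the build: by a
    store, an MDM, adb, or a dropper. These are the packages to look at first."""
    return [(pkg, path) for pkg, path in pairs if not path.startswith(SYSTEM_ROOTS)]


def summarize_dumpsys(output: str) -> dict:
    """Pull the installer, target SDK and the permissions actually granted."""
    m = re.search(r"installerPackageName=(\S+)", output)
    installer = m.group(1) if m and m.group(1) != "null" else None
    granted = set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", output))
    t = re.search(r"targetSdk=(\d+)", output)
    return {"installer": installer, "granted": granted,
            "target_sdk": int(t.group(1)) if t else None}


def triage_flags(summary: dict) -> list:
    """Turn a dumpsys summary into human-readable triage notes."""
    flags = []
    if summary["installer"] is None:
        flags.append("no installer recorded (adb/sideload/dropper, not a store)")
    for perm in sorted(summary["granted"] & WATCHED):
        flags.append(f"sensitive permission granted: {perm}")
    if "android.permission.RECEIVE_BOOT_COMPLETED" in summary["granted"]:
        flags.append("RECEIVE_BOOT_COMPLETED granted: can restart itself at boot (persistence)")
    if summary["target_sdk"] is not None and summary["target_sdk"] < 23:
        flags.append(f"targetSdk={summary['target_sdk']}: legacy permission model, everything granted at install")
    return flags


if __name__ == "__main__":
    for pkg, path in sideloaded(parse_pm_list(PM_LIST_SAMPLE)):
        print(f"user-installed: {pkg} ({path})")
    for flag in triage_flags(summarize_dumpsys(DUMPSYS_SAMPLE)):
        print(f"  com.update.service: {flag}")
```

The installer check is the quickest signal on a fresh case: a package that has no installerPackageName and sits under /data/app was not installed from a store, which is exactly what a phishing-delivered APK looks like, and its granted SMS/contacts/overlay permissions tell you what to expect from the network capture.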