MalFixer Toolkit for Inspecting and Recovering Malformed And...#2134
Open
carlospolop wants to merge 1 commit intomasterfrom
Open
MalFixer Toolkit for Inspecting and Recovering Malformed And...#2134carlospolop wants to merge 1 commit intomasterfrom
carlospolop wants to merge 1 commit intomasterfrom
Conversation
Collaborator
Author
🔗 Additional ContextOriginal Blog Post: https://github.com/Cleafy/Malfixer Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (new subsection: "APK Anti-Analysis: Malformed ZIP/APK, Corrupted AndroidManifest.xml, Malformed Asset Names"; include MalFixer as a tooling reference)". Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title/Scope: MalFixer is a Python toolkit (Python 3.8+; tested on Linux and macOS) for malware analysts / reverse engineers / mobile security researchers to inspect and recover intentionally malformed Android APKs. These APKs attempt to evade static analysis by abusing ZIP/APK container structure weaknesses, corrupting
AndroidMa...🔧 Technical DetailsAPK anti-analysis via malformed ZIP structures: Attackers can craft APKs (ZIP containers) with inconsistent/corrupted local headers and central directory metadata so that different ZIP parsers disagree on file offsets/sizes, causing decompilers/extractors/scanners to crash or skip entries. A robust response is to parse both views (local headers vs central directory), detect inconsistencies, and rewrite/normalize ZIP metadata so file enumeration and extraction become deterministic again.
Anti-analysis via corrupted binary
AndroidManifest.xml: Because many Android analysis pipelines require a valid decoded manifest, attackers can break the manifest encoding/structure to halt processing. A recovery approach is to decode what is salvageable, reconstruct a minimally correct manifest representation, and reinsert it into a rebuilt APK so tooling can proceed.Anti-analysis via malformed asset filenames: ...
🤖 Agent Actions
I’m mapping the Android/mobile sections first, then I’ll read several candidate pages to decide whether this belongs in an existing APK-analysis page or requires a new one.
I found the Android app pentesting section. Next I’m reading the index plus several APK/reversing/deobfuscation pages to see whether malformed-APK anti-analysis already has a natural home.
The existing content already covers APK basics, decompilers, and deobfuscation, but I haven’t seen malformed-container anti-analysis documented yet. I’m now searching the repo for direct coverage of corrupted ZIP/APK structures, broken binary manifests, and hostile asset names before I choose the target file.
There’s no existing MalFixer or malformed-APK recovery coverage in the repo. The strongest fit is the main Android applications page, inside static analysis / deobfuscation, because this is an analysis-enablement technique rather than an app vulnerability class.
I’ve narrowed the edit to a single file: src/mobile-pentesting/android-app-pentesting/README.md. I’m locating the exact subsection now so the addition stays short and consistent with the page’s existing static-analysis workflow.
I’m editing the Android applications page now. The addition will be a short static-analysis subsection covering malformed ZIP/APK containers, corrupted binary manifests, hostile asset names, and a concrete MalFixer workflow plus references.
Updated README.md in
src/mobile-pentesting/android-app-pentesting/with a new static-analysis subsection on APK anti-analysis through malformed ZIP/APK metadata, corrupted binaryAndroidManifest.xml, and malformed asset filenames. I placed it in the main Android applications page because this is an analysis-enablement technique, not a standalone app vuln class, and there was no existing direct coverage of malformed-APK recovery in the repo.The new section adds a practical triage workflow, explains the parser-differential angle, includes MalFixer usage examples, and adds the MalFixer GitHub URL to the file’s final
## Referencesblock. I verified the inserted section and reviewed the final diff.This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.