Add content from: MalFixer: Toolkit for Inspecting and Recovering Malformed An...

Author: HackTricks News Bot

src/mobile-pentesting/android-app-pentesting/README.md

@@ -165,6 +165,41 @@ firmware-level-zygote-backdoor-libandroid_runtime.md
 First of all, for analysing an APK you should **take a look to the to the Java code** using a decompiler.\
 Please, [**read here to find information about different available decompilers**](apk-decompilers.md).
 
+### APK anti-analysis via malformed containers, manifests, and asset names
+
+Some malicious APKs are not merely obfuscated: they are **deliberately malformed** so common tooling (`unzip`, `apktool`, `jadx`, AV scanners, CI pipelines) cannot enumerate files reliably or aborts early. A useful mental model is **parser differential anti-analysis**: Android may still accept enough of the package to install or partially process it, while desktop ZIP/APK parsers disagree about what entries exist or where they start.
+
+Common patterns:
+
+- **Malformed ZIP/APK metadata**: inconsistent **local file headers** and **central directory** records can make tools resolve different offsets, sizes, or filenames for the same entry.
+- **Corrupted binary `AndroidManifest.xml`**: if the manifest cannot be decoded, many static-analysis pipelines stop before inspecting components, permissions, exported surfaces, or embedded resources.
+- **Malformed asset filenames**: suspicious names inside `assets/` can break extraction, path handling, or downstream file processing and hide secondary payloads.
+
+Practical workflow when a sample "looks empty" or decompilers crash:
+
+1. Compare how multiple parsers see the archive:
+   ```bash
+   unzip -l app.apk
+   zipinfo -v app.apk
+   jadx app.apk -d out-jadx
+   apktool d app.apk -o out-apktool
+   ```
+2. If the file list differs across tools, or `jadx` / `apktool` fails on `AndroidManifest.xml`, treat the APK as intentionally malformed instead of assuming corruption in transit.
+3. Rebuild a **normalized APK** that rewrites ZIP metadata, repairs the manifest, and sanitises hostile asset names before deeper reversing.
+
+One purpose-built tool for this is **MalFixer**:
+
+```bash
+python malfixer.py /path/to/app.apk
+python malfixer.py /path/to/app.apk --output-dir /path/to/output
+python malfixer.py /path/to/app.apk -l DEBUG
+```
+
+The resulting `*-fixed.apk` is intended to be **standard enough for static tooling**, especially `jadx`. This is useful when triaging Android malware or packers that hide payloads behind malformed container metadata rather than only string/code obfuscation.
+
+> [!NOTE]
+> The MalFixer README describes the ZIP repair module as `zipzixer.py`, while the repository file listing currently exposes `zipfixer.py`. If you inspect or import the project manually, verify the actual filename in the checked-out tree.
+
 ### Looking for interesting Info
 
 Just taking a look to the **strings** of the APK you can search for **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** and anything interesting... look even for code execution **backdoors** or authentication backdoors (hardcoded admin credentials to the app).
@@ -971,6 +1006,7 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
 - [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
 - [justapk — multi-source APK downloader with Cloudflare bypass](https://github.com/TheQmaks/justapk)
 - [Jezail rooted Android pentesting toolkit (REST API + Flutter UI)](https://github.com/zahidaz/jezail)
+- [MalFixer](https://github.com/Cleafy/Malfixer)
 - [BeatBanker: A dual‑mode Android Trojan](https://securelist.com/beatbanker-miner-and-banker/119121/)
 
 {{#include ../../banners/hacktricks-training.md}}