Alessandro Strino

Solid background in penetration testing and modern malware analysis. His main research topics are threat intelligence and computer forensics. Nevertheless, he is passionate about binary exploitation, reverse engineering, and privilege escalation techniques. He now works as a principal malware analyst at Cleafy. He has spoken at Botconf 2023, CERT-EU 2023, BSides Cyprus 2023, FS-ISAC 2024, and Botconf 2025, as well as DEF CON 2025.


Sessions

04-14
13:00
300min
Advanced Android Malware Analysis: Defeating Obfuscation in the Real World
Alessandro Strino, Michele Roviello, Federico Valentini

Android malware analysis can be intimidating, especially when samples employ aggressive obfuscation, layered encryption, anti-analysis techniques, and native code to conceal their behavior. This workshop is designed to guide analysts beyond these barriers and into a disciplined, scientific approach to understanding what modern Android malware actually does. Rather than treating obfuscation as a blocker, the workshop focuses on identifying it, understanding its purpose, and actively defeating it. Participants will learn how to recognize common and advanced obfuscation patterns, isolate relevant logic, and reconstruct the overall malware execution flow. The methodology presented combines static reverse engineering with dynamic analysis and runtime instrumentation, reflecting real-world workflows used by professional malware analysts.

A core theme of the workshop is analyst efficiency and automation. Attendees will explore techniques to dynamically resolve encrypted code paths, automatically identify and neutralize encryption routines, and interact with malware at runtime. This includes injecting into the execution flow, patching binaries or memory on the fly, and forcing the execution of specific instructions to extract hidden behavior.

The workshop begins with a custom-built Android application and progressively introduces techniques commonly found in modern Android malware. These techniques are applicable across malware families, including banking trojans, spyware, and more advanced threats, and are not tied to a single campaign or actor. To make the overall learning experience effective, the workshop includes a custom Capture the Flag (CTF) designed specifically for attendees. The challenges mirror real-world analysis scenarios, allowing participants to apply the techniques covered during the sessions immediately.

Workshops
Room 1
04-15
11:10
30min
Broken by Design: Defeating APK Malformation at Scale in the MaaS Era
Alessandro Strino, Michele Roviello, Federico Valentini

APK malformation has ceased to be a niche evasion tactic; it is now the de facto standard for anti-analysis in the modern Android threat landscape. Implemented by default in the vast majority of Malware-as-a-Service (MaaS) builders and crypters, this technique allows families like TeaBot, TrickMo, and SpyNote to exploit Android's installation leniency while crippling traditional static analysis tools. By intentionally corrupting the APK structure, threat actors cause standard parsers (e.g., JADX) to crash or yield incomplete data, effectively blinding analysts and breaking automated triage pipelines.

In this session, we will present a comprehensive dissection of these techniques, categorized into three pillars:
- ZIP Structure Manipulation: Exploiting parser discrepancies via Unsupported Compression Methods and deliberate Local File Header/Central Directory mismatches.
- AXML Obfuscation: Corrupting the AndroidManifest binary XML through Attribute Size Violations and String Pool manipulation to exploit parser rigidity.
- Asset Directory Abuse: Leveraging non-ASCII characters to induce path traversal errors.

Critically, the defensive landscape lacks consolidated tools to reliably handle these malformations. To bridge this gap, we introduce Malfixer, a specialized utility that has been developed and refined over the past two years within our threat intelligence operations. We will demonstrate how Malfixer detects and surgically repairs structural corruptions, restoring file integrity without altering the payload, to unblock large-scale triage and classification pipelines.
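As an added illustration of the first pillar (ZIP structure manipulation), and not Malfixer's own code, which this page does not show: a small Python checker that walks an APK's central directory, compares each entry with its local file header, and flags unsupported compression methods or LFH/CD disagreements of the kind a triage pipeline should catch before handing the file to a decompiler. The sample archive is constructed inline; its tampered variant rewrites one local-header field while leaving the central directory intact, so the detector has something to report.

```python
import io
import struct
import zipfile

CENTRAL_SIG, LOCAL_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x03\x04", b"PK\x05\x06"
ANDROID_METHODS = {0, 8}  # STORED and DEFLATED: the methods the Android installer accepts


def find_header_mismatches(data: bytes) -> list:
    """Walk the central directory and compare each entry with its local file header.
    Returns human-readable findings; an empty list means the structures agree."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"central directory broken at offset {pos}")
            break
        (_, _, _, _, c_method, _, _, c_crc, c_csize, c_usize, nlen, xlen, clen,
         _, _, _, lfh_off) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + xlen + clen  # advance to the next central entry
        if data[lfh_off:lfh_off + 4] != LOCAL_SIG:
            findings.append(f"{name}: no local file header at offset {lfh_off}")
            continue
        (_, _, _, l_method, _, _, l_crc, l_csize,
         l_usize, _, _) = struct.unpack_from("<4sHHHHHIIIHH", data, lfh_off)
        if c_method not in ANDROID_METHODS or l_method not in ANDROID_METHODS:
            findings.append(f"{name}: unsupported compression method {c_method}/{l_method}")
        if (c_method, c_crc, c_csize, c_usize) != (l_method, l_crc, l_csize, l_usize):
            findings.append(f"{name}: central directory and local header disagree")
    return findings


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed sample, not a real APK: two deflated entries. With tamper=True
    the compression-method field of the classes.dex local header is overwritten
    with an unsupported value while the central directory is left intact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 20)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        dex_lfh = zf.getinfo("classes.dex").header_offset
    data = bytearray(buf.getvalue())
    if tamper:
        struct.pack_into("<H", data, dex_lfh + 8, 99)  # method field sits 8 bytes into the LFH
    return bytes(data)
```

Run `find_header_mismatches` over an archive before decompilation; any finding means the file needs repair (or at least a parser that reads the central directory and local headers independently) rather than being treated as a truncated or benign sample.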

Finally, Malfixer will be officially released as open-source during this talk. This contribution aims to provide analysts with a standard for APK repair and to foster a collaborative framework, enabling the community to extend capabilities against future, yet unknown, malformation techniques.

Main conference
Amphitheater
04-16
17:11
3min
LT18-The Cost Of Sharing
Alessandro Strino

Threat intelligence sharing is one of the cornerstones of the security community. Disclosing findings publicly helps defenders act, raises collective awareness, and advances the field. But sharing is not a cost-free operation, and this talk is about one case where the cost became visible in an unexpected way.
In early 2026, Cleafy TIR published a full technical analysis of Mirax, a novel Android RAT capable of turning infected devices into residential proxy nodes. The report included C2 indicators, malware capabilities, and delivery infrastructure details. One element was deliberately withheld: the URL of an attacker-controlled GitHub repository actively distributing new APK variants on a daily basis. The decision to blur it was intentional: the repository represented a live intelligence source, and burning it would mean losing visibility into an ongoing campaign.

This talk presents that case as a concrete example of a recurring tension in threat intelligence sharing: the gap between the intent of a disclosure and the downstream actions it enables. We examine the decision to blur rather than redact, the signal that blurring carries, and what it means when that signal is not recognised or respected.

The talk does not offer a verdict. It asks a question the community should be discussing openly: how do we share intelligence without becoming collateral in our own disclosures?

Lightning talk
Amphitheater