Michele Roviello
Cybersecurity professional with experience in malware analysis and threat intelligence. I specialize in reverse engineering Windows and Android malware, gaining deep insights into malicious operations and behaviors. Currently, I am a Malware Analyst at Cleafy, focusing on analyzing and mitigating emerging mobile cyber threats.
Sessions
Android malware analysis can be intimidating, especially when samples employ aggressive obfuscation, layered encryption, anti-analysis techniques, and native code to conceal their behavior. This workshop is designed to guide analysts beyond these barriers and into a disciplined, scientific approach to understanding what modern Android malware actually does. Rather than treating obfuscation as a blocker, the workshop focuses on identifying it, understanding its purpose, and actively defeating it. Participants will learn how to recognize common and advanced obfuscation patterns, isolate relevant logic, and reconstruct the overall malware execution flow. The methodology presented combines static reverse engineering with dynamic analysis and runtime instrumentation, reflecting real-world workflows used by professional malware analysts.
A core theme of the workshop is analyst efficiency and automation. Attendees will explore techniques to dynamically resolve encrypted code paths, automatically identify and neutralize encryption routines, and interact with malware at runtime. This includes injecting into the execution flow, patching binaries or memory on the fly, and forcing the execution of specific instructions to extract hidden behavior.
The workshop begins with a custom-built Android application and progressively introduces techniques commonly found in modern Android malware. These techniques are applicable across malware families, including banking trojans, spyware, and more advanced threats, and are not tied to a single campaign or actor. To make the overall learning experience effective, the workshop includes a custom Capture the Flag (CTF) designed specifically for attendees. The challenges mirror real-world analysis scenarios, allowing participants to apply the techniques covered during the sessions immediately.
APK malformation has ceased to be a niche evasion tactic; it is now the de facto standard for anti-analysis in the modern Android threat landscape. Implemented by default in the vast majority of Malware-as-a-Service (MaaS) builders and crypters, this technique allows families like TeaBot, TrickMo, and SpyNote to exploit Android's installation leniency while crippling traditional static analysis tools. By intentionally corrupting the APK structure, Threat Actors cause standard parsers (e.g., JADX) to crash or yield incomplete data, effectively blinding analysts and breaking automated triage pipelines.
In this session, we will present a comprehensive dissection of these techniques, categorized into three pillars:
- ZIP Structure Manipulation: Exploiting parser discrepancies via Unsupported Compression Methods and deliberate Local File Header/Central Directory mismatches.
- AXML Obfuscation: Corrupting the AndroidManifest binary XML through Attribute Size Violations and String Pool manipulation to exploit parser rigidity.
- Asset Directory Abuse: Leveraging non-ASCII characters to induce path traversal errors.
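As an added defender-side illustration of the first pillar (this is example code, not part of the talk or of Malfixer), the script below walks an APK's central directory, compares each entry with the local file header it points to, and flags unsupported compression methods and Local File Header/Central Directory mismatches; the sample archive and its corruption are constructed inline.

```python
import io
import struct
import zipfile

SUPPORTED_METHODS = {0, 8}  # stored and deflate: the only methods Android's installer accepts
CD_HEADER = struct.Struct("<4sHHHHHHIIIHHHHHII")  # central directory file header (46 bytes)
LH_HEADER = struct.Struct("<4sHHHHHIIIHH")  # local file header (30 bytes)


def scan_zip_structure(data: bytes) -> list:
    """Compare every central directory entry with its local header; one finding per discrepancy."""
    findings = []
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        return ["no end-of-central-directory record found"]
    count, cd_pos = struct.unpack_from("<H4xI", data, eocd + 10)  # total entries, CD offset
    for _ in range(count):
        cd = CD_HEADER.unpack_from(data, cd_pos)
        if cd[0] != b"PK\x01\x02":
            findings.append(f"central directory entry at {cd_pos:#x}: bad signature")
            break
        cd_method, cd_crc, cd_csize, nlen, elen, clen, lh_pos = (cd[i] for i in (4, 7, 8, 10, 11, 12, 16))
        name = data[cd_pos + 46:cd_pos + 46 + nlen].decode("utf-8", "replace")
        cd_pos += 46 + nlen + elen + clen
        if cd_method not in SUPPORTED_METHODS:
            findings.append(f"{name}: unsupported compression method {cd_method} in central directory")
        lh = LH_HEADER.unpack_from(data, lh_pos)
        if lh[0] != b"PK\x03\x04":
            findings.append(f"{name}: offset {lh_pos:#x} does not point at a local file header")
            continue
        lh_flags, lh_method, lh_crc, lh_csize = lh[2], lh[3], lh[6], lh[7]
        if lh_method != cd_method:
            findings.append(f"{name}: method mismatch (local {lh_method}, central {cd_method})")
        # flag bit 3 moves CRC/size into a trailing data descriptor, so zeros in the local header are legitimate
        if not lh_flags & 0x08 and (lh_crc, lh_csize) != (cd_crc, cd_csize):
            findings.append(f"{name}: CRC/size mismatch between local header and central directory")
    return findings


def build_sample(corrupt: bool = True) -> bytes:
    """Constructed sample: a tiny APK-shaped archive; corrupt=True sets the first CD entry's method to 15."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\0" + bytes(64))
    data = bytearray(buf.getvalue())
    if corrupt:
        cd_pos = struct.unpack_from("<I", data, data.rfind(b"PK\x05\x06") + 16)[0]
        struct.pack_into("<H", data, cd_pos + 10, 15)  # method field sits at offset 10 of the CD entry
    return bytes(data)
```

Run `scan_zip_structure(build_sample())` to see both the unsupported method and the resulting local/central mismatch reported for `AndroidManifest.xml`, while the untouched archive yields no findings.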
Critically, the defensive landscape lacks consolidated tools to reliably handle these malformations. To bridge this gap, we introduce Malfixer, a specialized utility that has been developed and refined over the past two years within our threat intelligence operations. We will demonstrate how Malfixer detects and surgically repairs structural corruptions, restoring file integrity without altering the payload, to unblock large-scale triage and classification pipelines.
Finally, Malfixer will be officially released as open-source during this talk. This contribution aims to provide analysts with a standard for APK repair and to foster a collaborative framework, enabling the community to extend capabilities against future, yet unknown, malformation techniques.