Android Software Reverse Engineering & Decompilation

Beyond AXML: Advanced Techniques for Reverse Engineering Dynamically Loaded Android Manifests

By Antigravity Research Published May 29, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Elusive Android Manifest

The AndroidManifest.xml file is the heart of any Android application, declaring its components (activities, services, receivers, providers), permissions, hardware features, and more. For reverse engineers, it’s often the first point of analysis, providing a high-level overview of an app’s functionality and potential attack surface. Traditional reverse engineering workflows typically involve extracting the APK, decompiling it, and then using tools like AXMLPrinter2 or Android’s own `aapt` to parse the binary XML manifest into a human-readable format.

However, modern malware and sophisticated applications often employ techniques to obscure or dynamically load their manifest declarations, bypassing standard static analysis. When a tool like `apktool` or `jadx` fails to produce a complete or accurate manifest, it’s a strong indicator that you’re dealing with a dynamically loaded or obfuscated manifest. This article delves into advanced techniques to uncover and analyze these hidden manifest declarations, moving beyond simple AXML parsing.

The Challenge of Dynamically Loaded Manifests

Why would an application dynamically load a manifest? Common reasons include:

  • Anti-Analysis: To complicate static analysis and automated sandbox environments.
  • Modularity: Loading different components or features based on runtime conditions, A/B testing, or geographical location.
  • Malware Droppers: A small initial APK might download and load a secondary DEX file containing the actual malicious payload and its manifest components.
  • Plugin Architectures: Allowing third-party plugins to define their own components.

The core problem is that the `AndroidManifest.xml` you initially see in the APK might not be the *effective* manifest used at runtime. Components can be declared and registered programmatically, or entire manifest files can be loaded from external sources or embedded within DEX files.

How Android Loads Manifests (Briefly)

At a high level, the Android system (specifically the `PackageManagerService` and `ActivityThread`) parses the `AndroidManifest.xml` during package installation and application launch. It relies on the `AssetManager` to access application resources, including the manifest. Dynamic loading often involves manipulating these core system components or creating new `ApplicationInfo` objects at runtime.

Static Analysis: Hunting for Dynamic Loading Clues

Even dynamically loaded manifests leave traces. The first step is to perform thorough static analysis on the decompiled code (Smali or Java) looking for specific API calls that indicate runtime manifest manipulation.

Keywords and API Calls to Watch For:

  • `android.content.pm.PackageManager` and its methods, especially `getPackageInfo`, `getApplicationInfo`.
  • `android.content.res.AssetManager.addAssetPath`: This method is crucial. It allows an application to add new asset paths (like APKs or ZIP files) that contain resources, *including* manifests.
  • `dalvik.system.PathClassLoader` or `dalvik.system.DexClassLoader`: These are used to load DEX files at runtime. These DEX files might contain the dynamic manifest logic or even the manifest itself as an embedded resource.
  • `android.app.ActivityThread`: Key methods like `handleBindApplication` are involved in the initial application setup and manifest parsing.
  • `parsePackage` or `parseAndroidManifest`: Though internal and not directly accessible to apps, references might exist in highly modified runtimes or custom frameworks.

Example: Grepping for `addAssetPath`

After decompiling the APK (e.g., using `jadx -d output_dir your_app.apk`), navigate to the output directory and use `grep`:

grep -rn "addAssetPath" output_dir/sources/com/your/package/

Or, for Smali code:

grep -rn "Landroid/content/res/AssetManager;->addAssetPath" output_dir/smali/com/your/package/

If you find calls to `addAssetPath`, investigate the source of the path argument. It might point to a downloaded APK, an encrypted file, or an asset embedded within the application.

Smali/Java Code Pattern Example:

You might see code similar to this in Smali:

.method private loadDynamicManifest(Ljava/lang/String;)V    .locals 3    .param p1, "apkPath"    .prologue    new-instance v0, Landroid/content/res/AssetManager;    invoke-direct {v0}, Landroid/content/res/AssetManager;-><init>()V    .local v0, "assetManager":Landroid/content/res/AssetManager;    invoke-virtual {v0, p1}, Landroid/content/res/AssetManager;->addAssetPath(Ljava/lang/String;)I    move-result v1    .local v1, "cookie":I    if-eqz v1, :cond_0    .line 15    const-string v2, "DynamicManifest"    const-string v0, "Successfully added asset path!"    invoke-static {v2, v0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I    .line 16    :cond_0    return-void.end method

In Java, this translates to:

private void loadDynamicManifest(String apkPath) {    AssetManager assetManager = new AssetManager();    int cookie = assetManager.addAssetPath(apkPath);    if (cookie != 0) {        Log.d("DynamicManifest", "Successfully added asset path!");    }}

The `apkPath` variable is what you need to track. It might be hardcoded, generated, or retrieved from a remote server.

Dynamic Analysis: Unveiling the Runtime Configuration with Frida

Static analysis helps identify *where* dynamic loading might occur. Dynamic analysis, using tools like Frida, allows you to observe these actions in real-time, often revealing the exact paths or data being loaded.

Setting Up for Dynamic Analysis:

  1. Rooted Device or Emulator: You’ll need a rooted environment to run Frida.
  2. Frida CLI: Install Frida on your host machine (`pip install frida-tools`).
  3. Frida Server: Push the Frida server to your Android device and run it.

Hooking `AssetManager.addAssetPath` with Frida:

This is a powerful technique to intercept attempts to load new resource paths. When `addAssetPath` is called, you can log the path argument.

Java.perform(function() {    var AssetManager = Java.use("android.content.res.AssetManager");    AssetManager.addAssetPath.implementation = function(path) {        console.log("[+] AssetManager.addAssetPath called with path: " + path);        var result = this.addAssetPath(path);        console.log("    Return value (cookie): " + result);        return result;    };    console.log("[+] Hooked AssetManager.addAssetPath");});

Save this as `hook.js` and run it with `frida -U -f com.your.package –no-pause -l hook.js`. This will attach to the target application and print any paths added to the `AssetManager`. Look for paths that resemble APKs, ZIPs, or other archives.

Observing Package Parsing:

If the manifest is truly dynamic and not just loaded from a separate file, you might need to go deeper by hooking into the Android framework’s package parsing mechanisms. This is more complex and might involve hooking system services directly. For instance, in `PackageManagerService`, methods like `parsePackage` or `parsePackageLite` could be targets, though these are more difficult to instrument from an app’s context.

Extracting and Decoding the Dynamic Manifest

Once you’ve identified the source of the dynamic manifest (e.g., a file path from `addAssetPath`, or an embedded resource), the next step is extraction and decoding.

Scenario 1: Manifest as a separate file (APK/ZIP)

  1. Locate the File: The Frida hook or static analysis should give you the path (e.g., `/data/data/com.your.package/files/dynamic.apk`).
  2. Pull the File: Use `adb pull` to get it from the device: 
    adb pull /data/data/com.your.package/files/dynamic.apk .
  3. Analyze the File: Treat this extracted file as a new APK. Use `apktool d dynamic.apk` or `jadx` to decompile it. The `AndroidManifest.xml` found within this extracted file is likely your dynamic manifest.

Scenario 2: Manifest embedded within a DEX/JAR

If the manifest isn’t a standalone file but bytes within a DEX, you’ll need to locate and extract those bytes.

  1. Memory Dump: If the manifest is constructed in memory, a memory dump (e.g., using `frida-trace` for specific function returns, or a full process dump) might be necessary.
  2. Hook File I/O: Hooking `java.io.FileInputStream` or similar classes can reveal if the app is reading a custom manifest resource.
  3. AXML Format: Remember that Android Manifests are binary XML (AXML). Once you have the raw bytes, you’ll need an AXML parser. Libraries like android-binary-xml-parser (Python) or Androguard can parse these bytes.

Example: Pythonic AXML Parsing Snippet (Conceptual)

from androguard.core.axml import AXMLPrinter    def parse_axml_bytes(axml_bytes):        printer = AXMLPrinter(axml_bytes)        return printer.get_xml()    # Assuming you have the raw AXML bytes, e.g., from a file or memory    # with open("dynamic_manifest.xml", "rb") as f:    #     raw_axml = f.read()    # If raw_axml is obtained, for example, by hooking a read function    # decoded_manifest = parse_axml_bytes(raw_axml)    # print(decoded_manifest)

The `AXMLPrinter` will attempt to convert the binary AXML into a readable XML string, revealing the dynamically declared components.

Common Obfuscation Techniques and Countermeasures

  • Encryption/Compression: The dynamic manifest might be encrypted or compressed. Look for common cryptographic functions (AES, RSA, XOR) or compression libraries (GZIP, Zlib) being used on the manifest’s byte stream. Frida hooks on `Cipher` or `Inflater` methods can reveal keys or decrypted data.
  • Split Manifests: Some applications might split manifest declarations across multiple resources or even reconstruct them entirely from code. This requires meticulous static and dynamic analysis to piece together the full picture. Look for String concatenation building component names.
  • Custom Class Loaders: Sophisticated apps might implement their own `ClassLoader` to control how classes and resources are loaded, potentially bypassing standard `AssetManager` hooks. In such cases, you need to understand the custom class loader’s logic.

Conclusion

Reverse engineering dynamically loaded Android Manifests demands a blend of static and dynamic analysis. By meticulously examining API calls like `AssetManager.addAssetPath`, `DexClassLoader`, and employing powerful instrumentation frameworks like Frida, you can uncover the hidden manifest declarations that evade traditional decompilation. Remember that the goal is to understand the application’s true runtime configuration, which often differs significantly from what’s initially presented. Mastering these advanced techniques is crucial for comprehensive Android security analysis and malware investigation.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Reverse Engineering #AndroidManifest #Dynamic Analysis #Frida #Static Analysis

Related Technical Guides

Reverse Engineering resources.arsc from Scratch: A Byte-Level Guide to Android Resource Parsing

May 29, 2026

Reverse Engineering Android Apps with MobSF: A Practical Lab on Vulnerability Identification

May 29, 2026

Advanced Smali: Dynamic Code Loading & RCE in Protected Android Applications

May 29, 2026