Android Software Reverse Engineering & Decompilation

Reverse Engineering Android Manifests: A Step-by-Step Troubleshooting Script for Malicious Apps

By Antigravity Research Published May 29, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: Unmasking Android Malware Through its Blueprint

The Android Manifest file, AndroidManifest.xml, serves as the central nervous system for any Android application. It’s an XML file that declares the app’s essential characteristics, permissions, components (activities, services, broadcast receivers, content providers), and hardware/software requirements. For security researchers and incident responders, reverse engineering this file is often the first and most critical step in understanding the behavior and capabilities of a suspicious or malicious Android application (APK).

Malware authors frequently try to obscure their intentions, but the manifest file, by its nature, must declare fundamental aspects of the app for the Android operating system to function correctly. This makes it an invaluable source of intelligence, revealing potential attack vectors, requested privileges, and how an app interacts with the system and other applications. This guide will walk you through a systematic approach to reverse engineering Android Manifests, focusing on indicators of malicious intent.

Essential Tools for Manifest Analysis

Before diving into the analysis, ensure you have the following tools set up in your environment:

  • Apktool: A command-line utility for reverse engineering Android APK files. It can decode resources to nearly original form and rebuild them after modifications. It’s crucial for extracting the human-readable AndroidManifest.xml.
  • AAPT (Android Asset Packaging Tool): Part of the Android SDK Build Tools, AAPT can display specific information about an APK, including its manifest in a compact form. Useful for quick checks without full decompilation.
  • Jadx or Dex2jar + JD-GUI: While not directly for manifest analysis, these tools convert DEX bytecode to Java code, which is often necessary to understand how manifest declarations are utilized programmatically.
  • Text Editor: Any capable text editor (VS Code, Sublime Text, Notepad++) will suffice for viewing and searching the XML.

Step 1: Obtaining and Decompiling the APK

The first step is to acquire the suspicious APK file. This might come from an infected device, a malware repository, or a suspicious download link. Once you have the APK, you need to decompile it to access its resources, including the manifest file.

Using Apktool to Decompile

Apktool is the go-to tool for this. Open your terminal or command prompt and execute the following command:

apktool d suspicious.apk -o suspicious_app_decoded

Replace suspicious.apk with the path to your APK file and suspicious_app_decoded with your desired output directory. Upon successful execution, Apktool will create the specified directory containing the decompiled resources, including AndroidManifest.xml, res/ (resources), and smali/ (smali code).

Alternatively, for a quick overview without full decompilation, you can use AAPT:

aapt dump badging suspicious.apk

This command outputs a summary of the package, including permissions, application label, activities, and other key manifest attributes, but in a less structured format than the raw XML.

Step 2: Deep Dive into AndroidManifest.xml

Navigate to the output directory (suspicious_app_decoded) and open the AndroidManifest.xml file in your preferred text editor. This is where the real investigation begins.

2.1 Analyzing Requested Permissions

Permissions are arguably the most critical section for identifying malicious behavior. Malware often requests an excessive number of permissions, especially dangerous ones, to gain unauthorized access to device resources or user data. Look for the <uses-permission> tags:

<uses-permission android:name="android.permission.INTERNET"/> <!-- Common, but check context --> <uses-permission android:name="android.permission.READ_SMS"/> <!-- Highly suspicious for a non-messaging app --> <uses-permission android:name="android.permission.RECEIVE_SMS"/> <!-- Enables intercepting SMS --> <uses-permission android:name="android.permission.SEND_SMS"/> <!-- Enables sending premium SMS --> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> <!-- Data exfiltration/modification --> <uses-permission android:name="android.permission.READ_CONTACTS"/> <!-- Data exfiltration --> <uses-permission android:name="android.permission.CALL_PHONE"/> <!-- Making unauthorized calls --> <uses-permission android:name="android.permission.BIND_DEVICE_ADMIN"/> <!-- Prevent uninstallation --> <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/> <!-- Overlay attacks, phishing --> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> <!-- Tracking user location --> <uses-permission android:name="android.permission.READ_PHONE_STATE"/> <!-- Device identifiers for tracking --> <uses-permission android:name="android.permission.RECORD_AUDIO"/> <!-- Eavesdropping --> <uses-permission android:name="android.permission.CAMERA"/> <!-- Spying --> <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/> <!-- Sideloading other malware -->

Key Questions: Does the app’s declared functionality justify these permissions? Why would a flashlight app need SMS permissions? This discrepancy is a strong indicator of malicious behavior.

2.2 Examining Application Components

Android applications are built from four core components: Activities, Services, Broadcast Receivers, and Content Providers. Malware often abuses these components, especially by marking them as ‘exported’ or using specific intent filters to gain unauthorized entry points or persist on the device.

Activities

<activity> tags define user interface screens. Look for:

  • Launchers: An activity with an <intent-filter> containing <action android:name="android.intent.action.MAIN"/> and <category android:name="android.intent.category.LAUNCHER"/> indicates the app’s main entry point. Malicious apps might use deceptive launcher icons or hide their true main activity.
  • Exported Activities: An activity with android:exported="true" (or implicitly exported if it has an intent filter without specific permissions) can be launched by other applications. This can be a vulnerability if not properly secured.

Services

<service> tags define background processes without a user interface. Malicious services are common for persistence and performing actions stealthily.

  • Exported Services: android:exported="true" services can be bound to or started by other apps, potentially allowing remote control or data exfiltration.
  • Foreground Services: Starting with Android 9 (API 28), apps must declare <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/> to run foreground services. While legitimate, malware uses them to stay alive longer and avoid termination by the system.

Broadcast Receivers

<receiver> tags allow apps to listen for system-wide broadcast announcements (e.g., boot completed, SMS received, battery low). This is a prime target for malware.

<receiver android:name=".MyMaliciousReceiver" android:exported="true"> <intent-filter> <action android:name="android.intent.action.BOOT_COMPLETED"/> <!-- Starts on boot --> <action android:name="android.provider.Telephony.SMS_RECEIVED"/> <!-- Intercepts SMS --> </intent-filter></receiver>

Malicious Indicators: Receivers listening for BOOT_COMPLETED (for persistence), SMS_RECEIVED (for intercepting messages), CONNECTIVITY_CHANGE (to react to network availability), or ACTION_PACKAGE_ADDED (to monitor newly installed apps) are highly suspicious if the app’s function doesn’t justify them.

Content Providers

<provider> tags manage access to structured data. If a provider is exported (android:exported="true") and not properly protected by permissions, it can lead to information disclosure or unauthorized data modification.

2.3 Scrutinizing the Application Tag

The main <application> tag also holds vital clues:

  • android:debuggable="true": While useful for development, this should always be false in production apps. If true in a suspicious app, it might allow attackers to attach a debugger for runtime analysis or code injection.
  • android:allowBackup="true": If true, user data can be backed up to a computer, potentially exposing sensitive information if not secured.
  • android:usesCleartextTraffic="true": Indicates the app allows unencrypted HTTP traffic. While sometimes legitimate, it’s a red flag for data exfiltration as it bypasses secure communication protocols.
  • android:icon and android:label: Malware often tries to impersonate legitimate apps by using similar icons and names.

2.4 Inspecting Metadata

The <meta-data> tag within <application> or individual components can store arbitrary key-value pairs. Malware might hide configuration details, API keys, or C2 (command and control) server URLs here to evade static analysis of code.

Step 3: Identifying Malicious Patterns and Next Steps

As you analyze, look for combinations of suspicious elements:

  • Excessive Permissions + Boot Receiver: An app requesting many dangerous permissions and automatically starting on device boot is a classic sign of malware attempting persistence and broad access.
  • Hidden Launcher + Dangerous Permissions: An app that installs without an obvious icon in the app drawer but has extensive permissions is likely performing covert operations.
  • Device Admin Rights: If the manifest implies the app requests device administrator privileges (e.g., through BIND_DEVICE_ADMIN permission and an associated receiver), it’s highly concerning as this can prevent uninstallation.

Once you identify suspicious patterns in the manifest, the next logical step is to cross-reference these findings with the application’s bytecode (smali or decompiled Java). Search for classes mentioned in the manifest (e.g., receivers, services) within the decompiled code to understand their functionality and how they utilize the declared permissions and components.

grep -r "MyMaliciousReceiver" suspicious_app_decoded/smali/

This command would search for the receiver class in the smali code, allowing you to trace its execution flow.

Conclusion: The Manifest as a Malicious Roadmap

Reverse engineering the Android Manifest is an indispensable first step in understanding the true nature of an Android application. It provides a high-level overview of an app’s capabilities, its interaction points with the operating system and other apps, and its requested privileges. By systematically analyzing permissions, components, and other crucial tags, security professionals can quickly identify red flags that indicate malicious intent, guiding further, more detailed code analysis and ultimately helping to protect users from mobile threats.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Reverse Engineering #AndroidManifest.xml #Apktool #Cybersecurity #Malware Analysis

Related Technical Guides

How to Inject Any Java Method into an Android App Using Smali: A Comprehensive Guide

May 29, 2026

Customizing JADX: Optimizing Decompiled Output for Readability and Accuracy in Android RE

May 29, 2026

Android String Encryption Reverse Engineering: A Complete Guide to Cracking Common Schemes

May 30, 2026