Repackaged Malware
Description
Attackers modify legitimate apps to include malicious payloads and redistribute them. If servers do not verify app identity, repackaged clients can access production APIs with the same privileges as the official app.
Examples
Demonstrate Repackaging (Android)
apktool d app-release.apk -o app-src
# (Modify code/resources, e.g., add logging or inject a payload)
apktool b app-src -o app-modded.apk
apksigner sign --ks debug.keystore --ks-pass pass:android --key-pass pass:android --out app-modded-signed.apk app-modded.apk
apksigner verify --print-certs app-modded-signed.apk
If backend APIs do not reject requests from unknown signatures/package names, the app is susceptible.
Server-Side Proof
Call an authenticated endpoint from the repackaged client; if accepted, app identity verification is missing.
Remediation
- Verify client identity server-side
  - Enforce package name, signing certificate pinning, and version checks before issuing tokens.
- Attestation and integrity
  - Use Play Integrity/SafetyNet or App Attest; detect runtime hooking/tampering and refuse service.
- Distribution hygiene
  - Promote official stores, monitor for imposters, and file takedowns quickly; warn users in-app if integrity checks fail.