July 17, 2026
Android Infostealer Malware Analysis | Let’sDefend Walkthrough
Introduction

By Anshuman Thakur
4 min read
Introduction
Hello everyone!
In this write-up, we'll analyze an Android Infostealer sample from the Let'sDefend platform.
This was my first experience reverse engineering an Android application, making it an excellent opportunity to understand how Android malware is structured, how it requests permissions, and how to identify its capabilities through static analysis.
Rather than executing the malware, we'll inspect its source code and configuration to answer the challenge questions while learning how Android malware analysis works.
Let's get started.
Challenge Overview
As always, the first step is to read the challenge description.
Although the description is brief, it provides useful context about the malware and helps us understand what kind of behavior we should expect during the investigation.
After connecting to the lab machine, extract the provided ZIP archive.
Inside the archive, you'll find the Android application package (APK) that we'll analyze throughout this challenge.
Analysis Tool — JADX
To analyze the APK, I used JADX GUI, one of the most popular tools for Android reverse engineering.
tools/jadx-gui-1.5.1-with-jre-win/jadx-guitools/jadx-gui-1.5.1-with-jre-win/jadx-guiJADX converts Dalvik bytecode (classes.dex) into a readable Java-like representation and also extracts important application resources such as:
AndroidManifest.xml- Java classes
- Resources
- Package structure
This allows us to inspect the application's behavior without executing it.
Step 1 — Analyze AndroidManifest.xml
The first file I inspected was AndroidManifest.xml because it provides a high-level overview of the application.
During malware analysis, this file is one of the most valuable sources of information.
Here we can identify:
- Package name
- Requested permissions
- Activities
- Services
- Broadcast receivers
- Content providers
- Intent filters
These components often reveal the malware's capabilities before even looking at the source code.
Question 1 — What is the package name?
The package name can be found at the top of AndroidManifest.xml.
Answer
com.example.appcode.appcodecom.example.appcode.appcode
Question 2 — Which background service is declared?
Background services are declared using the <service> tag inside the manifest.
The service declared in this sample is:
Answer
com.example.appcode.appcode.CMDServicecom.example.appcode.appcode.CMDService
Why is this important?
Malware frequently uses background services to continue running even when the application isn't actively being used.
Question 3 — Which permission allows access to Wi-Fi information?
The required permission is:
android.permission.ACCESS_WIFI_STATEandroid.permission.ACCESS_WIFI_STATEThis permission allows the application to obtain information about the device's Wi-Fi connection.
Question 4 — Which permission allows approximate location access?
The permission requested is:
android.permission.ACCESS_COARSE_LOCATIONandroid.permission.ACCESS_COARSE_LOCATIONUnlike ACCESS_FINE_LOCATION, this permission provides an approximate device location based on network sources such as Wi-Fi and cellular towers.
Both Question 3 and Question 4 can be answered directly from the permissions listed in AndroidManifest.xml.
Question 5 — Which method retrieves call logs?
Next, I explored the application's Java classes.
Inside the CallLogLister class, I found the method responsible for retrieving the device's call history.
Answer
listCallLoglistCallLogQuestion 6 — How many fields are included in the call log information?
While analyzing the same class, I counted the fields collected from each call log entry.
Answer
77This demonstrates that the malware collects multiple attributes from the victim's call history rather than just phone numbers.
Question 7 — What is the last battery information field collected?
Inside the SystemInfo class, the malware gathers various battery-related details.
The final field collected is:
voltagevoltageQuestion 8 — Which command retrieves SMS messages?
Searching inside the CMDService class reveals the command responsible for collecting SMS data.
Answer
smslogsmslogQuestion 9 — Which command updates the malware?
The update command implemented by the malware is:
updateAppupdateAppThis suggests that the malware can download and install newer versions without requiring a completely new infection.
Question 10 — Which command captures screenshots?
The command responsible for taking screenshots is:
capscreencapscreenQuestion 11 — Which command records audio?
The malware uses the following command to activate microphone recording:
recordmicrecordmicQuestions 8–11 can all be answered by inspecting the CMDService class. I found them quickly using JADX's Text Search feature.
Question 12 — What is the build type?
Using the Text Search feature, I searched for BuildConfig.
The build type specified is:
releasereleaseQuestion 13 — What is the malware's Command-and-Control (C2) server?
To locate the C2 server, I searched the project for the keyword:
httphttpThis revealed the endpoint used by the malware to communicate with its backend.
Answer
http://android[.]viral91[.]xyz/admin/webserviceshttp://android[.]viral91[.]xyz/admin/webservicesNote:_ The domain has been partially defanged for safety._
Indicators of Compromise (IOCs)
Package Name
com.example.appcode.appcodecom.example.appcode.appcodeBackground Service
com.example.appcode.appcode.CMDServicecom.example.appcode.appcode.CMDServiceC2 Server
http://android[.]viral91[.]xyz/admin/webserviceshttp://android[.]viral91[.]xyz/admin/webservicesInteresting Commands
smslog
updateApp
capscreen
recordmicsmslog
updateApp
capscreen
recordmicInvestigation Summary
This challenge provided a great introduction to Android malware analysis.
Without executing the malware, we were able to identify:
- The application's package structure.
- Requested Android permissions.
- Background services.
- Data collection methods.
- Supported malware commands.
- The command-and-control server.
- Device information targeted by the malware.
Most importantly, this challenge demonstrated how much information can be obtained through static analysis alone.
Final Thoughts
Although this was labeled as an easy challenge, it introduced several important concepts used in Android malware analysis.
By inspecting the manifest, exploring Java classes, and using JADX's search functionality, we were able to understand the malware's behavior and answer every challenge question without executing the APK.
For anyone beginning Android malware analysis, this is an excellent challenge to practice navigating APKs, understanding Android components, and identifying malicious functionality through reverse engineering.