A structured, cross-referenced knowledge base for Android security research.
How malware works. How attacks exploit the platform. How protections are broken.
Android security knowledge is scattered across vendor blog posts, conference talks, academic papers, and dead links. Understanding a single malware family means reading five different reports from five different vendors, each using different names for the same thing.
AWAKE puts it in one place with cross-references that individual writeups cannot provide. Technique pages link to families that use them. Families link to packers that protect them. Packers link to reversing workflows that break them.
Important: This is not a compliance checklist or a defense guide. AWAKE documents how things work and how they break. Offense-first.
Techniques organized by attack surface: overlays, accessibility abuse, automated fraud, NFC relay, supply chain attacks, and more. A kill chain shows how techniques combine in real operations, and a technique combination matrix shows the most common pairings across active malware families.
Individual family write-ups covering capabilities, C2 infrastructure, campaign history, and code lineage. Timeline from 2010 to present. Naming conventions for mapping between vendor detection names. Threat actor profiles with MaaS pricing and attribution.
Every major Android packer documented: identification, protection mechanisms, and unpacking methodology. Head-to-head comparison matrix across all documented protectors. Decision tree for approaching unknown samples. Universal unpacking toolkit.
Android permissions documented from an abuse perspective. What each permission unlocks, how malware uses it, and escalation patterns showing how malware moves from auto-granted normal permissions to full device control.
Static analysis, dynamic analysis, hooking, patching, and network interception. Development framework pages covering Flutter, React Native, Unity, .NET MAUI, and more, each with framework-specific architecture, analysis workflow, and hooking strategy.
The gray area between legitimate software and malware. Data broker SDKs, ad fraud, stalkerware, predatory lending apps, firmware grayware, commercial surveillance, and the data trade ecosystem that funds it all.
Android's security mechanisms from the offense side. App sandbox, SELinux, verified boot, keystore, Play Integrity, and biometric authentication: what they protect and where they fall short.
To build and preview the site locally:

uv pip install -e .
mkdocs serve

Contributions welcome: malware analysis, attack techniques, packer analysis, reversing methodology, corrections.
All contributions must be technically accurate and verifiable. No active exploit code for unpatched vulnerabilities.
MIT License. See LICENSE for details.