APK Repackaging.

An Android attack technique that unpacks a legitimate APK, modifies its code or resources (ads, trackers, malware, license bypass), repacks and re-signs it, then redistributes the trojanized app through unofficial stores or sideload campaigns. It belongs to the Mobile Security category of cybersecurity.

An Android attack technique that unpacks a legitimate APK, modifies its code or resources (ads, trackers, malware, license bypass), repacks and re-signs it, then redistributes the trojanized app through unofficial stores or sideload campaigns.

APK repackaging is one of the foundational Android malware techniques and remains common in 2024–2026 despite App Bundle distribution. The basic workflow is: download a legitimate APK (or AAB), decompile it with apktool/jadx, modify the smali code or resources to inject ad SDKs, info-stealer payloads, banking-trojan overlays, or license-check removals, repack it, and re-sign with the attacker's key (or a stolen key for sideload-trust). The trojanized APK is then redistributed through alternative app stores, file-sharing sites, SMS-phishing links, or malvertising. Repackaged Android banking trojans (Anatsa, Hydra, GodFather, Cerberus successors) and crack-laden 'modded' apps account for a substantial share of Android malware. Google's mitigations include Play Protect signing comparison, Play Integrity 'app integrity' verdicts that detect that the running APK is not the Play-distributed one, key attestation on developer signing keys, and the broader move to Play Asset Delivery and App Bundles which complicate offline repacking. For developers, defenses include obfuscation (R8/ProGuard), native-code anti-tamper checks, server-side attestation, and behavioral fraud signals.

Defences for APK Repackaging typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: APK trojanization, App repackaging.