
Evasive Measures: How BadPack Hides Android Malware

Written by Trinity Cyber | Apr 7, 2026 2:00:00 PM

Android banking trojans are no longer a niche threat: malware families like TeaBot (Anatsa) give attackers ready access to financial information, the ability to perform fraudulent logins, and long-term control of mobile devices.

In this blog, Trinity Cyber highlights BadPack as a method of hiding TeaBot mobile malware, along with protections deployed to customers through Trinity Cyber’s Active Network Defense platform. BadPack is a method of tampering with Android Package Kit (APK) file headers, allowing Android devices to run APK files (i.e., apps) while hindering reverse engineering efforts. Several families of Android malware, including TeaBot (also known as Anatsa), use BadPack to evade detection.

Our technical brief provides a comprehensive analysis of Trinity Cyber's findings.

Understanding how techniques like BadPack work helps explain why mobile malware campaigns remain effective — and why traditional detection approaches often struggle to keep up.

How BadPack Evades Security

Android applications are distributed as APK files, which are essentially compressed archives containing application code, resources, and configuration data required for the application to run.

This structure is standardized, allowing analysts and automated security tools to inspect the behavior and capabilities of the application.

BadPack prevents this process by manipulating ZIP header values within the APK archive, creating inconsistencies that can cause many reverse-engineering tools to fail when extracting the application contents. Despite these modifications, Android phones can still install the application.
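An APK carries two descriptions of each entry: the local file header in front of the entry's data and the central directory at the end of the archive. Many extraction tools trust the local headers, so a header inconsistency between the two views is the kind of tampering the text describes. The following is an added example, not Trinity Cyber's tooling, that flags such disagreements; the sample archive is constructed in memory (not a real APK) and the tampered field chosen for it is an assumption.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def check_zip_headers(data: bytes) -> list[str]:
    """Compare each central-directory entry with its local file header.
    Returns the mismatches found; an empty list means both views agree."""
    problems = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    n_entries, _, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(n_entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            return problems + [f"central directory broken at offset {pos}"]
        (_, _, _, cmethod, _, _, ccrc, ccsize, cusize, fnlen, exlen, cmlen,
         _, _, _, lh_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        pos += 46 + fnlen + exlen + cmlen
        if data[lh_off:lh_off + 4] != LOCAL_SIG:
            problems.append(f"{name}: no local header at offset {lh_off}")
            continue
        (_, lflags, lmethod, _, _, lcrc, lcsize, lusize,
         lfnlen, _) = struct.unpack_from("<HHHHHIIIHH", data, lh_off + 4)
        lname = data[lh_off + 30:lh_off + 30 + lfnlen].decode("utf-8", "replace")
        if lname != name:
            problems.append(f"{name}: local header names it {lname!r}")
        if lmethod != cmethod:
            problems.append(f"{name}: compression method {lmethod} vs central {cmethod}")
        # With flag bit 3 set the CRC/sizes live in a trailing data descriptor and
        # zeros in the local header are legitimate, so only compare them otherwise.
        if not (lflags & 0x08) and (lcrc, lcsize, lusize) != (ccrc, ccsize, cusize):
            problems.append(f"{name}: CRC/size fields differ from central directory")
    return problems


def build_fixture(tampered: bool) -> bytes:
    """Constructed sample (not a real APK); tampered=True alters the first entry's
    local compression-method field so it disagrees with the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    data = bytearray(buf.getvalue())
    if tampered:
        struct.pack_into("<H", data, 8, 99)  # first local header starts at offset 0
    return bytes(data)
```

Run `check_zip_headers` over an archive before handing it to an extraction tool; a non-empty result is a reason to treat the file as suspicious rather than as a parser bug.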

In other words: the app runs normally on a victim device, but security tools may struggle to analyze its contents.

This mismatch between runtime behavior and analysis behavior makes BadPack particularly useful for malware authors.

Although the technique was first documented in 2023, Trinity Cyber identified BadPack samples dating back to mid-2022 through VirusTotal retro-hunting. Other security research has also observed the technique delivering additional Android malware families, including Cerberus and BianLian in addition to TeaBot.

Why TeaBot is Dangerous

While BadPack focuses on evasion, the malware delivered by the technique — TeaBot — is itself a significant threat. First observed in 2021, TeaBot is an Android banking trojan designed to steal financial information and facilitate fraudulent transactions.

Once installed on a device, TeaBot can:

  • Display overlay screens that mimic legitimate banking apps
  • Capture credentials entered by the victim
  • Intercept SMS messages used for multi-factor authentication
  • Log keystrokes and monitor device activity
  • Allow attackers to remotely control the infected device

TeaBot campaigns often distribute malicious apps disguised as utilities such as document readers or system tools. Victims install the application believing it to be legitimate, unknowingly granting access to sensitive financial information.

Techniques like BadPack increase the likelihood of success by making it harder for defenders to detect and analyze mobile malware before it reaches users.

What Trinity Cyber Observed in the BadPack Sample

Trinity Cyber’s Active Network Defense platform stopped command-and-control activity associated with TeaBot malware. Investigating this traffic led researchers to an Android application that used the BadPack technique to conceal its payload.

When analyzed using standard reverse engineering tools, several expected files — including AndroidManifest.xml — failed to extract, causing the tools to be unable to load the APK. This outcome is consistent with BadPack’s goal of disrupting automated analysis.

Using the tool apkInspector, we recovered the contents of the APK and identified additional layers of encryption that hid the TeaBot code.

Within the APK’s “/assets/” directory, TeaBot was stored using a randomly generated filename. The file itself was compressed and encrypted, requiring multiple stages of decompression and decryption before revealing the final malware payload.

Further analysis revealed that the encryption routine used SPECK 64/128, a lightweight block cipher designed for encryption on resource-constrained devices.

Earlier research had suggested that the encryption algorithm used by BadPack samples was custom-built. However, our analysis found that the implementation matches the standard SPECK 64/128 algorithm operating in Output Feedback (OFB) mode.

At runtime, the malware decrypts the second-stage payload, itself a DEX file, which is then loaded and executed on the device to deliver TeaBot.
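The text identifies the routine as standard SPECK 64/128 in OFB mode, which an analyst can confirm by implementing the cipher from its specification and checking it against the published test vector. The following is an added example, not the malware's routine or Trinity Cyber's code: the block cipher and key schedule follow the SPECK paper, while the little-endian word packing, the IV and the sample payload are assumptions.

```python
import struct

MASK = 0xFFFFFFFF
ROUNDS = 27  # SPECK 64/128: 32-bit words, four key words, 27 rounds


def rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK


def ror(x: int, r: int) -> int:
    return ((x >> r) | (x << (32 - r))) & MASK


def speck64_128_key_schedule(key_words) -> list:
    """key_words = (l2, l1, l0, k0) in the order the SPECK paper prints them."""
    l = [key_words[2], key_words[1], key_words[0]]
    k = [key_words[3]]
    for i in range(ROUNDS - 1):
        l.append(((k[i] + ror(l[i], 8)) & MASK) ^ i)
        k.append(rol(k[i], 3) ^ l[i + 3])
    return k


def speck_encrypt_block(x: int, y: int, round_keys) -> tuple:
    """One 64-bit block as two 32-bit words; rotation amounts 8 and 3 are those
    specified for the 64-bit block size."""
    for rk in round_keys:
        x = ((ror(x, 8) + y) & MASK) ^ rk
        y = rol(y, 3) ^ x
    return x, y


def speck_ofb(key_words, iv: bytes, data: bytes) -> bytes:
    """OFB mode: the block cipher only produces a keystream, so the same call
    encrypts and decrypts, and a partial final block needs no padding.
    Packing words little-endian is an assumption, not recovered from any sample."""
    rks = speck64_128_key_schedule(key_words)
    x, y = struct.unpack("<II", iv)
    out = bytearray()
    for off in range(0, len(data), 8):
        x, y = speck_encrypt_block(x, y, rks)  # feedback: next block of keystream
        keystream = struct.pack("<II", x, y)
        out += bytes(a ^ b for a, b in zip(data[off:off + 8], keystream))
    return bytes(out)


# Constructed demo inputs; the payload bytes are made up, not a real DEX file.
DEMO_KEY = (0x1B1A1918, 0x13121110, 0x0B0A0908, 0x03020100)
DEMO_IV = bytes(range(8))
DEMO_PAYLOAD = b"dex\n035\x00constructed second-stage payload"
```

Because OFB is symmetric, `speck_ofb(DEMO_KEY, DEMO_IV, speck_ofb(DEMO_KEY, DEMO_IV, DEMO_PAYLOAD))` returns the payload unchanged, which is the check an analyst would apply after recovering key and IV from a sample.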

This layered approach — packing, compression, encryption, and runtime execution — creates multiple obstacles for malware analysts.

Why BadPack Slips Past Traditional Detection

BadPack illustrates a broader trend in modern malware campaigns: attackers increasingly aim to hinder manual analysis and break automated analysis pipelines, not merely to evade detection.

Several characteristics make the technique effective.

Archive Manipulation

BadPack alters APK archive headers, so security tools may fail to correctly extract the Android application.

Scrambled Payload Names and Locations

Malicious files are stored in random places with random filenames.

Encryption and Compression

Payloads may require multiple steps of unpacking — including decompression and decryption — before they can be analyzed.

Runtime Decryption

The malware decrypts its payload only after the application executes on the victim’s device.

Together, these techniques delay analysis and reduce the effectiveness of traditional security controls that rely on signatures or static inspection.

How Trinity Cyber Stops BadPack Techniques

Trinity Cyber customers are protected against BadPack APK samples traversing the network, including those delivering TeaBot malware. Additionally, customers are protected from C2 traffic in TeaBot and other mobile malware campaigns.

Protection is provided through Full Content Inspection (FCI), the core technology behind Trinity Cyber’s Active Network Defense platform.

FCI reconstructs and analyzes the content objects moving through live network sessions to uncover attacker techniques and malicious behavior. When malicious elements are identified, they are removed from the session in real time — allowing legitimate traffic to continue uninterrupted while preventing the attack from reaching endpoints.

By stopping threats before they execute on user devices, this approach reduces reliance on reactive detection and incident response.

Key Takeaways

BadPack demonstrates how Android malware continues to evolve to evade security analysis and automated tools.

Key findings from this research include:

  • BadPack manipulates APK archive structures to disrupt reverse-engineering tools and automated research efforts.
  • The technique allows malicious applications to run normally on Android devices while hiding their contents from security tools.
  • TeaBot malware campaigns have used BadPack to conceal banking trojans targeting financial institutions.
  • The encrypted payload in the analyzed sample uses SPECK 64/128, a lightweight block cipher implemented with additional obfuscation.

As mobile malware continues to evolve, defenders must account not only for malicious payloads but also for the evasion techniques attackers use to hide them.

BadPack is a reminder that effective defense requires visibility into the actual content moving through network traffic, not just indicators or signatures.