APKXHunter is an Android Static Analysis Framework written entirely in C, purpose-built for Android security assessments, reverse engineering, bug bounty hunting, malware analysis, and penetration testing.

It combines multiple static analysis techniques — decompilation, secret detection, endpoint discovery, permission analysis, and native library detection — to uncover sensitive information inside Android applications, while producing clean, organized reports for security researchers.

APKXHunter also integrates a lightweight Machine Learning-based Secret Classification Engine, written entirely in C, which automatically classifies detected secrets by confidence and severity, helping researchers prioritize findings instead of manually reviewing every result.


Apkx-Hunter-Tool


🛡️ OWASP MASVS Scanning Support

Apkx-Hunter now includes OWASP MASVS security scanning with 15 categories and 166 detection patterns:

# Category Patterns
1 Weak Cryptography 28
2 Certificate Pinning 13
3 Root Detection 20
4 Anti Debugging 9
5 Anti Tamper 3
6 SharedPreferences 8
7 SQLite 9
8 External Storage 11
9 Dynamic Code Loading 10
10 Reflection 9
11 Runtime Command Execution 9
12 WebView Security 13
13 Network Security 10
14 SSL Validation 10
15 Native Library Loading 9
TOTAL 166

OWASP Validation

APKXHunter has been tested against the OWASP UnCrackable Level 4 application. The scan successfully identified multiple security findings, demonstrating the effectiveness of its OWASP MASVS scanning engine and Android static analysis capabilities.

OWASP_VALIDATION


✨ Features

  • 🛡️ OWASP MASVS Support — Apkx-Hunter now includes comprehensive OWASP MASVS security scanning with 14+ categories and 160+ detection patterns:
  • 🔍 JADX Decompilation — Fast and deep decompilation modes
  • 🛠️ APKTool Decompilation — Full APKTool-based decompilation and scanning
  • 📦 Archive Extraction — Support for APK, AAB, APKM, APKS, XAPK, and ZIP formats
  • 📁 Decompiled Folder Scanning — Scan any already-decompiled JADX source directory
  • 📁 APKTool Folder Scanning — Scan any already-decompiled APKTool directory
  • 🔑 Secret Detection — Discover API keys, tokens, passwords, and embedded secrets
  • 🌐 Endpoint Discovery — Identify URLs, endpoints, and security-relevant patterns
  • 🔐 Android Permission Analysis — Analyze permissions and exported activities
  • 📚 Native (.so) Library Detection — Detect native libraries bundled in the app
  • 🗂️ File Inventory Generation — Generate a complete file inventory report
  • 🤖 Machine Learning-based Secret Classification (Highlighted Feature) — ML-assisted confidence scoring for detected secrets to accelerate triage and reducing false positive in secrets finding

Machine Learning Model APKXHunter uses an offline machine learning classifier. model.bin contains only trained numerical weights used to calculate the confidence score of detected secrets. It is NOT executable. It contains no code. It is loaded as binary data only.

  • 📡 Offline ML Inference — All model inference runs locally, with no cloud APIs or internet connection required
  • 📊 Confidence Probability Scoring — Each detected secret receives a confidence probability from the trained model

Project Statistics

  • Language: C
  • Codebase: 3,800+ lines
  • Architecture: Modular
  • Platform: Linux

Platform Support

  • ✅ Linux (Supported)
  • ❌ Windows (Not Supported)
  • ❌ macOS (Not Supported)

Performance

The following results are based on testing performed during development.

Metric Tested Value
Operating System Kali Linux
RAM Used for Testing 8 GB
CPU Intel Core i3-2120
Largest APK Successfully Decompiled or Scanned 85 MB
Average Decompilation Time ~50 - 60 seconds

System Requirements

Minimum:

  • Linux
  • 4 GB RAM
  • JADX
  • APKTool
  • unzip

Recommended:

  • Linux
  • 8 GB RAM or higher
  • Quad-core CPU
  • SSD storage

⚙️ Installation

APKXHunter ships with an automated installer that checks for and installs only the dependencies that are missing on your system.

git https://github.com/SyscallX-18113/Apkx-Hunter.git
cd Apkx-Hunter
cd Apkx-Hunter
chmod +x install.sh
./install.sh

install.sh automatically checks for and installs required dependencies — it will not reinstall anything already present on your system.


🚀 Usage

USAGE
  ./apkxhunter <package/folder> [options] [options]

General Options

Flag Description
-h Show help message.

🎯 Scan Modes

Scanning Modes for JADX

Flag Description
--fast Perform a fast jadx decompilation and scan extracted folder.
--deep Perform a complete deep jadx decompilation and scan extracted folder.

Note: Use these flags only after giving apk file name

Examples:

./apkxhunter app.apk --fast
./apkxhunter app.apk --deep

Scanning Modes for APKTool

Flag Description
--apktool Perform a apktool decompilation and scan extracted folder.

Note: Use these flags only after giving apkfile name

Examples:

./apkxhunter app.apk --apktool

📁 Folder Scan

Flag Description
--folder-scan Scan an already decompiled JADX source directory or any directory
--apktool-folder-scan Scan an already decompiled Apktool directory — use this flag only for scanning decompiled apk folder which is decompiled by APKTOOL.

Note: Use these flags only after folder_name for scan

Examples:

./apkxhunter <folder_name> --folder-scan
./apkxhunter <folder_name_decompiled_by_apktool> --apktool-folder-scan
./apkxhunter <folder_name> --folder-scan --secrets
./apkxhunter <folder_name> --folder-scan --masvs
./apkxhunter <folder_name> --folder-scan --permissions
./apkxhunter <folder_name_decompiled_by_apktool> --apktool-folder-scan --secrets
./apkxhunter <folder_name_decompiled_by_apktool> --apktool-folder-scan --files

🧩 Individual Scanners

Flag Description
--secrets Scan for API keys, tokens, passwords, and other embedded secrets.
--permissions Analyze Android permissions or exported activity.
--endpoints Discover URLs, endpoints, and patterns.
--files Generate a file inventory report with .so name files extraction.
--masvs OWASP MASVS Scan.

Note: Use these flags only after scanning modes flags or folder analysis flags

Examples:

./apkxhunter app.apk --deep --secrets
./apkxhunter app.apk --deep --permissions
./apkxhunter app.apk --deep --endpoints
./apkxhunter app.apk --deep --masvs
./apkxhunter <folder_name> --folder-scan --secrets
./apkxhunter <folder_name> --folder-scan --permissions
./apkxhunter <folder_name_decompiled_by_apktool> --apktool-folder-scan --endpoints
./apkxhunter app.apk --deep --files

📄 Decompilation Only

Flag Description
--decompile Decompile APK using JADX or APKTOOL — doesn't run folder scan after decompilation

Note: Use these flags only after scanning modes flags

Examples:

./apkxhunter app.apk --deep --decompile
./apkxhunter app.apk --fast --decompile
./apkxhunter app.apk --apktool --decompile

📦 Archive Extraction

Flag Description
--extract Extract supported Android packages before analysis and save extracted apk to folder extracted_output_<apk_name>.

Supported Formats: APK, AAB, APKM, APKS, XAPK, ZIP

Example:

./apkxhunter app.apkm --extract

🤖 ML Secret Classification

APKXHunter integrates a lightweight Machine Learning-based Secret Classification Engine, written entirely in C, as part of its secret detection workflow. This is a statistical Machine Learning model — not a Large Language Model, ChatGPT, Generative AI, or Deep Learning system.

  • Secrets detected by APKXHunter are analyzed by the integrated Machine Learning classification engine.
  • The model estimates the probability that a detected secret is valid or security-sensitive.
  • Findings are prioritized using confidence-based severity scoring.
  • The ML engine assists researchers in triaging findings faster.
  • The ML engine is designed to assist human analysis rather than replace manual verification.

⚙️ How It Works

  1. Detect potential secret.
  2. Extract statistical features (entropy, character distribution, length, uppercase/lowercase ratios, digits, symbols, and other statistical token characteristics).
  3. Load trained model (model.bin).
  4. Perform ML inference.
  5. Produce a confidence probability.
  6. Present results to the user for manual verification.

🔒 Security Note

All Machine Learning inference is performed locally on the trained model.bin file. APKXHunter does not transmit scanned data, detected secrets, or any other analysis output externally — no cloud APIs are used, and no internet connection is required for ML inference.


🗃️ Output Directories

JADX Analysis

Jadx_output_<apk_name>/

Findings Reports:

Result_Jadx_output_<apk_name>/
  |- secrets_findings.txt        -> Embedded API keys, tokens, secrets
  |- permissions.txt             -> Android permission analysis
  |- pattern_findings.txt        -> URLs, endpoints and security patterns
  |- files.txt                   -> File inventory report
  |- native_library_files.txt    -> Detected native (.so) libraries
  |- masvs_findings.txt          -> OWASP MASVS Scann Result

Folder Scan Result

Findings Reports:

Folder-scan_Result_<folder_name>/
  |- secrets_findings.txt
  |- permissions.txt
  |- pattern_findings.txt
  |- files.txt
  |- native_library_files.txt
  |- masvs_findings.txt

APKTool Analysis

Apktool_output_<apk_name>/

Findings Reports:

Apktool_Result_<apk_name>/
  |- secrets_findings.txt
  |- permissions.txt
  |- endpoint_findings.txt
  |- files.txt
  |- native_library_files.txt
  |- masvs_findings.txt

APKTOOL Folder Scan Result

Findings Reports:

Apktool-folder-scan_Result_<folder_name>/
  |- secrets_findings.txt
  |- permissions.txt
  |- endpoint_findings.txt
  |- files.txt
  |- native_library_files.txt
  |- masvs_findings.txt

Archive Extraction

extracted_output_<package_name>/
  |- Extracted APK files

📑 Report Files

File Description
secrets_findings.txt Embedded API keys, tokens, secrets
permissions.txt Android permission analysis
pattern_findings.txt URLs, endpoints and security patterns (JADX / Folder Scan output)
endpoint_findings.txt URLs, endpoints and security patterns (APKTool output)
files.txt File inventory report
native_library_files.txt Detected native (.so) libraries
masvs_findings.txt OWASP MASVS Scann Result

📦 Supported Formats

APK, AAB, APKM, APKS, XAPK, ZIP


📋 Requirements

APKXHunter depends on the following external tools:

  • JADX
  • APKTool
  • unzip

install.sh automatically checks for these dependencies and installs only the ones that are missing — existing installations are left untouched.


💡 Example Commands

./apkxhunter app.apk --fast
./apkxhunter app.apk --deep
./apkxhunter app.apk --apktool
./apkxhunter <folder_name> --folder-scan
./apkxhunter <folder_name_decompiled_by_apktool> --apktool-folder-scan
./apkxhunter <folder_name> --folder-scan --secrets
./apkxhunter <folder_name> --folder-scan --permissions
./apkxhunter <folder_name_decompiled_by_apktool> --apktool-folder-scan --secrets
./apkxhunter <folder_name_decompiled_by_apktool> --apktool-folder-scan --files
./apkxhunter app.apk --deep --secrets
./apkxhunter app.apk --deep --permissions
./apkxhunter app.apk --deep --endpoints
./apkxhunter <folder_name_decompiled_by_apktool> --apktool-folder-scan --endpoints
./apkxhunter app.apk --deep --files
./apkxhunter app.apk --deep --masvs
./apkxhunter app.apk --deep --decompile
./apkxhunter app.apk --fast --decompile
./apkxhunter app.apk --apktool --decompile
./apkxhunter app.apkm --extract

🚀 Next Update

The following features are planned for the next major release:

Advanced CLI with flexible command parsing. Automatic update checking from GitHub. One-click self-update (--update). Dependency compatibility verification for JADX and APKTool. Improved error handling and stability.


📬 Feedback & Support

APKXHunter is an actively maintained open-source project.

If you:

  • 🐞 Found a bug
  • 💡 Have a feature request
  • ⚙️ Want to suggest improvements
  • 🔒 Found a security issue
  • 📝 Have documentation suggestions

Please open a GitHub Issue or contact me directly:

📧 [email protected]

Your feedback helps improve APKXHunter for everyone.


⚠️ Disclaimer

APKXHunter is intended strictly for:

  • Educational purposes
  • Authorized penetration testing
  • Defensive security research

Users are solely responsible for ensuring they have proper authorization before analyzing any application. Unauthorized use of this tool against applications or systems you do not own or have explicit permission to test may be illegal.