Android Artifacts
Android artifacts are artifacts that WildFire associates
with Android Package (APK) samples after analyzing the samples in
an Android analysis environment. An APK file installs an app on
an Android mobile phone or tablet.
Artifact Type | Search with this Artifact Type to Find... |
---|---|
APK App Icon | The file path for the app icon that displays in the Android device menu. |
APK App Name | The name of the app that displays on the interface of an Android device. |
APK Certificate | The hash value of the public key embedded in the digital certificate of the APK file. |
APK Certificate File | The file path for the certificate(s) embedded in the APK file, information about the certificate owner and issuer such as name and location (if provided by the owner/issuer), and the MD5, SHA1, and SHA256 hashes used to sign the certificate. The owner or issuer may provide the following information: |
APK Defined Activity | The class name of activities defined in the APK file. An activity is a component of the app that provides a screen users can interact with to perform a task. |
APK Defined Intent Filter | An intent filter, found in an app’s manifest file, lists the types of intents that the components of the app can respond to. An intent is a request an app sends to other apps to perform an action. For example, the YouTube app needs to use a messaging app on your Android device to share videos. |
APK Defined Receiver | Broadcast receivers for the APK file. Broadcast receivers allow the app to receive intents broadcast by itself, by the Android device, or by other apps on the device. An example of a broadcast that an app can receive is an indication that the device battery is low. |
APK Defined Sensor | Sensors for motion, orientation, or environmental conditions that the app uses when it is running. For example, an app might need to receive sensor readings from the device’s GPS to perform location-based tasks. |
APK Defined Service | Services configured for the APK file. Services are operations that run in the background while the app is running, and do not provide a user interface screen. An example of a service is a notification service for an email app that alerts users when they have new messages. |
APK Embedded Libraries | Third-party libraries that are included in the APK file. A third-party library, which app developers can reuse across multiple apps, contains files of code that accomplish a specific task. An example of an embedded library is Google’s mobile ads software development kit (SDK), AdMob. |
APK Embedded URL | URLs that are part of an APK file. The Path column contains the path for the section of the app where the URL is located. |
APK Internal File | The file format, file path, and SHA256 hash of files included in the APK file. |
APK Package Name | The unique name that identifies an app on an Android device. The general format for a package name is domain.company.application (for example, com.tamapps.learnjapanese). |
APK Repackaged | An indication of whether an APK file has been repackaged (True) or not (False). AutoFocus marks a repackaged APK file as suspicious because an attacker can repackage a benign file to contain malicious functionality. |
APK Requested Permission | The permissions that the APK file requests from users to perform processes and to access data on their Android device. Examples include permissions to access the camera on the device or to change the audio settings of the device. |
APK Sensitive API Call | API calls embedded in the APK file that access restricted services or resources. |
APK Signer | Personal information that the app owner provided when he/she signed the app certificate: |
APK Suspicious API Call | API calls embedded in the APK file that access restricted services or resources. Unlike APK Sensitive API Call, the APK Suspicious API Call lists all instances of an API call and the location of the files where the API call was found. |
APK Suspicious Action | An action that the APK file performed when it was executed in the WildFire analysis environment that may be an indicator of compromise. The Value column contains a description of the action and supporting evidence. For example, if the suspicious action associated with an APK file sends SMS messages while running in the background, the value includes the text message content that the file sent. If the action is loading another APK, DEX, or JAR file, the value includes the path for the file that the APK file loaded. |
APK Suspicious Behavior | A sequence of actions that the APK file exhibits, the target of the actions (if there is one), and the location of the files that exhibited the actions. For example, for the suspicious behavior “APK files sends an SMS to a fixed number,” the target is the phone number that received the SMS. |
APK Suspicious File | Suspicious files found in the APK file and their file type. An example of a suspicious file is one that contains malicious native code or an executable file in .dex format. |
APK Suspicious Pattern | A class of patterns observed in the APK file, a description of what the pattern does, and the location of the files where the pattern occurred. |
APK Suspicious String | Suspicious strings of code found in the APK file. For example, a suspicious string can indicate that an app contains shell commands that install or uninstall other apps, or the string can be a suspicious phone number. For each string, you can view the location of the file that contains the string. |
APK Version | The version number of the app that is visible to users. |