The whole malware lab on localhost — static, dynamic, and ML, in one binary.
APK · DEX · Smali · PE · ELF · Mach-O · React Native · JAR · Firmware · Secrets · Web
English · Русский · Quick start · What it detects · Comparison · Docs · Donate
Drop in an APK. Get a risk verdict, a live device detonation, decrypted traffic, and a patch plan — without a single byte leaving your machine.
Built by a solo dev · runs at 100% with the network cable pulled
Note
Private by design. Fully offline — no cloud, no external APIs, no telemetry, no update checks. Built-in proxies, DNS, and servers bind to localhost only. Pull the network cable and it still works at 100%.
Mega-Analyzer is an all-in-one, local-first platform for software security research. It fuses a Go static analyzer for Android bytecode, the low-level OmniSec engine in Rust (39 crates) for machine-code analysis (PE · ELF · Mach-O · DEX), a SIMD-optimized ML runtime in Zig, a dynamic sandbox for Windows and Android, a browser-based Web UI with an ANY.RUN-style live device view, and an optional Elixir/Phoenix server for distributed processing.
One binary. No cloud. No external server. No mandatory Docker, WSL, JDK, or apktool.
|
No external APIs, parsers, telemetry, or update pings. Your samples never leave the box. |
A plain |
Targets a 2012-era quad-core with 8 GB RAM. CPU-only. No LLMs, no gigabyte weights, no GPU. |
|
Bytecode, machine code, behavioral detonation, and an offline ML ensemble in one pipeline. |
Mirror a real device or emulator in your browser over H.264, drive it, and watch it detonate. |
Findings flow into Security → Code scanning and onto pull requests via a drop-in Action. |
- Quick start
- See it in action
- Web UI & live sandbox
- What it detects
- How it compares
- Under the hood
- The toolkits
- Reports & output
- Architecture
- Machine learning
- GitHub code scanning
- Principles
- Documentation
- Project status
- Full comparison (docs)
- Support the project
Tip
In a hurry? Skip everything below and run the bundled demo — it produces real findings in seconds with zero setup. Jump to See it in action.
Download the archive for your OS/arch from Releases, unpack, and run:
./analyzer -t my_app.apk -report all# Requires Go 1.26.4+ — nothing else
go build -trimpath -ldflags "-s -w" -o analyzer ./pkg/cmd/analyzerThe default build is the pure-Go core — a complete, self-contained analyzer. The native engines (OmniSec / Zig / GNN) are optional. See docs/BUILD.md.
docker build -t mega-analyzer .
docker run --rm -v "$PWD:/work" mega-analyzer -t /work/my_app.apk -report all./analyzer -web # opens on http://localhost:7474
./analyzer -web -web-port 8080 # custom portDrag a file in, watch the analysis stream live, then explore the report in your browser. See Web UI & live sandbox.
A bundled, intentionally vulnerable sample gives you real findings immediately — no Android SDK, emulator, or real APK required:
$ ./analyzer -t demo/vulnerable-app -report all -sarif
Mega-Analyzer · target: demo/vulnerable-app
─────────────────────────────────────────────
▸ manifest audit ........ exported components, debuggable, cleartext, StrandHogg
▸ smali scan ............ hardcoded AWS key, Runtime.exec, reflection, weak crypto
▸ secret triage ......... AWS · Stripe · Slack · GitHub (entropy-gated)
▸ correlation ........... 6 risk chains linked
─────────────────────────────────────────────
VERDICT: CRITICAL · 29 findings · SARIF: 67 rules
→ analysis_output/REPORT.htmlOpen analysis_output/REPORT.html for the interactive report, or feed analysis_output/analysis.sarif to any SARIF viewer (VS Code, GitHub, GitLab, SonarQube). See demo/ for exactly what's planted inside.
Run analyzer -web and you get a full local dashboard in the browser — drag-and-drop analysis, live progress over Server-Sent Events, and an ANY.RUN-style live Android device view. No cloud, no upload: everything stays on localhost.
| Feature | What it does |
|---|---|
| Drag-and-drop analysis | Drop an APK/DEX/PE/ELF and watch findings stream in live. Final report, artifact browser, and per-file download all in the page. |
| Live Android device view | Real device or emulator mirrored in the browser via H.264 over WebCodecs (smooth), with an MJPEG/screenshot fallback. Tap, swipe, long-press, and key input are injected back — drive the app while it's analyzed. |
| ANY.RUN-style sandbox | Detonate an APK on a device and watch processes, network connections, DNS queries, file changes, API calls, and behavioral alerts appear in real time. Pick the environment (device / emulator / AVD) from a built-in picker. |
| In-browser Frida REPL | Push & start frida-server, list processes, and run an interactive Frida REPL over WebSocket — or repack the APK with a Frida Gadget injected, signed and ready. |
| Live MITM & traffic capture | Stream decrypted HTTP(S) requests as they happen (mitmproxy), or capture full PCAP via PCAPdroid / on-device tcpdump — DNS, HTTP, and TLS SNI extracted automatically. |
| Mobile mode | The whole dashboard is responsive with a dedicated mobile menu — analyze from your phone against a device on the same LAN. |
Note
The web UI is just another face on the same engine — every tool (decode, machine-code, firmware, diff, JS deobf, sandbox, MITM) is reachable at its own slug (/sandbox, /mitm, …) and produces the exact same reports as the CLI. A separate REST API (analyzer-api, /api/v1/* with Swagger docs) exposes the web-scan and pentest tooling for automation.
Each finding carries a stable rule-id, severity, confidence, and a context snippet. A false-positive suppression layer (entropy-gated secret triage, library-vs-app-code context, hardening-aware suppression) keeps the signal clean.
| Format | What it surfaces |
|---|---|
 APK / DEX |
Manifest audit (exported components, debuggable, cleartext, backup), task-hijacking / StrandHogg (custom taskAffinity, singleTask/singleInstance), grantUriPermissions leaks, deep links without assetlinks.json, sharedUserId, dangerous permissions, reflection and native loading in Smali, crack points and patchable methods |
 React Native / Hermes |
Full scan of index.android.bundle as application code (not "noisy framework"): the eval family, addJavascriptInterface, prototype pollution, obfuscation; WebView leaks (setAllowUniversalAccessFromFileURLs, injectedJavaScript), disabled TLS (rejectUnauthorized:false, trust-all), cordova.exec; secrets via entropy-gated provider detection |
 JAR / Java / WAR |
RCE deserialization (readObject, XMLDecoder, SnakeYAML, XStream), dynamic code (URLClassLoader, ScriptEngine, Groovy), injection (JNDI/Log4Shell, SpEL, OGNL, SQL), XXE (suppressed when hardening is present), trust-all TLS (X509TrustManager/HostnameVerifier), weak ciphers (ECB/DES/RC4) and hashes, vulnerable dependencies by CVE |
 PE (Windows) |
ASLR, DEP/NX, CFG, SafeSEH, stack canaries (/GS), AppContainer, digital signature, localized section entropy (packed/encrypted pockets) |
 ELF / Mach-O (Linux · Android .so · macOS) |
PIE, NX, RELRO (full/partial), stack canaries (SSP), Fortify Source, unsafe RPATH/RUNPATH, JNI boundaries |
 Firmware / IoT |
rootfs hints, telnet/ssh/ftp/upnp services, web panels, hardcoded key/password markers |
 Secrets (any text) |
~25 provider rules (AWS, GitHub, GitLab, Stripe, Slack, Telegram, Discord, OpenAI/Anthropic, Google, private keys, JWT…) with entropy and charset triage — real keys pass at full strength; placeholder/low-entropy matches are demoted, not allowed to drown the report |
Important
On false positives: findings are never silently dropped — low-confidence ones are demoted in priority. Context (library or app code, parser already hardened, key looks like a placeholder) changes severity, but never hides the signal.
Mega-Analyzer's niche is being the only tool that is 100% offline, a single binary, and covers mobile + native + dynamic + ML + CI at once. The tools below are excellent and often complementary — this table is about where each one shines, not a knock on any of them.
| Mega-Analyzer | MobSF | JADX | Ghidra | ANY.RUN | VirusTotal | |
|---|---|---|---|---|---|---|
| 100% offline / local | ✅ | ✅ | ✅ | ❌ cloud | ❌ cloud | |
| Single binary, no JDK/SDK | ✅ | ❌ | n/a | n/a | ||
| APK / DEX static audit | ✅ | ✅ |  decompile |
➖ | ➖ | ➖ |
| Native PE / ELF / Mach-O | ✅ | ➖ | ➖ | 🥇 deep RE | ➖ | ➖ |
| Dynamic sandbox | ✅ Win + Android | ➖ | ➖ | 🥇 cloud scale | ||
| Live device view + input | ✅ | ➖ | ➖ | ➖ | ✅ | ➖ |
| Decrypted traffic / MITM | ✅ | ➖ | ➖ | ✅ | ➖ | |
| Offline ML scoring | ✅ | ➖ | ➖ | ➖ | ➖ | |
| SARIF / code scanning | ✅ | ➖ | ➖ | ➖ | ➖ | ➖ |
| Binary size | ~60 MB | ~500 MB+ | ~120 MB | ~1 GB+ | n/a (cloud) | n/a (cloud) |
| License | Apache 2.0 | GPL v3 | Apache 2.0 | Apache 2.0 | proprietary | proprietary |
| Price | free | free | free | free | paid | freemium |
Where the others win: Ghidra is the gold standard for deep native reverse engineering; ANY.RUN has cloud-scale dynamic infrastructure; MobSF has a mature ecosystem and integrations. Use them together — Mega-Analyzer plays nicely as the offline, single-binary first pass. Full breakdown: docs/COMPARISON.md.
The native side is a 39-crate Rust workspace doing the heavy lifting on machine code:
- HDC auto-naming (Hyperdimensional Computing) — recovers meaningful variable/function names locally with 2048-bit sparse hypervectors. <10 MB RAM, microseconds, no neural nets, no cloud.
- OmniIR / CFG / SSA / dataflow — a unified IR with dominators, loops, SSA construction, and inter-procedural dataflow across PDG/IPDG.
- Deobfuscation pipeline — constant propagation, dead-code elimination, opaque-predicate removal, variable recovery, loop reconstruction.
- Symbolic & concolic execution — untangles obfuscated logic and proves path reachability (DPLL/SMT) to cut false positives.
- Micro-emulators (x86 / ARM64) — run code in isolated memory with page permissions to auto-unpack XOR/RC4 strings and hidden payloads.
- Hyperion v3 — virtualization detection & devirt — spots VM-dispatcher patterns and lifts handler semantics back to readable code.
- eBPF syscall tracer — hooks
openat/execve/connectin the Linux/Android kernel viaaya, with a simulator for Windows/macOS. - GDB-like debugger with replay — disassembly, breakpoints/watchpoints, patch-and-continue, YARA-like memory scanning, and time-travel debugging (
reverse_step/reverse_continue) with incremental snapshots.
▸ All 39 OmniSec crates
omnisec-analysis-symbolic omnisec-analysis-virt omnisec-arsc
omnisec-callgraph omnisec-cfg omnisec-cli
omnisec-core omnisec-dataflow omnisec-debugger
omnisec-debugger-ffi omnisec-deobfuscator omnisec-disasm
omnisec-disasm-arm64 omnisec-ebpf omnisec-emu-arm64
omnisec-emu-x86 omnisec-forge omnisec-hdc
omnisec-intel-pt omnisec-ipdg omnisec-ir
omnisec-lifter-dalvik omnisec-loader omnisec-loader-dex
omnisec-loader-elf omnisec-loader-macho omnisec-loader-pe
omnisec-metrics omnisec-micro-emu omnisec-mitm
omnisec-ml-gnn omnisec-ml-graph omnisec-ml-inference
omnisec-net-obfs omnisec-pdg omnisec-scan-native
omnisec-smt omnisec-ssa omnisec-z3-worker
- Content-addressed cache keyed by method SHA-256 — repeat scans up to 10× faster (CFG/SSA/taint/metrics reused).
- SIMD ULEB128 batch decoder (Plan 9 assembly) for the DEX parser hot path — +30% throughput (400 vs 310 MB/s on an i5-3340), with a portable fallback.
- Adaptive worker scheduler scales the pool by live CPU/heap/GC pressure instead of a static
NumCPU×2, so huge APKs don't OOM.
Beyond static detection, Mega-Analyzer ships a set of focused, offline sidecar toolkits — each writes its own Markdown + JSON into the output directory and never blocks the main pipeline.
 Toolkit |
What it gives you |
|---|---|
| Dynamic sandbox | Detonate on Windows (Job Objects, optional kernel/syscall monitor, WFP network rules, file/registry/API/network evidence) or Android (real device/emulator over ADB, install + launch, live process/network/file capture, traffic capture, downloaded-file pull). |
| Private Server Toolkit | Built-in MITM proxy & protocol dissector (Protobuf/MsgPack/JSON), smart client patcher (IP/domain rewrite in APK and .so, SSL-pinning bypass), Go server-stub generator from a captured session, an Elixir/OTP server skeleton generator, and a Lab DNS server (sinkhole + DGA detection). |
| Crack Point Discovery | Finds gate checks (isPremium, checkLicense, isRooted, isDebuggable), ranks them by impact, and proposes Smali patches — with a CFG-aware apply that rewrites the right basic block, not a blind line swap. |
| ML Patch Predictor | 150+ patch patterns (license, billing v5–v7, premium, ads, root, SSL pinning, Play Integrity, JWT, anti-cheat) ranked by Risk × Impact / (Cost × Detection × Breakage), cross-language (Kotlin · React Native · Flutter · Unity), with SHA-256-verified .original backups. |
| TOP-5 Insights | JNI Boundary Analyzer, Privacy Analyzer, Version Diff, Interactive Graph Explorer (HTML), and Firmware/IoT Analyzer. |
| MobSF-style analyzers, built from scratch | SAST rule scanner (105 rules, CVSS/CWE/OWASP/MASVS), Exodus trackers (431 signatures), Network Security Config auditor, deep manifest audit, APKiD packer/obfuscator fingerprinting (30 signatures). |
| Web Vulnerability Scanner | Active HTTP scanner (cmd/vulnscan) with curl/raw-HTTP (Burp) import: security headers, CORS, open redirect, JWT (none-bypass + offline brute), IDOR, SSRF, XSS, SQLi, prototype pollution, GraphQL, and more. Active modes require explicit --i-own-this-target. |
| Media Forensics | Polyglot/steganography detection, Exif/GPS metadata analysis, and auto-generated extraction scripts. |
▸ Medium-priority sidecar analyzers (7 more)
Seven additional offline modules write to <output>/medium/: Play Store metadata, SBOM extraction, Permission-to-Code mapping, Certificate deep analysis (v1/v2/v3 signing, debug-key), Malware-domain checks, Icon analysis, and NIAP compliance.
One run can emit everything below. Pick a depth with -profile {quick|balanced|deep|paranoid} and a verbosity with -report {short|default|full|all}.
analysis_output/
├── REPORT.html # interactive report (open this first)
├── REPORT.md # Markdown for issues / wikis
├── analysis.json # machine-readable findings
├── analysis.sarif # optional: -sarif → GitHub/GitLab code scanning
├── PATCHES.md # proposed patches
├── PATCHES_WITH_FIX.md # patches with applied fixes
├── correlation_report.{md,json}# findings linked into risk chains
├── insights/ # JNI_BRIDGE · PRIVACY · VERSION_DIFF · GRAPH_EXPLORER · FIRMWARE
├── mobsf/ # SAST_RULES · EXODUS_TRACKERS · NSC_AUDIT · MANIFEST_AUDIT · APKID
└── medium/ # SBOM · PERMISSION_MAP · CERT_AUDIT · MALWARE_DOMAINS · ICON · NIAP · PLAYSTORE
| Format | Use it for |
|---|---|
| HTML | Reading with your eyes — risk scoring, finding breakdown, artifact browser, crack-point view |
| Markdown | Pasting into issues, PRs, and wikis |
| JSON / CSV | Scripting and dashboards |
| SARIF | GitHub/GitLab code scanning, VS Code SARIF Viewer, SonarQube |
A full flag reference lives in docs/USAGE.md and FlagiFiles.md.
flowchart TD
IN["APK · DEX · Smali · PE · ELF · Mach-O · RN · JAR · Firmware · Web"]
UI["CLI · TUI · Web UI (:7474) · REST API"]
IN --> UI
UI --> A["Android / bytecode<br/>Go pipeline"]
UI --> B["OmniSec native<br/>Rust · 39 crates"]
UI --> C["Dynamic sandbox<br/>Windows + Android"]
UI --> D["Toolkits<br/>privsrv · crack · insights · mobsf"]
UI --> E["ML pipeline<br/>GNN · GBT · RF · LR · HDC"]
A --> COR["Correlation engine<br/>risk chains"]
B --> COR
C --> COR
D --> COR
E --> COR
COR --> OUT["Reports<br/>HTML · MD · JSON · CSV · SARIF"]
| Layer | Language | Where |
|---|---|---|
| CLI / TUI / Web UI / REST API | Go | pkg/cmd/analyzer, pkg/api |
| Static pipeline · taint · SMT · SSA IR | Go | pkg/internal/{pipeline,taint,smt,ssair} |
| Dynamic sandbox (Windows + Android) | Go + Zig | pkg/internal/sandbox, zig/sandbox |
| OmniSec native engine (39 crates) | Rust | rust/crates/omnisec-* |
| SIMD ML runtime (XNOR-GEMM · Hamming · SpMV) | Zig | zig/src |
| Distributed analysis server (optional) | Elixir/OTP | server/ |
More detail: docs/ARCHITECTURE.md.
ML assists the audit — deliberately lightweight, CPU-only, and fully offline (no LLMs, no gigabyte model weights):
HDC auto-naming — recovers obfuscated variable/function names locally using sparse associative memory.
Smart risk scoring — an ensemble (GNN, GBT, Random Forest, Logistic Regression) for spotting dangerous patterns, with Platt-calibrated confidence and SHAP-inspired feature attribution.
ML Patcher — 150+ patch patterns ranked by Risk × Impact / (Cost × Detection × Breakage), with CFG-aware apply and SHA-256-verified backups.
The longer-term plan (conformal prediction, on-device incremental learning, drift monitoring) lives in docs/ML_ROADMAP.md.
Mega-Analyzer emits SARIF, so its findings appear directly in your repo's Security → Code scanning tab and inline on pull requests. Drop in the reusable action:
- name: Mega-Analyzer scan
id: scan
uses: Promastergame/mega-analyzer@v1
with:
target: app-release.apk
report: full
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif-file }}Full guide: docs/CODE_SCANNING.md.
These constraints are non-negotiable and define what the project is:
- 100% offline-first. No external APIs, cloud parsers, telemetry, or update checks. Built-in proxies/DNS/servers bind to
localhostonly. - Lightweight by mandate. Targets modest hardware (a 2012-era quad-core, 8 GB RAM). Peak RAM within ~1.5–2 GB; normal runs fit in 500–800 MB. No heavy LLMs or gigabyte model weights.
- Free and open (Apache 2.0). No paywalls, "Pro" tiers, trials, or file-size limits. Ever.
- Defensive only. For security research, auditing, and defense. Not for building or distributing malware.
| QUICKSTART.md | The 60-second version |
| FlagiFiles.md | Complete flag reference — every flag, env var, and build command |
| docs/USAGE.md | Flags, profiles, and recipes (cheat sheet) |
| docs/BUILD.md | Core build vs full native, toolchains, testing |
| docs/ARCHITECTURE.md | Directory layout, Go/Rust/Zig/Elixir interaction, adaptive scheduler |
| docs/COMPARISON.md | Honest comparison vs MobSF / JADX / Ghidra / ANY.RUN / VirusTotal |
| docs/FAQ.md | Common questions, gotchas, and design choices |
| docs/CODE_SCANNING.md | SARIF output and GitHub Action integration |
| docs/DOCKER_DEPLOYMENT.md | Docker / Compose / Kubernetes deployment |
| docs/ROADMAP.md | Project roadmap (sandbox, ML, detection) |
| docs/ML_ROADMAP.md | Machine-learning strategy and roadmap |
| docs/RELEASING.md | Release workflow and signature verification |
| docs/SECURITY.md | How to report vulnerabilities (private advisory) |
| docs/CONTRIBUTING.md | How to report bugs and suggest ideas (no PRs) |
| docs/SUPPORT.md | Where to get help |
| docs/CODE_OF_CONDUCT.md | Community standards |
| docs/DONATION.md | Support the project |
Mega-Analyzer is 100% free and open source (Apache 2.0) — no paid tiers, no ads, no file-size limits, ever. It's built and maintained by a single developer.
Donations go straight into the things that don't run offline: CI/CD build infrastructure and compute to train the offline GNN/HDC models. See docs/DONATION.md for ways to support, or use the DonationAlerts page.
| Version | v1.0.0-beta.1 |
| Maintainer | @Promastergame — designed and written by a single developer, using AI tools |
| Contributions | Solo project — pull requests are not accepted. Bug reports and ideas via Issues. Security vulnerabilities: private advisory. |
| License | Apache 2.0 — completely free, no paywalls, no limits |
Mega-Analyzer · a whole malware lab on localhost
Released under the Apache 2.0 license · runs at 100% with the network cable pulled