Attack Chain

1. An attacker crafts a malicious Android APK file.
2. The attacker embeds ../ sequences within the resources.arsc Type String Pool of the APK.
3. A user attempts to decode the malicious APK file using a vulnerable version of Apktool (3.0.0 or 3.0.1) via the command apktool d malicious.apk.
4. During the decoding process, the ResFileDecoder.java component processes the resources.arsc file.
5. Due to the missing BrutIO.sanitizePath() call, the ../ sequences are not sanitized, allowing path traversal.
6. Apktool attempts to write a resource file to a location outside the intended output directory.
7. The resource file is written to an arbitrary location on the filesystem, potentially overwriting critical system files (e.g., ~/.bashrc, ~/.ssh/config).
8. If a file like ~/.bashrc is overwritten, subsequent shell sessions execute malicious code, achieving remote code execution. If a Windows Startup folder is targeted, the code executes on the next reboot.

Impact

Successful exploitation of this vulnerability allows attackers to write arbitrary files to the filesystem of the machine running Apktool. This can lead to various malicious outcomes, including remote code execution, privilege escalation, and data exfiltration. The impact is particularly severe if Apktool is run with elevated privileges or if sensitive files are overwritten. While specific victim numbers are not available, developers and security researchers who rely on Apktool for APK analysis are at risk.

Recommendation

• Upgrade to Apktool version 3.0.2 or later to remediate CVE-2026-39973.
• Implement file integrity monitoring on sensitive files like ~/.bashrc and ~/.ssh/config to detect unauthorized modifications.
• Enable process monitoring to detect the execution of apktool d with suspicious arguments, particularly targeting unexpected output directories.
• Deploy the Sigma rule “Detect Apktool Path Traversal Attempt” to identify potential exploitation attempts based on command-line arguments.