Static code analyzer for malicious Android applications
It detects and warns the user about potentially malicious behaviours developed by an Android application.
It performs structural and data flow analysis of the bytecode, targeting the following categories of malicious behaviour:
- Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator’s name…
- Device settings exfiltration: software version, usage statistics, system settings, logs…
- Geolocation information leakage: GPS/WiFi geolocation…
- Connection interfaces information exfiltration: WiFi credentials, Bluetooth MAC address…
- Telephony services abuse: premium SMS sending, phone call composition…
- Audio/video flow interception: call recording, video capture…
- Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit…
- PIM data leakage: contacts, calendar, SMS, mails, clipboard…
- External memory operations: file access on SD card…
- PIM data modification: add/delete contacts, calendar events…
- Arbitrary code execution: native code using JNI, UNIX command, privilege escalation…
- Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot…
Download: https://github.com/maaaaz/androwarn
It was built with a focus on the security issues and tricks that malware researchers encounter in their everyday work. For situations where the malware has anti-analysis routines, Droidefense attempts to bypass them in order to reach the code and the ‘bad boy’ routine. Such techniques can include virtual machine detection, emulator detection, self-certificate checking, pipe detection, tracer PID checks, and so on.
Droidefense takes a different approach: the code is not decompiled but viewed directly. This gives a global view of the execution workflow of the code with 100% accuracy on the gathered information. From this, Droidefense generates an HTML report with the results for easy understanding.
- .apk unpacker
- .apk resource decoder
- .apk file enumeration
- .apk file classification and identification
- binary xml decoder
- in-memory processing using a virtual filesystem
- resource fuzzing and hashing
- entropy calculator
- native code dump
- certificate analysis
- debug certificate detection
- opcode analysis
- unused opcode detection
- AndroidManifest.xml analysis
- internal structure analysis
- dalvik bytecode flow analysis
- multipath analysis implementation (not tested)
- CFG generation
- simple reflection resolver
- String classification
- simulated workflow generation
- dynamic rules engine
Download: https://github.com/droidefense/engine
Reverse engineering, Malware and goodware analysis of Android applications … and more
Androguard is a full Python suite for working with Android files. It handles:
- DEX, ODEX
- Android’s binary xml
- Android resources
- Disassemble DEX/ODEX bytecodes
- Decompiler for DEX/ODEX files
Runtime memory analysis framework to identify Android malware.
Uitkyk is a framework that allows you to identify Android malware according to the instantiated objects on the heap for a specific Android process.
What does it do
Uitkyk scans the heap of a specific Android process using custom Frida scripts to identify malicious behaviour according to the objects instantiated by that process.
How to use Uitkyk?
Uitkyk can be used in multiple ways. Firstly, as an Android library with existing Android applications, by adding the code in the “Android Library” folder or the AAR release as a library to your Android application. Secondly, as a standalone application, by building and running the Android application located in the “UitkykDemoApp” folder. Thirdly, Uitkyk can be used from the Frida CLI by running the Frida scripts located in the “FridaScripts” folder.
QARK: Quick Android Review Kit
QARK is designed to look for several security-related Android application vulnerabilities, either in source code or in packaged APKs. It is also capable of creating “Proof-of-Concept” deployable APKs and/or ADB commands capable of exploiting many of the vulnerabilities it finds. There is no need to root the test device, as QARK focuses on vulnerabilities that can be exploited under otherwise secure conditions.
QARK is easy to use and capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of the vulnerabilities.
QARK automates the use of multiple decompilers, leveraging their combined outputs to produce superior results when decompiling APKs. Finally, the major advantage QARK has over traditional software that just points you to possible vulnerabilities is that it can produce ADB commands, or even fully functional APKs, that turn hypothetical vulnerabilities into working “POC” exploits.
Included in the types of security vulnerabilities this software attempts to find are:
- Inadvertently exported components
- Improperly protected exported components
- Intents which are vulnerable to interception or eavesdropping
- Improper x.509 certificate validation
- Creation of world-readable or world-writeable files
- Activities which may leak data
- The use of Sticky Intents
- Insecurely created Pending Intents
- Sending of insecure Broadcast Intents
- Private keys embedded in the source
- Weak or improper cryptography use
- Potentially exploitable WebView configurations
- Exported Preference Activities
- Apps which enable backups
- Apps which are debuggable
- Apps supporting outdated API versions, with known vulnerabilities
Android Security Suite for APK reversing, in-depth reconnaissance and static bytecode analysis based on Ghera benchmarks
Adhrit is an open source Android APK reversing and analysis suite. It is an effort to find an efficient solution to all the needs of mobile security testing and automation. Adhrit has been built with a focus on flexibility and modularization.
Adhrit currently uses the Ghera benchmarks to identify vulnerability patterns in Android applications. The project is subject to continuous updates and will incorporate the latest available methodologies.