Malware analysis tools

androwarn v1.5 releases: static code analyzer for malicious Android applications

Androwarn

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application.

The detection is performed with the static analysis of the application’s Dalvik bytecode, represented as Smali, with the androguardlibrary.

This analysis leads to the generation of a report, according to a technical detail level chosen from the user.

androwarn

Features

  • Structural and data flow analysis of the bytecode targeting different malicious behaviours categories
    • Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator’s name…
    • Device settings exfiltration: software version, usage statistics, system settings, logs…
    • Geolocation information leakage: GPS/WiFi geolocation…
    • Connection interfaces information exfiltration: WiFi credentials, Bluetooth MAC adress…
    • Telephony services abuse: premium SMS sending, phone call composition…
    • Audio/video flow interception: call recording, video capture…
    • Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit…
    • PIM data leakage: contacts, calendar, SMS, mails…
    • External memory operations: file access on SD card…
    • PIM data modification: add/delete contacts, calendar events…
    • Arbitrary code execution: native code using JNI, UNIX command, privilege escalation…
    • Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot…
  • Report generation according to several detail levels
    • Essential (-v 1) for newbies
    • Advanced (-v 2)
    • Expert (-v 3)
  • Report generation according to several formats
    • Plaintext txt
    • Formatted html from a Bootstrap template

Changelog v1.5

  • 2019/01/05: few fixes

Install

pip install androwarn

Usage

usage: androwarn.py [-h] -i INPUT [-o OUTPUT] [-v {1,2,3}] [-r {txt,html}]
                    [-d]
                    [-L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}]
                    [-w]

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT, --input INPUT
                        APK file to analyze
  -o OUTPUT, --output OUTPUT
                        Output report file (default
                        "./<apk_package_name>.<report_type>")
  -v {1,2,3}, --verbose {1,2,3}
                        Verbosity level { 1-3 } (ESSENTIAL, ADVANCED, EXPERT)
                        (default 1)
  -r {txt,html}, --report {txt,html}
                        Report type { "txt", "html" } (default "html")
  -d, --display-report  Display analysis results to stdout
  -L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}, --log-level {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}
                        Log level { DEBUG, INFO, WARN, ERROR, CRITICAL }
                        (default "ERROR")
  -w, --with-playstore-lookup
                        Enable online lookups on Google Play

Copyright (C) 2018 maaaaz

Source: https://github.com/maaaaz/

Read more…

Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Malware analyst || Malware Investigator || Reverse Engineering

Leave a Reply