Androwarn – Yet Another Static Code Analyzer For Malicious Android Applications
Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.
The detection is performed with theĀ static analysisĀ of the application's Dalvik bytecode, represented as Smali, with theĀ
androguardlibrary.This analysis leads to the generation of a report, according to a technical detail level chosen from the user.
Features
- Structural and data flow analysis of the bytecode targeting different malicious behaviours categories
- Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator's name...
- Device settings exfiltration: software version, usage statistics, system settings, logs...
- Geolocation information leakage: GPS/WiFi geolocation...
- Connection interfaces information exfiltration: WiFi credentials,Ā BluetoothĀ MAC adress...
- Telephony services abuse: premium SMS sending, phone call composition...
- Audio/video flow interception: call recording, video capture...
- Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit...
- PIM data leakage: contacts, calendar, SMS, mails, clipboard...
- External memory operations: file access on SD card...
- PIM data modification: add/delete contacts, calendar events...
- Arbitrary code execution: native code using JNI, UNIX command, privilege escalation...
- Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot...
- Report generation according to several detail levels
- Essential (
-v 1) for newbies - Advanced (
-v 2) - Expert (
-v 3)
- Essential (
- Report generation according to several formats
- PlaintextĀ
txt - FormattedĀ
htmlĀ from a Bootstrap template - JSON
- PlaintextĀ
Usage
Options
usage: androwarn [-h] -i INPUT [-o OUTPUT] [-v {1,2,3}] [-r {txt,html,json}]
[-d]
[-L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}]
[-w]
version: 1.4
optional arguments:
-h, --help show this help message and exit
-i INPUT, --input INPUT
APK file to analyze
-o OUTPUT, --output OUTPUT
Output report file (default
"./<apk_package_name>_<timestamp>.<report_type>")
-v {1,2,3}, --verbose {1,2,3}
Verbosity level (ESSENTIAL 1, ADVANCED 2, EXPERT 3)
(default 1)
-r {txt,html,json}, --report {txt,html,json}
Report type (default "html")
-d, --display-report Display analysis results to stdout
-L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}, --log-level {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}
Log level (default "ERROR")
-w, --with-playstore-lookup
Enable online lookups on Google Play[adsense size='1']
Common usage
$ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3By default, the report is generated in the current folder.
An HTML report is now contained in a standalone file, CSS/JS resources are inlined.
Sample application
A sample application has been built, concentrating several malicious behaviours.
The APK is available in theĀ _SampleApplication/bin/Ā folder and the HTML report is available in theĀ _SampleReportsĀ folder.
Dependencies and installation
- Python 2.7 +Ā androguardĀ + jinja2 + play_scraper + argparse
- TheĀ easiest wayĀ to setup everything:Ā
pip install androwarnĀ and then directly useĀ$ androwarn - Or git clone that repository andĀ
pip install -r requirements.txt
[adsense size='1']
Changelog
- version 1.5 - 2019/01/05: few fixes
- version 1.4 - 2019/01/04: code cleanup and use of the latest androguard version
- version 1.3 - 2018/12/30: few fixes
- version 1.2 - 2018/12/30: few fixes
- version 1.1 - 2018/12/29: fixing few bugs, removing Chilkat dependencies and pip packaging
- version 1.0 - from 2012 to 2013
Contributing
You're welcome, any help is appreciated š
Contact
- Thomas Debize < tdebize at mail d0t com >
- Join #androwarn on Freenode
Greetings
- StƩphane Coulondre, for supervising my Final Year project
- Anthony Desnos, for his amazingĀ AndroguardĀ project and his help through my Final Year project
Gloss