Androwarn : Static Code Analyzer for Malicious Android Applications

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.

The detection is performed with the static analysis of the application’s Dalvik bytecode, represented as Smali, with the androguard library.

This analysis leads to the generation of a report, according to a technical detail level chosen from the user.

Features

  • Structural and data flow analysis of the bytecode targeting different malicious behaviours categories
    • Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator’s name…
    • Device settings exfiltration: software version, usage statistics, system settings, logs…
    • Geolocation information leakage: GPS/WiFi geolocation…
    • Connection interfaces information exfiltration: WiFi credentials, Bluetooth MAC adress…
    • Telephony services abuse: premium SMS sending, phone call composition…
    • Audio/video flow interception: call recording, video capture…
    • Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit…
    • PIM data leakage: contacts, calendar, SMS, mails, clipboard…
    • External memory operations: file access on SD card…
    • PIM data modification: add/delete contacts, calendar events…
    • Arbitrary code execution: native code using JNI, UNIX command, privilege escalation…
    • Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot…
  • Report generation according to several detail levels
    • Essential (-v 1) for newbies
    • Advanced (-v 2)
    • Expert (-v 3)
  • Report generation according to several formats
    • Plaintext txt
    • Formatted html from a Bootstrap template
    • JSON

Also Read – Lynis : Security Auditing Tool for Unix/Linux Systems

Usage

Options

usage: androwarn [-h] -i INPUT [-o OUTPUT] [-v {1,2,3}] [-r {txt,html,json}]
[-d]
[-L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}]
[-w]
version: 1.4
optional arguments:
-h, –help show this help message and exit
-i INPUT, –input INPUT
APK file to analyze
-o OUTPUT, –output OUTPUT
Output report file (default
“./_.”) -v {1,2,3}, –verbose {1,2,3}
Verbosity level (ESSENTIAL 1, ADVANCED 2, EXPERT 3)
(default 1)
-r {txt,html,json}, –report {txt,html,json}
Report type (default “html”)
-d, –display-report Display analysis results to stdout -L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}, –log-level
{debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}
Log level (default “ERROR”)
-w, –with-playstore-lookup
Enable online lookups on Google Play{debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}
Log level (default “ERROR”)
-w, –with-playstore-lookup
Enable online lookups on Google Play

Common usage

$ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3

By default, the report is generated in the current folder.
An HTML report is now contained in a standalone file, CSS/JS resources are inlined.

Sample application

A sample application has been built, concentrating several malicious behaviours.

The APK is available in the _SampleApplication/bin/ folder and the HTML report is available in the _SampleReports folder.

Dependencies and installation

  • Python 2.7 + androguard + jinja2 + play_scraper + argparse
  • The easiest way to setup everything: pip install androwarn and then directly use $ androwarn
  • Or git clone that repository and pip install -r requirements.txt

Changelog

  • version 1.5 – 2019/01/05: few fixes
  • version 1.4 – 2019/01/04: code cleanup and use of the latest androguard version
  • version 1.3 – 2018/12/30: few fixes
  • version 1.2 – 2018/12/30: few fixes
  • version 1.1 – 2018/12/29: fixing few bugs, removing Chilkat dependencies and pip packaging
  • version 1.0 – from 2012 to 2013
R K

Recent Posts

Install and Configure Squid Proxy on Ubuntu 18.04: Setup Guide

Squid is a full-featured caching proxy server that supports HTTP, HTTPS, and FTP. It is most…

11 hours ago

Install Chromium on Ubuntu 18.04: The Open-Source Browser Guide

Chromium is a fast, lightweight, open-source web browser developed primarily by Google. It serves as the…

11 hours ago

Install MySQL Workbench on Ubuntu 18.04: SSH Connections Guide

MySQL Workbench is a cross-platform graphical tool for MySQL database administration. It brings together everything a…

11 hours ago

Configure NFS Server on Ubuntu 18.04: Setup and Mount Guide

NFS (Network File System) is a distributed file sharing protocol that lets you mount remote directories…

11 hours ago

VirtualBox Guest Additions on Ubuntu 18.04: Install and Verify

VirtualBox is an open-source, cross-platform virtualization application that lets you run multiple operating systems simultaneously on…

11 hours ago

Enable SSH on Ubuntu 18.04: Install, Connect, and Manage

SSH (Secure Shell) is a cryptographic network protocol that creates a secure, encrypted connection between your…

1 day ago