Categories: Kali Linux

Droidefense – Advance Android Malware Analysis Framework

Droidefense (originally named atom: analysis through observation machine)* is the codename for android apps/malware analysis/reversing tool. It was built focused on security issues and tricks that malware researcher have on they every day work. For those situations on where the malware has anti-analysis routines, Droidefense attemps to bypass them in order to get to the code and ‘bad boy’ routine. Sometimes those techniques can be virtual machine detection, emulator detection, self certificate checking, pipes detection. tracer pid check, and so on.

Droidefense uses an innovative idea in where the code is not decompiled rather than viewed. This allow us to get the global view of the execution workflow of the code with a 100% accuracy on gathered information. With this situation, Droidefense generates a fancy html report with the results for an easy understanding.

Also ReadMobSF – Mobile Security Framework Is An Automated All-In-One Mobile Application

Droidefense Features

.apk unpacker
.apk resource decoder
.apk file enumeration
.apk file classification and identification
binary xml decoder
in-memory processing using a virtual filesystem
resource fuzzing and hashing
entropy calculator
native code dump
certificate analysis
debug certificate detection
opcode analysis
unused opcode detection
androidManifest.xml analysis
internal structure analysis
dalvik bytecode flow analysis
multipath analysis implementation (not tested)
CFG generation
simple reflection resolver
String classification
simulated workflow generation
dynamic rules engine

Droidefense modules

PSCout data module
Full Android manifest parser, based on official SDK documentation v23.
Plugins
Machine Learning (Weka based) module

Droidefense plugins

Hidden ELF file detector plugin
Hidden APK file detector plugin
Application UID detector plugin
Privacy plugin

Usage

java -jar droidefense-cli-1.0-SNAPSHOT.jar -i /path/to/your/sample.apk

Detailed usage

java -jar droidefense-cli-1.0-SNAPSHOT.jar

________               .__    .___      _____                            
\______ \_______  ____ |__| __| _/_____/ ____\____   ____   ______ ____  
 |    |  \_  __ \/  _ \|  |/ __ |/ __ \   __\/ __ \ /    \ /  ___// __ \ 
 |    `   \  | \(  <_> )  / /_/ \  ___/|  | \  ___/|   |  \\___ \\  ___/ 
/_______  /__|   \____/|__\____ |\___  >__|  \___  >___|  /____  >\___  >
        \/                     \/    \/          \/     \/     \/     \/ 

* Current build:    2018_03_09__09_17_34
* Check out on Github:    https://github.com/droidefense/
* Report your issue:    https://github.com/droidefense/engine/issues
* Lead developer:    @zerjioang

usage: droidefense
 -d,--debug                 print debugging information
 -h,--help                  print this message
 -i,--input <apk>           input .apk to be analyzed
 -o,--output <format>       select prefered output:
                            json
                            json.min
                            html
 -p,--profile               Wait for JVM profiler
 -s,--show                  show generated report after scan
 -u,--unpacker <unpacker>   select prefered unpacker:
                            zip
                            memapktool
 -v,--verbose               be verbose
 -V,--version               show current version information

License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Uses GPL license described below

R K