Androwarn - Yet Another Static Code Analyzer For Malicious Android Applications


Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application.
The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali, with the androguard library.
This analysis leads to the generation of a report, according to a technical detail level chosen by the user.

Features
  • Structural and data flow analysis of the bytecode targeting different malicious behaviour categories
    • Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator's name...
    • Device settings exfiltration: software version, usage statistics, system settings, logs...
    • Geolocation information leakage: GPS/WiFi geolocation...
    • Connection interfaces information exfiltration: WiFi credentials, Bluetooth MAC address...
    • Telephony services abuse: premium SMS sending, phone call composition...
    • Audio/video flow interception: call recording, video capture...
    • Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit...
    • PIM data leakage: contacts, calendar, SMS, mails, clipboard...
    • External memory operations: file access on SD card...
    • PIM data modification: add/delete contacts, calendar events...
    • Arbitrary code execution: native code using JNI, UNIX command, privilege escalation...
    • Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot...
  • Report generation according to several detail levels
    • Essential (-v 1) for newbies
    • Advanced (-v 2)
    • Expert (-v 3)
  • Report generation according to several formats
    • Plaintext txt
    • Formatted html from a Bootstrap template
    • JSON
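To make the detection approach concrete, here is an added illustration (not Androwarn's own code, which uses androguard over real Dalvik bytecode): a few constructed Smali invoke lines are matched against a small table of real Android/Java API signatures, each mapped to one of the behaviour categories above, and the findings are filtered by a detail level and rendered as txt or JSON. The signature-to-category table, the level assigned to each signature and the sample Smali are assumptions of this example, and the regex-based invoke extraction stands in for a real bytecode walk.

```python
"""Toy Smali-level behaviour classifier (added illustration, not Androwarn's code).

The "bytecode" is a constructed Smali excerpt embedded below; detection is a
lookup of each invoked API signature against a table mirroring a few of the
README's behaviour categories. Androwarn itself uses androguard on real APKs.
"""
import json
import re

# Real Android/Java API signatures -> (README category, description, level).
# Level = detail level at which the finding is shown (1 essential, 2 advanced,
# 3 expert); the level assignments here are an assumption of this example.
SIGNATURES = {
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;":
        ("Telephony identifiers exfiltration", "IMEI read", 1),
    "Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;":
        ("Telephony identifiers exfiltration", "IMSI read", 1),
    "Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V":
        ("Telephony services abuse", "SMS sending", 1),
    "Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;":
        ("Geolocation information leakage", "GPS/WiFi geolocation", 2),
    "Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;":
        ("Arbitrary code execution", "UNIX command execution", 1),
    "Ljava/net/Socket;-><init>(Ljava/lang/String;I)V":
        ("Remote connection establishment", "socket open call", 2),
}

# Constructed Smali excerpt for the example; not taken from any real application.
SAMPLE_SMALI = """\
.class public Lcom/example/Suspicious;
.method public leak()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v1
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    invoke-virtual {v2, v3, v4, v1, v5, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    invoke-virtual {v6, v7}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    invoke-direct {v8, v9, v10}, Ljava/net/Socket;-><init>(Ljava/lang/String;I)V
    return-void
.end method
"""

# Matches any Smali invoke-* instruction and captures the invoked signature.
INVOKE_RE = re.compile(
    r"^\s*invoke-(?:virtual|static|direct|interface|super)(?:/range)?"
    r"\s+\{[^}]*\},\s+(\S+)\s*$")


def extract_invocations(smali_text):
    """Return the API signatures invoked in a Smali listing, in order."""
    calls = []
    for line in smali_text.splitlines():
        m = INVOKE_RE.match(line)
        if m:
            calls.append(m.group(1))
    return calls


def analyze(smali_text, verbosity=1):
    """Classify invocations; keep findings whose level is <= verbosity."""
    findings = {}
    for sig in extract_invocations(smali_text):
        hit = SIGNATURES.get(sig)
        if hit is None:
            continue  # benign or unknown API: ignored
        category, description, level = hit
        if level > verbosity:
            continue  # hidden at this detail level
        entry = {"description": description, "api": sig}
        bucket = findings.setdefault(category, [])
        if entry not in bucket:  # report each behaviour once
            bucket.append(entry)
    return findings


def render(findings, fmt="txt"):
    """Render findings as plain text or JSON (the README's txt/json formats)."""
    if fmt == "json":
        return json.dumps(findings, indent=2, sort_keys=True)
    lines = []
    for category in sorted(findings):
        lines.append("[+] " + category)
        for entry in findings[category]:
            lines.append("    - {0}: {1}".format(entry["description"], entry["api"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(analyze(SAMPLE_SMALI, verbosity=3), "txt"))
```

Running the module prints the expert-level text report for the constructed sample; lowering `verbosity` to 1 drops the socket finding, which shows how a detail level trims the report without changing the underlying detection.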

Usage

Options
  usage: androwarn [-h] -i INPUT [-o OUTPUT] [-v {1,2,3}] [-r {txt,html,json}]
                   [-d]
                   [-L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}]
                   [-w]

  version: 1.4

  optional arguments:
    -h, --help            show this help message and exit
    -i INPUT, --input INPUT
                          APK file to analyze
    -o OUTPUT, --output OUTPUT
                          Output report file (default "./_.")
    -v {1,2,3}, --verbose {1,2,3}
                          Verbosity level (ESSENTIAL 1, ADVANCED 2, EXPERT 3)
                          (default 1)
    -r {txt,html,json}, --report {txt,html,json}
                          Report type (default "html")
    -d, --display-report  Display analysis results to stdout
    -L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}, --log-level {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}
                          Log level (default "ERROR")
    -w, --with-playstore-lookup
                          Enable online lookups on Google Play

Common usage
$ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
By default, the report is generated in the current folder.
An HTML report is now contained in a standalone file; CSS/JS resources are inlined.

Sample application
A sample application has been built, concentrating several malicious behaviours.
The APK is available in the _SampleApplication/bin/ folder and the HTML report is available in the _SampleReports folder.

Dependencies and installation
  • Python 2.7 + androguard + jinja2 + play_scraper + argparse
  • The easiest way to set up everything: pip install androwarn and then directly use $ androwarn
  • Or git clone that repository and pip install -r requirements.txt

Changelog
  • version 1.5 - 2019/01/05: few fixes
  • version 1.4 - 2019/01/04: code cleanup and use of the latest androguard version
  • version 1.3 - 2018/12/30: few fixes
  • version 1.2 - 2018/12/30: few fixes
  • version 1.1 - 2018/12/29: fixing few bugs, removing Chilkat dependencies and pip packaging
  • version 1.0 - from 2012 to 2013

Contributing
You're welcome, any help is appreciated :)

Contact
  • Thomas Debize < tdebize at mail d0t com >
  • Join #androwarn on Freenode

Greetings