Yet another static code analyzer for malicious Android applications


Androwarn

Yet another static code analyzer for malicious Android applications

Description

Androwarn is a tool whose main aim is to detect and warn the user about potentially malicious behaviours developed by an Android application.

The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali, with the androguard library.

This analysis leads to the generation of a report, according to a technical detail level chosen by the user.

Features

  • Structural and data flow analysis of the bytecode targeting different malicious behaviours categories

    • Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator's name...
    • Device settings exfiltration: software version, usage statistics, system settings, logs...
    • Geolocation information leakage: GPS/WiFi geolocation...
    • Connection interfaces information exfiltration: WiFi credentials, Bluetooth MAC address...
    • Telephony services abuse: premium SMS sending, phone call composition...
    • Audio/video flow interception: call recording, video capture...
    • Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit...
    • PIM data leakage: contacts, calendar, SMS, mails, clipboard...
    • External memory operations: file access on SD card...
    • PIM data modification: add/delete contacts, calendar events...
    • Arbitrary code execution: native code using JNI, UNIX command, privilege escalation...
    • Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot...
  • Report generation according to several detail levels

    • Essential (-v 1) for newbies
    • Advanced (-v 2)
    • Expert (-v 3)
  • Report generation according to several formats

    • Plaintext txt
    • Formatted html from a Bootstrap template
    • JSON
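As an added example (not Androwarn's own code), the following Python miniature of the approach described above runs over a constructed Smali method: a structural pass matches invoke instructions against a short table of API signatures, and a data-flow pass traces the argument registers backwards to recover the socket's remote address and port. It also shows the defensive handling of an invoke that passes fewer registers than expected, which Androwarn reports as an 'N/A' port and which, unguarded, produces the IndexError tracebacks quoted in the issues further down this page; the Smali method and the signature table are constructed for the example.

```python
import re

# Constructed Smali method (not Androwarn's sample app): read the IMEI, open a
# socket to a hard-coded host/port, then call a Socket constructor with no args.
SMALI = """
.method private leak()V
    check-cast v0, Landroid/telephony/TelephonyManager;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v1
    new-instance v2, Ljava/net/Socket;
    const-string v3, "203.0.113.7"
    const/16 v0, 0x1bb
    invoke-direct {v2, v3, v0}, Ljava/net/Socket;-><init>(Ljava/lang/String;I)V
    invoke-direct {v2}, Ljava/net/Socket;-><init>()V
    return-void
.end method
"""

# Two of the API signatures behind the categories listed above (a tiny subset).
SIGNATURES = {
    "Landroid/telephony/TelephonyManager;->getDeviceId": "Telephony identifiers exfiltration",
    "Ljava/net/Socket;-><init>": "Remote connection establishment",
}

INVOKE = re.compile(r"invoke-[\w/]+\s+\{([^}]*)\},\s+(L[^(]+)\(")
# Only plain string/integer constant loads resolve to a value; any other write
# to the register (move-result, new-instance, check-cast, ...) makes it unknown.
CONST = re.compile(r'const(?:-string|/\d+|/high16)?\s+(v\d+),\s+(".*"|0x[0-9a-fA-F]+|-?\d+)')
WRITE = re.compile(r"(?:move-result(?:-object|-wide)?|new-instance|check-cast|"
                   r"[is]get(?:-\w+)?|move(?:-object|-wide)?(?:/from16|/16)?)\s+(v\d+)")


def backtrace_registers(lines, call_index, regs):
    """Walk backwards from the invoke; last constant per argument register, or None."""
    values = {r: None for r in regs}
    pending = set(regs)
    for line in reversed(lines[:call_index]):
        line = line.strip()
        m = CONST.match(line)
        if m and m.group(1) in pending:
            reg, raw = m.groups()
            values[reg] = raw.strip('"') if raw.startswith('"') else int(raw, 0)
            pending.discard(reg)
        else:
            w = WRITE.match(line)
            if w and w.group(1) in pending:
                pending.discard(w.group(1))  # overwritten by a non-constant
        if not pending:
            break
    return values


def arg_value(values, regs, index):
    """Androwarn's get_register_value(index, registers) raises IndexError when an
    invoke passes fewer registers than expected; report 'N/A' instead."""
    if index >= len(regs) or values[regs[index]] is None:
        return "N/A"
    return values[regs[index]]


def analyze(smali):
    """Structural pass over invokes, then data-flow pass over their registers."""
    lines = smali.strip().splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = INVOKE.search(line)
        if not m or m.group(2) not in SIGNATURES:
            continue
        regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
        api = m.group(2)
        values = backtrace_registers(lines, i, regs)
        finding = {"category": SIGNATURES[api], "api": api, "line": i + 1}
        if api == "Ljava/net/Socket;-><init>":
            # Socket(String host, int port): register 0 is 'this'
            finding["remote_address"] = arg_value(values, regs, 1)
            finding["remote_port"] = arg_value(values, regs, 2)
        findings.append(finding)
    return findings
```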

Usage

Options

usage: androwarn [-h] -i INPUT [-o OUTPUT] [-v {1,2,3}] [-r {txt,html,json}]
                 [-d]
                 [-L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}]
                 [-w]

version: 1.4

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT, --input INPUT
                        APK file to analyze
  -o OUTPUT, --output OUTPUT
                        Output report file (default
                        "./<apk_package_name>_<timestamp>.<report_type>")
  -v {1,2,3}, --verbose {1,2,3}
                        Verbosity level (ESSENTIAL 1, ADVANCED 2, EXPERT 3)
                        (default 1)
  -r {txt,html,json}, --report {txt,html,json}
                        Report type (default "html")
  -d, --display-report  Display analysis results to stdout
  -L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}, --log-level {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}
                        Log level (default "ERROR")
  -w, --with-playstore-lookup
                        Enable online lookups on Google Play

Common usage

$ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3

By default, the report is generated in the current folder.
An HTML report is now a single standalone file: CSS/JS resources are inlined.

Sample application

A sample application has been built, concentrating several malicious behaviours.

The APK is available in the _SampleApplication/bin/ folder and the HTML report is available in the _SampleReports folder.

Dependencies and installation

  • Python 3 or Python 2.7 + androguard + jinja2 + play_scraper + argparse
  • The easiest way to set up everything: pip install androwarn and then directly use $ androwarn
  • Or git clone that repository and pip install -r requirements.txt

Changelog

  • version 1.6 - 2019/05/30: Python 3 support and a few fixes
  • version 1.5 - 2019/01/05: a few fixes
  • version 1.4 - 2019/01/04: code cleanup and use of the latest androguard version
  • version 1.3 - 2018/12/30: a few fixes
  • version 1.2 - 2018/12/30: a few fixes
  • version 1.1 - 2018/12/29: fixing a few bugs, removing Chilkat dependencies and pip packaging
  • version 1.0 - from 2012 to 2013

Contributing

You're welcome, any help is appreciated :)

Contact

  • Thomas Debize < tdebize at mail d0t com >
  • Join #androwarn on Freenode

Copyright and license

Androwarn is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Androwarn is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with Androwarn.
If not, see http://www.gnu.org/licenses/.

Greetings

Comments
  • Androwarn index out of range errors

    Thomas,

    We are getting "Index out of range errors" on some APKs. Unfortunately, I am not permitted to send the APKs to you for debugging. However, we can send you the output after running the APKs through androwarn. Is it possible to update androwarn to provide more debugging information, particularly with "index out of range" errors? Here is the output from the latest APK with this error:

    Traceback (most recent call last):
      File "/home/test/androwarn/androwarn.py", line 116, in <module>
        main(options, arguments)
      File "/home/test/androwarn/androwarn.py", line 99, in main
        data = perform_analysis(APK_FILE, a, d, x, no_connection)
      File "/home/test/androwarn/androwarn/analysis/analysis.py", line 120, in perform_analysis
        ( 'suspicious_connection_establishment', gather_suspicious_connection_establishment(x) ),
      File "/home/test/androwarn/androwarn/search/malicious_behaviours/remote_connection.py", line 68, in gather_suspicious_connection_establishment
        result.extend( detect_Socket_use(x) )
      File "/home/test/androwarn/androwarn/search/malicious_behaviours/remote_connection.py", line 52, in detect_Socket_use
        remote_port = get_register_value(2, registers)
      File "/home/test/androwarn/androwarn/core/core.py", line 426, in get_register_value
        dict = registers[index]
    IndexError: list index out of range

    opened by StephenQuirolgico 5
  • Getting IndexError: list index out of range errors

    We are also getting "IndexError: list index out of range" errors but I cannot send the app for this. We have also seen a "ValueError: invalid literal for int() with base 10: 'android.intent.action.PACKAGE_ADDED 11'" error but cannot find the app that generated this error.

    opened by StephenQuirolgico 4
  • IndexError in core.py

    When using androwarn to analyze an approximately 23MB Xamarin application, I received an IndexError on line 426 of core.py. The full traceback is below:

    Traceback (most recent call last):
      File "androwarn.py", line 116, in <module>
        main(options, arguments)
      File "androwarn.py", line 99, in main
        data = perform_analysis(APK_FILE, a, d, x, no_connection)
      File ".../androwarn/analysis/analysis.py", line 120, in perform_analysis
        ( 'suspicious_connection_establishment',	 gather_suspicious_connection_establishment(x) ),
      File ".../androwarn/search/malicious_behaviours/remote_connection.py", line 68, in gather_suspicious_connection_establishment
        result.extend( detect_Socket_use(x) )
      File ".../androwarn/search/malicious_behaviours/remote_connection.py", line 52, in detect_Socket_use
        remote_port		= get_register_value(2, registers)
      File ".../androwarn/core/core.py", line 426, in get_register_value
        dict = registers[index]
    IndexError: list index out of range
    

    We were able to work around this temporarily by wrapping the offending block in a try/except and returning ERROR_VALUE_NOT_FOUND.

    opened by steverichey 3
  • code information

    Can you please share with us the structure of the code that is written for androwarn. I am trying to find malicious apk files but I am unable to run them with this tool. Hoping to hear soon from you.

    opened by kirthimanasa 3
  • Index out of range error

    I got an error using Androwarn on the following Android app:

    https://play.google.com/store/apps/details?id=com.vaytek.crossfireremote

    Note that I am using Python 2.7.

    Traceback (most recent call last):
      File "/data/androwarn/androwarn.py", line 116, in <module>
        main(options, arguments)
      File "/data/androwarn/androwarn.py", line 95, in main
        a, d, x = AnalyzeAPK(APK_FILE)
      File "/data/androwarn/androwarn/analysis/analysis.py", line 48, in AnalyzeAPK
        a = APK(filename, raw)
      File "/data/androwarn/androguard/core/bytecodes/apk.py", line 163, in __init__
        self.xml[i] = minidom.parseString( AXMLPrinter( self.zip.read( i ) ).getBuff() )
      File "/data/androwarn/androguard/core/bytecodes/apk.py", line 877, in __init__
        self.buff += "<%s%s\n" % ( self.getPrefix( self.axml.getPrefix() ), self.axml.getName() )
      File "/data/androwarn/androguard/core/bytecodes/apk.py", line 749, in getName
        return self.sb.getRaw(self.m_name)
      File "/data/androwarn/androguard/core/bytecodes/apk.py", line 556, in getRaw
        data += unichr( self.getShort(self.m_strings, offset) )
      File "/data/androwarn/androguard/core/bytecodes/apk.py", line 567, in getShort
        value = array[offset/4].get_value()
    IndexError: list index out of range

    opened by StephenQuirolgico 1
  • ImportError: No module named androguard.misc

    After installing the requirements, I start the program as explained in the Readme file. But I faced this error message:

    Traceback (most recent call last):
      File "androwarn.py", line 30, in <module>
        from androguard.misc import AnalyzeAPK
    ImportError: No module named androguard.misc
    
    opened by m2farah 1
  • urllib2.URLError: <urlopen error [Errno 101] Network is unreachable>

    When I run the command line python androwarn.py -i 0a7f7.apk -r html -v 3, I get the following message:

    Traceback (most recent call last):
      File "androwarn.py", line 116, in <module>
        main(options, arguments)
      File "androwarn.py", line 99, in main
        data = perform_analysis(APK_FILE, a, d, x, no_connection)
      File "/home/chenjun/androwarn/androwarn/analysis/analysis.py", line 94, in perform_analysis
        app_name, app_desc, app_icon = grab_application_name_description_icon(app_package_name, no_connection)
      File "/home/chenjun/androwarn/androwarn/search/application/application.py", line 67, in grab_application_name_description_icon
        response = urllib2.urlopen(req, timeout=REQUEST_TIMEOUT)
      File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
        return opener.open(url, data, timeout)
      File "/usr/lib/python2.7/urllib2.py", line 429, in open
        response = self._open(req, data)
      File "/usr/lib/python2.7/urllib2.py", line 447, in _open
        '_open', req)
      File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
        result = func(*args)
      File "/usr/lib/python2.7/urllib2.py", line 1228, in http_open
        return self.do_open(httplib.HTTPConnection, req)
      File "/usr/lib/python2.7/urllib2.py", line 1198, in do_open
        raise URLError(err)
    urllib2.URLError: <urlopen error [Errno 101] Network is unreachable>

    The running environment of my computer is Ubuntu 16.04, Python 2.7 and Java 1.7. How could I solve this problem? Thanks.

    opened by ChenJunHero 1
  • exception must be old-style classes

    I just installed androwarn and tried to scan an apk file, but I am getting this error. Anyone know how to solve it?

    Traceback (most recent call last):
      File "androwarn.py", line 116, in <module>
        main(options, arguments)
      File "androwarn.py", line 95, in main
        a, d, x = AnalyzeAPK(APK_FILE)
      File "/root/androwarn/androwarn/analysis/analysis.py", line 48, in AnalyzeAPK
        a = APK(filename, raw)
      File "/root/androwarn/androguard/core/bytecodes/apk.py", line 163, in __init__
        self.xml[i] = minidom.parseString( AXMLPrinter( self.zip.read( i ) ).getBuff() )
      File "/root/androwarn/androguard/core/bytecodes/apk.py", line 871, in __init__
        _type = self.axml.next()
      File "/root/androwarn/androguard/core/bytecodes/apk.py", line 622, in next
        self.doNext()
      File "/root/androwarn/androguard/core/bytecodes/apk.py", line 662, in doNext
        raise("ooo")
    TypeError: exceptions must be old-style classes or derived from BaseException, not str

    opened by k1ng88 1
  • Can't get androwarn to work

    I'm unable to run androwarn, do you know what it is connecting to?

    The apk is copied from the SampleApplication directory

    %> ./androwarn.py -v 1 -i mal.apk -r txt
    Traceback (most recent call last):
      File "./androwarn.py", line 116, in <module>
        main(options, arguments)
      File "./androwarn.py", line 99, in main
        data = perform_analysis(APK_FILE, a, d, x, no_connection)
      File "/Users/xxxx/Library/Caches/shm/androwarn-master/androwarn/analysis/analysis.py", line 94, in perform_analysis
        app_name, app_desc, app_icon = grab_application_name_description_icon(app_package_name, no_connection)
      File "/Users/xxxx/Library/Caches/shm/androwarn-master/androwarn/search/application/application.py", line 67, in grab_application_name_description_icon
        response = urllib2.urlopen(req, timeout=REQUEST_TIMEOUT)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 154, in urlopen
        return opener.open(url, data, timeout)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 431, in open
        response = self._open(req, data)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 449, in _open
        '_open', req)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
        result = func(*args)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1227, in http_open
        return self.do_open(httplib.HTTPConnection, req)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1197, in do_open
        raise URLError(err)
    urllib2.URLError: <urlopen error [Errno 65] No route to host>
    
    opened by CaledoniaProject 1
  • Have the vulnerability categories changed?

    I see today the Androwarn vulnerability categories include:

    • Telephony identifiers exfiltration
    • Device settings exfiltration
    • Geolocation information leakage
    • Connection interfaces information exfiltration
    • Telephony services abuse
    • Audio/video flow interception
    • Remote connection establishment
    • PIM data leakage
    • External memory operations
    • PIM data modification
    • Arbitrary code execution
    • Denial of Service

    However, a few months ago I wrote down these categories:

    • Telephony Identifiers Leakage
    • Location Lookup
    • Connection Interfaces Exfiltration
    • Telephony Services Abuse
    • Audio Video Eavesdropping
    • Suspicious Connection Establishment
    • Pim Data Leakage
    • Code Execution

    Have the categories changed?

    opened by StephenQuirolgico 1
  • AttributeError: 'MethodAnalysis' object has no attribute 'get_code'

    [+] Androwarn version 1.6

    [+] Loading the APK file...
    Requested API level 31 is larger than maximum we have, returning API level 28 instead.
    Traceback (most recent call last):
      File "/home/shan/.local/bin/androwarn", line 8, in <module>
        sys.exit(main())
      File "/home/shan/.local/lib/python3.8/site-packages/androwarn/androwarn.py", line 86, in main
        data = perform_analysis(options.input, a, d, x, options.with_playstore_lookup)
      File "/home/shan/.local/lib/python3.8/site-packages/androwarn/warn/analysis/analysis.py", line 65, in perform_analysis
        ( 'device_settings_harvesting', gather_device_settings_harvesting(x) ),
      File "/home/shan/.local/lib/python3.8/site-packages/androwarn/warn/search/malicious_behaviours/device_settings.py", line 102, in gather_device_settings_harvesting
        result.extend( detect_log(x) )
      File "/home/shan/.local/lib/python3.8/site-packages/androwarn/warn/search/malicious_behaviours/device_settings.py", line 44, in detect_log
        for registers in data_flow_analysis(structural_analysis_results, x):
      File "/home/shan/.local/lib/python3.8/site-packages/androwarn/warn/core/core.py", line 412, in data_flow_analysis
        registers = backtrace_registers_before_call(x, parent_method, calling_offset)
      File "/home/shan/.local/lib/python3.8/site-packages/androwarn/warn/core/core.py", line 214, in backtrace_registers_before_call
        bc = method.get_code().get_bc()
    AttributeError: 'MethodAnalysis' object has no attribute 'get_code'

    opened by sivaK003 0
  • play store

    Hello, I just need some information. I have installed androwarn but I am not sure how I can use it on some application from the Google store or some application on my laptop? python3 androwarn.py -i ...... Now what should I type after -i? I am confused, can anyone help me out and make me understand this.

    opened by AJquetta 2
  • Suspicious Connection Establishment Error Description?

    I got the following Androwarn "Suspicious Connection Establishment" finding:

    "This application opens a Socket and connects it to the remote address ' returned no addresses for ; port is out of range' on the 'N/A' port".

    Can you elaborate on 'returned no addresses for', 'port is out of range', and 'N/A' port? Also, is it possible to get the file and line number for this finding?

    Thanks, Steve

    opened by StephenQuirolgico 0
  • FileNotFoundError: [Errno 2] No such file or directory

    Hello, I am new to Python and don't know how to fix this issue... can anybody tell me how to solve it?

    kali@kali:~/androwarn$ python androwarn.py -i SampleApplication.apk -r html -v 3
    [+] Androwarn version 1.6

    [+] Loading the APK file...
    Traceback (most recent call last):
      File "androwarn.py", line 96, in <module>
        main()
      File "androwarn.py", line 82, in main
        a, d, x = AnalyzeAPK(options.input)
      File "/home/kali/.local/lib/python3.8/site-packages/androguard/misc.py", line 63, in AnalyzeAPK
        a = APK(_file, raw=raw)
      File "/home/kali/.local/lib/python3.8/site-packages/androguard/core/bytecodes/apk.py", line 274, in __init__
        self.__raw = bytearray(read(filename))
      File "/home/kali/.local/lib/python3.8/site-packages/androguard/util.py", line 13, in read
        with open(filename, 'rb' if binary else 'r') as f:
    FileNotFoundError: [Errno 2] No such file or directory: 'SampleApplication.apk'

    opened by tharsh30 2
  • AndroWarn being flagged as a virus

    Some antivirus vendors seem to be flagging AndroWarn as a virus, see here: https://www.virustotal.com/gui/file/db851627421f19842feb04a62b8b2beac1b44173c0c4b94f35546cdbce229fba/detection

    opened by nightwatchcyber 1
  • UnicodeEncodeError on Otter apk

    Hi,

    I've run into an Androwarn bug on the following app:

    https://play.google.com/store/apps/details?id=com.aisense.otter

    Traceback (most recent call last):
      File "/data/androwarn_1.6/androwarn-master/androwarn.py", line 96, in <module>
        main()
      File "/data/androwarn_1.6/androwarn-master/androwarn.py", line 91, in main
        dump_analysis_results(data,sys.stdout)
      File "/data/androwarn_1.6/androwarn-master/warn/report/report.py", line 93, in dump_analysis_results
        flush_simple_string(wrapper.fill(element), file_descriptor)
      File "/data/androwarn_1.6/androwarn-master/warn/report/report.py", line 67, in flush_simple_string
        file.write("%s\n" % string)
    UnicodeEncodeError: 'ascii' codec can't encode character '\u02ce' in position 68: ordinal not in range(128)

    Can this be fixed or possibly ignored in the code so the analysis can complete?

    Thanks in advance!

    opened by StephenQuirolgico 1