i Android malware analysis tool – All things in moderation

Android malware analysis tool

1. Amandroid

Amandroid is a static analysis framework for Android apps.

The Android platform is immensely popular. However, malicious or vulnerable applications have been reported to cause several security problems. Currently there is no effective method that a market operator can use to vet apps entering a market (e.g., Google Play).

Prior works using static analysis to address Android app security problems more focus on specific problems and built specialized tools for them. We observe that a large portion of those security issues can be resolved by addressing one underlying core problem – capturing semantic behaviors of the app such as object points-to and control-/data-flow information. Thus, we designed a new approach to conducting static analysis for vetting Android apps, and built a generic framework, called Amandroid, which does flow- and context-sensitive data flow analysis in an inter-component way.

Our approach shows that a comprehensive (tracking all objects) static analysis method on Android apps is totally feasible in terms of computation resources, and the Amandroid framework is flexible and easy to be extended for many types of specialized security analyses.

Since Amandroid directly handles Inter-component control and data flows, it can be used to address security problems that result from interactions among multiple components from either the same or different apps. Amandroid analysis is sound in that it can provide assurance of the absence of the specified security problems in an app with well-specified and reasonable assumptions on the Android runtime and its library.

On top of Amandroid we performed certain specific security analyses, for instance, a) user password flow tracking, b) intent injection detection, and c) crypto API misuse checking. We apply those analyses on hundreds of apps collected from Google Play’s popular apps and a third-party security company, and the results show that it is capable of finding real security issues and efficient enough in terms of analysis time.

Amandroid Workflow

Amandroid take an Android APK x as the input, then it works as following:

  1. Extract x, then parse .dex file to Dex2Pilar module and other files (like .xml, resource.arsc) to Preprocess module.

  2. Dex2PilarConverter in Dex2Pilar module decompile the .dex file into Pilar format. Parsers in Preprocess module can provide app’s information to AppInfoCollector. Developer can specify what kind of information he/she is interested and non-interesting app can be ignored. Finally, Preprocess module will output meta data of x.

  3. AndroidEnvironmentGenerator in EnvironmentBuilder is getting all sources codes and meta datas from previous step, then building the environment method for each of the component.

  4. DataFlowFramework provide data flow analysis technics to examine data flow problems.

    AndroidReachingFactsAnalysis takes environment methods as the entry points and build IDFG.

    InterproceduralDataDependenceAnalysis takes IDFG and build DDG.

    AndroidDataDependentTaintAnalysis takes DDG and SourceAndSinkManager (provided by the developer) to do taint analysis and output taint result.

  5. Developer specified plugin get all the result, then he/she can do further analysis or visualize it in certain way.

2. Androwarn
Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.

The detection is performed with the static analysis of the application’s Dalvik bytecode, represented as Smali.

This analysis leads to the generation of a report, according to a technical detail level chosen from the user.
Structural and data flow analysis of the bytecode targeting different malicious behaviours categories
Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator’s name…
Device settings exfiltration: software version, usage statistics, system settings, logs…
Geolocation information leakage: GPS/WiFi geolocation…
Connection interfaces information exfiltration:WiFi credentials, Bluetooth MAC adress…
Telephony services abuse: premium SMS sending, phone call composition…
Audio/video flow interception: call recording, video capture…
Remote connection establishment:socket open call, Bluetooth pairing, APN settings edit…
PIM data leakage: contacts, calendar, SMS, mails…
External memory operations: file access on SD card…
PIM data modification:add/delete contacts, calendar events…
Arbitrary code execution:native code using JNI, UNIX command, privilege escalation…
Denial of Service:event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot…

3. APKInspector
APKinspector application is a powerful GUI tool for analysts to analyze the Android applications. While this application is used to aid analysts and reverse engineers to visualize compiled Android packages and their corresponding DEX code.
APKInspector provides both analysis functions and graphic features for the users to gain deep insight into the malicious apps:
APKinspector is an open source tool that allows you to do any kind of analysis on android programs. Developed with the Python language, you can reverse-engineer your apk files and perform security analysis.
– Call Graph
– Static Instrumentation
– Permission Analysis
– Dalvik codes
– Smali codes
– Java codes
– APK Information
Android apk analyze
apk reverse engineering
apk viewer

4. Droid-hunter

DROID-HUNTER is an Android application vulnerability analysis and Android pentest tool.
+ App info check
+ Baksmaling android app
+ Decompile android app
+ Extract class file
+ Extract java code
+ Pattern base Information Leakage

5. Error-Prone
Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time.
Error Prone …
– hooks into your standard build, so all developers run it without thinking
– tells you about mistakes immediately after they’re made
– produces suggested fixes, allowing you to build tooling on it

6. FindBugs + FindSecurityBugs

FindSecurityBugs is an extension of FindBugs, including Java application security rules. It will find the encryption problem and the specific problems of Android.

– It can detect 121 different vulnerability types with over 785 unique API signatures.
– Cover popular frameworks including Spring-MVC, Struts, Tapestry and many more.
– Plugins are available for Eclipse, IntelliJ, Android Studio and NetBeans. Command line integration is available with Ant and Maven.
– Can be used with systems such as Jenkins and SonarQube.
– Extensive references are given for each bug patterns with references to OWASP Top 10 and CWE.
– The project is open-source and is open for contributions.
7. FlowDroid

FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications. Unlike many other static-analysis approaches for Android we aim for an analysis with very high recall and precision. To achieve this goal we had to accomplish two main challenges: To increase precision we needed to build an analysis that is context-, flow-, field- and object-sensitive; to increase recall we had to create a complete model of Android’s app lifecycle.



  1. Amirul December 2, 2017
    • Cloudi December 5, 2017

Leave a Reply