ANDROID MALWARE ANALYSIS TOOLS – PART2 – All things in moderation

ANDROID MALWARE ANALYSIS TOOLS – PART2

Install Androguard (Ubuntu 14.04)
– Install Python:
Install Python 2.7 with the following commands:

$sudo add-apt-repository ppa:fkrull/deadsnakes
$sudo apt-get update
$sudo apt-get install python2.7
– Using pip, install ipython_genutils:
$ sudo pip install ipython_genutils

Then, we install ipython and pygments:

$sudo easy_install ipython
$sudo easy_install pygments

In a terminal, clone Androguard with git:

$git clone https://github.com/androguard/androguard.git

Install Androguard from the cloned directory:

$cd androguard
$sudo python setup.py install

If running one of the tools (here androaxml.py) fails with this traceback:

Traceback (most recent call last):
  File "./androaxml.py", line 84, in <module>
    main(options, arguments)
  File "./androaxml.py", line 54, in main
    a = apk.APK(options.input)
  File "/home/manh/androguard/androguard/core/bytecodes/apk.py", line 194, in __init__
    self.zip = zipfile.ZipFile(StringIO.StringIO(self.__raw), mode=mode)
  File "/usr/lib/python2.7/zipfile.py", line 770, in __init__
    self._RealGetContents()
  File "/usr/lib/python2.7/zipfile.py", line 857, in _RealGetContents
    x._decodeExtra()
  File "/usr/lib/python2.7/zipfile.py", line 388, in _decodeExtra
    tp, ln = unpack('HH', extra[:4])
struct.error: unpack requires a string argument of length 4

open zipfile.py:

$sudo nano /usr/lib/python2.7/zipfile.py

and change the loop condition in _decodeExtra:

while extra:

=> while len(extra) > 4:

Note that this edits the system-wide Python 2.7 standard library, so the change applies to every program that uses zipfile, not only Androguard.
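The struct.error above comes from zipfile's extra-field loop assuming that every remaining byte starts a full 4-byte record header, which is not true for APKs whose ZIP extra fields carry trailing padding. As an added example (not from the post or from Androguard), the two functions below reproduce the original loop and a tolerant version side by side on a constructed extra field; the tolerant version uses `>= 4`, the condition CPython itself later adopted, rather than the post's `> 4`, and also stops on a record whose declared length overruns the buffer.

```python
import struct

# Constructed sample: one well-formed extra record (tag 0xCAFE, 2 bytes of data)
# followed by two stray padding bytes, the kind of trailing fragment that made the
# original `while extra:` loop in Python 2.7's zipfile raise struct.error.
SAMPLE_EXTRA = struct.pack('<HH', 0xCAFE, 2) + b'\x01\x02' + b'\x00\x00'


def decode_extra_strict(extra):
    """Mirror the original Python 2.7 zipfile loop (`while extra:`): every
    remaining byte is assumed to start a full 4-byte record header, so a
    trailing fragment shorter than 4 bytes makes struct.unpack fail.
    ('<HH' is the ZIP spec's little-endian layout; 2.7 used native 'HH'.)"""
    records = []
    while extra:
        tag, length = struct.unpack('<HH', extra[:4])
        records.append((tag, extra[4:4 + length]))
        extra = extra[4 + length:]
    return records


def decode_extra_tolerant(extra):
    """Stop when fewer than 4 bytes remain (same idea as the page's fix, with
    `>= 4` so a record with an empty payload is still decoded) and also stop on
    a record whose declared length runs past the end of the buffer.
    Returns (records, leftover_bytes) so a caller can log what was skipped."""
    records = []
    while len(extra) >= 4:
        tag, length = struct.unpack('<HH', extra[:4])
        if 4 + length > len(extra):
            break  # declared length overruns the buffer: truncated record
        records.append((tag, extra[4:4 + length]))
        extra = extra[4 + length:]
    return records, extra


def strict_fails(extra):
    """True if the strict (original) parser raises struct.error on this field."""
    try:
        decode_extra_strict(extra)
    except struct.error:
        return True
    return False


if __name__ == '__main__':
    print('strict parser raises on sample:', strict_fails(SAMPLE_EXTRA))
    recs, leftover = decode_extra_tolerant(SAMPLE_EXTRA)
    for tag, data in recs:
        print('record tag=0x%04X len=%d data=%s' % (tag, len(data), data.hex()))
    print('unparsed trailing bytes:', leftover.hex())
```

Running it shows the strict loop raising on the padded field while the tolerant loop returns the one valid record and reports the two leftover bytes, which is the behaviour an analysis tool wants when it meets a malformed APK.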

Install networkx:

sudo apt-get update
sudo apt-get install python-networkx

References:
http://www.technotalkative.com/part-1-reverse-engineering-using-androguard/
http://www.technotalkative.com/part-2-deep-analysis-using-androguard-tools-2/

Tools:

Androaxml
Used to view the AndroidManifest.xml file of an APK.

Syntax:
./androaxml.py -i [path_of_apk] -o [name_of_output_file]

Example:
./androaxml.py -i demo.apk -o output.xml
-i: path of the input APK.
-o: path of the output file.

Androsim
Decompiles two applications (APK files) and compares them to find which components have been modified.
Windows:

androsim.exe -i [first_apk] [second_apk] -c ZLIB -n

Example:
androsim.exe -i demo.apk demo1.apk -c ZLIB -n
Linux:

python androsim.py -i circle.apk circle1.apk -c ZLIB -n

Example:
python androsim.py -i circle.apk circle1.apk -c ZLIB -n -d

-c specifies the compressor type (BZ2, ZLIB, SNAPPY, LZMA, XZ).
-d displays method names in the output.

Androdd
Dumps all methods of all classes in an Android package.
To produce graphical output for every method of every class in an APK, use androdd.py, which ships with Androguard.
Syntax:

./androdd.py -i [path_of_apk] -o [output_directory]
-i: path of the input APK
-o: path of the output directory

Example:
python androdd.py -i circle2.apk -o ./dd

Now look in the dd directory: the graph of every method is written as a .ag file, alongside the decompiled Java files. To get the graphs as .png images instead, pass -f png as an argument:

python androdd.py -i circle2.apk -o ./dd -f png
OR
./androdd.py -i circle2.apk -o ./dd -f png

Androapkinfo
Displays complete information about an APK file.
Androapkinfo shows files, permissions, the main activity, all activities, services and obfuscation-related information at once.
Syntax:

python androapkinfo.py -i path_of_first_apk
OR
./androapkinfo.py -i path_of_first_apk
