apk-anal
Android APK analyzer based on radare2 and others.
What does it do?
It's an static analys tool for APK files based on radare2, apktool and APKiD. It tries to quickly determine interesting features like
- root detection
- emulator detection
- unusual files
- URLs, IPs
- interesting API access (camera, mic, bluetooth, nfc, location, fingerprint...)
etc. Under the hood, it uses radare2 to look for certain strings, methods, symbols and imports in the dex file(s). It also extracts the APK and disassembles it to smali files (using apktool) so you can continue your analysis afterwards.
When doing extended analysis (via --extended
flag) APK-Anal tries to find cross references within the code to show you which methods access certain strings, files, urls etc. so you have a starting point for further analysis.
The script was more or less quickly hacked together and only tested with a handful of malware samples. Don't expect too much. You might get similar information using online services like "koodous". Still, it's useful for quick analysis on your local system.
This script was based on an article by @trufae on analysing APK files with radare2: https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/
Why apk-anal?
Because of Radare2 (https://github.com/radare/radare2/tree/master/libr/anal).
Requirements
- apktool (https://ibotpeaches.github.io/Apktool/)
- radare2 (https://radare.org - use latest from Git)
- python-modules: filemagic, r2pipe, argparse
- grep with -E option
- java in path
Optional (but useful):
Installation
Just download the apk-anal.py script. You have to install the requirements yourself.
You should be able to install the python requirements via the requirements.txt file:
pip install -r requirements.txt
Usage
% python apk-anal.py -h
usage: apk-anal.py [-h] [--output OUTPUT] [--dex] [--apktool APKTOOL]
[--skip-extraction] [--skip-assets] [--extended]
[--cleanup] [--cleanup-before]
[apkfile]
positional arguments:
apkfile apk file to analyse
optional arguments:
-h, --help show this help message and exit
--output OUTPUT, -o OUTPUT
output directory
--dex, -d dex file to analyse (skips extraction and disassembly
of apk)
--apktool APKTOOL Path to apktool jar file
--skip-extraction skip decompilation & extraction. Assumes you already
have something extracted to output-dir
--skip-assets skip asset listing and filetype detection
--extended Do extended radare2 analysis. Try to find XREFS. This
might take some time.
--cleanup Delete extracted files after completion. WARNING: Deletes content
of output directory.
--cleanup-before Cleanup before extraction. WARNING: Deletes content
of output directory.
Examples
Analyse APK file:
python apk-anal.py --apktool /opt/apktool_2.2.4.jar example.apk
Analyse DEX file:
python apk-anal.py --apktool /opt/apktool_2.2.4.jar -d example.dex
Extended analysis with radare2 (which gives you XREFS):
python apk-anal.py --extended --apktool /opt/apktool_2.2.4.jar example.apk
Further development
Please let me know about issues and suggestions for improvements. Search terms can certainly be improved and adjusted.
Feel free to contact me on Twitter (@c0dmtr1x) or via email ([email protected]).