Android Arsenal – Dynamic analysis tools

  • Android Hooker Hooker is an opensource project for dynamic analyses of Android applications. This project provides various tools and applications that can be use to automatically intercept and modify any API calls made by a targeted application.It leverages Android Substrate framework to intercept these calls and aggregate all their contextual information (parameters, returned values, …). Collected information can either be stored in a ElasticSearch or in JSON files.

    A set of python scripts is also provided to automatize the execution of an analysis to collect any API calls made by a set of applications.

  • AppAuditOnline tool ( including an API) uses dynamic and static analysis to detect hidden data leaks in an application .
  • BareDroidBareDroid allows for bare-metal analysis on Android devices. See the paper here
  • CuckooDroidCuckooDroid is an extension of Cuckoo Sandbox the Open Source software for automating analysis of suspicious files, CuckooDroid brigs to cuckoo the capabilities of execution and analysis of android application.
  • DroidboxDroidBox is developed to offer dynamic analysis of Android applications. The following information is described in the results, generated when analysis is complete:
    • Hashes for the analyzed package
    • Incoming/outgoing network data
    • File read and write operations
    • Started services and loaded classes through DexClassLoader
    • Information leaks via the network, file and SMS
    • Circumvented permissions
    • Cryptographic operations performed using Android API
    • Listing broadcast receivers
    • Sent SMS and phone calls

    Additionally, two graphs are generated visualizing the behavior of the package. One showing the temporal order of the operations and the other one being a treemap that can be used to check similarity between analyzed packages.

  • Droid-FFDroid-FF is an Android File Fuzzing Framework
  • Drozerdrozer helps to provide confidence that Android apps and devices being developed by, or deployed across, your organisation do not pose an unacceptable level of risk. By allowing you to interact with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

    drozer provides tools to help you use and share public exploits for Android. For remote exploits, it can generate shellcode to help you to deploy the drozer Agent as a remote administrator tool, with maximum leverage on the device.

  • MarvinMarvin is a system that analyzes Android applications in search of vulnerabilities and allows tracking of an app through its version history.It is composed of 4 subsystems:
    • Marvin-django: The web application frontend for use and adminsitration of Marvin (this repostory). It includes a bayesian classifier that provides a probability estimation of a given Android app being malware.
    • Marvin-static-Analyzer: A static code analysis system that uses Androguard and Static Android Analysis Framework (SAAF).
    • Marvin-dynamic-Analyzer: A dynamic code analysis system that uses Android x86-emulators and Open Nebula virtualization to find vulnerabilities automatically
    • Marvin-toqueton: An automated GUI testing tool developed to assist Marvin’s dynamic code analysis.

    A Marvin user’s guide is provided in the docs folder of this repository.

  • InspeckageInspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.
  • PATDroidPATDroid is a collection of tools and data structures for analyzing Android applications and the system itself. We intend to build it as a common base for developing novel mobile software debugging, refactoring, reverse engineering tools.