apk anal: Android APK analyzer based on radare2 and others
What does it do?
apk-anal is a static analysis tool for APK files built on radare2, apktool and APKiD. It tries to quickly spot interesting features such as:
- root detection
- emulator detection
- unusual files
- URLs, IPs
- interesting API access (camera, mic, Bluetooth, NFC, location, fingerprint…)
and so on. Under the hood, it uses radare2 to look for certain strings, methods, symbols and imports in the DEX file(s), and runs APKiD to identify the compiler, packer or obfuscator used. It also extracts the APK and disassembles it to smali files (using apktool) so you can continue your analysis afterwards.
With extended analysis (the --extended flag), apk-anal additionally uses radare2's cross-references to show which methods access a given string, file or URL, so you have a starting point for further manual analysis.
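The following script is an added illustration of the approach described above; it is not apk-anal's own code. It shows the two pieces the README describes: a set of indicator patterns (URLs, IPs, root and emulator detection strings, sensitive Android API classes) applied to strings, imports and symbols, and an optional r2pipe hook that pulls those lists out of a DEX file with radare2 and, in extended mode, resolves cross-references with `axtj`. The indicator lists and the sample strings are constructed for the example and are not apk-anal's actual lists; the radare2 JSON field names (`string`, `vaddr`, `name`, `fcn_name`) are those of recent radare2 releases and should be checked against your installed version.

```python
"""Added example, not apk-anal's own code: minimal string/import triage in the
style the README describes, with an optional radare2 (r2pipe) back end."""
import json
import re
import sys
from collections import defaultdict

try:
    import r2pipe  # only needed by analyze_dex(); radare2 itself must be installed too
except ImportError:
    r2pipe = None

# Illustrative indicator patterns (assumption: not apk-anal's real lists).
INDICATORS = {
    "url": re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/\S*)?", re.I),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "root_detection": re.compile(
        r"/xbin/su\b|/bin/su\b|Superuser\.apk|supersu|noshufou|test-keys|RootTools", re.I),
    "emulator_detection": re.compile(
        r"ro\.kernel\.qemu|goldfish|ranchu|generic_x86|sdk_gphone|/dev/socket/qemud", re.I),
    "api_camera": re.compile(r"Landroid/hardware/(?:Camera|camera2)"),
    "api_microphone": re.compile(r"Landroid/media/(?:AudioRecord|MediaRecorder)"),
    "api_bluetooth": re.compile(r"Landroid/bluetooth/"),
    "api_nfc": re.compile(r"Landroid/nfc/"),
    "api_location": re.compile(r"Landroid/location/"),
    "api_fingerprint": re.compile(r"Landroid/hardware/fingerprint/"),
}

# Constructed sample input (not taken from a real APK) so the triage runs offline.
SAMPLE_TEXTS = [
    "http://example.com/update.php",
    "192.168.1.20",
    "/system/xbin/su",
    "eu.chainfire.supersu",
    "ro.kernel.qemu",
    "Landroid/hardware/Camera;",
    "Landroid/media/AudioRecord;",
    "Landroid/location/LocationManager;",
    "Hello world",
]


def classify(texts):
    """Map each indicator category to the sorted list of texts matching it.
    Categories with no hits are omitted."""
    hits = defaultdict(set)
    for text in texts:
        for category, pattern in INDICATORS.items():
            if pattern.search(text):
                hits[category].add(text)
    return {category: sorted(matches) for category, matches in hits.items()}


def analyze_dex(path, extended=False):
    """Triage a classes.dex with radare2 via r2pipe (requires r2pipe + radare2).
    radare2 commands used: izj (strings), iij (imports), isj (symbols),
    aaa (analysis) and axtj (cross-references to an address)."""
    if r2pipe is None:
        raise RuntimeError("r2pipe and radare2 are required for analyze_dex()")
    r2 = r2pipe.open(path)
    try:
        if extended:
            r2.cmd("aaa")  # build function/xref information first
        strings = r2.cmdj("izj") or []
        imports = r2.cmdj("iij") or []
        symbols = r2.cmdj("isj") or []
        report = {
            "strings": classify(s.get("string", "") for s in strings),
            "imports": classify(i.get("name", "") for i in imports),
            "symbols": classify(s.get("name", "") for s in symbols),
        }
        if extended:
            # For every flagged string, list the functions that reference it.
            addr_of = {s.get("string"): s.get("vaddr") for s in strings}
            xrefs = {}
            for matches in report["strings"].values():
                for text in matches:
                    addr = addr_of.get(text)
                    if addr is None:
                        continue
                    refs = r2.cmdj("axtj 0x%x" % addr) or []
                    xrefs[text] = sorted({ref.get("fcn_name", "?") for ref in refs})
            report["xrefs"] = xrefs
        return report
    finally:
        r2.quit()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python triage.py classes.dex [--extended]
        print(json.dumps(analyze_dex(sys.argv[1], "--extended" in sys.argv), indent=2))
    else:
        print(json.dumps(classify(SAMPLE_TEXTS), indent=2))
```

Run without arguments to see the triage over the constructed sample strings; pass a path to a classes.dex (and optionally `--extended`) to run it against a real file through radare2. Pattern-based triage like this only surfaces candidates: an obfuscated sample can hide the same behaviour behind reflection or string decryption, which is why the cross-references are the starting point rather than the end of the analysis.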
The script was more or less quickly hacked together and has only been tested on a handful of malware samples, so don't expect too much. You may get similar information from online services such as Koodous; still, it is useful for a quick analysis on your local system.
This script is based on an article by @trufae on analyzing APK files with radare2: https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/
Requirements:
- apktool (https://ibotpeaches.github.io/Apktool/)
- radare2 (https://radare.org – use the latest version from Git)
- Python modules: filemagic, r2pipe
- grep with -E (extended regex) support
- java in PATH
Optional (but useful):
Installation:
git clone https://github.com/mhelwig/apk-anal.git
Analyse an APK file (--apktool points at the apktool jar):
python apk-anal.py --apktool /opt/apktool_2.2.4.jar example.apk
Analyse a DEX file:
python apk-anal.py --apktool /opt/apktool_2.2.4.jar -d example.dex
Extended analysis with radare2 (which also gives you cross-references):
python apk-anal.py --extended --apktool /opt/apktool_2.2.4.jar example.apk