apk-anal: Android APK analyzer based on radare2 and others

What does it do?

apk-anal is a static analysis tool for APK files based on radare2, apktool, and APKiD. It tries to quickly determine interesting features like

  • root detection
  • emulator detection
  • unusual files
  • URLs, IPs
  • interesting API access (camera, mic, Bluetooth, NFC, location, fingerprint…)

etc. Under the hood, it uses radare2 to look for certain strings, methods, symbols, and imports in the dex file(s). It also extracts the APK and disassembles it to smali files (using apktool) so you can continue your analysis afterward.
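The string-matching step described above, as an added example (not apk-anal's own code): it reads the DEX string table directly in Python instead of driving radare2, then groups the strings by indicator category. The indicator patterns, the function names, and the sample DEX built by `build_sample_dex` are assumptions constructed for illustration.

```python
import re
import struct

# Illustrative indicator patterns (assumptions; not apk-anal's own lists).
INDICATORS = {
    "root_detection": re.compile(r"/(?:s?bin|xbin)/su$|Superuser\.apk|test-keys"),
    "emulator_detection": re.compile(r"goldfish|ro\.kernel\.qemu|Genymotion"),
    "url_or_ip": re.compile(r"https?://|\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def read_uleb128(buf, off):  # returns (value, next_offset)
    value = shift = 0
    while True:
        byte = buf[off]
        value |= (byte & 0x7F) << shift
        off, shift = off + 1, shift + 7
        if not byte & 0x80:
            return value, off

def dex_strings(buf):  # yields every entry of the DEX string_ids table
    if len(buf) < 0x70 or buf[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", buf, 0x38)  # string_ids_size/off
    if ids_off + 4 * count > len(buf):
        raise ValueError("string_ids table runs past end of file")
    for (data_off,) in struct.iter_unpack("<I", buf[ids_off:ids_off + 4 * count]):
        if data_off >= len(buf):
            raise ValueError("string data offset out of bounds")
        _, start = read_uleb128(buf, data_off)   # skip the utf16_size prefix
        end = buf.index(b"\0", start)            # data is NUL-terminated MUTF-8
        yield buf[start:end].decode("utf-8", errors="replace")

def triage(buf):  # groups DEX strings by the indicator category they match
    hits = {name: [] for name in INDICATORS}
    for s in dex_strings(buf):
        for name, rx in INDICATORS.items():
            if rx.search(s):
                hits[name].append(s)
    return hits

def build_sample_dex(strings):  # constructed input: header + string table only
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    ids, data, base = b"", b"", 0x70 + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", base + len(data))
        data += bytes([len(s)]) + s.encode() + b"\0"  # 1-byte uleb128 (<128)
    return bytes(header) + ids + data
```

Dotted version strings such as `1.2.3.4` also match the IP pattern, so hits are leads for manual review rather than confirmed findings.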

When doing extended analysis (via the --extended flag), apk-anal tries to find cross-references within the code to show you which methods access certain strings, files, URLs, etc., so you have a starting point for further analysis.

The script was more or less quickly hacked together and only tested with a handful of malware samples. Don’t expect too much. You might get similar information using online services like “koodous”. Still, it’s useful for quick analysis on your local system.

This script was based on an article by @trufae on analyzing APK files with radare2: https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/

Requirements

Optional (but useful):

Installation

git clone https://github.com/mhelwig/apk-anal.git

Usage

% python apk-anal.py -h
usage: apk-anal.py [-h] [--output OUTPUT] [--dex] [--apktool APKTOOL]
                   [--skip-extraction] [--skip-assets] [--extended]
                   [--cleanup] [--cleanup-before]
                   [apkfile]

positional arguments:
  apkfile               apk file to analyse

optional arguments:
  -h, --help            show this help message and exit
  --output OUTPUT, -o OUTPUT
                        output directory
  --dex, -d             dex file to analyse (skips extraction and disassembly
                        of apk)
  --apktool APKTOOL     Path to apktool jar file
  --skip-extraction     skip decompilation & extraction. Assumes you already
                        have something extracted to output-dir
  --skip-assets         skip asset listing and filetype detection
  --extended            Do extended radare2 analysis. Try to find XREFS. This
                        might take some time.
  --cleanup             Delete extracted files after completion. WARNING: Deletes content
                        of output directory.
  --cleanup-before      Cleanup before extraction. WARNING: Deletes content
                        of output directory.

Examples

Analyse APK file:

python apk-anal.py --apktool /opt/apktool_2.2.4.jar example.apk

Analyse DEX file:

python apk-anal.py --apktool /opt/apktool_2.2.4.jar -d example.dex

Extended analysis with radare2 (which gives you XREFS):

python apk-anal.py --extended --apktool /opt/apktool_2.2.4.jar example.apk

Source: https://github.com/mhelwig/apk-anal