APKiD v2.0.0 releases: Android Application Identifier for Packers, Protectors, Obfuscators and Oddities

APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It’s PEiD for Android.

For more information on what this tool can be used for, check out:

Changelog v2.0

  • Rewrite core code — cleaner API, Python 3.6+ compatible, type hints
  • New rules — Arxan GuardIT, SecNeo, SecEnh, AppSealing, AliPay, GaoXor, Kiwi, Gemalto
  • Updated yara-python dependency to 3.10.0 (removed dependency on our custom fork!)
  • General rule cleanup and refactoring
  • 14.7% more cool
  • Readme now includes a screenshot because the marketing department demanded one

Installing

The yara-python clone and compile steps here are temporarily necessary because we must point directly to our modified version of a Yara branch which includes our DEX Yara module. This step is necessary until (if?) the original maintainers of Yaramerge our module into the master branch. When this happens, we will update the instructions here. After the yara-python fork is compiled, you can use pip to the most currently published APKiD package.

git clone –recursive https://github.com/rednaga/yara-python
cd yara-python
python setup.py install
pip install apkid

Docker install

In an attempt to reduce the support ticket we receive from the above instructions being hard to follow, there is a docker file and script which can be used for processing files quickly. This also serves as a proof that the above instructions do work! This usage, of course, requires that you have docker correctly installed on your machine. However, the following instructions should “just work” if you have docker and git install on a machine:

git clone https://github.com/rednaga/APKiD
cd APKiD/
docker-compose build
cd docker/
./apkid.sh ~/reverse/targets/android/example/example.apk
[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
[*] example.apk!classes.dex
|-> compiler : dx

Usage

usage: apkid [-h] [-j] [-t TIMEOUT] [-o DIR] [FILE [FILE ...]]

APKiD - Android Application Identifier v1.0.0

positional arguments:
  FILE                  apk, dex, or directory

optional arguments:
  -h, --help            show this help message and exit
  -j, --json            output results in JSON format
  -t TIMEOUT, --timeout TIMEOUT
                        Yara scan timeout (in seconds)
  -o DIR, --output-dir DIR
                        write individual JSON results to this directory

APKiD

Submitting New Packers / Compilers / Obfuscators

If you come across an APK or DEX which APKiD does not recognize, please open a GitHub issue and tell us:

  • what you think it is
  • the file hash (either MD5, SHA1, SHA256)

We are open to any type of concept you might have for “something interesting” to detect, so do not limit yourself solely to packers, compilers or obfuscators. If there is an interesting anti disassembler, anti vm, anti* trick, please make an issue.

You’re also welcome to submit pull requests. Just be sure to include a file hash so we can check the rule.

Hacking
First, you will need to install the specific version of yara-python the project depends on (more information about this in the Installing section):

git clone –recursive https://github.com/rednaga/yara-python
cd yara-python
python setup.py install

Then, clone this repo, compile the rules, and install the package in editable mode:

git clone https://github.com/rednaga/APKiD
cd APKiD
./prep-release.py
pip install -e .[dev]

If the above doesn’t work, due to permission errors dependent on your local machine and where Python has been installed, try specifying the –user flag. This is likely needed if you are working on OSX:

pip install –e .[dev] –user

Copyright (C) 2019 RedNaga. https://rednaga.io

Source: https://github.com/rednaga/

Share