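def each(self, target):
    """Statically analyse one APK and fill ``self.results`` with its metadata.

    Args:
        target: path of the APK file handed to ``AnalyzeAPK``.

    Returns:
        True unconditionally. Any failure is reported through
        ``self.log('error', ...)`` and leaves the affected ``self.results``
        entries at their defaults (``None`` / ``[]``).
    """
    self.results = dict(
        name=None,
        files=[],
        package=None,
        permissions=[],
        declared_permissions=[],
        main_activity=None,
        activities=[],
        receivers=[],
        services=[],
        manifest=None,
        libraries=[],
        main_activity_content=None,
        internal_classes=[],
    )
    try:
        apk, vm, vm_analysis = AnalyzeAPK(target)

        # First, get basic information about the APK
        self.results['name'] = apk.get_app_name()
        self.results['files'] = apk.get_files_types()
        self.results['package'] = apk.get_package()
        self.results['permissions'] = apk.get_details_permissions()
        self.results['declared_permissions'] = apk.get_declared_permissions_details()
        self.results['main_activity'] = apk.get_main_activity()
        self.results['activities'] = apk.get_activities()
        self.results['receivers'] = apk.get_receivers()
        self.results['services'] = apk.get_services()
        self.results['manifest'] = apk.get_android_manifest_axml().get_xml()
        self.results['libraries'] = list(apk.get_libraries())

        # Decompile the main activity. The dotted Java name has to be turned
        # into a DEX descriptor ("Lcom/foo/Main;") before the class lookup.
        main_activity = self.results['main_activity']
        if main_activity:
            try:
                descriptor = "L{};".format(main_activity).replace('.', '/')
                self.results['main_activity_content'] = (
                    vm[0].get_class(descriptor).get_source()
                )
            except Exception:
                # traceback.print_exc() returns None; format_exc() gives the
                # text the logger actually needs.
                self.log('error', traceback.format_exc())

        try:
            self.results['internal_classes'] = self._get_internal_classes(vm_analysis)
            self._store_internal_classes()
        except Exception:
            self.log('error', traceback.format_exc())

        # Then, run all the APK Plugins in order to see if this is a known malware
        for plugin_cls in APKPlugin.__subclasses__():
            plugin_cls(target, apk, vm, vm_analysis).apply(self)
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit still
        # propagate.
        self.log('error', traceback.format_exc())
    return True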
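def _normalize_fingerprint(value):
    """Return *value* as an upper-case hex string without spaces or colons.

    Lets "9c:a5:..." and "9C A5 ..." compare equal.
    """
    return str(value).replace(" ", "").replace(":", "").upper()


def _is_platform_signed(a, platform_sha1):
    """Return True when the APK's first signing certificate matches *platform_sha1*.

    Only the first certificate is compared, which is what the original check
    did; an APK with no certificate at all is reported as NOT signed (the
    original left its flag at its default and accepted it).
    TODO(review): decide whether every signer must match for a priv-app.
    """
    certs = list(a.get_certificates())
    if not certs:
        return False
    # Fields available on each cert object (androguard): sha1_fingerprint,
    # sha256_fingerprint, issuer.human_friendly, subject.human_friendly,
    # hash_algo, signature_algo, serial_number, contents (DER bytes).
    return _normalize_fingerprint(certs[0].sha1_fingerprint) == _normalize_fingerprint(platform_sha1)


def _lookup_protection_level(permission):
    """Ask the connected device for the protection level of *permission*.

    Runs ``pm list permissions -f`` on the device through ``adb shell`` and
    returns the first matching "protection..." line, or "" when nothing was
    found or adb could not be run.
    """
    import shlex
    import subprocess

    # The permission name comes from the APK manifest, i.e. untrusted input.
    # It is quoted for the device shell and passed as one argv element, so no
    # local shell is involved at all (the original interpolated it into a
    # shell=True command string). grep still treats it as a regex pattern,
    # as the original command did.
    remote = (
        "pm list permissions -f | grep %s -A 10 | grep protection | head -n 1"
        % shlex.quote(permission)
    )
    try:
        output = subprocess.check_output(["adb", "shell", remote])
    except (OSError, subprocess.CalledProcessError):
        return ""
    return output.decode("utf-8").strip()


def _report_services(a):
    """Print every service that is exported or carries an intent-filter.

    For each service name returned by androguard the manifest is searched for
    <service> elements whose android:name contains the last dotted component
    of that name (manifests may use the short ".Foo" form). When several
    elements match, the permission/exported values of the last one are
    reported and the intent-filter actions of all of them are listed.
    """
    manifest_xml = str(a.get_android_manifest_axml().get_xml())
    soup = BeautifulSoup(manifest_xml, 'html.parser')
    # Hoisted: the element list is the same for every service name.
    service_elements = soup.find_all("service")

    for full_name in a.get_services():
        short_name = full_name.split(".")[-1]
        intent_filter = []
        permission = ""
        exported = False
        has_ifilter = False

        for service in service_elements:
            # Elements without android:name cannot be matched; the original
            # fell through and folded them into every service.
            if not service.has_attr('android:name'):
                continue
            if short_name not in service['android:name']:
                continue
            permission = service.get('android:permission', "")
            exported = service.get('android:exported') == "true"
            filters = service.find_all('intent-filter')
            if filters:
                has_ifilter = True
                for flt in filters:
                    for action in flt.find_all('action'):
                        name = action.get('android:name')
                        if name is not None:
                            intent_filter.append(name)

        if not (exported or has_ifilter):
            continue
        print("[!] (exported=[%s]) ->" % (exported), end=' ')
        print(short_name, end='')
        print(" (perm:[%s])" % permission, end="->")
        if permission:
            level = _lookup_protection_level(permission)
            if len(level) < 2:
                print("[can not find permission]")
            else:
                print("[%s]" % (level))
        else:
            print("[no permission]")
        for intent in intent_filter:
            print("\t[->]intent-filter action: [%s] " % intent)


def main(file_name, *, platform_sha1="9C A5 17 0F 38 19 19 DF E0 44 6F CD AB 18 B1 9A 14 3B 31 63"):
    """Audit the services and receivers of a platform-signed (priv-app) APK.

    Args:
        file_name: path of the APK; a value shorter than two characters falls
            back to "BackupAndRestore.apk", as before.
        platform_sha1: SHA-1 fingerprint the first signing certificate must
            carry for the APK to be treated as a priv-app. Defaults to the
            value the original hard-coded.

    Exits with status 1 when the APK is not signed with *platform_sha1*.
    """
    apk_file = file_name if len(file_name) >= 2 else "BackupAndRestore.apk"
    a, _dex, _analysis = AnalyzeAPK(apk_file)

    if not _is_platform_signed(a, platform_sha1):
        sys.exit(1)
    print("----------------------------------------------------")
    print("[+] %s init Done" % (apk_file))
    print("[+] is priv-app [True] ")

    if not a.is_signed_v2() or not a.is_signed_v3():
        print("[!] APK [%s] is not signed from v2, v3" % (apk_file))

    _report_services(a)

    for receive_name in a.get_receivers():
        print("[+] Receiver : " + receive_name)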
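def _parse_manifest(a, i):
    """Return the parsed AndroidManifest DOM of *a*, or None on failure.

    Tries the binary (axml) manifest first and the plain xml one second;
    a failure of both is printed with the APK name *i* instead of raised.
    """
    try:
        return minidom.parseString(a.get_android_manifest_axml().get_xml())
    except Exception:
        pass
    try:
        return minidom.parseString(a.get_android_manifest_xml().get_xml())
    except Exception as e:
        # The original concatenated the exception object to a str, which
        # raised a TypeError instead of printing the message.
        print("e: %s : Failed to extract Manifest from APK with error:\n%s" % (i, e))
        return None


def _named_elements(root, tag):
    """Return the set of android:name values of all *tag* elements under *root*."""
    return {
        el.getAttribute("android:name")
        for el in root.getElementsByTagName(tag)
        if el.hasAttribute("android:name")
    }


def _write_feature_lines(fout, prefix, names):
    """Write one "prefix::name" line per entry of *names*, if there are any.

    Names are sorted so the output file is reproducible (the original wrote
    them in set iteration order).
    """
    if names:
        fout.write('\n'.join(prefix + "::" + name for name in sorted(names)))
        fout.write("\n")


def apkGetManifest(i):
    """Extract manifest features of APK *i* into a text file named after it.

    Reads ``join(apkpath, i)`` and writes ``join(manifestpath, i)`` (both
    directories are module-level names), one "<kind>::<android:name>" line
    per hardware feature, permission, activity, service, receiver, provider
    and intent-filter action/category. Nothing is written when the manifest
    cannot be parsed (the original crashed on a None DOM in that case).
    """
    a, _dex, _analysis = AnalyzeAPK(join(apkpath, i))
    dom = _parse_manifest(a, i)
    if dom is None:
        return
    root = dom.documentElement

    feature_tags = (
        ("hardware", "uses-feature"),
        ("permission", "uses-permission"),
        ("activity", "activity"),
        ("service", "service"),
        ("receiver", "receiver"),
        ("provider", "provider"),
    )
    with open(join(manifestpath, i), 'w', encoding='utf-8') as fout:
        for prefix, tag in feature_tags:
            _write_feature_lines(fout, prefix, _named_elements(root, tag))
        # Actions and categories share the single "intent-filter" namespace.
        intent_names = _named_elements(root, "action") | _named_elements(root, "category")
        _write_feature_lines(fout, "intent-filter", intent_names)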
print("[+] %s init Done" % (apk_file)) print("[+] is priv-app [True] ") break else: signed_flag = False #print("[-] is priv-app [False]") break if (signed_flag == False): sys.exit(1) if (not a.is_signed_v2() or not a.is_signed_v3()): print("[!] APK [%s] is not signed from v2, v3" % (apk_file)) service_lists = a.get_services() manifestData = str(a.get_android_manifest_axml().get_xml()) soup = BeautifulSoup(manifestData, 'html.parser') for service_name in service_lists: tmpData = "" intent_filter = [] permission = "" exported = False has_ifilter = False service_name = service_name.split(".")[-1] services = soup.find_all("service") for service in services: if (service.has_attr('android:name')): if (service_name in service['android:name']): pass else: continue