Monday, March 19, 2012

Androguard + Mercury

Hi!

I saw Mercury and I wanted to test it in order to check malware or other things with my tools, so I wrote a small script to do that.

You can follow the quick start in order to install and run Mercury in an emulator or on your device. After that, you can download androguard, compile it, and create a symlink from your Mercury directory to the androguard main directory.

Next, you can view all packages:
desnos@t0t0:~/androguard$ ./andromercury.py -l *

Package name: android
Process name: system
Version: 4.0.3-237985
Data directory: /data/system
APK path: /system/framework/framework-res.apk
UID: 1000
GID: 1015; 3002; 3001; 3003;
SharedUserId: android.uid.system (1000)
Permissions: android.intent.category.MASTER_CLEAR.permission.C2D_MESSAGE; android.permission.CONFIRM_FULL_BACKUP;
[...]

And you can also get specific packages and save them directly in a directory:
desnos@t0t0:~/androguard$ ./andromercury.py -i com.mwr.mercury -o outputmercury/

Package name: com.mwr.mercury
Process name: com.mwr.mercury
Version: 1.0
Data directory: /data/data/com.mwr.mercury
APK path: /data/app/com.mwr.mercury-1.apk
UID: 10040
GID: 3003; 
Permissions: android.permission.INTERNET;

/data/app/com.mwr.mercury-1.apk 6f9fadea2f620445e159f3818553b5aa 

But so far this is exactly the same thing as the Mercury shell. Are you interested in scanning the apps from your mobile phone offline? :)

If so, you must specify a database (in my case it will be my open-source database of malware) and a config:
desnos@t0t0:~/androguard$ ./andromercury.py -i com.mwr.mercury -o outputmercury/ -b signatures/dbandroguard -c signatures/dbconfig 
Package name: com.mwr.mercury
Process name: com.mwr.mercury
Version: 1.0
Data directory: /data/data/com.mwr.mercury
APK path: /data/app/com.mwr.mercury-1.apk
UID: 10040
GID: 3003; 
Permissions: android.permission.INTERNET;

/data/app/com.mwr.mercury-1.apk 6f9fadea2f620445e159f3818553b5aa  ----> None

And in the case of a malware sample:
desnos@t0t0:~/androguard$ ./andromercury.py -i org.eapp -o outputmercury/ -b signatures/dbandroguard -c signatures/dbconfig

Package name: org.eapp
Process name: org.eapp
Version: 2.9.2
Data directory: /data/data/org.eapp
APK path: /data/app/org.eapp-1.apk
UID: 10041
GID: 1015; 3003; 1007;
Permissions: android.permission.SEND_SMS; android.permission.RECEIVE_SMS; android.permission.WRITE_EXTERNAL_STORAGE; android.permission.ACCESS_COARSE_LOCATION; android.permission.ACCESS_COARSE_UPDATES; android.permission.ACCESS_FINE_LOCATION; android.permission.ACCESS_NETWORK_STATE; android.permission.ACCESS_WIFI_STATE; android.permission.CHANGE_WIFI_STATE; android.permission.DISABLE_KEYGUARD; android.permission.GET_ACCOUNTS; android.permission.GET_TASKS; android.permission.INTERNET; android.permission.KILL_BACKGROUND_PROCESSES; android.permission.MANAGE_ACCOUNTS; android.permission.MOUNT_FORMAT_FILESYSTEMS; android.permission.MOUNT_UNMOUNT_FILESYSTEMS; android.permission.READ_CONTACTS; android.permission.READ_LOGS; android.permission.READ_PHONE_STATE; android.permission.READ_SMS; android.permission.READ_SYNC_SETTINGS; android.permission.RECEIVE_BOOT_COMPLETED; android.permission.RESTART_PACKAGES; android.permission.WRITE_CALENDAR; android.permission.WRITE_CONTACTS; android.permission.WRITE_OWNER_DATA; android.permission.WRITE_SETTINGS; android.permission.WRITE_SMS; android.permission.WRITE_SYNC_SETTINGS; android.permission.WRITE_USER_DICTIONARY; com.android.browser.permission.READ_HISTORY_BOOKMARKS; com.android.browser.permission.WRITE_HISTORY_BOOKMARKS; com.android.launcher.permission.INSTALL_SHORTCUT; com.android.launcher.permission.UNINSTALL_SHORTCUT; com.android.launcher.permission.WRITE_SETTINGS; com.htc.launcher.permission.WRITE_SETTINGS; com.sonyericsson.homescreen.permission.READ_SETTINGS; com.sonyericsson.homescreen.permission.WRITE_SETTINGS; org.antivirus.permission.C2D_MESSAGE; com.google.android.c2dm.permission.RECEIVE; com.android.vending.CHECK_LICENSE; android.permission.SUBSCRIBED_FEEDS_WRITE; android.permission.VIBRATE;

/data/app/org.eapp-1.apk a2e328813532f00b31c90f56560dce2e  ----> Foncy.B
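The offline scan above does three things: it prints a "Key: value" record for the package, it hashes the pulled APK, and it reports a verdict ("None" or a family name) next to the hash. The following is an added example, not code from the post or from androguard/andromercury: it parses a record in the format shown above into a structured dict, computes the MD5 digest of the APK bytes, and looks that digest up in a hypothetical hash-keyed signature database. How androguard's own database matches samples is not shown in the post, so the exact-hash lookup here is an assumption; its limitation is that it only recognizes byte-identical files, which is why the unknown-sample case returns "None". The sample record and the "malicious" bytes are constructed for the example.

```python
"""Added example: parse an andromercury-style package record, hash an APK,
and look the digest up in a hypothetical signature database."""
import hashlib

# Constructed sample in the record format printed by andromercury (trimmed).
SAMPLE_RECORD = """\
Package name: org.eapp
Process name: org.eapp
Version: 2.9.2
Data directory: /data/data/org.eapp
APK path: /data/app/org.eapp-1.apk
UID: 10041
GID: 1015; 3003; 1007;
Permissions: android.permission.SEND_SMS; android.permission.RECEIVE_SMS; android.permission.INTERNET;
"""

# Fields whose values are ';'-separated lists in the record format.
LIST_FIELDS = {"GID", "Permissions"}


def parse_package_record(text):
    """Turn one 'Key: value' block into a dict.

    List fields ('GID', 'Permissions') are split on ';' and stripped of the
    trailing empty element left by the final separator. Only the first ':'
    on a line separates key from value, so paths such as '/data/app/x.apk'
    survive intact.
    """
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank lines and anything that is not a field
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            record[key] = [item.strip() for item in value.split(";") if item.strip()]
        else:
            record[key] = value
    return record


def md5_hex(data):
    """Hex MD5 of the APK bytes, matching the digest column in the scan output."""
    return hashlib.md5(data).hexdigest()


# Hypothetical signature database: digest -> family name. Constructed values;
# the real androguard database format is not described in the post.
SIGNATURE_DB = {
    md5_hex(b"constructed-malicious-apk-bytes"): "Foncy.B",
}


def lookup(digest, db=SIGNATURE_DB):
    """Return the family name for a known digest, or None for an unknown file."""
    return db.get(digest)


def scan_apk(apk_path, apk_bytes, db=SIGNATURE_DB):
    """Build the '<path> <digest>  ----> <verdict>' line the scan prints."""
    digest = md5_hex(apk_bytes)
    return f"{apk_path} {digest}  ----> {lookup(digest, db)}"


def scan_file(apk_path, db=SIGNATURE_DB):
    """Scan an APK that was pulled to the local output directory."""
    with open(apk_path, "rb") as fh:
        return scan_apk(apk_path, fh.read(), db)


if __name__ == "__main__":
    info = parse_package_record(SAMPLE_RECORD)
    print(info["Package name"], "requests", len(info["Permissions"]), "permissions")
    print(scan_apk("/data/app/org.eapp-1.apk", b"constructed-malicious-apk-bytes"))
    print(scan_apk("/data/app/unknown-1.apk", b"constructed-benign-apk-bytes"))
```

The parser keeps the record's own field names as keys, so a script that already reads andromercury output can consume the dict directly; the verdict line is formatted the same way as the post's output so the two can be compared side by side.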


I will update this script to support new things in the future with my framework.

Thx to MWR Labs for this framework! You guys rock!
