Androguard: reverse engineering, malware analysis of Android applications ... and more (ninja)!

One year after, end of Magnificent 7 project! (2013-06-30)
It has been a year already since the start of the Magnificent 7 program!
So what happened during this year?
We added some features to enhance your analyses, such as:
ARM support to analyze binaries/shared libraries;
the possibility to have a graphical view of the application you are working on;
the support of sessions, so that you can save/restore the state of your

Androguard 1.9 (2012-12-05)
Hi folks!
After the PacSec conference in Tokyo, we finished a few things for a new version, and it is time to release it!
We fixed a lot of things: bugs in the automatic analysis, removed useless dependencies, and added new tools from an external contributor (thanks Axelle) such as "androdis.py", which can disassemble Dalvik bytecode at a specific offset (interesting when an application has

Androguard 1.6: community! (2012-09-14)
Hi!
Since the latest version, we have fixed a lot of bugs, the decompiler has been improved, and we added a new feature.
This feature is the possibility to scan a bunch of Android apps automatically (with multiple threads) and to control exactly what you want to do: where you get the app from (web, file system, ...), filtering, control of the different steps of analysis (APK, DEX, Advanced

Androguard 1.5 (2012-08-05)
We did it.
What? A stable version of Androguard with a lot of new and exciting features. It has been a long road since the beginning of this project, and I think you know it is not easy to run an open source project in your free time.
Disassembler
We rewrote and changed everything from the beginning of the project to now have a simple and modifiable disassembler. Each instruction is now represented

support of sessions + notes! (2012-05-31)
Hi,
I changed a lot of things in the output: now you can choose your colors, and the overview of a method is better:
But an interesting feature is to save your analysis as JSON, which you can do by using the save_session and load_session functions:
Because everything is Python, everything is saved automatically, and you can save what you want :)
One new step is the support of "annotation"

news .... (2012-05-29)
Hi!
After feedback from Dexlab about errors in the parsing of Android bytecode, I decided to rewrite the module like Baksmali. Now each instruction is an object, and in each object (instruction) you can access all fields:
For a few instructions, I added more information, especially for all numeric values:
Moreover, I added a "tags" feature. The idea is to associate

not dead (2012-05-25)
Hi!
Lots of new things during the last months ... Androguard got selected by Rapid7 to be sponsored as part of the Magnificent7 program. It is really good news, and the project will be seriously improved (and if you are interested in participating, you're welcome!).
Next, we published a paper in Phrack about software similarities/diffing. We have a different approach compared to

Google Summer of Code 2012 (2012-04-04)
Hi!
For the first year, Androguard is in GSoC with Honeynet. The "idea" of the project is to improve Androguard by adding new databases of adware (or classical software) to identify them. And we would like to display the results of similarities and differences between Android applications, so we need a GUI!
The deadline is April 6th at 19:00 UTC. If you are a student, you can apply on this

Fakeinst + Christian Andersen (2012-03-20)
Hi!
I saw an interesting trick in a FakeInst sample:
desnos@t0t0:~/androguard$ ./androlyze.py -s
Androlyze version 1.0
In [1]: a, d, dx = AAnalyzeAPK("./apks/malwares/fakeinst.b/338666398c775c0690e78a632cd861c541d0f1da6c9134506881487526a9786c", decompiler="dex2jad")
In [2]: d.CL
d.CLASS_Ldfjg6_Gtr6H_B66gGh
d.CLASS_Ldfjg6_Gtr6H_HeavendeliverusfromthewildNorthmen

Androguard + Mercury (2012-03-19)
Hi!
I saw Mercury and wanted to test it in order to check malware or other things with my tools, so I wrote a small script to do that.
You can follow the quick start in order to install and run Mercury in an emulator or on your device. After that, you can download Androguard, compile it, and create a symlink from your Mercury directory to the Androguard main directory.
Next, you

Faketoken or Opfake? (2012-03-19)
Faketoken is a banking trojan on the Android platform. You can find a few analysis links on this malware in my open source database of Android malware.
But I was working on my Android similarity tool in order to improve it, and I found an interesting thing on the Faketoken sample (10/43) and the opfake.d/fakeinst sample (16/41):
desnos@t0t0:~/androguard$ ./androsim.py -i apks/

Androguard + Gephi (part 2) (2012-03-07)
Hi,
It's not very easy to use the GEXF export in Androguard.
After the export of the GEXF file:
desnos@t0t0:~/androguard$ ./androgexf.py -i apks/malwares/BaseBridge/com.keji.sendere.apk -o sendere.gexf
desnos@t0t0:~/androguard$
most of the time you will get something like this:
which is not very usable. You must apply a layout in Gephi to get something better:
and

Virtual Machine for Android Reverse Engineering (2011-11-01)
Hi!!
Now it's possible to download a virtual machine (for VirtualBox) with all the interesting tools around Android RE, so you can directly test Androguard, DroidBox, ....
See ya!

Androguard + Gephi (2011-10-21)
Hi!!
In one of the latest commits in the Androguard repository (development version), I added support for method call graphs with Gephi.
It's a really cool feature because it allows you to find all the interesting information directly (activities, services, receivers, permission risks (internet, privacy, SMS, money), dynamic code loading ...), only by looking at the graph :)
It's a beta version, and

Android "rip-off indicator" of applications (2011-09-01)
Hi!
In a previous post, I explained how it is possible to use a similarity distance to know if your application, or a part of it, has been stolen. Lately, I created an open source database of Android malware (it will be the next post), with androsign and androcsign (you must read 1 and 2 for technical information). I can extend this concept to detect more quickly and in a larger

DroidBox: alpha release (2011-07-15)
The Android application sandbox is now ready for an alpha release. Details on how to get DroidBox running are available on the project webpage. At the moment, the following actions are logged during runtime:
File read and write operations
Cryptography API activity
Opened network connections
Outgoing network traffic
Information leaks through the following sinks: network, file, SMS
Attempts

DroidBox: testing with Geinimi sample (2011-06-22)
One of the very first Android malwares, Geinimi, has been analyzed in the application sandbox DroidBox (http://code.google.com/p/droidbox), which is currently being developed. The project is part of GSoC 2011 in collaboration with Honeynet and as a master's thesis. The Geinimi application uses DES encryption, and it's possible to decrypt the content statically.
But it's very easy to do that because

Android diffing tool: Skype vulnerability (2011-06-10)
On the 15th of April 2011, AndroidPolice released a new security vulnerability in Skype (version 1.0.0.831) for Android. This vulnerability exposes your name, phone number, chat logs, ...
to all installed applications. The security bug is very simple: it's an incorrect usage of permissions to open files. So it's possible for another application to access all the information of your Skype account,

Similarity of android applications or "rip-off indicator" (2011-05-31)
Hi!
By using the algorithms described in the previous post, it's possible to detect if an application is really close to another one. And it can be really useful in many situations, like:
checking if your application has been stolen by someone; for now it's very easy to rip off an application from the Android Market, and to crack/re-package the application with smali/baksmali/apktool to re-inject

Diffing Android Applications (2011-05-18)
Hi!
During the last month, I tried to implement a new module to diff two Android applications. Current tools, like BinDiff, patchdiff, turbodiff ... don't support this feature.
If you would like to diff two applications, the classical first step is to extract the control flow graph, and it's already done in Androguard.
After that, you must be able to compare two graphs (the basic

Android zsone malware (2011-05-16)
Hi!
Recently a new malware called "zsone" was published on the official Android Market.
It's a good exercise to use Androguard on this malware, and to test new features.
So, we have a direct method in androlyze.py to open an APK and to export interesting features (like names in the Python namespace, a correct display for functions ...):
This time there is no embedded exploit, so we can go

APK to ascii or png (part 2) (2011-05-01)
Hi!
In the previous post, I talked about how to dump the methods of an application. On the wiki, I updated a page about the visualization of methods.
And now it's easier to display your method in a classical ASCII view:
or with nodes and edges:
or like the IDA basic view:
or in PNG:
See ya!

APK to ascii or png (2011-04-17)
Hi!
Today, I updated the source code of Androguard by adding a new tool called androdd, which dumps an entire application.
For now, I added only dot or png (or any format supported by pydot):
Usage: androdd.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT file : use this filename
-o OUTPUT, --output=OUTPUT base

GSOC + Honeynet (2011-03-20)
Hi!
Yesterday, the mentoring organizations for Google Summer of Code were announced. One of them is Honeynet, and the page of ideas is available. Three projects are about Android:
project 5: Mobile honeypot
project 6: Android Marketplace crawler
project 7: Mobile malware analysis
Next steps are the selection of students, and students can contact mentors through the GSoC mailing list or IRC (

Android + Permissions? (2011-03-15)
Hi!
In the latest commit, I added a feature to check where an Android permission of an application is used (in the bytecode). This feature is currently (I need to increase the DB) based only on the relation in the Android API reference and the annotation of the needed permission.
For example, to use the getDeviceId function, you must have the READ_PHONE_STATE permission. You can get these