From 14d48df0c3b9c26401488c01a458af1ff0bca62e Mon Sep 17 00:00:00 2001 From: Ajin Abraham Date: Thu, 7 Nov 2024 01:12:39 -0800 Subject: [PATCH 1/2] Add support for pulling split apks, Fixes #2271 --- .../views/android/dynamic_analyzer.py | 11 ++- .../views/android/environment.py | 83 ++++++++++++++----- mobsf/MobSF/init.py | 2 +- mobsf/StaticAnalyzer/views/android/xapk.py | 5 +- pyproject.toml | 2 +- 5 files changed, 75 insertions(+), 28 deletions(-) diff --git a/mobsf/DynamicAnalyzer/views/android/dynamic_analyzer.py b/mobsf/DynamicAnalyzer/views/android/dynamic_analyzer.py index f2c14203c9..ae0f576dea 100755 --- a/mobsf/DynamicAnalyzer/views/android/dynamic_analyzer.py +++ b/mobsf/DynamicAnalyzer/views/android/dynamic_analyzer.py @@ -325,16 +325,19 @@ def trigger_static_analysis(request, checksum): err = 'Cannot connect to Android Runtime' return print_n_send_error_response(request, err) env = Environment(identifier) - apk_file = env.get_apk(checksum, package) - if not apk_file: + scan_type = env.get_apk(checksum, package) + if not scan_type: err = 'Failed to download APK file' return print_n_send_error_response(request, err) + file_name = f'{package}.apk' + if scan_type == 'apks': + file_name = f'{file_name}s' data = { 'analyzer': 'static_analyzer', 'status': 'success', 'hash': checksum, - 'scan_type': 'apk', - 'file_name': f'{package}.apk', + 'scan_type': scan_type, + 'file_name': file_name, } add_to_recent_scan(data) return HttpResponseRedirect(f'/static_analyzer/{checksum}/') diff --git a/mobsf/DynamicAnalyzer/views/android/environment.py b/mobsf/DynamicAnalyzer/views/android/environment.py index 190d29ae2e..2cf7f57aef 100644 --- a/mobsf/DynamicAnalyzer/views/android/environment.py +++ b/mobsf/DynamicAnalyzer/views/android/environment.py @@ -7,6 +7,7 @@ import tempfile import threading import time +from pathlib import Path from base64 import b64encode from hashlib import md5 @@ -436,31 +437,71 @@ def get_device_packages(self): device_packages[md5] = (pkg, apk) return device_packages - def get_apk(self, checksum, package): - """Download APK from device.""" - try: - out_dir = os.path.join(settings.UPLD_DIR, checksum + '/') - if not os.path.exists(out_dir): - os.makedirs(out_dir) - out_file = os.path.join(out_dir, f'{checksum}.apk') - if is_file_exists(out_file): - return out_file + def download_apk_packages(self, pkg_path, out_file): + """Download APK package(s).""" + with tempfile.TemporaryDirectory() as temp_dir: + # Download APK package(s) + # Can be single or multiple packages out = self.adb_command([ - 'pm', - 'path', - package], True) - out = out.decode('utf-8').rstrip() - path = out.split('package:', 1)[1].strip() - logger.info('Downloading APK') - self.adb_command([ 'pull', - path, - out_file, + pkg_path.as_posix(), + temp_dir, ]) - if is_file_exists(out_file): - return out_file + fmt = out.decode('utf-8').strip() + logger.info('ADB Pull Output: %s', fmt) + # Filter for APK files in the directory + apk_files = [] + for f in Path(temp_dir).glob('*.apk'): + if f.is_file(): + apk_files.append(f) + # Check if there is exactly one APK file + if len(apk_files) == 1: + shutil.move(apk_files[0], out_file) + return 'apk' + else: + # If there are multiple APK files, zip them + shutil.make_archive(out_file, 'zip', root_dir=temp_dir, base_dir='.') + # Rename the zip file to APK + apks_file = out_file.with_suffix('.apk') + os.rename(out_file.as_posix() + '.zip', apks_file) + return 'apks' + + def get_apk_packages(self, package): + """Get all APK packages from device.""" + out = self.adb_command([ + 'pm', + 'path', + package], True) + return out.decode('utf-8').strip() + + def get_apk_parent_directory(self, package): + """Get parent directory of APK packages.""" + package_out = self.get_apk_packages(package) + package_out = package_out.split() + if ('package:' in package_out[0] + and package_out[0].endswith('.apk')): + path = package_out[0].split('package:', 1)[1].strip() + return Path(path).parent + return False + + def get_apk(self, checksum, package): + """Download APK from device.""" + try: + # Do not download if already exists + out_dir = Path(settings.UPLD_DIR) / checksum + out_dir.mkdir(parents=True, exist_ok=True) + out_file = out_dir / f'{checksum}.apk' + if out_file.exists(): + return 'apk' + # Get APK package parent directory + pkg_path = self.get_apk_parent_directory(package) + if pkg_path: + # Download APK package(s) + logger.info('Downloading APK') + return self.download_apk_packages(pkg_path, out_file) except Exception: - return False + logger.exception('Failed to download APK') + return False def system_check(self, runtime): """Check if /system is writable.""" diff --git a/mobsf/MobSF/init.py b/mobsf/MobSF/init.py index fff61d291f..a83f768b99 100644 --- a/mobsf/MobSF/init.py +++ b/mobsf/MobSF/init.py @@ -18,7 +18,7 @@ logger = logging.getLogger(__name__) -VERSION = '4.1.5' +VERSION = '4.1.6' BANNER = r""" __ __ _ ____ _____ _ _ _ | \/ | ___ | |__/ ___|| ___|_ _| || | / | diff --git a/mobsf/StaticAnalyzer/views/android/xapk.py b/mobsf/StaticAnalyzer/views/android/xapk.py index a0f7093b9b..1d60a7490f 100644 --- a/mobsf/StaticAnalyzer/views/android/xapk.py +++ b/mobsf/StaticAnalyzer/views/android/xapk.py @@ -62,7 +62,10 @@ def handle_split_apk(app_dic): for apk in unzip(checksum, apks.as_posix(), app_dic['app_dir']): full_path = app_dic['app_dir'] / apk safe_path = is_safe_path(app_dic['app_dir'], full_path) - if (not apk.startswith('config.') + if apk.endswith('base.apk') and safe_path: + move(full_path, apks) + return True + if ('config.' not in apk.lower() and apk.endswith('.apk') and safe_path): move(full_path, apks) diff --git a/pyproject.toml b/pyproject.toml index 0ea75177a0..fe04f01657 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "mobsf" -version = "4.1.5" +version = "4.1.6" description = "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis." keywords = ["mobsf", "mobile security framework", "mobile security", "security tool", "static analysis", "dynamic analysis", "malware analysis"] authors = ["Ajin Abraham "] From 5cc146c01e6386320450cb5faca42bd369f5ec2d Mon Sep 17 00:00:00 2001 From: Ajin Abraham Date: Thu, 7 Nov 2024 19:25:12 -0800 Subject: [PATCH 2/2] Replace Quark with Behaviour analysis using quark rules --- .../views/android/behaviour_analysis.py | 45 + mobsf/MalwareAnalyzer/views/android/quark.py | 144 - .../views/android/rules/behaviour_rules.yaml | 2819 +++++++++++++++++ .../views/android/code_analysis.py | 2 +- .../views/android/db_interaction.py | 16 +- mobsf/StaticAnalyzer/views/android/jar_aar.py | 17 +- mobsf/StaticAnalyzer/views/android/so.py | 4 +- .../views/android/static_analyzer.py | 32 +- mobsf/templates/pdf/android_report.html | 64 +- .../android_binary_analysis.html | 82 +- .../android_source_analysis.html | 73 + 11 files changed, 3065 insertions(+), 233 deletions(-) create mode 100644 mobsf/MalwareAnalyzer/views/android/behaviour_analysis.py delete mode 100644 mobsf/MalwareAnalyzer/views/android/quark.py create mode 100644 mobsf/MalwareAnalyzer/views/android/rules/behaviour_rules.yaml diff --git a/mobsf/MalwareAnalyzer/views/android/behaviour_analysis.py b/mobsf/MalwareAnalyzer/views/android/behaviour_analysis.py new file mode 100644 index 0000000000..a7613e86e4 --- /dev/null +++ b/mobsf/MalwareAnalyzer/views/android/behaviour_analysis.py @@ -0,0 +1,45 @@ +# -*- coding: utf_8 -*- +"""Perform behaviour analysis.""" +import logging +from pathlib import Path + +from django.conf import settings + +from mobsf.MobSF.utils import ( + append_scan_status, + get_android_src_dir, +) +from mobsf.StaticAnalyzer.views.sast_engine import ( + scan, +) + +logger = logging.getLogger(__name__) + + +def analyze(checksum, app_dir, typ): + """Perform behaviour analysis.""" + try: + root = Path(settings.BASE_DIR) / 'MalwareAnalyzer' / 'views' + rules = root / 'android' / 'rules' / 'behaviour_rules.yaml' + app_dir = Path(app_dir) + src = get_android_src_dir(app_dir, typ) + skp = settings.SKIP_CLASS_PATH + msg = 'Android Behaviour Analysis Started' + logger.info(msg) + append_scan_status(checksum, msg) + # Behaviour Analysis + findings = scan( + checksum, + rules.as_posix(), + {'.java', '.kt'}, + [src.as_posix() + '/'], + skp) + msg = 'Android Behaviour Analysis Completed' + logger.info(msg) + append_scan_status(checksum, msg) + return findings + except Exception as exp: + msg = 'Failed to perform behaviour analysis' + logger.exception(msg) + append_scan_status(checksum, msg, repr(exp)) + return {} diff --git a/mobsf/MalwareAnalyzer/views/android/quark.py b/mobsf/MalwareAnalyzer/views/android/quark.py deleted file mode 100644 index 77eefa7e60..0000000000 --- a/mobsf/MalwareAnalyzer/views/android/quark.py +++ /dev/null @@ -1,144 +0,0 @@ -# -*- coding: utf_8 -*- -import logging -from pathlib import Path - -from mobsf.MobSF.utils import ( - append_scan_status, - disable_print, - enable_print, - settings_enabled, -) - -logger = logging.getLogger(__name__) - - -def quark_analysis(checksum, app_dir, apk_file): - """QUARK Analysis of APK files.""" - if not settings_enabled('QUARK_ENABLED'): - return [] - try: - import quark - except ImportError: - logger.error('Failed to import Quark') - return [] - if not Path(apk_file).exists(): - logger.error('APK not found') - return [] - - quark_ver = quark.__version__ - - from quark import config - from quark.freshquark import download - from quark.report import Report - msg = f'Running Quark {quark_ver}' - logger.info(msg) - append_scan_status(checksum, msg) - json_report = {} - try: - # freshquark: update quark rules - disable_print() - download() - enable_print() - - # default rules path - rules_dir = Path(f'{config.HOME_DIR}quark-rules/rules') - report = Report() - - # Analyze apk - report.analysis(apk_file, rules_dir) - - # Generate Report - json_report = report.get_report('json') - # Clear all functools.lru_cache from quark - report.quark.apkinfo.find_method.cache_clear() - report.quark.apkinfo.upperfunc.cache_clear() - report.quark.apkinfo.get_wrapper_smali.cache_clear() - except Exception as exp: - msg = 'Quark APK Analysis' - logger.exception(msg) - append_scan_status(checksum, msg, repr(exp)) - return _convert_report(json_report, app_dir) - - -def _convert_report(origin_report, app_dir): - new_report = [] - if not origin_report or not origin_report.get('crimes'): - logger.warning('Skipping Quark Analysis') - return new_report - for crime in origin_report.get('crimes'): - if not crime['confidence'] == '100%': - continue - - new_crime = {} - new_crime['crime'] = crime['crime'] - new_crime['score'] = crime['score'] - new_crime['weight'] = crime['weight'] - new_crime['confidence'] = crime['confidence'] - new_crime['permissions'] = crime['permissions'] - new_crime['register'] = [] - - for item in crime['register']: - source_code = {} - cls_and_md = next(iter(item)) - detail = item[cls_and_md] - - file_path = cls_and_md.split(' ')[0].replace(';', '.smali')[1:] - method = ''.join(cls_and_md.split(' ')[1:]) - source_code['file'] = file_path - source_code['method'] = method - source_code['first_api'] = detail['first'] - source_code['second_api'] = detail['second'] - - source_code_dir = Path(app_dir) / 'smali_source' / file_path - source_code['line_numbers'] = _get_line_numbers( - source_code_dir, - method, - detail['first'], - detail['second'], - ) - - new_crime['register'].append(source_code) - - new_report.append(new_crime) - - return new_report - - -def _get_line_numbers(source_code_path, method, first_api, second_api): - line_numbers = { - 'method_start': -1, - 'method_end': -1, - 'first_api': -1, - 'second_api': -1, - } - method_found = False - - try: - with open(source_code_path, 'r') as file: - for num, line in enumerate(file, 1): - if (not method_found - and line.startswith('.method') - and method in line): - line_numbers['method_start'] = num - method_found = True - elif method_found: - first_api_opcode = first_api[0] - first_api_method = first_api[-1].replace(' ', '') - if first_api_opcode in line and first_api_method in line: - line_numbers['first_api'] = num - - second_api_opcode = second_api[0] - second_api_method = second_api[-1].replace(' ', '') - if second_api_opcode in line and second_api_method in line: - line_numbers['second_api'] = num - - if line.startswith('.end method'): - line_numbers['method_end'] = num - return line_numbers - return line_numbers - except EnvironmentError: - return line_numbers - - except Exception: - logger.exception('Finding line numbers of method and apis') - return line_numbers diff --git a/mobsf/MalwareAnalyzer/views/android/rules/behaviour_rules.yaml b/mobsf/MalwareAnalyzer/views/android/rules/behaviour_rules.yaml new file mode 100644 index 0000000000..b9286337fe --- /dev/null +++ b/mobsf/MalwareAnalyzer/views/android/rules/behaviour_rules.yaml @@ -0,0 +1,2819 @@ +- id: 00019 + message: 'Find a method from given class name, usually for reflection' + metadata: + label: + - reflection + pattern: + - java\.lang\.Object + - java\.lang\.Class + - \.getMethod\( + - \.getClass\( + type: RegexAnd + severity: info + input_case: exact +- id: 00058 + message: Connect to the specific WIFI network + metadata: + label: + - wifi + - control + pattern: + - android\.net\.wifi\.WifiManager + - \.getConfiguredNetworks\( + - \.enableNetwork\( + type: RegexAnd + severity: info + input_case: exact +- id: '00166' + message: Get SMS message body and retrieve a string from it (possibly PIN / mTAN) + metadata: + label: + - sms + - pin + pattern: + - android\.telephony\.SmsMessage + - java\.util\.regex\.Pattern + - \.getMessageBody\( + - \.matcher\( + type: RegexAnd + severity: info + input_case: exact +- id: '00023' + message: Start another application from current application + metadata: + label: + - reflection + - control + pattern: + - android\.content\.pm\.PackageManager + - android\.content\.Context + - \.getLaunchIntentForPackage\( + - \.startActivity\( + type: RegexAnd + severity: info + input_case: exact +- id: 00189 + message: Get the content of a SMS message + metadata: + label: + - sms + pattern: + - android\.content\.ContentResolver + - android\.database\.Cursor + - \.query\( + - \.getColumnIndex\( + type: RegexAnd + severity: info + input_case: exact +- id: '00131' + message: Get location of the current GSM and put it into JSON + metadata: + label: + - collection + - location + pattern: + - android\.telephony\.gsm\.GsmCellLocation + - org\.json\.JSONObject + - \.put\( + - \.getLac\( + type: RegexAnd + severity: info + input_case: exact +- id: '00074' + message: Get IMSI and the ISO country code + metadata: + label: + - collection + - telephony + pattern: + - android\.telephony\.TelephonyManager + - \.getNetworkCountryIso\( + - \.getSubscriberId\( + type: RegexAnd + severity: info + input_case: exact +- id: '00127' + message: 'Monitor the broadcast action events (BOOT_COMPLETED, etc)' + metadata: + label: + - command + pattern: + - android\.content\.Intent + - java\.lang\.String + - \.compareToIgnoreCase\( + - \.getAction\( + type: RegexAnd + severity: info + input_case: exact +- id: '00062' + message: Query WiFi information and WiFi Mac Address + metadata: + label: + - wifi + - collection + pattern: + - android\.net\.wifi\.WifiInfo + - android\.net\.wifi\.WifiManager + - \.getMacAddress\( + - \.getConnectionInfo\( + type: RegexAnd + severity: info + input_case: exact +- id: '00170' + message: Get installed applications and put the list in shared preferences + metadata: + label: + - applications + - privacy + pattern: + - android\.content\.pm\.PackageManager + - android\.content\.SharedPreferences$Editor + - \.getInstalledApplications\( + - \.putString\( + type: RegexAnd + severity: info + input_case: exact +- id: '00035' + message: Query the list of the installed packages + metadata: + label: + - reflection + pattern: + - android\.content\.pm\.PackageManager + - android\.content\.Context + - \.getInstalledPackages\( + - \.getPackageManager\( + type: RegexAnd + severity: info + input_case: exact +- id: '00042' + message: Query WiFi BSSID and scan results + metadata: + label: + - collection + - wifi + pattern: + - android\.net\.wifi\.WifiInfo + - android\.net\.wifi\.WifiManager + - \.getBSSID\( + - \.getScanResults\( + type: RegexAnd + severity: info + input_case: exact +- id: '00107' + message: Write the IMSI number into a file + metadata: + label: + - collection + - telephony + - file + - command + pattern: + - java\.io\.FileOutputStream + - android\.telephony\.TelephonyManager + - \.write\( + - \.getSubscriberId\( + type: RegexAnd + severity: info + input_case: exact +- id: '00015' + message: Put buffer stream (data) to JSON object + metadata: + label: + - file + pattern: + - java\.io\.BufferedInputStream + - org\.json\.JSONObject + - \.put\( + - \.read\( + type: RegexAnd + severity: info + input_case: exact +- id: '00150' + message: Send IMSI over Internet + metadata: + label: + - phone + pattern: + - java\.net\.URL + - android\.telephony\.TelephonyManager + - \.openConnection\( + - \.getSubscriberId\( + type: RegexAnd + severity: info + input_case: exact +- id: '00003' + message: Put the compressed bitmap data into JSON object + metadata: + label: + - camera + pattern: + - android\.graphics\.Bitmap + - org\.json\.JSONObject + - \.put\( + - \.compress\( + type: RegexAnd + severity: info + input_case: exact +- id: '00146' + message: Get the network operator name and IMSI + metadata: + label: + - telephony + - collection + pattern: + - android\.telephony\.TelephonyManager + - \.getNetworkOperatorName\( + - \.getSubscriberId\( + type: RegexAnd + severity: info + input_case: exact +- id: '00054' + message: Install other APKs from file + metadata: + label: + - reflection + pattern: + - android\.content\.Intent + - android\.net\.Uri + - \.fromFile\( + - \.setDataAndType\( + type: RegexAnd + severity: info + input_case: exact +- id: '00111' + message: Get the sender address of the SMS + metadata: + label: + - collection + - sms + pattern: + - android\.telephony\.SmsMessage + - java\.lang\.String + - \.toString\( + - \.getOriginatingAddress\( + type: RegexAnd + severity: info + input_case: exact +- id: 00185 + message: Start capturing camera preview frames to the screen + metadata: + label: + - camera + pattern: + - java\.lang\.Object + - android\.hardware\.Camera + - \.startPreview\( + type: RegexAnd + severity: info + input_case: exact +- id: 00097 + message: Get the sender address of the SMS and put it into JSON + metadata: + label: + - collection + - sms + pattern: + - android\.telephony\.SmsMessage + - org\.json\.JSONObject + - \.put\( + - \.getOriginatingAddress\( + type: RegexAnd + severity: info + input_case: exact +- id: 00078 + message: Get the network operator name + metadata: + label: + - collection + - telephony + pattern: + - android\.content\.Context + - android\.telephony\.TelephonyManager + - \.getNetworkOperatorName\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00202' + message: Make a phone call + metadata: + label: + - control + pattern: + - android\.content\.Intent + - "tel:" + - \.setData\( + type: RegexAnd + severity: info + input_case: exact +- id: 00081 + message: Get declared method from given method name + metadata: + label: + - reflection + pattern: + - java\.lang\.Class + - java\.lang\.StringBuilder + - \.getDeclaredMethods\( + type: RegexAnd + severity: info + input_case: exact +- id: 00039 + message: Start a web server + metadata: + label: + - control + - network + pattern: + - java\.net\.Socket + - java\.net\.ServerSocket + - \.getInetAddress\( + - \.accept\( + type: RegexAnd + severity: info + input_case: exact +- id: 00193 + message: Send a SMS message + metadata: + label: + - sms + pattern: + - android\.telephony\.SmsManager + - \.sendTextMessage\( + - \.getDefault\( + type: RegexAnd + severity: info + input_case: exact +- id: 00038 + message: Query the phone number + metadata: + label: + - collection + pattern: + - android\.content\.Context + - android\.telephony\.TelephonyManager + - \.getLine1Number\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: 00192 + message: Get messages in the SMS inbox + metadata: + label: + - sms + pattern: + - android\.database\.Cursor + - android\.net\.Uri + - \.parse\( + - \.getColumnIndexOrThrow\( + type: RegexAnd + severity: info + input_case: exact +- id: 00080 + message: Save recorded audio/video to a file + metadata: + label: + - record + - file + pattern: + - android\.os\.Bundle + - android\.media\.MediaRecorder + - \.getString\( + - \.setOutputFile\( + type: RegexAnd + severity: info + input_case: exact +- id: '00203' + message: Put a phone number into an intent + metadata: + label: + - control + pattern: + - android\.content\.Intent + - android\.net\.Uri + - \.parse\( + - \.setData\( + - "tel:" + type: RegexAnd + severity: info + input_case: exact +- id: 00096 + message: Connect to a URL and set request method + metadata: + label: + - command + - network + pattern: + - java\.net\.HttpURLConnection + - java\.net\.URL + - \.openConnection\( + - \.setRequestMethod\( + type: RegexAnd + severity: info + input_case: exact +- id: 00079 + message: Hide the current app's icon + metadata: + label: + - evasion + pattern: + - android\.content\.pm\.PackageManager + - android\.content\.Context + - \.setComponentEnabledSetting\( + - \.getPackageManager\( + type: RegexAnd + severity: info + input_case: exact +- id: 00184 + message: Set camera preview texture + metadata: + label: + - camera + pattern: + - java\.lang\.Object + - android\.hardware\.Camera + - \.setPreviewTexture\( + type: RegexAnd + severity: info + input_case: exact +- id: '00055' + message: Query the SMS content and the source of the phone number + metadata: + label: + - sms + - collection + pattern: + - android\.telephony\.SmsMessage + - \.getDisplayOriginatingAddress\( + - \.getDisplayMessageBody\( + type: RegexAnd + severity: info + input_case: exact +- id: '00110' + message: Query the ICCID number + metadata: + label: + - collection + - telephony + pattern: + - android\.telephony\.SubscriptionManager + - android\.telephony\.SubscriptionInfo + - \.getActiveSubscriptionInfoList\( + - \.getIccId\( + type: RegexAnd + severity: info + input_case: exact +- id: '00002' + message: Open the camera and take picture + metadata: + label: + - camera + pattern: + - android\.hardware\.Camera + - \.open\( + - \.takePicture\( + type: RegexAnd + severity: info + input_case: exact +- id: '00147' + message: Get the time of current location + metadata: + label: + - collection + - location + pattern: + - android\.location\.LocationManager + - android\.location\.Location + - \.getTime\( + - \.isProviderEnabled\( + type: RegexAnd + severity: info + input_case: exact +- id: '00014' + message: Read file into a stream and put it into a JSON object + metadata: + label: + - file + pattern: + - java\.io\.FileInputStream + - org\.json\.JSONObject + - \.put\( + type: RegexAnd + severity: info + input_case: exact +- id: '00151' + message: Send phone number over Internet + metadata: + label: + - phone + - privacy + pattern: + - java\.net\.URL + - android\.telephony\.TelephonyManager + - \.openConnection\( + - \.getLine1Number\( + type: RegexAnd + severity: info + input_case: exact +- id: '00043' + message: Calculate WiFi signal strength + metadata: + label: + - collection + - wifi + pattern: + - android\.net\.wifi\.WifiInfo + - android\.net\.wifi\.WifiManager + - \.calculateSignalLevel\( + - \.getRssi\( + type: RegexAnd + severity: info + input_case: exact +- id: '00106' + message: Get the currently formatted WiFi IP address + metadata: + label: + - collection + - wifi + pattern: + - android\.net\.wifi\.WifiInfo + - android\.text\.format\.Formatter + - \.formatIpAddress\( + - \.getIpAddress\( + type: RegexAnd + severity: info + input_case: exact +- id: '00171' + message: Compare network operator with a string + metadata: + label: + - network + pattern: + - java\.lang\.String + - android\.telephony\.TelephonyManager + - \.equals\( + - \.getNetworkOperatorName\( + type: RegexAnd + severity: info + input_case: exact +- id: '00034' + message: Query the current data network type + metadata: + label: + - collection + - network + pattern: + - android\.content\.Context + - android\.telephony\.TelephonyManager + - \.getNetworkType\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00126' + message: 'Read sensitive data(SMS, CALLLOG, etc)' + metadata: + label: + - collection + - sms + - calllog + - calendar + pattern: + - android\.content\.ContentResolver + - java\.lang\.String + - \.query\( + - \.toString\( + type: RegexAnd + severity: info + input_case: exact +- id: '00063' + message: 'Implicit intent(view a web page, make a phone call, etc.)' + metadata: + label: + - control + pattern: + - android\.content\.Intent + - android\.net\.Uri + - \.parse\( + type: RegexAnd + severity: info + input_case: exact +- id: '00130' + message: Get the current WIFI information + metadata: + label: + - wifi + - collection + pattern: + - android\.net\.wifi\.WifiManager + - android\.content\.Context + - \.getConnectionInfo\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00075' + message: Get location of the device + metadata: + label: + - collection + - location + pattern: + - android\.location\.LocationManager + - \.getLastKnownLocation\( + - \.isProviderEnabled\( + type: RegexAnd + severity: info + input_case: exact +- id: '00167' + message: Use accessibility service to perform action getting root in active window + metadata: + label: + - accessibility service + pattern: + - android\.view\.accessibility\.AccessibilityNodeInfo + - android\.accessibilityservice\.AccessibilityService + - \.performAction\( + - \.getRootInActiveWindow\( + type: RegexAnd + severity: info + input_case: exact +- id: '00022' + message: Open a file from given absolute path of the file + metadata: + label: + - file + pattern: + - java\.io\.File + - \.getAbsolutePath\( + type: RegexAnd + severity: info + input_case: exact +- id: 00188 + message: Get the address of a SMS message + metadata: + label: + - sms + pattern: + - android\.content\.ContentResolver + - android\.database\.Cursor + - \.query\( + - \.getColumnIndex\( + type: RegexAnd + severity: info + input_case: exact +- id: 00059 + message: Query the SIM card status + metadata: + label: + - collection + pattern: + - java\.lang\.Integer + - android\.telephony\.TelephonyManager + - \.getSimState\( + - \.intValue\( + type: RegexAnd + severity: info + input_case: exact +- id: 00018 + message: Get JSON object prepared and fill in location info + metadata: + label: + - location + - collection + pattern: + - android\.location\.LocationManager + - org\.json\.JSONObject + - \.requestLocationUpdates\( + type: RegexAnd + severity: info + input_case: exact +- id: '00044' + message: Query the last time this package's activity was used + metadata: + label: + - collection + - reflection + pattern: + - android\.app\.usage\.UsageStatsManager + - android\.app\.usage\.UsageStats + - \.getLastTimeUsed\( + - \.queryUsageStats\( + type: RegexAnd + severity: info + input_case: exact +- id: '00101' + message: Initialize recorder + metadata: + label: + - record + pattern: + - android\.os\.Bundle + - android\.media\.MediaRecorder + - \.getString\( + - \.prepare\( + type: RegexAnd + severity: info + input_case: exact +- id: '00013' + message: Read file and put it into a stream + metadata: + label: + - file + pattern: + - java\.io\.FileInputStream + - java\.io\.File + type: RegexAnd + severity: info + input_case: exact +- id: '00156' + message: 'Acquire lock on Power Manager ' + metadata: + label: + - lock + - power manager + pattern: + - android\.os\.PowerManager$WakeLock + - android\.os\.PowerManager + - \.newWakeLock\( + - \.acquire\( + type: RegexAnd + severity: info + input_case: exact +- id: '00005' + message: Get absolute path of file and put it to JSON object + metadata: + label: + - file + pattern: + - java\.io\.File + - org\.json\.JSONObject + - \.getAbsolutePath\( + - \.put\( + type: RegexAnd + severity: info + input_case: exact +- id: '00140' + message: Write the phone number into a file + metadata: + label: + - collection + - telephony + - file + - command + pattern: + - java\.io\.FileOutputStream + - android\.telephony\.TelephonyManager + - \.getLine1Number\( + - \.write\( + type: RegexAnd + severity: info + input_case: exact +- id: '00052' + message: 'Deletes media specified by a content URI(SMS, CALL_LOG, File, etc.)' + metadata: + label: + - sms + pattern: + - android\.content\.ContentResolver + - android\.net\.Uri + - \.parse\( + - \.delete\( + type: RegexAnd + severity: info + input_case: exact +- id: '00117' + message: Get the IMSI and network operator name + metadata: + label: + - telephony + - collection + pattern: + - android\.telephony\.TelephonyManager + - \.getNetworkOperatorName\( + - \.getSubscriberId\( + type: RegexAnd + severity: info + input_case: exact +- id: 00183 + message: Get current camera parameters and change the setting. + metadata: + label: + - camera + pattern: + - android\.hardware\.Camera + - \.setParameters\( + - \.getParameters\( + type: RegexAnd + severity: info + input_case: exact +- id: 00029 + message: Initialize class object dynamically + metadata: + label: + - reflection + pattern: + - java\.lang\.Class + - java\.lang\.reflect\.Constructor + - \.newInstance\( + - \.forName\( + type: RegexAnd + severity: info + input_case: exact +- id: 00091 + message: Retrieve data from broadcast + metadata: + label: + - collection + pattern: + - android\.content\.Intent + - android\.os\.Bundle + - \.getString\( + - \.getExtras\( + type: RegexAnd + severity: info + input_case: exact +- id: '00204' + message: Get the default ringtone + metadata: + label: + - collection + pattern: + - android\.media\.RingtoneManager + - \.getDefaultUri\( + - \.getRingtone\( + type: RegexAnd + severity: info + input_case: exact +- id: 00087 + message: Check the current network type + metadata: + label: + - network + pattern: + - java\.lang\.Object + - android\.net\.NetworkInfo + - \.equals\( + - \.getType\( + type: RegexAnd + severity: info + input_case: exact +- id: 00068 + message: Executes the specified string Linux command + metadata: + label: + - control + pattern: + - java\.lang\.Runtime + - \.getRuntime\( + - \.exec\( + type: RegexAnd + severity: info + input_case: exact +- id: 00195 + message: Set the output path of the recorded file + metadata: + label: + - record + - file + pattern: + - java\.io\.File + - android\.media\.MediaRecorder + - \.setOutputFile\( + - \.getAbsolutePath\( + type: RegexAnd + severity: info + input_case: exact +- id: 00048 + message: Query the SMS contents + metadata: + label: + - sms + - collection + pattern: + - android\.telephony\.SmsMessage + - \.getDisplayMessageBody\( + - \.createFromPdu\( + type: RegexAnd + severity: info + input_case: exact +- id: 00009 + message: Put data in cursor to JSON object + metadata: + label: + - file + pattern: + - android\.database\.Cursor + - org\.json\.JSONObject + - \.getString\( + - \.put\( + type: RegexAnd + severity: info + input_case: exact +- id: '00160' + message: Use accessibility service to perform action getting node info by View Id + metadata: + label: + - accessibility service + pattern: + - android\.view\.accessibility\.AccessibilityNodeInfo + - \.performAction\( + - \.findAccessibilityNodeInfosByViewId\( + type: RegexAnd + severity: info + input_case: exact +- id: '00025' + message: Monitor the general action to be performed + metadata: + label: + - reflection + pattern: + - android\.content\.Intent + - java\.lang\.String + - \.equals\( + - \.getAction\( + type: RegexAnd + severity: info + input_case: exact +- id: '00137' + message: Get last known location of the device + metadata: + label: + - location + - collection + pattern: + - android\.location\.LocationManager + - android\.location\.Location + - \.getLastKnownLocation\( + - \.toString\( + type: RegexAnd + severity: info + input_case: exact +- id: '00072' + message: Write HTTP input stream into a file + metadata: + label: + - command + - network + - file + pattern: + - java\.net\.HttpURLConnection + - java\.io\.FileOutputStream + - \.getInputStream\( + - \.write\( + type: RegexAnd + severity: info + input_case: exact +- id: '00121' + message: Create a directory + metadata: + label: + - file + - command + pattern: + - java\.io\.File + - android\.os\.Bundle + - \.getString\( + - \.mkdirs\( + type: RegexAnd + severity: info + input_case: exact +- id: '00064' + message: Monitor incoming call status + metadata: + label: + - control + pattern: + - android\.content\.Context + - android\.telephony\.TelephonyManager + - \.getCallState\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: 00208 + message: Capture the contents of the device screen + metadata: + label: + - collection + - screen + pattern: + - android\.media\.projection\.MediaProjection + - \.createVirtualDisplay\( + - \.registerCallback\( + type: RegexAnd + severity: info + input_case: exact +- id: '00176' + message: Send sms to a contact of contact list + metadata: + label: + - sms + pattern: + - android\.telephony\.SmsManager + - android\.content\.ContentResolver + - \.sendTextMessage\( + - \.query\( + type: RegexAnd + severity: info + input_case: exact +- id: 00199 + message: Stop recording and release recording resources + metadata: + label: + - record + pattern: + - android\.media\.MediaRecorder + - \.stop\( + - \.release\( + type: RegexAnd + severity: info + input_case: exact +- id: '00033' + message: Query the IMEI number + metadata: + label: + - collection + pattern: + - android\.content\.Context + - android\.telephony\.TelephonyManager + - \.getDeviceId\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00177' + message: Check if permission is granted and request it + metadata: + label: + - permission + pattern: + - android\.app\.Activity + - android\.content\.Context + - \.checkPermission\( + - \.requestPermissions\( + type: RegexAnd + severity: info + input_case: exact +- id: 00198 + message: Initialize the recorder and start recording + metadata: + label: + - record + pattern: + - android\.media\.MediaRecorder + - \.prepare\( + - \.start\( + type: RegexAnd + severity: info + input_case: exact +- id: '00032' + message: Load external class + metadata: + label: + - reflection + pattern: + - java\.lang\.Class + - java\.lang\.ClassLoader + - \.getClassLoader\( + - \.loadClass\( + type: RegexAnd + severity: info + input_case: exact +- id: 00209 + message: Get pixels from the latest rendered image + metadata: + label: + - collection + pattern: + - android\.media\.ImageReader + - android\.media\.Image + - \.getPlanes\( + - \.acquireLatestImage\( + type: RegexAnd + severity: info + input_case: exact +- id: '00120' + message: Append the sender's address to the string + metadata: + label: + - sms + - collection + pattern: + - android\.telephony\.SmsMessage + - java\.lang\.StringBuilder + - \.append\( + - \.getOriginatingAddress\( + type: RegexAnd + severity: info + input_case: exact +- id: '00065' + message: Get the country code of the SIM card provider + metadata: + label: + - collection + pattern: + - android\.content\.Context + - android\.telephony\.TelephonyManager + - \.getSimCountryIso\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00136' + message: Stop recording + metadata: + label: + - record + - command + pattern: + - android\.os\.Bundle + - android\.media\.MediaRecorder + - \.getString\( + - \.stop\( + type: RegexAnd + severity: info + input_case: exact +- id: '00073' + message: Write the SIM card information into a file + metadata: + label: + - collection + - telephony + - file + pattern: + - android\.telephony\.SubscriptionManager + - java\.io\.FileOutputStream + - \.getActiveSubscriptionInfoList\( + - \.write\( + type: RegexAnd + severity: info + input_case: exact +- id: '00161' + message: Perform accessibility service action on accessibility node info + metadata: + label: + - accessibility service + pattern: + - android\.view\.accessibility\.AccessibilityNodeInfo + - \.performAction\( + - \.getParent\( + type: RegexAnd + severity: info + input_case: exact +- id: '00024' + message: Write file after Base64 decoding + metadata: + label: + - reflection + - file + pattern: + - java\.io\.FileOutputStream + - android\.util\.Base64 + - \.decode\( + - \.write\( + type: RegexAnd + severity: info + input_case: exact +- id: 00008 + message: Check if successfully sending out SMS + metadata: + label: + - sms + pattern: + - android\.telephony\.SmsManager + - java\.lang\.Boolean + - \.sendTextMessage\( + - \.valueOf\( + type: RegexAnd + severity: info + input_case: exact +- id: 00049 + message: Query the phone number from SMS sender + metadata: + label: + - sms + - collection + pattern: + - android\.telephony\.SmsMessage + - \.getDisplayOriginatingAddress\( + - \.createFromPdu\( + type: RegexAnd + severity: info + input_case: exact +- id: 00194 + message: Set the audio source (MIC) and recorded file format + metadata: + label: + - record + pattern: + - android\.media\.MediaRecorder + - \.setAudioSource\( + - \.setOutputFormat\( + type: RegexAnd + severity: info + input_case: exact +- id: 00086 + message: Check if the device is in data roaming mode + metadata: + label: + - telephony + pattern: + - java\.lang\.Object + - android\.net\.NetworkInfo + - \.isRoaming\( + - \.equals\( + type: RegexAnd + severity: info + input_case: exact +- id: 00069 + message: Run shell script programmably + metadata: + label: + - control + pattern: + - java\.lang\.Runtime + - java\.lang\.Process + - \.exec\( + - \.getOutputStream\( + type: RegexAnd + severity: info + input_case: exact +- id: '00205' + message: Simulate a touch gesture on the device screen + metadata: + label: + - accessibility service + - control + pattern: + - android\.accessibilityservice\.GestureDescription$Builder + - \.build\( + - \.addStroke\( + type: RegexAnd + severity: info + input_case: exact +- id: 00090 + message: Set recroded audio/video file format + metadata: + label: + - record + pattern: + - android\.os\.Bundle + - android\.media\.MediaRecorder + - \.getString\( + - \.setOutputFormat\( + type: RegexAnd + severity: info + input_case: exact +- id: 00182 + message: Open camera. + metadata: + label: + - camera + pattern: + - java\.lang\.Object + - android\.hardware\.Camera + - \.open\( + type: RegexAnd + severity: info + input_case: exact +- id: 00028 + message: Read file from assets directory + metadata: + label: + - file + pattern: + - android\.content\.res\.AssetManager + - java\.io\.InputStream + - \.open\( + - \.read\( + type: RegexAnd + severity: info + input_case: exact +- id: '00053' + message: 'Monitor data identified by a given content URI changes(SMS, MMS, etc.)' + metadata: + label: + - sms + pattern: + - android\.content\.ContentResolver + - android\.net\.Uri + - \.parse\( + - \.registerContentObserver\( + type: RegexAnd + severity: info + input_case: exact +- id: '00116' + message: Get the current WiFi MAC address and put it into JSON + metadata: + label: + - wifi + - collection + pattern: + - android\.net\.wifi\.WifiInfo + - org\.json\.JSONObject + - \.getMacAddress\( + - \.put\( + type: RegexAnd + severity: info + input_case: exact +- id: '00004' + message: Get filename and put it to JSON object + metadata: + label: + - file + - collection + pattern: + - java\.io\.File + - org\.json\.JSONObject + - \.put\( + - \.getName\( + type: RegexAnd + severity: info + input_case: exact +- id: '00141' + message: Load class from given class name + metadata: + label: + - reflection + pattern: + - java\.lang\.ClassLoader + - java\.lang\.StringBuilder + - \.toString\( + - \.loadClass\( + type: RegexAnd + severity: info + input_case: exact +- id: '00012' + message: Read data and put it into a buffer stream + metadata: + label: + - file + pattern: + - java\.io\.FileInputStream + - java\.io\.BufferedInputStream + type: RegexAnd + severity: info + input_case: exact +- id: '00157' + message: 'Instantiate new object using reflection, possibly used for dexClassLoader ' + metadata: + label: + - reflection + - dexClassLoader + pattern: + - java\.lang\.Class + - java\.lang\.reflect\.Constructor + - \.newInstance\( + - \.getConstructor\( + type: RegexAnd + severity: info + input_case: exact +- id: '00045' + message: Query the name of currently running application + metadata: + label: + - collection + - reflection + pattern: + - android\.app\.usage\.UsageStatsManager + - android\.app\.usage\.UsageStats + - \.getPackageName\( + - \.queryUsageStats\( + type: RegexAnd + severity: info + input_case: exact +- id: '00100' + message: Check the network capabilities + metadata: + label: + - collection + - network + pattern: + - java\.lang\.Object + - android\.net\.ConnectivityManager + - \.equals\( + - \.getNetworkCapabilities\( + type: RegexAnd + severity: info + input_case: exact +- id: 00197 + message: Set the audio encoder and initialize the recorder + metadata: + label: + - record + pattern: + - android\.media\.MediaRecorder + - \.prepare\( + - \.setAudioEncoder\( + type: RegexAnd + severity: info + input_case: exact +- id: 00178 + message: Execute Linux commands via ProcessBuilder + metadata: + label: + - command + pattern: + - java\.lang\.ProcessBuilder + - \.start\( + type: RegexAnd + severity: info + input_case: exact +- id: 00085 + message: Get the ISO country code and put it into JSON + metadata: + label: + - collection + - telephony + pattern: + - org\.json\.JSONObject + - android\.telephony\.TelephonyManager + - \.put\( + - \.getNetworkCountryIso\( + type: RegexAnd + severity: info + input_case: exact +- id: '00206' + message: Check if the text of the view contains the given string + metadata: + label: + - accessibility service + pattern: + - android\.view\.accessibility\.AccessibilityNodeInfo + - java\.lang\.String + - \.getText\( + - \.contains\( + type: RegexAnd + severity: info + input_case: exact +- id: 00139 + message: Get the current WiFi id + metadata: + label: + - collection + - wifi + pattern: + - android\.net\.wifi\.WifiInfo + - android\.content\.Context + - \.getNetworkId\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: 00093 + message: Get the content of SMS and forward it to others via SMS + metadata: + label: + - collection + - sms + - command + pattern: + - android\.telephony\.SmsMessage + - android\.telephony\.SmsManager + - \.sendTextMessage\( + - \.getMessageBody\( + type: RegexAnd + severity: info + input_case: exact +- id: '00210' + message: Copy pixels from the latest rendered image into a Bitmap + metadata: + label: + - collection + pattern: + - android\.media\.ImageReader + - android\.graphics\.Bitmap + - \.copyPixelsFromBuffer\( + - \.acquireLatestImage\( + type: RegexAnd + severity: info + input_case: exact +- id: 00181 + message: Load native libraries(.so) via System.load (60% means caught) + metadata: + label: + - so + pattern: + - java\.lang\.System + - \.load\( + type: RegexAnd + severity: info + input_case: exact +- id: '00115' + message: Get last known location of the device + metadata: + label: + - collection + - location + pattern: + - android\.location\.LocationManager + - android\.location\.Location + - \.getLastKnownLocation\( + - \.getLongitude\( + type: RegexAnd + severity: info + input_case: exact +- id: '00050' + message: Query the SMS service centre timestamp + metadata: + label: + - sms + - collection + pattern: + - android\.telephony\.SmsMessage + - \.getTimestampMillis\( + - \.createFromPdu\( + type: RegexAnd + severity: info + input_case: exact +- id: '00142' + message: Get calendar information + metadata: + label: + - collection + - calendar + pattern: + - java\.lang\.StringBuilder + - java\.util\.Calendar + - \.append\( + - \.get\( + type: RegexAnd + severity: info + input_case: exact +- id: '00007' + message: Use absolute path of directory for the output media file path + metadata: + label: + - file + pattern: + - java\.io\.File + - android\.media\.MediaRecorder + - \.setOutputFile\( + - \.getAbsolutePath\( + type: RegexAnd + severity: info + input_case: exact +- id: '00154' + message: Connect hostname to TCP or UDP socket using KryoNet + metadata: + label: + - socket + pattern: + - com\.esotericsoftware\.kryonet\.Client + - java\.net\.InetAddress + - \.connect\( + - \.getByName\( + type: RegexAnd + severity: info + input_case: exact +- id: '00011' + message: 'Query data from URI (SMS, CALLLOGS)' + metadata: + label: + - sms + - calllog + - collection + pattern: + - android\.content\.ContentResolver + - android\.net\.Uri + - \.parse\( + - \.query\( + type: RegexAnd + severity: info + input_case: exact +- id: '00103' + message: Check the active network type + metadata: + label: + - network + pattern: + - java\.lang\.Object + - android\.net\.ConnectivityManager + - \.equals\( + - \.getActiveNetworkInfo\( + type: RegexAnd + severity: info + input_case: exact +- id: '00046' + message: Method reflection + metadata: + label: + - reflection + pattern: + - java\.lang\.reflect\.Method + - java\.lang\.Class + - \.getDeclaredMethod\( + - \.invoke\( + type: RegexAnd + severity: info + input_case: exact +- id: '00031' + message: Check the list of currently running applications + metadata: + label: + - reflection + - collection + pattern: + - android\.content\.ComponentName + - android\.app\.ActivityManager + - \.getPackageName\( + - \.getRunningTasks\( + type: RegexAnd + severity: info + input_case: exact +- id: '00174' + message: Get all accounts by type and put them in a JSON object + metadata: + label: + - accounts + - collection + pattern: + - org\.json\.JSONObject + - android\.accounts\.AccountManager + - \.put\( + - \.getAccountsByType\( + type: RegexAnd + severity: info + input_case: exact +- id: '00066' + message: Query the ICCID number + metadata: + label: + - collection + pattern: + - android\.content\.Context + - android\.telephony\.TelephonyManager + - \.getSimSerialNumber\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00123' + message: Save the response to JSON after connecting to the remote server + metadata: + label: + - network + - command + pattern: + - java\.net\.HttpURLConnection + - org\.json\.JSONObject + - \.connect\( + type: RegexAnd + severity: info + input_case: exact +- id: 00089 + message: Connect to a URL and receive input stream from the server + metadata: + label: + - command + - network + pattern: + - java\.net\.HttpURLConnection + - java\.net\.URL + - \.openConnection\( + - \.getInputStream\( + type: RegexAnd + severity: info + input_case: exact +- id: '00070' + message: Get sender's address and send SMS + metadata: + label: + - collection + - command + - sms + pattern: + - android\.telephony\.SmsMessage + - android\.telephony\.SmsManager + - \.sendTextMessage\( + - \.getOriginatingAddress\( + type: RegexAnd + severity: info + input_case: exact +- id: '00135' + message: Get the current WiFi id and put it into JSON. + metadata: + label: + - wifi + - collection + pattern: + - android\.net\.wifi\.WifiInfo + - org\.json\.JSONObject + - \.getNetworkId\( + - \.put\( + type: RegexAnd + severity: info + input_case: exact +- id: '00027' + message: Get specific method from other Dex files + metadata: + label: + - reflection + pattern: + - java\.lang\.Class + - java\.lang\.ClassLoader + - \.getMethod\( + - \.loadClass\( + type: RegexAnd + severity: info + input_case: exact +- id: '00162' + message: Create InetSocketAddress object and connecting to it + metadata: + label: + - socket + pattern: + - java\.net\.Socket + - java\.net\.InetSocketAddress + - \.connect\( + type: RegexAnd + severity: info + input_case: exact +- id: 00119 + message: Write the IMEI number into a file + metadata: + label: + - collection + - file + - telephony + - command + pattern: + - java\.io\.FileOutputStream + - android\.telephony\.TelephonyManager + - \.getDeviceId\( + - \.write\( + type: RegexAnd + severity: info + input_case: exact +- id: 00158 + message: Connect to a URL and send sensitive data got from resolver + metadata: + label: + - privacy + - connection + pattern: + - java\.net\.HttpURLConnection + - android\.content\.ContentResolver + - \.query\( + - \.getOutputStream\( + type: RegexAnd + severity: info + input_case: exact +- id: 00159 + message: Use accessibility service to perform action getting node info by text + metadata: + label: + - accessibility service + pattern: + - android\.view\.accessibility\.AccessibilityNodeInfo + - \.findAccessibilityNodeInfosByText\( + - \.performAction\( + type: RegexAnd + severity: info + input_case: exact +- id: 00118 + message: Check if the content of SMS contains given string + metadata: + label: + - sms + - collection + pattern: + - android\.telephony\.SmsMessage + - java\.lang\.String + - \.getMessageBody\( + - \.contains\( + type: RegexAnd + severity: info + input_case: exact +- id: '00026' + message: Method reflection + metadata: + label: + - reflection + pattern: + - java\.lang\.reflect\.Method + - java\.lang\.Class + - \.getMethod\( + - \.invoke\( + type: RegexAnd + severity: info + input_case: exact +- id: '00163' + message: Create new Socket and connecting to it + metadata: + label: + - socket + pattern: + - java\.net\.Socket + - \.connect\( + type: RegexAnd + severity: info + input_case: exact +- id: '00071' + message: Write the ISO country code of the current network operator into a file + metadata: + label: + - collection + - command + - network + - file + pattern: + - java\.io\.FileOutputStream + - android\.telephony\.TelephonyManager + - \.getNetworkCountryIso\( + - \.write\( + type: RegexAnd + severity: info + input_case: exact +- id: '00134' + message: Get the current WiFi IP address + metadata: + label: + - wifi + - collection + pattern: + - android\.net\.wifi\.WifiInfo + - android\.content\.Context + - \.getIpAddress\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00067' + message: Query the IMSI number + metadata: + label: + - collection + pattern: + - android\.content\.Context + - android\.telephony\.TelephonyManager + - \.getSubscriberId\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00122' + message: Check if the sender address of SMS contains the given string + metadata: + label: + - sms + - collection + pattern: + - android\.telephony\.SmsMessage + - java\.lang\.String + - \.getOriginatingAddress\( + - \.contains\( + type: RegexAnd + severity: info + input_case: exact +- id: 00088 + message: Create a secure socket connection to the given host address + metadata: + label: + - command + - network + pattern: + - javax\.net\.ssl\.SSLSocketFactory + - java\.net\.InetAddress + - \.getHostAddress\( + - \.createSocket\( + type: RegexAnd + severity: info + input_case: exact +- id: '00030' + message: Connect to the remote server through the given URL + metadata: + label: + - network + pattern: + - java\.net\.HttpURLConnection + - java\.net\.URL + - \.openConnection\( + - \.connect\( + type: RegexAnd + severity: info + input_case: exact +- id: '00175' + message: 'Get notification manager and cancel notifications ' + metadata: + label: + - notification + pattern: + - android\.app\.NotificationManager + - android\.content\.Context + - \.cancelAll\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00102' + message: Set the phone speaker on + metadata: + label: + - command + pattern: + - android\.media\.AudioManager + - android\.content\.Context + - \.setSpeakerphoneOn\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00047' + message: Query the local IP address + metadata: + label: + - network + - collection + pattern: + - java\.net\.Socket + - java\.net\.InetAddress + - \.getHostAddress\( + - \.getLocalAddress\( + type: RegexAnd + severity: info + input_case: exact +- id: '00155' + message: Execute commands on shell using DataOutputStream object + metadata: + label: + - exec + - command + pattern: + - java\.io\.DataOutputStream + - java\.lang\.Runtime + - \.writeBytes\( + - \.exec\( + type: RegexAnd + severity: info + input_case: exact +- id: '00010' + message: 'Read sensitive data(SMS, CALLLOG) and put it into JSON object' + metadata: + label: + - sms + - calllog + - collection + pattern: + - android\.content\.ContentResolver + - org\.json\.JSONObject + - \.put\( + - \.query\( + type: RegexAnd + severity: info + input_case: exact +- id: '00143' + message: Get external class from given path or file name + metadata: + label: + - reflection + pattern: + - android\.app\.Service + - java\.lang\.StringBuilder + - \.getClassLoader\( + - \.toString\( + type: RegexAnd + severity: info + input_case: exact +- id: '00006' + message: Scheduling recording task + metadata: + label: + - record + pattern: + - java\.util\.Timer + - android\.media\.MediaRecorder + type: RegexAnd + severity: info + input_case: exact +- id: '00114' + message: Create a secure socket connection to the proxy address + metadata: + label: + - network + - command + pattern: + - javax\.net\.ssl\.SSLSocketFactory + - java\.net\.Proxy + - \.address\( + - \.createSocket\( + type: RegexAnd + severity: info + input_case: exact +- id: '00051' + message: 'Implicit intent(view a web page, make a phone call, etc.) via setData' + metadata: + label: + - control + pattern: + - android\.content\.Intent + - android\.net\.Uri + - \.parse\( + - \.setData\( + type: RegexAnd + severity: info + input_case: exact +- id: 00180 + message: Load native libraries(.so) via System.loadLibrary (60% means caught) + metadata: + label: + - so + pattern: + - java\.lang\.System + - \.loadLibrary\( + type: RegexAnd + severity: info + input_case: exact +- id: '00211' + message: Open an URL in Wevbiew + metadata: + label: + - http + pattern: + - com\.google\.youngandroid\.runtime + - gnu\.lists\.LList + - \.callComponentMethod\( + - \.list1\( + type: RegexAnd + severity: info + input_case: exact +- id: 00138 + message: Set the audio source (MIC) + metadata: + label: + - record + pattern: + - android\.os\.Bundle + - android\.media\.MediaRecorder + - \.getString\( + - \.setAudioSource\( + type: RegexAnd + severity: info + input_case: exact +- id: 00092 + message: Send broadcast + metadata: + label: + - command + pattern: + - android\.app\.Activity + - android\.content\.Context + - \.sendBroadcast\( + - \.getApplicationContext\( + type: RegexAnd + severity: info + input_case: exact +- id: '00207' + message: Check if the resource name of the view contains the given string + metadata: + label: + - accessibility service + pattern: + - android\.view\.accessibility\.AccessibilityNodeInfo + - java\.lang\.String + - \.contains\( + - \.getViewIdResourceName\( + type: RegexAnd + severity: info + input_case: exact +- id: 00084 + message: Get the ISO country code and IMSI + metadata: + label: + - collection + - telephony + pattern: + - android\.telephony\.TelephonyManager + - \.getNetworkCountryIso\( + - \.getSubscriberId\( + type: RegexAnd + severity: info + input_case: exact +- id: 00196 + message: Set the recorded file format and output path + metadata: + label: + - record + - file + pattern: + - android\.media\.MediaRecorder + - \.setOutputFile\( + - \.setOutputFormat\( + type: RegexAnd + severity: info + input_case: exact +- id: 00179 + message: Send Location via SMS + metadata: + label: + - location + - collection + pattern: + - Landroid/telephony/TelephonyManager + - Landroid/telephony/SmsManager + - \.sendTextMessage\( + - \.getCellLocation\( + type: RegexAnd + severity: info + input_case: exact +- id: '00037' + message: Send notification + metadata: + label: + - control + pattern: + - android\.app\.Notification$Builder + - android\.app\.NotificationManager + - \.notify\( + - \.build\( + type: RegexAnd + severity: info + input_case: exact +- id: '00172' + message: Check Admin permissions to (probably) get them + metadata: + label: + - admin + pattern: + - android\.app\.admin\.DevicePolicyManager + - android\.content\.Context + - \.isAdminActive\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00060' + message: Query the network operator name + metadata: + label: + - network + - collection + pattern: + - java\.lang\.Integer + - android\.telephony\.TelephonyManager + - \.getNetworkOperatorName\( + - \.valueOf\( + type: RegexAnd + severity: info + input_case: exact +- id: '00125' + message: Check if the given file path exist + metadata: + label: + - file + pattern: + - java\.io\.File + - android\.os\.Bundle + - \.getString\( + - \.exists\( + type: RegexAnd + severity: info + input_case: exact +- id: '00076' + message: Get the current WiFi information and put it into JSON + metadata: + label: + - collection + - wifi + pattern: + - android\.net\.wifi\.WifiManager + - org\.json\.JSONObject + - \.put\( + - \.getConnectionInfo\( + type: RegexAnd + severity: info + input_case: exact +- id: 00099 + message: Get location of the current GSM and put it into JSON + metadata: + label: + - collection + - location + pattern: + - android\.telephony\.gsm\.GsmCellLocation + - org\.json\.JSONObject + - \.getCid\( + - \.put\( + type: RegexAnd + severity: info + input_case: exact +- id: '00133' + message: Start recording + metadata: + label: + - record + - command + pattern: + - android\.os\.Bundle + - android\.media\.MediaRecorder + - \.getString\( + - \.start\( + type: RegexAnd + severity: info + input_case: exact +- id: '00021' + message: Load additional DEX files dynamically + metadata: + label: + - reflection + pattern: + - java\.lang\.ClassLoader + - java\.io\.File + - \.getAbsolutePath\( + - \.loadClass\( + type: RegexAnd + severity: info + input_case: exact +- id: '00164' + message: Get SMS address and send it through http + metadata: + label: + - sms + - http + pattern: + - java\.net\.HttpURLConnection + - android\.telephony\.SmsMessage + - \.getOriginatingAddress\( + - \.getOutputStream\( + type: RegexAnd + severity: info + input_case: exact +- id: 00148 + message: Create a socket connection to the given host address + metadata: + label: + - network + - command + pattern: + - javax\.net\.SocketFactory + - java\.net\.InetAddress + - \.getHostAddress\( + - \.createSocket\( + type: RegexAnd + severity: info + input_case: exact +- id: 00109 + message: Connect to a URL and get the response code + metadata: + label: + - network + - command + pattern: + - java\.net\.HttpURLConnection + - java\.net\.URL + - \.openConnection\( + - \.getResponseCode\( + type: RegexAnd + severity: info + input_case: exact +- id: 00191 + message: Get messages in the SMS inbox + metadata: + label: + - sms + pattern: + - android\.database\.Cursor + - android\.net\.Uri + - \.parse\( + - \.getColumnIndex\( + type: RegexAnd + severity: info + input_case: exact +- id: 00083 + message: Query the IMEI number + metadata: + label: + - collection + - telephony + pattern: + - android\.app\.Activity + - android\.telephony\.TelephonyManager + - \.getDeviceId\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: 00129 + message: Get the content of SMS + metadata: + label: + - sms + - collection + pattern: + - android\.telephony\.SmsMessage + - java\.lang\.String + - \.getMessageBody\( + - \.toString\( + type: RegexAnd + severity: info + input_case: exact +- id: '00200' + message: Query data from the contact list + metadata: + label: + - collection + - contact + pattern: + - android\.content\.ContentResolver + - android\.database\.Cursor + - \.query\( + - \.getColumnIndex\( + type: RegexAnd + severity: info + input_case: exact +- id: 00095 + message: Write the ICCID of device into a file + metadata: + label: + - collection + - telephony + pattern: + - java\.io\.FileOutputStream + - android\.telephony\.SubscriptionInfo + - \.getIccId\( + - \.write\( + type: RegexAnd + severity: info + input_case: exact +- id: 00187 + message: Query a URI and check the result + metadata: + label: + - collection + - sms + - calllog + - calendar + pattern: + - android\.content\.ContentResolver + - android\.database\.Cursor + - \.query\( + - \.moveToNext\( + type: RegexAnd + severity: info + input_case: exact +- id: 00168 + message: Use accessibility service to perform global action getting node info by text + metadata: + label: + - accessibility service + pattern: + - android\.view\.accessibility\.AccessibilityNodeInfo + - android\.accessibilityservice\.AccessibilityService + - \.findAccessibilityNodeInfosByText\( + - \.performGlobalAction\( + type: RegexAnd + severity: info + input_case: exact +- id: '00113' + message: Get location and put it into JSON + metadata: + label: + - collection + - location + pattern: + - android\.location\.LocationManager + - org\.json\.JSONObject + - \.getLastKnownLocation\( + - \.put\( + type: RegexAnd + severity: info + input_case: exact +- id: '00056' + message: Modify voice volume + metadata: + label: + - control + pattern: + - android\.media\.AudioManager + - \.getStreamMaxVolume\( + - \.setStreamVolume\( + type: RegexAnd + severity: info + input_case: exact +- id: '00144' + message: Write SIM card serial number into a file + metadata: + label: + - collection + - telephony + - file + - command + pattern: + - java\.io\.FileOutputStream + - android\.telephony\.TelephonyManager + - \.write\( + - \.getSimSerialNumber\( + type: RegexAnd + severity: info + input_case: exact +- id: '00001' + message: Initialize bitmap object and compress data (e.g. JPEG) into bitmap object + metadata: + label: + - camera + pattern: + - android\.graphics\.BitmapFactory + - android\.graphics\.Bitmap + - \.decodeByteArray\( + - \.compress\( + type: RegexAnd + severity: info + input_case: exact +- id: '00152' + message: Get data from HTTP and send SMS + metadata: + label: + - command + - sms + pattern: + - android\.telephony\.SmsManager + - java\.net\.URL + - \.openConnection\( + - \.sendTextMessage\( + type: RegexAnd + severity: info + input_case: exact +- id: '00017' + message: Get Location of the device and append this info to a string + metadata: + label: + - location + - collection + pattern: + - android\.location\.Location + - java\.lang\.StringBuilder + - \.append\( + - \.getLatitude\( + type: RegexAnd + severity: info + input_case: exact +- id: '00105' + message: Append the sender's address to the string + metadata: + label: + - collection + - sms + pattern: + - android\.telephony\.SmsMessage + - java\.lang\.StringBuilder + - \.append\( + - \.getOriginatingAddress\( + type: RegexAnd + severity: info + input_case: exact +- id: '00040' + message: Send SMS + metadata: + label: + - sms + pattern: + - android\.telephony\.SmsManager + - \.divideMessage\( + - \.sendMultipartTextMessage\( + type: RegexAnd + severity: info + input_case: exact +- id: '00104' + message: Check if the given path is directory + metadata: + label: + - file + pattern: + - java\.io\.File + - android\.os\.Bundle + - \.getString\( + - \.isDirectory\( + type: RegexAnd + severity: info + input_case: exact +- id: '00041' + message: Save recorded audio/video to file + metadata: + label: + - record + pattern: + - java\.io\.File + - android\.media\.MediaRecorder + - \.setOutputFile\( + - \.toString\( + type: RegexAnd + severity: info + input_case: exact +- id: '00153' + message: Send binary data over HTTP + metadata: + label: + - http + pattern: + - java\.net\.HttpURLConnection + - java\.io\.DataOutputStream + - \.write\( + - \.getOutputStream\( + type: RegexAnd + severity: info + input_case: exact +- id: '00016' + message: Get location info of the device and put it to JSON object + metadata: + label: + - location + - collection + pattern: + - android\.location\.Location + - org\.json\.JSONObject + - \.getLongitude\( + - \.put\( + type: RegexAnd + severity: info + input_case: exact +- id: '00145' + message: Create a socket connection to the proxy address + metadata: + label: + - network + - command + pattern: + - java\.net\.Proxy + - javax\.net\.SocketFactory + - \.address\( + - \.createSocket\( + type: RegexAnd + severity: info + input_case: exact +- id: '00112' + message: Get the date of the calendar event + metadata: + label: + - collection + - calendar + pattern: + - java\.util\.Date + - java\.util\.Calendar + - \.toString\( + - \.getTimeInMillis\( + type: RegexAnd + severity: info + input_case: exact +- id: '00057' + message: Return the DHCP-assigned addresses from the last successful DHCP request + metadata: + label: + - network + - collection + pattern: + - android\.net\.wifi\.WifiManager + - java\.lang\.StringBuilder + - \.getDhcpInfo\( + - \.toString\( + type: RegexAnd + severity: info + input_case: exact +- id: 00186 + message: Control camera to take picture + metadata: + label: + - camera + pattern: + - java\.lang\.Object + - android\.hardware\.Camera + - \.takePicture\( + type: RegexAnd + severity: info + input_case: exact +- id: 00169 + message: >- + Use accessibility service to perform global action getting node info by View + Id + metadata: + label: + - accessibility service + pattern: + - android\.view\.accessibility\.AccessibilityNodeInfo + - android\.accessibilityservice\.AccessibilityService + - \.findAccessibilityNodeInfosByViewId\( + - \.performGlobalAction\( + type: RegexAnd + severity: info + input_case: exact +- id: 00094 + message: Connect to a URL and read data from it + metadata: + label: + - command + - network + pattern: + - java\.io\.InputStream + - java\.net\.URL + - \.openConnection\( + - \.read\( + type: RegexAnd + severity: info + input_case: exact +- id: '00201' + message: Query data from the call log + metadata: + label: + - collection + - calllog + pattern: + - android\.content\.ContentResolver + - android\.database\.Cursor + - \.query\( + - \.getColumnIndex\( + type: RegexAnd + severity: info + input_case: exact +- id: 00082 + message: Get the current WiFi MAC address + metadata: + label: + - collection + - wifi + pattern: + - android\.net\.wifi\.WifiInfo + - android\.content\.Context + - \.getMacAddress\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: 00128 + message: Query user account information + metadata: + label: + - collection + - account + pattern: + - android\.accounts\.AccountManager + - \.getAccounts\( + - \.get\( + type: RegexAnd + severity: info + input_case: exact +- id: 00190 + message: Query a URI and append the result into a string + metadata: + label: + - collection + - sms + - calllog + - calendar + pattern: + - android\.content\.ContentResolver + - java\.lang\.StringBuilder + - \.append\( + - \.query\( + type: RegexAnd + severity: info + input_case: exact +- id: 00108 + message: Read the input stream from given URL + metadata: + label: + - network + - command + pattern: + - java\.net\.HttpURLConnection + - java\.io\.InputStream + - \.getInputStream\( + - \.read\( + type: RegexAnd + severity: info + input_case: exact +- id: 00149 + message: 'Unpack an asset, possibly decrypt it and load it as DEX' + metadata: + label: + - packer + pattern: + - android/content/res/Resources; + - dalvik\.system\.DexClassLoader + - \.getAssets\( + type: RegexAnd + severity: info + input_case: exact +- id: '00020' + message: Get absolute path of the file and store in string + metadata: + label: + - file + pattern: + - java\.io\.File + - java\.lang\.StringBuilder + - \.getAbsolutePath\( + - \.toString\( + type: RegexAnd + severity: info + input_case: exact +- id: '00165' + message: Get SMS message body and send it through http + metadata: + label: + - sms + - http + pattern: + - java\.net\.HttpURLConnection + - android\.telephony\.SmsMessage + - \.getMessageBody\( + - \.getOutputStream\( + type: RegexAnd + severity: info + input_case: exact +- id: '00077' + message: 'Read sensitive data(SMS, CALLLOG, etc)' + metadata: + label: + - collection + - sms + - calllog + - calendar + pattern: + - android\.content\.ContentResolver + - android\.content\.Context + - \.query\( + - \.getContentResolver\( + type: RegexAnd + severity: info + input_case: exact +- id: 00098 + message: Check if the network is connected + metadata: + label: + - network + pattern: + - java\.lang\.Object + - android\.net\.NetworkInfo + - \.isConnected\( + - \.equals\( + type: RegexAnd + severity: info + input_case: exact +- id: '00132' + message: Query The ISO country code + metadata: + label: + - telephony + - collection + pattern: + - android\.content\.Context + - android\.telephony\.TelephonyManager + - \.getNetworkCountryIso\( + - \.getSystemService\( + type: RegexAnd + severity: info + input_case: exact +- id: '00061' + message: Return dynamic information about the current Wi-Fi connection + metadata: + label: + - wifi + - collection + pattern: + - java\.lang\.Integer + - android\.net\.wifi\.WifiManager + - \.valueOf\( + - \.getConnectionInfo\( + type: RegexAnd + severity: info + input_case: exact +- id: '00124' + message: Check the current active network type + metadata: + label: + - network + pattern: + - java\.lang\.Object + - android\.net\.ConnectivityManager + - \.equals\( + - \.getActiveNetwork\( + type: RegexAnd + severity: info + input_case: exact +- id: '00036' + message: Get resource file from res/raw directory + metadata: + label: + - reflection + pattern: + - android\.net\.Uri + - android\.content\.Context + - \.parse\( + - \.getPackageName\( + type: RegexAnd + severity: info + input_case: exact +- id: '00173' + message: Get bounds in screen of an AccessibilityNodeInfo and perform action + metadata: + label: + - accessibility service + pattern: + - android\.view\.accessibility\.AccessibilityNodeInfo + - \.performAction\( + - \.getBoundsInScreen\( + type: RegexAnd + severity: info + input_case: exact diff --git a/mobsf/StaticAnalyzer/views/android/code_analysis.py b/mobsf/StaticAnalyzer/views/android/code_analysis.py index 6a2edd1c78..f8e662d0c2 100755 --- a/mobsf/StaticAnalyzer/views/android/code_analysis.py +++ b/mobsf/StaticAnalyzer/views/android/code_analysis.py @@ -147,7 +147,7 @@ def code_analysis(checksum, app_dir, typ, manifest_file, android_permissions): url_list.extend(urls) url_n_file.extend(urls_nf) email_n_file.extend(emails_nf) - msg = 'Finished Code Analysis, Email and URL Extraction' + msg = 'Email and URL Extraction Completed' logger.info(msg) append_scan_status(checksum, msg) code_an_dic = { diff --git a/mobsf/StaticAnalyzer/views/android/db_interaction.py b/mobsf/StaticAnalyzer/views/android/db_interaction.py index c4f44d9456..2d4a7f8767 100755 --- a/mobsf/StaticAnalyzer/views/android/db_interaction.py +++ b/mobsf/StaticAnalyzer/views/android/db_interaction.py @@ -83,7 +83,7 @@ def get_context_from_db_entry(db_entry: QuerySet) -> dict: 'files': python_list(db_entry[0].FILES), 'exported_count': python_dict(db_entry[0].EXPORTED_COUNT), 'apkid': python_dict(db_entry[0].APKID), - 'quark': python_list(db_entry[0].QUARK), + 'behaviour': python_dict(db_entry[0].QUARK), 'trackers': python_dict(db_entry[0].TRACKERS), 'playstore_details': python_dict(db_entry[0].PLAYSTORE_DETAILS), 'secrets': python_list(db_entry[0].SECRETS), @@ -102,7 +102,7 @@ def get_context_from_analysis(app_dic, cert_dic, bin_anal, apk_id, - quark_report, + behaviour_an, trackers) -> dict: """Get the context for APK/ZIP from analysis results.""" try: @@ -157,7 +157,7 @@ def get_context_from_analysis(app_dic, 'files': app_dic['files'], 'exported_count': man_an_dic['exported_cnt'], 'apkid': apk_id, - 'quark': quark_report, + 'behaviour': behaviour_an, 'trackers': trackers, 'playstore_details': app_dic['playstore'], 'secrets': code_an_dic['secrets'], @@ -178,7 +178,7 @@ def save_or_update(update_type, cert_dic, bin_anal, apk_id, - quark_report, + behaviour_an, trackers) -> None: """Save/Update an APK/ZIP DB entry.""" try: @@ -223,7 +223,7 @@ def save_or_update(update_type, 'FILES': app_dic['files'], 'EXPORTED_COUNT': man_an_dic['exported_cnt'], 'APKID': apk_id, - 'QUARK': quark_report, + 'QUARK': behaviour_an, 'TRACKERS': trackers, 'PLAYSTORE_DETAILS': app_dic['playstore'], 'NETWORK_SECURITY': man_an_dic['network_security'], @@ -255,7 +255,7 @@ def save_or_update(update_type, append_scan_status(app_dic['md5'], msg, repr(exp)) -def save_get_ctx(app, man, m_anal, code, cert, elf, apkid, quark, trk, rscn): +def save_get_ctx(app, man, m_anal, code, cert, elf, apkid, behaviour, trk, rscn): # SAVE TO DB if rscn: msg = 'Updating Database...' @@ -277,7 +277,7 @@ def save_get_ctx(app, man, m_anal, code, cert, elf, apkid, quark, trk, rscn): cert, elf, apkid, - quark, + behaviour, trk, ) return get_context_from_analysis( @@ -288,6 +288,6 @@ def save_get_ctx(app, man, m_anal, code, cert, elf, apkid, quark, trk, rscn): cert, elf, apkid, - quark, + behaviour, trk, ) diff --git a/mobsf/StaticAnalyzer/views/android/jar_aar.py b/mobsf/StaticAnalyzer/views/android/jar_aar.py index 3dbe441268..e2c7d84abf 100644 --- a/mobsf/StaticAnalyzer/views/android/jar_aar.py +++ b/mobsf/StaticAnalyzer/views/android/jar_aar.py @@ -7,7 +7,10 @@ import mobsf.MalwareAnalyzer.views.Trackers as Trackers import mobsf.MalwareAnalyzer.views.VirusTotal as VirusTotal -from mobsf.MalwareAnalyzer.views.android import permissions +from mobsf.MalwareAnalyzer.views.android import ( + behaviour_analysis, + permissions, +) from mobsf.MobSF.utils import ( append_scan_status, file_size, @@ -61,6 +64,7 @@ has_permission, ) +APK_TYPE = 'apk' logger = logging.getLogger(__name__) @@ -197,21 +201,24 @@ def common_analysis(request, app_dic, rescan, api, analysis_type): code_an_dic = code_analysis( checksum, app_dic['app_dir'], - 'apk', + APK_TYPE, app_dic['manifest_file'], man_data_dic['perm']) obfuscated_check( checksum, app_dic['app_dir'], code_an_dic) - quark_results = [] + behaviour_an = behaviour_analysis.analyze( + checksum, + app_dic['app_dir'], + APK_TYPE) # Get the strings and metadata get_strings_metadata( checksum, apk, app_dic['app_dir'], elf_dict['elf_strings'], - 'apk', + APK_TYPE, ['.java'], code_an_dic) # Firebase DB Check @@ -232,7 +239,7 @@ def common_analysis(request, app_dic, rescan, api, analysis_type): cert_dic, elf_dict['elf_analysis'], {}, - quark_results, + behaviour_an, tracker_res, rescan, ) diff --git a/mobsf/StaticAnalyzer/views/android/so.py b/mobsf/StaticAnalyzer/views/android/so.py index 186eff328d..072ce83280 100644 --- a/mobsf/StaticAnalyzer/views/android/so.py +++ b/mobsf/StaticAnalyzer/views/android/so.py @@ -123,7 +123,7 @@ def so_analysis(request, app_dic, rescan, api): 'urls': [], 'emails': [], } - quark_results = [] + behaviour_an = [] # Get the strings and metadata from shared object get_strings_metadata( checksum, @@ -157,7 +157,7 @@ def so_analysis(request, app_dic, rescan, api): cert_dic, elf_dict['elf_analysis'], apkid_results, - quark_results, + behaviour_an, trackers, rescan, ) diff --git a/mobsf/StaticAnalyzer/views/android/static_analyzer.py b/mobsf/StaticAnalyzer/views/android/static_analyzer.py index 8626c798f4..91300c5712 100755 --- a/mobsf/StaticAnalyzer/views/android/static_analyzer.py +++ b/mobsf/StaticAnalyzer/views/android/static_analyzer.py @@ -10,8 +10,8 @@ import mobsf.MalwareAnalyzer.views.VirusTotal as VirusTotal from mobsf.MalwareAnalyzer.views.android import ( apkid, + behaviour_analysis, permissions, - quark, ) from mobsf.MalwareAnalyzer.views.MalwareDomainCheck import MalwareDomainCheck @@ -102,7 +102,7 @@ has_permission, ) - +APK_TYPE = 'apk' logger = logging.getLogger(__name__) register.filter('key', key) register.filter('android_component', android_component) @@ -159,18 +159,18 @@ def static_analyzer(request, checksum, api=False): # Base APK will have the MD5 of XAPK if not handle_xapk(app_dic): raise Exception('Invalid XAPK File') - typ = 'apk' + typ = APK_TYPE elif typ == 'apks': # Handle Split APK if not handle_split_apk(app_dic): raise Exception('Invalid Split APK File') - typ = 'apk' + typ = APK_TYPE elif typ == 'aab': # Convert AAB to APK if not handle_aab(app_dic): raise Exception('Invalid AAB File') - typ = 'apk' - if typ == 'apk': + typ = APK_TYPE + if typ == APK_TYPE: app_dic['app_file'] = f'{checksum}.apk' app_dic['app_path'] = ( app_dic['app_dir'] / app_dic['app_file']).as_posix() @@ -218,7 +218,7 @@ def static_analyzer(request, checksum, api=False): app_dic['app_path'], app_dic['app_dir'], app_dic['tools_dir'], - 'apk', + APK_TYPE, ) app_dic['manifest_file'] = mani_file app_dic['parsed_xml'] = mani_xml @@ -296,20 +296,20 @@ def static_analyzer(request, checksum, api=False): code_an_dic = code_analysis( checksum, app_dic['app_dir'], - 'apk', + APK_TYPE, app_dic['manifest_file'], man_data_dic['perm']) - quark_results = quark.quark_analysis( + behaviour_an = behaviour_analysis.analyze( checksum, app_dic['app_dir'], - app_dic['app_path']) + APK_TYPE) # Get the strings and metadata get_strings_metadata( checksum, apk, app_dic['app_dir'], elf_dict['elf_strings'], - 'apk', + APK_TYPE, ['.java'], code_an_dic) # Firebase DB Check @@ -321,7 +321,7 @@ def static_analyzer(request, checksum, api=False): checksum, code_an_dic['urls_list']) - app_dic['zipped'] = 'apk' + app_dic['zipped'] = APK_TYPE context = save_get_ctx( app_dic, man_data_dic, @@ -330,7 +330,7 @@ def static_analyzer(request, checksum, api=False): cert_dic, elf_dict['elf_analysis'], apkid_results, - quark_results, + behaviour_an, tracker_res, rescan, ) @@ -482,6 +482,10 @@ def static_analyzer(request, checksum, api=False): pro_type, app_dic['manifest_file'], man_data_dic['perm']) + behaviour_an = behaviour_analysis.analyze( + checksum, + app_dic['app_dir'], + pro_type) # Get the strings and metadata get_strings_metadata( checksum, @@ -514,7 +518,7 @@ def static_analyzer(request, checksum, api=False): cert_dic, [], {}, - [], + behaviour_an, trackers, rescan, ) diff --git a/mobsf/templates/pdf/android_report.html b/mobsf/templates/pdf/android_report.html index 5a57e9d189..cfc2b4638e 100755 --- a/mobsf/templates/pdf/android_report.html +++ b/mobsf/templates/pdf/android_report.html @@ -718,36 +718,42 @@

NIAP ANALYSIS v1.3

{% endfor %} - + {% endif %} - + + {% if behaviour %} +

BEHAVIOUR ANALYSIS

+ + + + + + + + + + + {% for rule, details in behaviour.items %} + + + + + + + {% endfor %} + +
RULE IDBEHAVIOURLABELFILES
{{ rule }} + {{ details.metadata.description }} + {% for lbl in details.metadata.label %} + {{ lbl }} + {% endfor %} + + {% for file_path in details.files %} + {{ file_path }} +
+ {% endfor %} +
+ {% endif %} {% if firebase_urls %}

FIREBASE DATABASES ANALYSIS

diff --git a/mobsf/templates/static_analysis/android_binary_analysis.html b/mobsf/templates/static_analysis/android_binary_analysis.html index 80b4368f24..04b2f1d0d7 100755 --- a/mobsf/templates/static_analysis/android_binary_analysis.html +++ b/mobsf/templates/static_analysis/android_binary_analysis.html @@ -192,9 +192,9 @@ {% endif %} @@ -1702,7 +1702,7 @@
{{ code_analysis.summary.suppressed }}
- +
@@ -1710,34 +1710,56 @@
{{ code_analysis.summary.suppressed }}

- QUARK ANALYSIS + BEHAVIOUR ANALYSIS

- - - - - - - - - {% if quark %} - {% for item in quark %} - - - - - {% endfor%} - {% endif %} - - -
POTENTIAL MALICIOUS BEHAVIOUREVIDENCE
{{ item.crime }} - {% for api in item.register %} - {{api.file}} -> {{api.method}} -
- {% endfor %} -
+ + + + + + + + + + + {% for rule, details in behaviour.items %} + + + + + + + {% endfor %} + +
RULE IDBEHAVIOURLABELFILES
{{ rule }} + {{ details.metadata.description }} + {% for lbl in details.metadata.label %} + {{ lbl }} + {% endfor %} + + {% if details.files|length < 4 %} + {% for file_path, lines in details.files.items %} + + {{ file_path }} + +
+ {% endfor %} + {% else %} + +
+ {% for file_path, lines in details.files.items %} + + {{ file_path }} + +
+ {% endfor %} +
+ {% endif %} +
@@ -1746,7 +1768,7 @@
{{ code_analysis.summary.suppressed }}
- + {% endif %} {% if virus_total %} diff --git a/mobsf/templates/static_analysis/android_source_analysis.html b/mobsf/templates/static_analysis/android_source_analysis.html index 364f477859..7defa69a18 100755 --- a/mobsf/templates/static_analysis/android_source_analysis.html +++ b/mobsf/templates/static_analysis/android_source_analysis.html @@ -136,6 +136,12 @@