Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
T1003 on the official MITRE ATT&CK siteT1036 on the official MITRE ATT&CK siteT1056 on the official MITRE ATT&CK siteT1059 on the official MITRE ATT&CK siteT1078 on the official MITRE ATT&CK siteT1412 on the official MITRE ATT&CK siteT1437 on the official MITRE ATT&CK siteT1437.001 on the official MITRE ATT&CK siteT1444 on the official MITRE ATT&CK siteT1471 on the official MITRE ATT&CK site
When to Use
Use this skill when:
- Analyzing suspicious mobile applications submitted by users or discovered during incident response
- Monitoring enterprise mobile fleet for malicious app indicators
- Performing malware triage on APK/IPA samples
- Investigating data exfiltration or unauthorized device access from mobile apps
Do not use this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.
Prerequisites
- Isolated analysis environment (dedicated device or emulator, not connected to production networks)
- MobSF for automated static+dynamic analysis
- Frida/Objection for runtime behavior monitoring
- Wireshark/tcpdump for network traffic capture
- Android emulator (AVD) or Genymotion for safe execution
- VirusTotal API key for hash lookups
Workflow
Step 1: Static Indicator Analysis
# Hash the sample
sha256sum suspicious.apk
# Check VirusTotal
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
-H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'
# Extract permissions from AndroidManifest.xml
aapt dump permissions suspicious.apk
# High-risk permission combinations:
# READ_SMS + INTERNET = SMS stealer
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
# CAMERA + RECORD_AUDIO + INTERNET = spyware
# DEVICE_ADMIN + INTERNET = ransomware capability
# READ_CONTACTS + INTERNET = contact exfiltrationStep 2: MobSF Automated Malware Scan
# Upload to MobSF
curl -F "file=@suspicious.apk" http://localhost:8000/api/v1/upload \
-H "Authorization: <API_KEY>"
# Review malware indicators in report:
# - Hardcoded C2 server addresses
# - Dynamic code loading (DexClassLoader)
# - Reflection-based API calls (to evade static analysis)
# - Encrypted/obfuscated payloads
# - Root detection (malware often checks for root)
# - Anti-emulator checks (malware evades sandbox)Step 3: Network Behavior Monitoring
# Start packet capture on emulator
tcpdump -i any -w malware_traffic.pcap
# Or use mitmproxy for HTTP/HTTPS
mitmproxy --mode transparent
# Monitor for:
# - DNS lookups to suspicious/newly registered domains
# - Connections to known C2 infrastructure
# - Data exfiltration patterns (large POST requests)
# - Beaconing behavior (regular interval connections)
# - Non-standard ports and protocols
# - Domain Generation Algorithm (DGA) patternsStep 4: Runtime Behavior Monitoring with Frida
// monitor_malware.js - Comprehensive behavior monitoring
Java.perform(function() {
// Monitor SMS access
var SmsManager = Java.use("android.telephony.SmsManager");
SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String",
"java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent")
.implementation = function(dest, sc, text, sent, delivery) {
console.log("[SMS] Sending to: " + dest + " Text: " + text);
// Allow or block based on analysis needs
return this.sendTextMessage(dest, sc, text, sent, delivery);
};
// Monitor file operations
var FileOutputStream = Java.use("java.io.FileOutputStream");
FileOutputStream.$init.overload("java.lang.String").implementation = function(path) {
console.log("[FILE-WRITE] " + path);
return this.$init(path);
};
// Monitor network connections
var URL = Java.use("java.net.URL");
URL.openConnection.overload().implementation = function() {
console.log("[NET] " + this.toString());
return this.openConnection();
};
// Monitor dynamic code loading
var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
console.log("[DEX-LOAD] Loading: " + dexPath);
return this.$init(dexPath, optDir, libPath, parent);
};
// Monitor command execution
var Runtime = Java.use("java.lang.Runtime");
Runtime.exec.overload("java.lang.String").implementation = function(cmd) {
console.log("[EXEC] " + cmd);
return this.exec(cmd);
};
// Monitor camera/audio access
var Camera = Java.use("android.hardware.Camera");
Camera.open.overload("int").implementation = function(id) {
console.log("[CAMERA] Camera opened: " + id);
return this.open(id);
};
// Monitor content provider access (contacts, call log)
var ContentResolver = Java.use("android.content.ContentResolver");
ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;",
"java.lang.String", "[Ljava.lang.String;", "java.lang.String")
.implementation = function(uri, proj, sel, selArgs, sort) {
console.log("[QUERY] " + uri.toString());
return this.query(uri, proj, sel, selArgs, sort);
};
console.log("[*] Malware behavior monitor active");
});Step 5: Classify Malware Type
Based on observed behaviors, classify the sample:
| Behavior Pattern | Malware Type |
|---|---|
| SMS interception + C2 communication | Banking Trojan |
| Camera/mic access + data upload | Spyware/Stalkerware |
| File encryption + ransom note display | Mobile Ransomware |
| Ad injection + click fraud traffic | Adware |
| Root exploit + persistence | Rootkit |
| Contact harvesting + SMS spam | Worm/SMS Spammer |
| Overlay attacks + credential capture | Credential Stealer |
| Crypto mining network activity | Cryptojacker |
Key Concepts
| Term | Definition |
|---|---|
| Dynamic Code Loading | Loading executable code at runtime from external sources, commonly used by malware to evade static analysis |
| C2 Beacon | Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns |
| DGA | Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure |
| Overlay Attack | Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission |
| Anti-Emulator | Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior |
Tools & Systems
- MobSF: Automated static and dynamic analysis for initial malware triage
- VirusTotal: Multi-engine malware scanning and hash reputation lookup
- Frida: Runtime behavior monitoring through method hooking
- Wireshark: Network traffic analysis for C2 communication patterns
- Cuckoo Sandbox / CuckooDroid: Automated malware analysis sandbox for Android samples
Common Pitfalls
- Anti-analysis evasion: Sophisticated malware detects emulators, debuggers, and Frida. Use hardware devices and stealthy Frida configurations for accurate analysis.
- Time-delayed payloads: Some malware activates only after a delay or specific trigger. Monitor for extended periods and simulate various conditions.
- Encrypted C2: Malware using encrypted communications requires TLS interception or memory inspection to observe payload content.
- Multi-stage payloads: Initial APK may be benign; malicious payload downloads later. Monitor for dynamic code loading and file downloads.
Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.7 KB
API Reference: Detecting Mobile Malware Behavior
Android Dangerous Permissions
| Permission | Risk | Abuse Scenario |
|---|---|---|
| SEND_SMS | HIGH | Premium rate SMS fraud |
| READ_SMS | HIGH | OTP/2FA theft |
| BIND_ACCESSIBILITY_SERVICE | CRITICAL | Screen scraping, keylogging |
| BIND_DEVICE_ADMIN | CRITICAL | Device lockout, ransomware |
| INSTALL_PACKAGES | CRITICAL | Dropper functionality |
| SYSTEM_ALERT_WINDOW | HIGH | Overlay phishing attacks |
Android Analysis Tools
# Extract permissions from APK
aapt dump permissions app.apk
# Decompile APK
apktool d app.apk -o output_dir/
# Decompile to Java source
jadx app.apk -d java_output/
# Run MobSF scan
docker run -p 8000:8000 opensecurity/mobile-security-framework-mobsfSuspicious API Patterns
# Dynamic code loading
r"DexClassLoader|PathClassLoader"
# Shell execution
r"Runtime\.exec|ProcessBuilder"
# Device fingerprinting
r"TelephonyManager\.getDeviceId"MobSF REST API
import requests
# Upload APK
resp = requests.post("http://localhost:8000/api/v1/upload",
files={"file": open("app.apk", "rb")},
headers={"Authorization": API_KEY})
# Get scan results
resp = requests.post("http://localhost:8000/api/v1/scan",
data={"hash": file_hash},
headers={"Authorization": API_KEY})Android Broadcast Receivers (Persistence)
| Action | Malware Use |
|---|---|
| BOOT_COMPLETED | Auto-start on reboot |
| SMS_RECEIVED | SMS interception |
| PHONE_STATE | Call monitoring |
| CONNECTIVITY_CHANGE | Network-triggered C2 |
CLI Usage
python agent.py --apk suspicious.apk
python agent.py --source-dir jadx_output/
python agent.py --apk app.apk --source-dir decompiled/standards.md0.9 KB
Standards Reference: Mobile Malware Detection
OWASP Mobile Top 10 2024
| ID | Risk | Malware Relevance |
|---|---|---|
| M2 | Inadequate Supply Chain Security | Trojanized apps, repackaged malware |
| M8 | Security Misconfiguration | Excessive permissions enabling malware |
NIST SP 800-163 Rev 1
- Section 5: Mobile app vetting for malware indicators
- Section 6: Enterprise mobile device management for malware prevention
MITRE ATT&CK Mobile Matrix
| Tactic | Technique | Indicator |
|---|---|---|
| Initial Access | T1444: Masquerade as Legitimate App | App name/icon spoofing |
| Collection | T1412: Capture SMS Messages | SMS permission + network |
| Exfiltration | T1437: Standard Application Layer Protocol | HTTP POST to C2 |
| Command and Control | T1437.001: Web Protocols | HTTPS beaconing |
| Impact | T1471: Data Encrypted for Impact | File encryption + ransom |
workflows.md1.0 KB
Workflows: Mobile Malware Detection
Workflow 1: Malware Triage Pipeline
[Receive sample] --> [Hash & VirusTotal check] --> [Known malware?]
/ \
[Yes: Report] [No: Continue]
|
[MobSF static scan] --> [Permission analysis]
|
[Dynamic execution in sandbox]
[Network monitoring]
[Behavior monitoring with Frida]
|
[Classify malware type]
[Extract IOCs (domains, IPs, hashes)]
[Generate report]Scripts 2
agent.py6.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Mobile malware behavior detection agent.
Analyzes Android APK manifests and iOS app metadata for suspicious permissions,
dangerous API usage, and known malware behavioral patterns.
"""
import argparse
import json
import re
import subprocess
import zipfile
from pathlib import Path
from datetime import datetime
DANGEROUS_ANDROID_PERMISSIONS = {
"android.permission.SEND_SMS": ("HIGH", "Can send SMS (premium rate fraud)"),
"android.permission.READ_SMS": ("HIGH", "Reads SMS (OTP theft)"),
"android.permission.RECEIVE_SMS": ("HIGH", "Intercepts SMS"),
"android.permission.READ_CONTACTS": ("MEDIUM", "Reads contacts"),
"android.permission.RECORD_AUDIO": ("HIGH", "Records audio"),
"android.permission.CAMERA": ("MEDIUM", "Camera access"),
"android.permission.READ_CALL_LOG": ("HIGH", "Reads call logs"),
"android.permission.ACCESS_FINE_LOCATION": ("MEDIUM", "Fine GPS location"),
"android.permission.WRITE_EXTERNAL_STORAGE": ("LOW", "Write to external storage"),
"android.permission.INSTALL_PACKAGES": ("CRITICAL", "Can install other apps"),
"android.permission.REQUEST_INSTALL_PACKAGES": ("HIGH", "Request app install"),
"android.permission.SYSTEM_ALERT_WINDOW": ("HIGH", "Overlay attacks"),
"android.permission.BIND_ACCESSIBILITY_SERVICE": ("CRITICAL", "Accessibility abuse"),
"android.permission.BIND_DEVICE_ADMIN": ("CRITICAL", "Device admin control"),
"android.permission.READ_PHONE_STATE": ("MEDIUM", "Reads device identifiers"),
"android.permission.PROCESS_OUTGOING_CALLS": ("HIGH", "Intercepts outgoing calls"),
}
SUSPICIOUS_RECEIVERS = [
"BOOT_COMPLETED", "SMS_RECEIVED", "PHONE_STATE",
"NEW_OUTGOING_CALL", "PACKAGE_ADDED", "CONNECTIVITY_CHANGE",
]
MALWARE_API_PATTERNS = [
(r"DexClassLoader|PathClassLoader", "HIGH", "Dynamic code loading"),
(r"Runtime\.exec|ProcessBuilder", "HIGH", "Command execution"),
(r"TelephonyManager\.getDeviceId", "MEDIUM", "Device fingerprinting"),
(r"Base64\.decode.*exec", "CRITICAL", "Encoded payload execution"),
(r"loadLibrary|System\.load", "MEDIUM", "Native library loading"),
(r"Cipher.*AES.*encrypt", "LOW", "Encryption (possible ransomware)"),
(r"javax\.crypto", "LOW", "Cryptographic operations"),
(r"HttpURLConnection|OkHttp", "LOW", "Network communication"),
(r"getRuntime\(\)\.exec", "HIGH", "Shell command execution"),
]
def analyze_apk_manifest(apk_path):
findings = []
permissions = []
try:
result = subprocess.run(
["aapt", "dump", "permissions", apk_path],
capture_output=True, text=True, timeout=30)
if result.returncode == 0:
for line in result.stdout.split("\n"):
perm_match = re.search(r"uses-permission.*'([^']+)'", line)
if perm_match:
perm = perm_match.group(1)
permissions.append(perm)
if perm in DANGEROUS_ANDROID_PERMISSIONS:
sev, desc = DANGEROUS_ANDROID_PERMISSIONS[perm]
findings.append({
"type": "dangerous_permission",
"permission": perm,
"severity": sev,
"description": desc,
})
except (FileNotFoundError, subprocess.TimeoutExpired):
try:
with zipfile.ZipFile(apk_path, 'r') as z:
if "AndroidManifest.xml" in z.namelist():
findings.append({"note": "Binary manifest found, use aapt or apktool to decode"})
except zipfile.BadZipFile:
findings.append({"error": "Invalid APK file"})
return {"permissions": permissions, "findings": findings}
def scan_decompiled_source(source_dir):
findings = []
source_path = Path(source_dir)
for java_file in source_path.rglob("*.java"):
try:
content = java_file.read_text(encoding="utf-8", errors="replace")
for pattern, severity, desc in MALWARE_API_PATTERNS:
matches = re.findall(pattern, content)
if matches:
findings.append({
"type": "suspicious_api",
"file": str(java_file),
"pattern": desc,
"match_count": len(matches),
"severity": severity,
})
except OSError:
continue
for smali_file in source_path.rglob("*.smali"):
try:
content = smali_file.read_text(encoding="utf-8", errors="replace")
if "Landroid/app/admin/DeviceAdminReceiver" in content:
findings.append({
"type": "device_admin",
"file": str(smali_file),
"severity": "CRITICAL",
"description": "App registers as device administrator",
})
except OSError:
continue
return findings
def calculate_risk(findings):
score = 0
for f in findings:
sev = f.get("severity", "LOW")
score += {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 5, "LOW": 2}.get(sev, 0)
risk = "CRITICAL" if score >= 80 else "HIGH" if score >= 40 else \
"MEDIUM" if score >= 15 else "LOW"
return {"score": min(score, 100), "risk_level": risk}
def main():
parser = argparse.ArgumentParser(description="Mobile Malware Behavior Detector")
parser.add_argument("--apk", help="Path to APK file")
parser.add_argument("--source-dir", help="Path to decompiled source directory")
args = parser.parse_args()
results = {"timestamp": datetime.utcnow().isoformat() + "Z", "findings": []}
if args.apk:
apk_results = analyze_apk_manifest(args.apk)
results["permissions"] = apk_results["permissions"]
results["findings"].extend(apk_results["findings"])
if args.source_dir:
results["findings"].extend(scan_decompiled_source(args.source_dir))
results["risk"] = calculate_risk(results["findings"])
results["total_findings"] = len(results["findings"])
print(json.dumps(results, indent=2))
if __name__ == "__main__":
main()
process.py8.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Mobile Malware Behavior Analyzer
Performs static indicator analysis on Android APK files to detect malware behaviors.
Checks permissions, code patterns, and VirusTotal reputation.
Usage:
python process.py --apk suspicious.apk [--vt-key API_KEY] [--output report.json]
"""
import argparse
import hashlib
import json
import subprocess
import sys
import zipfile
import re
from datetime import datetime
from pathlib import Path
try:
import requests
except ImportError:
requests = None
DANGEROUS_PERMISSIONS = {
"android.permission.READ_SMS": "SMS access - banking trojan indicator",
"android.permission.RECEIVE_SMS": "SMS interception - banking trojan indicator",
"android.permission.SEND_SMS": "SMS sending - premium SMS fraud indicator",
"android.permission.CAMERA": "Camera access - spyware indicator",
"android.permission.RECORD_AUDIO": "Microphone access - spyware indicator",
"android.permission.READ_CONTACTS": "Contact harvesting - worm/spyware indicator",
"android.permission.READ_CALL_LOG": "Call log access - spyware indicator",
"android.permission.ACCESS_FINE_LOCATION": "Location tracking - stalkerware indicator",
"android.permission.SYSTEM_ALERT_WINDOW": "Overlay capability - credential stealer indicator",
"android.permission.BIND_DEVICE_ADMIN": "Device admin - ransomware indicator",
"android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility abuse - overlay attacks",
"android.permission.REQUEST_INSTALL_PACKAGES": "Silent app installation capability",
"android.permission.WRITE_EXTERNAL_STORAGE": "External storage write - data staging",
}
MALWARE_CODE_PATTERNS = {
"dynamic_dex_loading": r"DexClassLoader|InMemoryDexClassLoader|PathClassLoader",
"reflection": r"java\.lang\.reflect|Method\.invoke|Class\.forName",
"native_code_loading": r"System\.loadLibrary|System\.load\(",
"command_execution": r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder",
"crypto_operations": r"javax\.crypto\.Cipher|javax\.crypto\.spec",
"base64_encoding": r"android\.util\.Base64|java\.util\.Base64",
"root_detection": r"\/system\/xbin\/su|\/system\/app\/Superuser|isRooted|RootBeer",
"emulator_detection": r"Build\.FINGERPRINT.*generic|goldfish|ranchu|sdk_gphone",
"keylogger": r"AccessibilityService|onAccessibilityEvent|TYPE_VIEW_TEXT_CHANGED",
"screen_capture": r"MediaProjection|createVirtualDisplay|CAPTURE_SECURE",
}
def compute_hashes(file_path: str) -> dict:
"""Compute file hashes."""
with open(file_path, "rb") as f:
data = f.read()
return {
"md5": hashlib.md5(data).hexdigest(),
"sha1": hashlib.sha1(data).hexdigest(),
"sha256": hashlib.sha256(data).hexdigest(),
"size": len(data),
}
def extract_permissions(apk_path: str) -> list:
"""Extract permissions from APK using aapt."""
try:
result = subprocess.run(
["aapt", "dump", "permissions", apk_path],
capture_output=True, text=True, timeout=30
)
perms = []
for line in result.stdout.split("\n"):
if "uses-permission:" in line:
perm = line.split("name='")[1].split("'")[0] if "name='" in line else line.strip()
perms.append(perm)
return perms
except (subprocess.TimeoutExpired, FileNotFoundError, IndexError):
return []
def scan_code_patterns(apk_path: str) -> dict:
"""Scan DEX code for malware patterns."""
findings = {}
try:
with zipfile.ZipFile(apk_path, "r") as z:
for name in z.namelist():
if name.endswith(".dex"):
dex_data = z.read(name).decode("utf-8", errors="replace")
for pattern_name, pattern in MALWARE_CODE_PATTERNS.items():
matches = re.findall(pattern, dex_data)
if matches:
findings[pattern_name] = {
"count": len(matches),
"samples": list(set(matches))[:3],
}
except zipfile.BadZipFile:
findings["error"] = "Invalid ZIP/APK file"
return findings
def check_virustotal(sha256: str, api_key: str) -> dict:
"""Query VirusTotal for file reputation."""
if not requests or not api_key:
return {"skipped": True}
try:
resp = requests.get(
f"https://www.virustotal.com/api/v3/files/{sha256}",
headers={"x-apikey": api_key},
timeout=15
)
if resp.status_code == 200:
data = resp.json().get("data", {}).get("attributes", {})
stats = data.get("last_analysis_stats", {})
return {
"malicious": stats.get("malicious", 0),
"suspicious": stats.get("suspicious", 0),
"undetected": stats.get("undetected", 0),
"total_engines": sum(stats.values()),
"detection_names": [
f"{engine}: {result.get('result')}"
for engine, result in data.get("last_analysis_results", {}).items()
if result.get("category") == "malicious"
][:10],
}
return {"status_code": resp.status_code}
except Exception as e:
return {"error": str(e)}
def assess_risk(permissions: list, code_patterns: dict, vt_result: dict) -> dict:
"""Calculate overall malware risk assessment."""
risk_score = 0
indicators = []
# Permission-based risk
dangerous_found = [p for p in permissions if p in DANGEROUS_PERMISSIONS]
risk_score += len(dangerous_found) * 10
# High-risk combinations
perm_set = set(permissions)
if {"android.permission.READ_SMS", "android.permission.INTERNET"} <= perm_set:
indicators.append("SMS stealer pattern (READ_SMS + INTERNET)")
risk_score += 30
if {"android.permission.CAMERA", "android.permission.RECORD_AUDIO", "android.permission.INTERNET"} <= perm_set:
indicators.append("Spyware pattern (CAMERA + AUDIO + INTERNET)")
risk_score += 40
if "android.permission.BIND_DEVICE_ADMIN" in perm_set:
indicators.append("Device admin capability (ransomware indicator)")
risk_score += 25
# Code pattern risk
if "dynamic_dex_loading" in code_patterns:
indicators.append("Dynamic DEX loading detected")
risk_score += 20
if "command_execution" in code_patterns:
indicators.append("Command execution capability")
risk_score += 15
if "emulator_detection" in code_patterns:
indicators.append("Anti-emulator checks (sandbox evasion)")
risk_score += 15
if "keylogger" in code_patterns:
indicators.append("Accessibility service abuse (keylogger)")
risk_score += 30
# VirusTotal
if vt_result.get("malicious", 0) > 0:
risk_score += min(vt_result["malicious"] * 5, 50)
indicators.append(f"VirusTotal: {vt_result['malicious']} engines detected as malicious")
risk_level = "CRITICAL" if risk_score >= 80 else "HIGH" if risk_score >= 50 else "MEDIUM" if risk_score >= 25 else "LOW"
return {
"risk_score": min(risk_score, 100),
"risk_level": risk_level,
"indicators": indicators,
}
def main():
parser = argparse.ArgumentParser(description="Mobile Malware Behavior Analyzer")
parser.add_argument("--apk", required=True, help="Path to APK file")
parser.add_argument("--vt-key", help="VirusTotal API key")
parser.add_argument("--output", default="malware_report.json", help="Output report")
args = parser.parse_args()
if not Path(args.apk).exists():
print(f"[-] File not found: {args.apk}")
sys.exit(1)
print("[*] Computing hashes...")
hashes = compute_hashes(args.apk)
print("[*] Extracting permissions...")
permissions = extract_permissions(args.apk)
print("[*] Scanning code patterns...")
code_patterns = scan_code_patterns(args.apk)
print("[*] Checking VirusTotal...")
vt_result = check_virustotal(hashes["sha256"], args.vt_key)
print("[*] Assessing risk...")
risk = assess_risk(permissions, code_patterns, vt_result)
report = {
"analysis": {
"file": args.apk,
"date": datetime.now().isoformat(),
"hashes": hashes,
},
"permissions": {
"total": len(permissions),
"dangerous": {p: DANGEROUS_PERMISSIONS[p] for p in permissions if p in DANGEROUS_PERMISSIONS},
},
"code_patterns": code_patterns,
"virustotal": vt_result,
"risk_assessment": risk,
}
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
print(f"\n[+] Report saved: {args.output}")
print(f"[!] Risk Level: {risk['risk_level']} (Score: {risk['risk_score']}/100)")
for ind in risk["indicators"]:
print(f" - {ind}")
if __name__ == "__main__":
main()
Assets 1
template.mdtext/markdown · 0.9 KBKeep exploring