mobile security

Detecting Mobile Malware Behavior

Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse detection, network traffic monitoring, and dynamic instrumentation. Use when analyzing suspicious mobile applications for data exfiltration, command-and-control communication, credential stealing, SMS interception, or other malware indicators. Activates for requests involving mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation.

androidiosmalware-analysismobile-securityowasp-mobilepenetration-testing
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • Analyzing suspicious mobile applications submitted by users or discovered during incident response
  • Monitoring enterprise mobile fleet for malicious app indicators
  • Performing malware triage on APK/IPA samples
  • Investigating data exfiltration or unauthorized device access from mobile apps

Do not use this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.

Prerequisites

  • Isolated analysis environment (dedicated device or emulator, not connected to production networks)
  • MobSF for automated static+dynamic analysis
  • Frida/Objection for runtime behavior monitoring
  • Wireshark/tcpdump for network traffic capture
  • Android emulator (AVD) or Genymotion for safe execution
  • VirusTotal API key for hash lookups

Workflow

Step 1: Static Indicator Analysis

# Hash the sample
sha256sum suspicious.apk
 
# Check VirusTotal
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
  -H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'
 
# Extract permissions from AndroidManifest.xml
aapt dump permissions suspicious.apk
 
# High-risk permission combinations:
# READ_SMS + INTERNET = SMS stealer
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
# CAMERA + RECORD_AUDIO + INTERNET = spyware
# DEVICE_ADMIN + INTERNET = ransomware capability
# READ_CONTACTS + INTERNET = contact exfiltration

Step 2: MobSF Automated Malware Scan

# Upload to MobSF
curl -F "file=@suspicious.apk" http://localhost:8000/api/v1/upload \
  -H "Authorization: <API_KEY>"
 
# Review malware indicators in report:
# - Hardcoded C2 server addresses
# - Dynamic code loading (DexClassLoader)
# - Reflection-based API calls (to evade static analysis)
# - Encrypted/obfuscated payloads
# - Root detection (malware often checks for root)
# - Anti-emulator checks (malware evades sandbox)

Step 3: Network Behavior Monitoring

# Start packet capture on emulator
tcpdump -i any -w malware_traffic.pcap
 
# Or use mitmproxy for HTTP/HTTPS
mitmproxy --mode transparent
 
# Monitor for:
# - DNS lookups to suspicious/newly registered domains
# - Connections to known C2 infrastructure
# - Data exfiltration patterns (large POST requests)
# - Beaconing behavior (regular interval connections)
# - Non-standard ports and protocols
# - Domain Generation Algorithm (DGA) patterns

Step 4: Runtime Behavior Monitoring with Frida

// monitor_malware.js - Comprehensive behavior monitoring
Java.perform(function() {
    // Monitor SMS access
    var SmsManager = Java.use("android.telephony.SmsManager");
    SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String",
        "java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent")
        .implementation = function(dest, sc, text, sent, delivery) {
            console.log("[SMS] Sending to: " + dest + " Text: " + text);
            // Allow or block based on analysis needs
            return this.sendTextMessage(dest, sc, text, sent, delivery);
        };
 
    // Monitor file operations
    var FileOutputStream = Java.use("java.io.FileOutputStream");
    FileOutputStream.$init.overload("java.lang.String").implementation = function(path) {
        console.log("[FILE-WRITE] " + path);
        return this.$init(path);
    };
 
    // Monitor network connections
    var URL = Java.use("java.net.URL");
    URL.openConnection.overload().implementation = function() {
        console.log("[NET] " + this.toString());
        return this.openConnection();
    };
 
    // Monitor dynamic code loading
    var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
    DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
        console.log("[DEX-LOAD] Loading: " + dexPath);
        return this.$init(dexPath, optDir, libPath, parent);
    };
 
    // Monitor command execution
    var Runtime = Java.use("java.lang.Runtime");
    Runtime.exec.overload("java.lang.String").implementation = function(cmd) {
        console.log("[EXEC] " + cmd);
        return this.exec(cmd);
    };
 
    // Monitor camera/audio access
    var Camera = Java.use("android.hardware.Camera");
    Camera.open.overload("int").implementation = function(id) {
        console.log("[CAMERA] Camera opened: " + id);
        return this.open(id);
    };
 
    // Monitor content provider access (contacts, call log)
    var ContentResolver = Java.use("android.content.ContentResolver");
    ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;",
        "java.lang.String", "[Ljava.lang.String;", "java.lang.String")
        .implementation = function(uri, proj, sel, selArgs, sort) {
            console.log("[QUERY] " + uri.toString());
            return this.query(uri, proj, sel, selArgs, sort);
        };
 
    console.log("[*] Malware behavior monitor active");
});

Step 5: Classify Malware Type

Based on observed behaviors, classify the sample:

Behavior Pattern Malware Type
SMS interception + C2 communication Banking Trojan
Camera/mic access + data upload Spyware/Stalkerware
File encryption + ransom note display Mobile Ransomware
Ad injection + click fraud traffic Adware
Root exploit + persistence Rootkit
Contact harvesting + SMS spam Worm/SMS Spammer
Overlay attacks + credential capture Credential Stealer
Crypto mining network activity Cryptojacker

Key Concepts

Term Definition
Dynamic Code Loading Loading executable code at runtime from external sources, commonly used by malware to evade static analysis
C2 Beacon Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns
DGA Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure
Overlay Attack Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission
Anti-Emulator Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior

Tools & Systems

  • MobSF: Automated static and dynamic analysis for initial malware triage
  • VirusTotal: Multi-engine malware scanning and hash reputation lookup
  • Frida: Runtime behavior monitoring through method hooking
  • Wireshark: Network traffic analysis for C2 communication patterns
  • Cuckoo Sandbox / CuckooDroid: Automated malware analysis sandbox for Android samples

Common Pitfalls

  • Anti-analysis evasion: Sophisticated malware detects emulators, debuggers, and Frida. Use hardware devices and stealthy Frida configurations for accurate analysis.
  • Time-delayed payloads: Some malware activates only after a delay or specific trigger. Monitor for extended periods and simulate various conditions.
  • Encrypted C2: Malware using encrypted communications requires TLS interception or memory inspection to observe payload content.
  • Multi-stage payloads: Initial APK may be benign; malicious payload downloads later. Monitor for dynamic code loading and file downloads.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.7 KB

API Reference: Detecting Mobile Malware Behavior

Android Dangerous Permissions

Permission Risk Abuse Scenario
SEND_SMS HIGH Premium rate SMS fraud
READ_SMS HIGH OTP/2FA theft
BIND_ACCESSIBILITY_SERVICE CRITICAL Screen scraping, keylogging
BIND_DEVICE_ADMIN CRITICAL Device lockout, ransomware
INSTALL_PACKAGES CRITICAL Dropper functionality
SYSTEM_ALERT_WINDOW HIGH Overlay phishing attacks

Android Analysis Tools

# Extract permissions from APK
aapt dump permissions app.apk
 
# Decompile APK
apktool d app.apk -o output_dir/
 
# Decompile to Java source
jadx app.apk -d java_output/
 
# Run MobSF scan
docker run -p 8000:8000 opensecurity/mobile-security-framework-mobsf

Suspicious API Patterns

# Dynamic code loading
r"DexClassLoader|PathClassLoader"
# Shell execution
r"Runtime\.exec|ProcessBuilder"
# Device fingerprinting
r"TelephonyManager\.getDeviceId"

MobSF REST API

import requests
# Upload APK
resp = requests.post("http://localhost:8000/api/v1/upload",
    files={"file": open("app.apk", "rb")},
    headers={"Authorization": API_KEY})
 
# Get scan results
resp = requests.post("http://localhost:8000/api/v1/scan",
    data={"hash": file_hash},
    headers={"Authorization": API_KEY})

Android Broadcast Receivers (Persistence)

Action Malware Use
BOOT_COMPLETED Auto-start on reboot
SMS_RECEIVED SMS interception
PHONE_STATE Call monitoring
CONNECTIVITY_CHANGE Network-triggered C2

CLI Usage

python agent.py --apk suspicious.apk
python agent.py --source-dir jadx_output/
python agent.py --apk app.apk --source-dir decompiled/
standards.md0.9 KB

Standards Reference: Mobile Malware Detection

OWASP Mobile Top 10 2024

ID Risk Malware Relevance
M2 Inadequate Supply Chain Security Trojanized apps, repackaged malware
M8 Security Misconfiguration Excessive permissions enabling malware

NIST SP 800-163 Rev 1

  • Section 5: Mobile app vetting for malware indicators
  • Section 6: Enterprise mobile device management for malware prevention

MITRE ATT&CK Mobile Matrix

Tactic Technique Indicator
Initial Access T1444: Masquerade as Legitimate App App name/icon spoofing
Collection T1412: Capture SMS Messages SMS permission + network
Exfiltration T1437: Standard Application Layer Protocol HTTP POST to C2
Command and Control T1437.001: Web Protocols HTTPS beaconing
Impact T1471: Data Encrypted for Impact File encryption + ransom
workflows.md1.0 KB

Workflows: Mobile Malware Detection

Workflow 1: Malware Triage Pipeline

[Receive sample] --> [Hash & VirusTotal check] --> [Known malware?]
                                                    /            \
                                              [Yes: Report]  [No: Continue]
                                                                   |
                                              [MobSF static scan] --> [Permission analysis]
                                                                   |
                                              [Dynamic execution in sandbox]
                                              [Network monitoring]
                                              [Behavior monitoring with Frida]
                                                                   |
                                              [Classify malware type]
                                              [Extract IOCs (domains, IPs, hashes)]
                                              [Generate report]

Scripts 2

agent.py6.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Mobile malware behavior detection agent.

Analyzes Android APK manifests and iOS app metadata for suspicious permissions,
dangerous API usage, and known malware behavioral patterns.
"""

import argparse
import json
import re
import subprocess
import zipfile
from pathlib import Path
from datetime import datetime

DANGEROUS_ANDROID_PERMISSIONS = {
    "android.permission.SEND_SMS": ("HIGH", "Can send SMS (premium rate fraud)"),
    "android.permission.READ_SMS": ("HIGH", "Reads SMS (OTP theft)"),
    "android.permission.RECEIVE_SMS": ("HIGH", "Intercepts SMS"),
    "android.permission.READ_CONTACTS": ("MEDIUM", "Reads contacts"),
    "android.permission.RECORD_AUDIO": ("HIGH", "Records audio"),
    "android.permission.CAMERA": ("MEDIUM", "Camera access"),
    "android.permission.READ_CALL_LOG": ("HIGH", "Reads call logs"),
    "android.permission.ACCESS_FINE_LOCATION": ("MEDIUM", "Fine GPS location"),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("LOW", "Write to external storage"),
    "android.permission.INSTALL_PACKAGES": ("CRITICAL", "Can install other apps"),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("HIGH", "Request app install"),
    "android.permission.SYSTEM_ALERT_WINDOW": ("HIGH", "Overlay attacks"),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("CRITICAL", "Accessibility abuse"),
    "android.permission.BIND_DEVICE_ADMIN": ("CRITICAL", "Device admin control"),
    "android.permission.READ_PHONE_STATE": ("MEDIUM", "Reads device identifiers"),
    "android.permission.PROCESS_OUTGOING_CALLS": ("HIGH", "Intercepts outgoing calls"),
}

SUSPICIOUS_RECEIVERS = [
    "BOOT_COMPLETED", "SMS_RECEIVED", "PHONE_STATE",
    "NEW_OUTGOING_CALL", "PACKAGE_ADDED", "CONNECTIVITY_CHANGE",
]

MALWARE_API_PATTERNS = [
    (r"DexClassLoader|PathClassLoader", "HIGH", "Dynamic code loading"),
    (r"Runtime\.exec|ProcessBuilder", "HIGH", "Command execution"),
    (r"TelephonyManager\.getDeviceId", "MEDIUM", "Device fingerprinting"),
    (r"Base64\.decode.*exec", "CRITICAL", "Encoded payload execution"),
    (r"loadLibrary|System\.load", "MEDIUM", "Native library loading"),
    (r"Cipher.*AES.*encrypt", "LOW", "Encryption (possible ransomware)"),
    (r"javax\.crypto", "LOW", "Cryptographic operations"),
    (r"HttpURLConnection|OkHttp", "LOW", "Network communication"),
    (r"getRuntime\(\)\.exec", "HIGH", "Shell command execution"),
]


def analyze_apk_manifest(apk_path):
    findings = []
    permissions = []
    try:
        result = subprocess.run(
            ["aapt", "dump", "permissions", apk_path],
            capture_output=True, text=True, timeout=30)
        if result.returncode == 0:
            for line in result.stdout.split("\n"):
                perm_match = re.search(r"uses-permission.*'([^']+)'", line)
                if perm_match:
                    perm = perm_match.group(1)
                    permissions.append(perm)
                    if perm in DANGEROUS_ANDROID_PERMISSIONS:
                        sev, desc = DANGEROUS_ANDROID_PERMISSIONS[perm]
                        findings.append({
                            "type": "dangerous_permission",
                            "permission": perm,
                            "severity": sev,
                            "description": desc,
                        })
    except (FileNotFoundError, subprocess.TimeoutExpired):
        try:
            with zipfile.ZipFile(apk_path, 'r') as z:
                if "AndroidManifest.xml" in z.namelist():
                    findings.append({"note": "Binary manifest found, use aapt or apktool to decode"})
        except zipfile.BadZipFile:
            findings.append({"error": "Invalid APK file"})

    return {"permissions": permissions, "findings": findings}


def scan_decompiled_source(source_dir):
    findings = []
    source_path = Path(source_dir)
    for java_file in source_path.rglob("*.java"):
        try:
            content = java_file.read_text(encoding="utf-8", errors="replace")
            for pattern, severity, desc in MALWARE_API_PATTERNS:
                matches = re.findall(pattern, content)
                if matches:
                    findings.append({
                        "type": "suspicious_api",
                        "file": str(java_file),
                        "pattern": desc,
                        "match_count": len(matches),
                        "severity": severity,
                    })
        except OSError:
            continue
    for smali_file in source_path.rglob("*.smali"):
        try:
            content = smali_file.read_text(encoding="utf-8", errors="replace")
            if "Landroid/app/admin/DeviceAdminReceiver" in content:
                findings.append({
                    "type": "device_admin",
                    "file": str(smali_file),
                    "severity": "CRITICAL",
                    "description": "App registers as device administrator",
                })
        except OSError:
            continue
    return findings


def calculate_risk(findings):
    score = 0
    for f in findings:
        sev = f.get("severity", "LOW")
        score += {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 5, "LOW": 2}.get(sev, 0)
    risk = "CRITICAL" if score >= 80 else "HIGH" if score >= 40 else \
           "MEDIUM" if score >= 15 else "LOW"
    return {"score": min(score, 100), "risk_level": risk}


def main():
    parser = argparse.ArgumentParser(description="Mobile Malware Behavior Detector")
    parser.add_argument("--apk", help="Path to APK file")
    parser.add_argument("--source-dir", help="Path to decompiled source directory")
    args = parser.parse_args()

    results = {"timestamp": datetime.utcnow().isoformat() + "Z", "findings": []}

    if args.apk:
        apk_results = analyze_apk_manifest(args.apk)
        results["permissions"] = apk_results["permissions"]
        results["findings"].extend(apk_results["findings"])

    if args.source_dir:
        results["findings"].extend(scan_decompiled_source(args.source_dir))

    results["risk"] = calculate_risk(results["findings"])
    results["total_findings"] = len(results["findings"])
    print(json.dumps(results, indent=2))


if __name__ == "__main__":
    main()
process.py8.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Mobile Malware Behavior Analyzer

Performs static indicator analysis on Android APK files to detect malware behaviors.
Checks permissions, code patterns, and VirusTotal reputation.

Usage:
    python process.py --apk suspicious.apk [--vt-key API_KEY] [--output report.json]
"""

import argparse
import hashlib
import json
import subprocess
import sys
import zipfile
import re
from datetime import datetime
from pathlib import Path

try:
    import requests
except ImportError:
    requests = None

DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS access - banking trojan indicator",
    "android.permission.RECEIVE_SMS": "SMS interception - banking trojan indicator",
    "android.permission.SEND_SMS": "SMS sending - premium SMS fraud indicator",
    "android.permission.CAMERA": "Camera access - spyware indicator",
    "android.permission.RECORD_AUDIO": "Microphone access - spyware indicator",
    "android.permission.READ_CONTACTS": "Contact harvesting - worm/spyware indicator",
    "android.permission.READ_CALL_LOG": "Call log access - spyware indicator",
    "android.permission.ACCESS_FINE_LOCATION": "Location tracking - stalkerware indicator",
    "android.permission.SYSTEM_ALERT_WINDOW": "Overlay capability - credential stealer indicator",
    "android.permission.BIND_DEVICE_ADMIN": "Device admin - ransomware indicator",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility abuse - overlay attacks",
    "android.permission.REQUEST_INSTALL_PACKAGES": "Silent app installation capability",
    "android.permission.WRITE_EXTERNAL_STORAGE": "External storage write - data staging",
}

MALWARE_CODE_PATTERNS = {
    "dynamic_dex_loading": r"DexClassLoader|InMemoryDexClassLoader|PathClassLoader",
    "reflection": r"java\.lang\.reflect|Method\.invoke|Class\.forName",
    "native_code_loading": r"System\.loadLibrary|System\.load\(",
    "command_execution": r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder",
    "crypto_operations": r"javax\.crypto\.Cipher|javax\.crypto\.spec",
    "base64_encoding": r"android\.util\.Base64|java\.util\.Base64",
    "root_detection": r"\/system\/xbin\/su|\/system\/app\/Superuser|isRooted|RootBeer",
    "emulator_detection": r"Build\.FINGERPRINT.*generic|goldfish|ranchu|sdk_gphone",
    "keylogger": r"AccessibilityService|onAccessibilityEvent|TYPE_VIEW_TEXT_CHANGED",
    "screen_capture": r"MediaProjection|createVirtualDisplay|CAPTURE_SECURE",
}


def compute_hashes(file_path: str) -> dict:
    """Compute file hashes."""
    with open(file_path, "rb") as f:
        data = f.read()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def extract_permissions(apk_path: str) -> list:
    """Extract permissions from APK using aapt."""
    try:
        result = subprocess.run(
            ["aapt", "dump", "permissions", apk_path],
            capture_output=True, text=True, timeout=30
        )
        perms = []
        for line in result.stdout.split("\n"):
            if "uses-permission:" in line:
                perm = line.split("name='")[1].split("'")[0] if "name='" in line else line.strip()
                perms.append(perm)
        return perms
    except (subprocess.TimeoutExpired, FileNotFoundError, IndexError):
        return []


def scan_code_patterns(apk_path: str) -> dict:
    """Scan DEX code for malware patterns."""
    findings = {}
    try:
        with zipfile.ZipFile(apk_path, "r") as z:
            for name in z.namelist():
                if name.endswith(".dex"):
                    dex_data = z.read(name).decode("utf-8", errors="replace")
                    for pattern_name, pattern in MALWARE_CODE_PATTERNS.items():
                        matches = re.findall(pattern, dex_data)
                        if matches:
                            findings[pattern_name] = {
                                "count": len(matches),
                                "samples": list(set(matches))[:3],
                            }
    except zipfile.BadZipFile:
        findings["error"] = "Invalid ZIP/APK file"
    return findings


def check_virustotal(sha256: str, api_key: str) -> dict:
    """Query VirusTotal for file reputation."""
    if not requests or not api_key:
        return {"skipped": True}
    try:
        resp = requests.get(
            f"https://www.virustotal.com/api/v3/files/{sha256}",
            headers={"x-apikey": api_key},
            timeout=15
        )
        if resp.status_code == 200:
            data = resp.json().get("data", {}).get("attributes", {})
            stats = data.get("last_analysis_stats", {})
            return {
                "malicious": stats.get("malicious", 0),
                "suspicious": stats.get("suspicious", 0),
                "undetected": stats.get("undetected", 0),
                "total_engines": sum(stats.values()),
                "detection_names": [
                    f"{engine}: {result.get('result')}"
                    for engine, result in data.get("last_analysis_results", {}).items()
                    if result.get("category") == "malicious"
                ][:10],
            }
        return {"status_code": resp.status_code}
    except Exception as e:
        return {"error": str(e)}


def assess_risk(permissions: list, code_patterns: dict, vt_result: dict) -> dict:
    """Calculate overall malware risk assessment."""
    risk_score = 0
    indicators = []

    # Permission-based risk
    dangerous_found = [p for p in permissions if p in DANGEROUS_PERMISSIONS]
    risk_score += len(dangerous_found) * 10

    # High-risk combinations
    perm_set = set(permissions)
    if {"android.permission.READ_SMS", "android.permission.INTERNET"} <= perm_set:
        indicators.append("SMS stealer pattern (READ_SMS + INTERNET)")
        risk_score += 30
    if {"android.permission.CAMERA", "android.permission.RECORD_AUDIO", "android.permission.INTERNET"} <= perm_set:
        indicators.append("Spyware pattern (CAMERA + AUDIO + INTERNET)")
        risk_score += 40
    if "android.permission.BIND_DEVICE_ADMIN" in perm_set:
        indicators.append("Device admin capability (ransomware indicator)")
        risk_score += 25

    # Code pattern risk
    if "dynamic_dex_loading" in code_patterns:
        indicators.append("Dynamic DEX loading detected")
        risk_score += 20
    if "command_execution" in code_patterns:
        indicators.append("Command execution capability")
        risk_score += 15
    if "emulator_detection" in code_patterns:
        indicators.append("Anti-emulator checks (sandbox evasion)")
        risk_score += 15
    if "keylogger" in code_patterns:
        indicators.append("Accessibility service abuse (keylogger)")
        risk_score += 30

    # VirusTotal
    if vt_result.get("malicious", 0) > 0:
        risk_score += min(vt_result["malicious"] * 5, 50)
        indicators.append(f"VirusTotal: {vt_result['malicious']} engines detected as malicious")

    risk_level = "CRITICAL" if risk_score >= 80 else "HIGH" if risk_score >= 50 else "MEDIUM" if risk_score >= 25 else "LOW"

    return {
        "risk_score": min(risk_score, 100),
        "risk_level": risk_level,
        "indicators": indicators,
    }


def main():
    parser = argparse.ArgumentParser(description="Mobile Malware Behavior Analyzer")
    parser.add_argument("--apk", required=True, help="Path to APK file")
    parser.add_argument("--vt-key", help="VirusTotal API key")
    parser.add_argument("--output", default="malware_report.json", help="Output report")
    args = parser.parse_args()

    if not Path(args.apk).exists():
        print(f"[-] File not found: {args.apk}")
        sys.exit(1)

    print("[*] Computing hashes...")
    hashes = compute_hashes(args.apk)

    print("[*] Extracting permissions...")
    permissions = extract_permissions(args.apk)

    print("[*] Scanning code patterns...")
    code_patterns = scan_code_patterns(args.apk)

    print("[*] Checking VirusTotal...")
    vt_result = check_virustotal(hashes["sha256"], args.vt_key)

    print("[*] Assessing risk...")
    risk = assess_risk(permissions, code_patterns, vt_result)

    report = {
        "analysis": {
            "file": args.apk,
            "date": datetime.now().isoformat(),
            "hashes": hashes,
        },
        "permissions": {
            "total": len(permissions),
            "dangerous": {p: DANGEROUS_PERMISSIONS[p] for p in permissions if p in DANGEROUS_PERMISSIONS},
        },
        "code_patterns": code_patterns,
        "virustotal": vt_result,
        "risk_assessment": risk,
    }

    with open(args.output, "w") as f:
        json.dump(report, f, indent=2)

    print(f"\n[+] Report saved: {args.output}")
    print(f"[!] Risk Level: {risk['risk_level']} (Score: {risk['risk_score']}/100)")
    for ind in risk["indicators"]:
        print(f"    - {ind}")


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 0.9 KB
Keep exploring