Posted on by mspreitz

Androguard: A simple step by step guide

Reversing Android applications is something I’m doing very regularly. Thus, I thought writing some small and simple step by step guides for available tools could be helpful for the community, especially for people that are just starting to work on this topic.

Today I will start with Androguard, but I hope that there will be enough time in the future to continue those guides for other tools.

In general, there are a few simple steps every Android reverser follows:

  1. Analyzing the Android-Manifest for permissions and activities
  2. Unpacking of the Android application (apk file) to get all files and especially the classes.dex
  3. Translating the Dalvik-Bytecode to Java-Bytecode (or similar)
  4. Analyzing the generated code

With the help of Androguard you can perform all those steps with one single interactive tool.

First of all you need to download the most current Androguard release and install potentially missing python dependencies/packages. Afterwards you can start the real analysis by starting the interactive Androguard shell through entering the following command:

python androlyze.py -s

Now we can tell Androguard which apk we like to analyze and which decompiler we like to use:

In [1]: a,d,dx = AnalyzeAPK("malware.apk", decompiler="dad")

As described in the workflow above, we now want to get some information from the manifest. In this case we start with the requested permissions:

In [2]: a.get_permissions()
Out[2]: 
['android.permission.SEND_SMS',
'android.permission.RECEIVE_SMS',
'android.permission.ACCESS_GPS',
'android.permission.ACCESS_LOCATION']

Additionally, we can get some more information like package name and the displayed name of the application in question:

In [3]: a.get_package()
Out[3]: u'com.magicsms.own'

In [4]: a.get_app_name()
Out[4]: u'SuiConFo'

For a in-depth analysis of an application we now need some entry point into the application. The easiest way for finding such a point, is searching for the main activity, as this is the normal entry point that is called as soon as a user is clicking the app icon on his home-screen:

In [5]: a.get_main_activity()
Out[5]: u'com.magicsms.own.MagicSMSActivity'

OPTIONAL: We also can get all activities an application has, but the main activity should always be a good choice to start with:

In [6]: a.get_activities()
Out[6]: 
['com.magicsms.own.MagicSMSActivity',
........]

OPTIONAL: At this point we could also display every Java class within the application in question and have a look for suspicious class-names (if available):

In [7]: d.get_classes_names()
Out[7]: 
['Lcom/magicsms/own/MagicSMSActivity;',
'Lcom/magicsms/own/R$attr;',
'Lcom/magicsms/own/R$drawable;',
'Lcom/magicsms/own/R$id;',
'Lcom/magicsms/own/R$layout;',
'Lcom/magicsms/own/R$string;',
'Lcom/magicsms/own/R;',
'Lcom/magicsms/own/receiver/SMSReceiver;']

Within this output we see, that there are only two classes of interest – MagicSMSActivity as well as SMSReceiver – and one of these is our main activity. Now it is time to dive deeper into the application and check what it is really doing. Therefore, we can use the decompiler of Androguard and look at the source of the main activity (the output is truncated because we just want to demonstrate the power of the tools used):

In [8]: d.get_class('Lcom/magicsms/own/MagicSMSActivity;').source()
Out[8]: 
package com.magicsms.own;
public class MagicSMSActivity extends android.app.Activity {

public MagicSMSActivity()
  {
  return;
  }

public void onCreate(android.os.Bundle p10)
  {
  String v3;
  String v1;
  super.onCreate(p10);
  android.widget.Toast.makeText(this, "ERROR: Android version is not compatible", 1).show();
  String v6 = ((android.telephony.TelephonyManager) this.getSystemService("phone")).getSimCountryIso();
  if (!v6.equals("fr")) {
    if (!v6.equals("be")) {
      if (!v6.equals("ch")) {
        if (!v6.equals("lu")) {
              ........
  } else {
              ........

    }
    android.telephony.SmsManager v0 = android.telephony.SmsManager.getDefault();
    v0.sendTextMessage(v1, 0, v3, 0, 0);
    v0.sendTextMessage(v1, 0, v3, 0, 0);
    v0.sendTextMessage(v1, 0, v3, 0, 0);
    v0.sendTextMessage(v1, 0, v3, 0, 0);
    return;
  }
}

Now we know that the application is trying to send out SMS messages and displaying some strange error message to the user. The next question is: Is the app also checking for incoming messages? So we need to check for registered receivers:

In [9]: a.get_receivers()
Out[9]: ['com.magicsms.own.receiver.SMSReceiver']

And again we can get the Java sources of this class:

In [10]: d.get_class('Lcom/magicsms/own/receiver/SMSReceiver;').source()
Out [10]:
package com.magicsms.own.receiver;
public class SMSReceiver extends android.content.BroadcastReceiver {
  .......
}

Androguard still has a lot more power, but I think this should be enough for a first hands-on.

 

6 Replies to “Androguard: A simple step by step guide”

  2. Pingback: Codeinspect: The all-in-one Platform for Android App Analysis – forensic blog

  3. Hello there, can someone please help. I’ve downloaded Androguard via git repository and installed it properly.
    However, while executing the following:
    a,d,dx = AnalyzeAPK(“path_to_apk”, decompiler=”dad”)

    It shows a TypeError: AnalyzeAPK() got an unexpected keyword argument ‘decompiler’.

    I’ve downloaded and installed androguard twice, but it shows the same error again. Please help me through this. (I’ve python 2.7 currently installed in my system)

  4. Command that worked for me was – a,d,dx = AnalyzeAPK(“path_to_apk”). It doesn’t expect any decompiler argument. In case you want to use decompilers, try androdd.py script.

  5. Pingback: Malware onder Android opsporen en verwijderen - c't magazine

  6. Hi everyone,
    I am looking for a python script on how to get permissions of many APK files at once.
    Any help,please?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.