droidlysis-3.2.1/MANIFEST.in

include conf/*.conf
include conf/__init__.py

droidlysis-3.2.1/PKG-INFO

Metadata-Version: 2.1
Name: droidlysis
Version: 3.2.1
Summary: DroidLysis: pre-analysis script for suspicious Android samples
Home-page: https://github.com/cryptax/droidlysis
Author: @cryptax
Author-email: aafortinet@gmail.com
License: MIT
Description:

# DroidLysis

DroidLysis is a **property extractor for Android apps**. It automatically disassembles the Android application you provide and looks for various properties within the package or its disassembly.

DroidLysis can be used on Android packages (apk), Dalvik executables (dex), Zip files (zip), Rar files (rar) or directories of files.

## Install

### Requirements

1. **Install required system packages**: Python3, Pip, unzip:

   `sudo apt-get install default-jre git python3 python3-pip unzip wget libmagic-dev`

2. **Install Android disassembly tools**. DroidLysis does not perform the disassembly itself, but relies on other tools to do so. Therefore, you must install:

   - [Apktool](https://ibotpeaches.github.io/Apktool/) - note we only need the Jar.
   - [Baksmali](https://bitbucket.org/JesusFreke/smali/downloads) - note we only need the Jar.
   - [Dex2jar](https://github.com/pxb1988/dex2jar) - dex2jar is now *optional*. If you don't need Dex to Jar transformation (useful for later decompiling!), you can skip it.
   - [Procyon](https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler)

Some of these tools are redundant, but sometimes one fails on a sample while another does not. DroidLysis detects this and tries to switch to a tool that works for the sample.

As of August 13 2020, the following installation works:

```
$ mkdir softs
$ cd softs
$ wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.4.1.jar
$ wget https://bitbucket.org/JesusFreke/smali/downloads/baksmali-2.4.0.jar
$ wget https://github.com/pxb1988/dex2jar/files/1867564/dex-tools-2.1-SNAPSHOT.zip
$ unzip dex-tools-2.1-SNAPSHOT.zip
$ wget https://bitbucket.org/mstrobel/procyon/downloads/procyon-decompiler-0.5.36.jar
```

### Installation

Once the necessary tools are installed, you have two options.

Either **clone the repository**: `git clone https://github.com/cryptax/droidlysis`, then install the Python requirements:

```
$ git clone https://github.com/cryptax/droidlysis
$ cd droidlysis
$ pip3 install -r requirements.txt
```

**Or install using pip3**: `pip3 install droidlysis`

### Configuration

The configuration is extremely simple; you only need to tune `droidconfig.py`:

- `APKTOOL_JAR`: set the path to your apktool jar
- `BAKSMALI_JAR`: set the path to your baksmali jar
- `DEX2JAR_CMD`: set the path to the folder containing `d2j-dex2jar.sh`. If you did not install dex2jar, simply provide an invalid path here, for example pointing to a non-existent file.
- `PROCYON_JAR`: set the path to the procyon decompiler jar
- `INSTALL_DIR`: set the path to your DroidLysis instance. Do not forget to set this or DroidLysis won't work correctly!
Example:

```python
import os

APKTOOL_JAR = os.path.join(os.path.expanduser("~/softs"), "apktool_2.4.1.jar")
BAKSMALI_JAR = os.path.join(os.path.expanduser("~/softs"), "baksmali-2.4.0.jar")
DEX2JAR_CMD = os.path.join(os.path.expanduser("~/softs/dex-tools-2.1-SNAPSHOT"), "d2j-dex2jar.sh")
PROCYON_JAR = os.path.join(os.path.expanduser("~/softs"), "procyon-decompiler-0.5.36.jar")
INSTALL_DIR = os.path.expanduser("~/droidlysis")
```

Optionally, for specific situations, you might need to tune the following too. Normally the default options work and you won't have to touch these:

- `SQLALCHEMY`: specify your SQL database.
- `KEYTOOL`: absolute path of `keytool`, which generally ships with Java
- `SMALI_CONFIGFILE`: smali patterns
- `WIDE_CONFIGFILE`: resource patterns
- `ARM_CONFIGFILE`: ARM executable patterns
- `KIT_CONFIGFILE`: 3rd party SDK patterns

## Usage

DroidLysis has been ported to Python 3. To launch it and get options:

```
python3 ./droidlysis3.py --help
```

For example, test it on [Signal's APK](https://signal.org/android/apk/):

```
python3 ./droidlysis3.py --input Signal-website-universal-release-4.52.4.apk --output /tmp
```

![](./example.png)

DroidLysis outputs:

- A summary on the console (see example.png)
- The unzipped, pre-processed sample in a subdirectory of your output dir. The subdirectory is named using the sample's filename and sha256 sum. For example, if we analyze the Signal application and set `--output /tmp`, the analysis will be written to `/tmp/Signalwebsiteuniversalrelease4.52.4.apk-f3c7d5e38df23925dd0b2fe1f44bfa12bac935a6bc8fe3a485a4436d4487a290`.
- A database (by default, SQLite `droidlysis.db`) containing the properties it noticed.

## Options

Get usage with `python3 ./droidlysis3.py --help`

- The input can be a file or a directory of files to recursively look into. DroidLysis knows how to process Android packages, DEX, ODEX and ARM executables, ZIP, RAR. DroidLysis won't fail on other types of files (unless there is a bug...)
  but won't be able to understand the content.
- When processing directories of files, it is typically quite helpful to move processed samples to another location to know what has been processed. This is handled by option `--movein`. Also, if you are only interested in statistics, you should probably clear the output directory, which contains detailed information for each sample: this is option `--clearoutput`.
- When dealing with single samples, on the contrary, statistics are typically not so interesting, and their generation can be disabled with `--disable-sql`.
- DEX decompilation is quite slow with Procyon, so it is disabled by default. If you want to decompile to Java, use `--enable-procyon`.
- DroidLysis does not inspect known 3rd party SDKs by default, i.e. it won't report any suspicious activity from them. If you want them to be inspected, use option `--no-kit-exception`. This usually creates many more detected properties for the sample, as SDKs (e.g. advertisement) use lots of flagged APIs (get GPS location, get IMEI, get IMSI, HTTP POST...).

## Sample output directory (`--output DIR`)

This directory contains (when applicable):

- A readable `AndroidManifest.xml`
- Readable resources in `res`
- Libraries `lib`, assets `assets`
- Disassembled Smali code: `smali` (and others)
- Package meta information: `META-INF`
- Package contents when simply unzipped in `./unzipped`
- DEX executable `classes.dex` (and others), and converted to jar: `classes-dex2jar.jar`, and unjarred in `./unjarred`

The following files are generated by DroidLysis:

- `autoanalysis.md`: lists each pattern DroidLysis detected and where.
- `report.md`: same as what was printed on the console

If you do not need the sample output directory to be generated, use the option `--clearoutput`.

## SQLite database

This database is particularly useful when you are processing a directory of samples and later want to scan through the properties DroidLysis found in them.
By default, you will find the database in the file `droidlysis.db`. The results are stored in a table named `samples`. Each row of the table corresponds to a given sample. Each column is a property DroidLysis tracks.

For example, to retrieve the filename, SHA256 sum and smali properties of every sample in the database:

```
sqlite> select sha256, sanitized_basename, smali_properties from samples;
f3c7d5e38df23925dd0b2fe1f44bfa12bac935a6bc8fe3a485a4436d4487a290|Signalwebsiteuniversalrelease4.52.4.apk|{"send_sms": true, "receive_sms": true, "abort_broadcast": true, "call": false, "email": false, "answer_call": false, "end_call": true, "phone_number": false, "intent_chooser": true, "get_accounts": true, "contacts": false, "get_imei": true, "get_external_storage_stage": false, "get_imsi": false, "get_network_operator": false, "get_active_network_info": false, "get_line_number": true, "get_sim_country_iso": true, ...
```

## Property patterns

What DroidLysis detects can be configured and extended in the files of the `./conf` directory. A pattern consists of:

- a **tag** name: example `send_sms`. This names the property. It must be unique across the `.conf` file.
- a **pattern**: this is a regexp to be matched. Ex: `;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage`. In the `smali.conf` file, this regexp is matched against Smali code. In this particular case, there are 3 different ways to send SMS messages from the code: sendTextMessage, sendMultipartTextMessage and sendDataMessage.
- a **description** (optional): explains the importance of the property and what it means.
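As an added illustration (not DroidLysis's own code), the following Python reads entries in this `.conf` format with `configparser`, runs each regexp over every line of a set of Smali files, and returns the tag -> boolean map that ends up in the `smali_properties` column together with the file and line of each hit, which is what `autoanalysis.md` reports. The Smali excerpts and class names are constructed for the example; the four regexps are taken from the tool's `smali.conf`.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Entries in the format of DroidLysis's smali.conf (a constructed subset; the
# regexps themselves are the ones shipped in the tool's smali.conf).
SMALI_CONF = """
[send_sms]
pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
description=Sending SMS messages

[abort_broadcast]
pattern=abortBroadcast
description=abortBroadcast() is used to remove an incoming SMS from the queue

[android_id]
pattern=const-string v[0-9]*, "android_id"
description=Retrieves the Android ID

[busybox]
pattern=busybox
description=Uses busybox, probably to issue native shell commands
"""

# Constructed Smali excerpts in the form baksmali emits (hypothetical classes).
SMALI_FILES = {
    "smali/com/example/app/SmsHelper.smali": """\
.method public send(Ljava/lang/String;Ljava/lang/String;)V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
""",
    "smali/com/example/app/DeviceInfo.smali": """\
.method public getId(Landroid/content/Context;)Ljava/lang/String;
    invoke-virtual {p1}, Landroid/content/Context;->getContentResolver()Landroid/content/ContentResolver;
    move-result-object v0
    const-string v1, "android_id"
    invoke-static {v0, v1}, Landroid/provider/Settings$Secure;->getString(Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
""",
}


def load_patterns(conf_text: str) -> Dict[str, Tuple[re.Pattern, str]]:
    """Parse a DroidLysis-style .conf: one section per tag with a 'pattern'
    regexp and an optional 'description'. Interpolation is disabled so a
    regexp containing '%' is taken literally; a value starting with ';' is
    kept because configparser only treats ';' as a comment at line start."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    patterns = {}
    for tag in parser.sections():
        regexp = parser.get(tag, "pattern")
        description = parser.get(tag, "description", fallback="")
        patterns[tag] = (re.compile(regexp), description)
    return patterns


def scan_smali(files: Dict[str, str],
               patterns: Dict[str, Tuple[re.Pattern, str]]
               ) -> Tuple[Dict[str, bool], List[Tuple[str, str, int]]]:
    """Apply every pattern to every line of every Smali file.
    Returns (properties, hits): properties is the tag -> bool map DroidLysis
    stores in the smali_properties column; hits lists (tag, file, line) for
    each match, the information autoanalysis.md gives."""
    properties = {tag: False for tag in patterns}
    hits = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for tag, (regexp, _description) in patterns.items():
                if regexp.search(line):
                    properties[tag] = True
                    hits.append((tag, path, lineno))
    return properties, hits


def analyze(conf_text: str = SMALI_CONF, files: Dict[str, str] = SMALI_FILES):
    """Parse the conf and scan the Smali files in one call."""
    return scan_smali(files, load_patterns(conf_text))


if __name__ == "__main__":
    props, hits = analyze()
    print(props)
    for tag, path, lineno in hits:
        print(f"{tag}: {path}:{lineno}")
```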
For example, the complete `send_sms` entry in `smali.conf` is:

```
[send_sms]
pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
description=Sending SMS messages
```

## Updates

- v3.2.1 - IP address detection
- v3.2.0 - Dex2jar is optional
- v3.1.0 - Detection of Base64 strings

Keywords: android malware reverse
Platform: UNKNOWN
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: MIT License
Classifier: Development Status :: 3 - Alpha
Classifier: Operating System :: Unix
Classifier: Topic :: Software Development :: Disassemblers
Requires-Python: >=3.0.*
Description-Content-Type: text/markdown

droidlysis-3.2.1/README.md

(Same content as the PKG-INFO Description above.)

droidlysis-3.2.1/conf/__init__.py

(empty)

droidlysis-3.2.1/conf/arm.conf

[ch***]
pattern=chmod|chown|chgrp|chcon|chattr
[exec]
pattern=system|exec[a-z][a-z]|fork
description=Tries to execute a process
[shell]
pattern=/system/bin/sh
[mounts]
pattern=/proc/mounts|mount
description=Mounting or listing mounts - used in several exploits
[geteuid]
pattern=geteuid
[adb]
pattern=sbin/adb
[pm_install]
pattern=pm install
[pm_list]
pattern=pm list
[am_broadcast]
pattern=am broadcast
[am_start]
pattern=am start
[kill]
pattern=kill
[ptrace]
pattern=ptrace
[proc_version]
pattern=/proc/version
description=Gets description of device
[possible_exploit]
pattern=root exploit|rootshell|spray|privileges escalated|/proc/kallsyms|0wned
[ragecage]
pattern=CVE-2010-EASY
description=Exploit CVE-2010-EASY rage against the cage spotted
[exploid]
pattern=exploid|shakalaca
description=Exploit CVE-2009-1185 spotted
[zerg]
pattern=Zerg rush|zerglings|speedlings
description=Exploit CVE-2011-3874 (zergRush) spotted
[levitator]
pattern=clobbering kmem with poisoned pointers
description=Exploit CVE-2011-1350 (levitator) spotted
[mempodroid]
pattern=Mempodipper|Calculating su padding|Opening parent mem
description=Exploit CVE-2012-0025 (mempodroid) spotted
[towelroot]
pattern=towelroot|rootTheShit
[supersu]
pattern=/system/xbin/daemonsu|/system/xbin/sugote
[dalvikvm]
pattern=dalvikvm
description=Possible way to load Zips containing DEXs
[url_in_exec]
pattern=http://[^ "]*
description=URL in executable
[mtk_su]
description=MTK-SU CVE-2020-0069 root on MediaTek
pattern=Temporary root by diplomatic@XDA|amazing-temp-root-mediatek-armv8

droidlysis-3.2.1/conf/kit.conf

[acra]
pattern=org/acra
description=Application Crash Reports for Android (ACRA)
[appbrain]
pattern=com/appbrain
description=AppBrain marketplace
[adchina]
pattern=com/adchina/android
description=AdChina advertisement library
[adcolony]
pattern=com/adcolony/sdk|com/jirbo/adcolony
description=AdColony mobile advertisement library
[adfonic]
pattern=com/adfonic/android
[adjustio]
pattern=com/adeven/adjustio
description=Adeven Adjust io analyzer
[adlantis]
pattern=jp/adlantis/android/
[admob]
pattern=admob/android/ads|com/admob/android
[admoda]
pattern=com/admoda
[admogo]
pattern=com/admogo
[adscend]
pattern=com/adscendmedia/sdk
[adsdk]
pattern=com/adsdk/sdk/
[adserver]
pattern=com/adserver/adview
[adtech]
pattern=com/adtech/mobilesdk
[aduu]
pattern=cn/aduu/android
[adwhirl]
pattern=com/adwhirl
[adwo]
pattern=com/adwo/adsdk
[air]
pattern=/air/.*/AppEntry/|com/adobe/air/
description=Adobe AIR
[airad]
pattern=com/mt/airad/
[airpush]
pattern=com/airpush/android
[algolia]
pattern=com/algolia/search
description=Search and Discovery SDK
[amazon]
pattern=com/amazon/venezia/service|com/amazon/inapp/purchasing|com/amazonaws/services
[amazonads]
pattern=com/amazon/device/ads
description=Amazon DTB Ads API
[amadrive]
pattern=com/amazon/identity/auth
[amobee]
pattern=com/amobee/onlineHapi
[amulyakhare]
pattern=com/amulyakhare/textdrawable
description=TextDrawable Images with letters
[anjlab]
pattern=com/anjlab/android/iab/
[ansca]
pattern=com/ansca/corona
description=Ansca/Corona Labs SDK
[anywhere]
pattern=anywheresoftware/b4a
description=Basic For Android (B4A)
[apache]
pattern=org/apache/commons/
[apperhand]
pattern=com/apperhand/device
[appcompat]
pattern=androidx/
description=AndroidX Support Library
[appflood]
pattern=com/appflood/
[applovin]
pattern=com/applovin
[appmedia]
pattern=cn/appmedia/ad/
[appnext]
pattern=com/appnext
[badlogic]
pattern=com/badlogic/gdx
[baidu]
pattern=com/baidu/
[bangcle]
pattern=com/secapk/wrapper
[beta]
pattern=com/beta/ads
[bolts]
pattern=bolts/
description=Bolts low-level libraries
[bottomsheet]
pattern=com/cocosw/bottomsheet
description=Bottom sheets library
[bugsense]
pattern=com/bugsense
description=BugSense crashlytics
[bumptech]
pattern=com/bumptech/glide
description=Bumptech Glide Image loading and caching library
[butterknife]
pattern=butterknife/internal
[burstly]
pattern=com/burstly/lib
[bypush]
pattern=com/bypush
[chartboost]
pattern=com/chartboost/sdk
[circleprogress]
pattern=at/grabner/circleprogress
description=Animated circular progress view for Android
[codewaves]
pattern=com/codewaves/stickyheadergrid
description=Sticky header grid layout manager for RecyclerView
[cordova]
pattern=org/apache/cordova
description=Apache Cordova - mobile apps with HTML, CSS and JS for multiple platforms
[crashlytics]
pattern=com/crashlytics
[crittercism]
pattern=crittercism/android
[countly]
pattern=ly/count/android/sdk
description=Countly SDK product analytics
[dagger]
pattern=dagger/internal
[dexter]
pattern=com/karumi/dexter
description=Karumi Dexter Library to request permissions at runtime
[domob]
pattern=cn/domob/android
description=Domob.cn
[dom4j]
pattern=org/dom4j/dom
description=Dom4j
[emagsoft]
pattern=cn/emagsoftware/gamebilling
[energysource]
pattern=com/energysource/szj/embeded
[exoplayer]
pattern=com/google/android/exoplayer2
description=ExoPlayer Media Player for Android
[fabric]
pattern=io/fabric/sdk/android
description=Fabric.io Crashlytics
[facebook]
pattern=com/facebook/
[fancypush]
pattern=com/fancypush
[firebase]
pattern=com/google/firebase
[flexion]
pattern=com/eamobile/nbajam_sxperia_wf/FlexionActivity
[flurry]
pattern=com/flurry/android|com/flurry/sdk
description=Flurry analytics
[fractal]
pattern=com/fractalist/android/ads/
[ganalytics]
description=Google Analytics
pattern=com/google/analytics/tracking/android|com/android/apps/analytics|com/google/android/apps/analytics/|com/google/analytics/|com/google/android/gms/analytics
[gameloft_billing]
description=Gameloft billing
pattern=gameloft/.*?/Billing/
[gdt]
pattern=com/qq/e/ads/
[googleads]
pattern=com/google/ads
[googleapis]
pattern=com/google/api/services|com/google/api/client/googleapis|com/google/api/client/
description=Google API Services
[googleauth]
pattern=com/google/api/client/auth
[googlec2dm]
description=Google C2DM
pattern=com/google/android/c2dm
[googledrive]
pattern=com/google/api/services/drive
[googlegcm]
pattern=com/google/android/gcm
[googlegms]
pattern=com/google/android/gms/
[googlegson]
pattern=com/google/gson/
[googlehttp]
pattern=com/google/api/http/
[googleprotobuf]
pattern=com/google/protobuf/
[googletag]
pattern=com/google/tagmanager
[gplus]
pattern=com/google/android/apps/plus/
[greendao]
pattern=org/greenrobot/greendao
[greystripe]
pattern=com/greystripe/android/android/sdk
[gsf]
pattern=com/google/android/gsf
[gson]
pattern=com/google/mygson/internal/UnsafeAllocator
[gtalkservice]
pattern=com/google/android/gtalkservice
[hockey]
pattern=net/hockeyapp/android
[http]
pattern=org/apache/http/
[huntmads]
pattern=com/huntmads/admobadaptor
[iadpush]
pattern=com/iadpush/adp
[idreamsky]
pattern=com/idreamsky/gc
[imadpush]
pattern=com/imadpush/ad
[inmobi]
pattern=com/inmobi/androidsdk
[indvseng]
pattern=com/indvseng/
[iusys828]
pattern=net/iusys828
description=Iusys
[izp]
pattern=com/izp/views/
[jackson]
pattern=org/codehaus/jackson/
[jackpal]
pattern=jackpal/androidterm/Exec
[jaxen]
pattern=org/jaxen/
[j2me]
description=J2ME Security
pattern=javax/microedition/io/SecurityInfo
[ju6]
pattern=com/ju6
[jumptap]
pattern=com/jumptap/adtag
[kuaiyou]
pattern=com/kuaiyou/
[airpush_klyv]
pattern=com/klYv/TsrC111182
description=Airpush
[kuguo]
pattern=com/kuguo/ad
[leadbolt]
pattern=com/Leadbolt|com/dlbuuxnusaeyuq
[leolin]
pattern=me/leolin/shortcutbadger
description=Leolin Badge notification library
[lmmob]
pattern=cn/immob/sdk/
[localytics]
pattern=com/Localytics/android
[looksery]
pattern=com/looksery
description=Looksery Real Time Face Transformation Filters
[lottie]
pattern=com/airbnb/lottie
description=Airbnb Adobe After Effects animations
[lsense]
pattern=com/l/adlib_android/
[madhouse]
pattern=com/madhouse/android/ads
[mdotm]
pattern=com/mdotm/android
[medialets]
pattern=com/medialets/advertising
[mediba]
pattern=mediba/ad/sdk/android
[millennial]
pattern=com/millennialmedia/android
[mime4j]
pattern=apache/james/mime4j
description=Mime4J
[mineralt]
pattern=blue/analytics/mlt
[mixpanel]
pattern=com/mixpanel/android
[moat]
pattern=com/moat/analytics
[mobclick]
pattern=com/mobclick/android
[mobclix]
pattern=com/mobclix/android/sdk
[mobfox]
pattern=com/mobfox
[mobihelp]
pattern=com/freshdesk/mobihelp
[momark]
pattern=com/donson/momark/view
[mopub]
pattern=com/mopub/mobileads
[nexage]
pattern=com/nexage/android|com/nexage/admaxsdk
[nitrodesk]
pattern=com/nitrodesk
[oauth]
pattern=oauth/signpost/signature/
[okhttp]
description=Square OkHttp client for Android
pattern=okhttp3
[okio]
description=Square I/O API for Java
pattern=okio
[ooyala]
pattern=com/ooyala/android
[opencensus]
pattern=io/opencensus
description=OpenCensus libraries for application metrics and distributed traces
[openfeint]
pattern=com/openfeint
[paypal]
pattern=com/paypal/android
[papaya]
pattern=com/papaya/social
[picasa]
description=Picasa Services
pattern=com/google/android/picasastore|com/google/android/picasasync
[picasso]
pattern=com/squareup/picasso
[piwik]
pattern=org/piwik/sdk
description=Matomo Analytics (formerly piwik)
[pollfish]
pattern=com/pollfish
[pontiflex]
pattern=com/pontiflex/mobile
[protobuf]
pattern=com/google/protobuf
[punchbox]
pattern=com/punchbox/
[quclix]
pattern=com/quclix/android
[qwapi]
pattern=com/qwapi/adclient/android
[revmob]
pattern=com/revmob/ads|com/revmob/RevMob
#[rixallab]
#pattern=com/rixallab/ads
[rootbeer]
pattern=com/scottyab/rootbeer
[rootsoft]
pattern=com/rootsoft/adhub
[scribe]
pattern=org/scribe
[socialize]
pattern=com/socialize
[senddroid]
pattern=com/senddroid
[slf4j]
pattern=org/slf4j|uk/uuid/slf4j
description=Simple Logging Facade for Java (SLF4J)
[smaato]
pattern=com/smaato/SOMA
[smartadserver]
pattern=com/smartadserver/android/library|cn/smartmad/ads/android/
[spotify]
pattern=com/spotify
[startapp]
pattern=com/startapp/android
[suizong]
pattern=com/suizong/mobile/ads
[superrewards]
pattern=com/adknowledge/superrewards
[support]
pattern=android/support/
description=Android Support
[springframework]
pattern=org/springframework
[spongycastle]
pattern=org/spngycastle
[sponsorpay]
pattern=com/sponsorpay/sdk/android/advertiser
[squareup]
pattern=com/squareup/okhttp/
[tapcontext]
pattern=com/tapcontext
[tapjoy]
pattern=com/tapjoy/
[tapit]
pattern=com/tapit/advertising
[tencent]
pattern=com/tencent/
[timber]
pattern=timber/log
description=Timber.io Logging tools
[tinmoo]
pattern=com/ignitevision/android/ads/
[transpera]
pattern=com/transpera/sdk/android/videoad
[tremorvideo]
pattern=com/tremorvideo/sdk/android
[trialpay]
pattern=com/trialpay/android
[twitter4j]
pattern=twitter4j/
[twitter]
pattern=com/twitter/sdk/android
[umeng]
pattern=com/umeng/
[unity]
description=Unity 3D Game Development
pattern=com/unity3d/player
[urbanairship]
pattern=com/urbanairship/
[vdopia]
pattern=com/vdopia/client/android
[vending]
description=Google In App Billing
pattern=com/android/vending|com/google/android/vending/licensing/
[vdroid]
pattern=com/vdroid/ads
[volley]
pattern=com/android/volley/
[vpon]
pattern=com/vpon/adon/android
[waps]
description=Waps
pattern=com/waps|cn/waps
[weather]
pattern=com/go/weather/
[wiyun]
pattern=com/wiyun/ad/
[wooboo]
pattern=com/wooboo/adlib_android
[wq]
pattern=com/wqmobile/sdk
[ximad]
pattern=com/ximad/ad
[xtremelabs]
description=Xtreme Labs Image Utilities
pattern=com/xtremelabs/imageutils|com/xtremelabs/utilities
[yandex]
pattern=com/yandex
[youmi]
pattern=net/youmi/android
[yume]
pattern=com/yume/android/sdk
[zestadz]
pattern=com/zestadz/android
[zhidian]
pattern=com/adzhidian/ui
[zong]
pattern=com/zong/android/engine
[zxcvbn]
pattern=com/nulabinc/zxcvbn
description=JavaScript password strength generator

droidlysis-3.2.1/conf/manifest.conf

[permission_gps]
pattern=ACCESS_COARSE_LOCATION|ACCESS_FINE_LOCATION
description=Allows an app to access location from location sources such as GPS, cell towers, and Wi-Fi
[permission_send_sms]
pattern=SEND_SMS|WRITE_SMS
description=Allows sending SMS messages
[permission_receive_sms]
pattern=RECEIVE_SMS|RECEIVE_WAP_PUSH|SMS_RECEIVE
description=Allows an application to monitor incoming SMS messages, to record or perform processing on them, or to process WAP Push messages
[permission_call]
pattern=CALL_PHONE|CALL_PRIVILEGED|PROCESS_OUTGOING_CALLS
description=Allows placing calls or processing outgoing calls
[permission_contacts]
pattern=READ_CONTACTS
[permission_install]
pattern=INSTALL_PACKAGES
[permission_wifi]
pattern=CHANGE_WIFI_STATE
[permission_access_wifi_state]
pattern=ACCESS_WIFI_STATE
[permssion_capture_audio]
pattern=CAPTURE_AUDIO_OUTPUT
[permission_accounts]
pattern=GET_ACCOUNTS
[permission_logs]
pattern=READ_LOGS
[permission_internet]
pattern=INTERNET
[permission_bluetooth]
pattern=BLUETOOTH
description=Allows to use Bluetooth
[permission_nfc]
pattern=NFC
description=Allows to use NFC
[permission_set_time]
pattern=SET_TIME
description=Allows to set time or timezone
[vibrate]
pattern=VIBRATE
[permission_orientation]
pattern=SET_ORIENTATION
[permission_device_admin]
pattern=BIND_DEVICE_ADMIN
[permission_wallpaper]
pattern=BIND_WALLPAPER
[permission_accessibility]
pattern=BIND_ACCESSIBILITY_SERVICE
[permission_history_bookmarks]
pattern=READ_HISTORY_BOOKMARKS
[permission_forward_lock]
pattern=INSTALL_FORWARD_LOCK
[permission_authenticate_accounts]
pattern=AUTHENTICATE_ACCOUNTS
[permission_disable_keyguard]
pattern=DISABLE_KEYGUARD
[permission_inject_events]
pattern=INJECT_EVENTS
[permission_master_clear]
pattern=MASTER_CLEAR
[permission_kill_background_processes]
pattern=KILL_BACKGROUND_PROCESSES
[permission_substrate]
pattern=SUBSTRATE
[permission_camera]
pattern=CAMERA

# droidlysis-3.2.1/conf/smali.conf
[abort_broadcast]
pattern=abortBroadcast
description=abortBroadcast() is used to remove an incoming SMS from the queue before other receivers (with lower priority) can process them
[accessibility_service]
pattern=onAccessibilityEvent
description=Implements an accessibility service meant to help users with disabilities. Also abused maliciously to lock them up
[account_pwd]
pattern=android/accounts/AccountManager;->getPassword
description=Tries to get the password of the phone account
[airplane]
pattern=android.intent.action.AIRPLANE_MODE
description=Detects phone airplane mode
[android_id]
pattern=const-string v[0-9]*, "android_id"
description=Retrieves the Android ID
[andy]
pattern=fstab.andy|ueventd.andy.rc
description=Andy emulator detection
[answer_call]
pattern=;->answerRingingCall
description=Answers a ringing call
[apkprotect]
pattern=APKProtect
description=Obfuscation with APKProtect
[base64]
pattern=Landroid/util/Base64;->
description=Uses Base64 encoder/decoder
[battery]
pattern=android.intent.action.BATTERY_CHANGED
description=Gets battery info (e.g. charge level, temperature)
[bluestacks]
pattern=com.bluestacks
description=Bluestacks emulator detection
[board]
pattern=Build;->BOARD
description=Retrieves hardware board information
[bookmarks]
pattern=BOOKMARKS_URI|Landroid/provider/Browser;->getAllBookmarks
description=Adds or reads bookmarks of the phone browser
[bootloader]
pattern=Build;->BOOTLOADER
description=Retrieves version of bootloader
[brand]
pattern=Build;->BRAND
description=Retrieves phone brand name
[busybox]
pattern=busybox
description=Uses busybox, probably to issue native shell commands or run other processes
[call]
pattern=ACTION_CALL|ACTION_DIAL|android.intent.action.CALL
description=Can place calls
[call_log]
pattern=android/provider/CallLog
description=Reads the call log
[camera]
pattern=Landroid/hardware/Camera;->open
description=Uses the phone camera
[check_permission]
pattern=Landroid/content/pm/PackageManager;->checkPermission|Landroid/content/Context;->checkPermission
description=Checks for given permissions
[contacts]
pattern=android/provider/ContactsContract
description=Reads or lists phone contacts
[cookie_manager]
pattern=android/webkit/CookieManager;->
description=Looks into cookies
[cpu_abi]
pattern=Build;->CPU_ABI
description=Retrieves CPU ABI
[crc32]
pattern=java/util/zip/CRC32;->init
description=Computes CRC32
[c2dm]
pattern=intent.REGISTER|intent.UNREGISTER|Lcom/google/android/gcm/GCMRegistrar;->getRegistrationId
description=Registers or unregisters C2DM (Cloud to Device Messaging)
[debugger]
pattern=Debug;->isDebuggerConnected
description=Detects connected debugger
[device_admin]
pattern=DeviceAdminReceiver|isAdminActive
description=Creates or uses a device administrator app
[dex_class_loader]
pattern=DexClassLoader
description=Potentially trying to silently run another DEX executable
[dex_file]
pattern=Ldalvik/system/DexFile;->
description=Manipulates DEX files
[dhcp_server]
pattern=Landroid/net/DhcpInfo;->serverAddress
description=Queries the address of a DHCP server
[dns]
pattern=Landroid/net/DhcpInfo;->dns
description=Queries the address of a DNS server
[email]
pattern=EXTRA_EMAIL|EXTRA_SUBJECT|EXTRA_BCC|EXTRA_CC|extra\.SUBJECT|android/net/MailTo
description=Reading/writing or sending an email
[emulator]
pattern=15555215554|310260000000000|e21833235b6eef10|com.framgia.android.emulator
description=Emulator detection techniques
[encryption]
pattern=KeySpec|SecretKey|Cipher
description=Uses encryption
[end_call]
pattern=;->endCall
description=Ends a phone call
[execute_native]
pattern=Runtime;->exec|createSubprocess|Ljava/lang/ProcessBuilder;->start|android.os.Exec
description=Executes shell or native executables
[fingerprint]
pattern=Build;->FINGERPRINT
description=Retrieves hardware Build fingerprint
[genymotion]
pattern=/dev/socket/baseband_genyd|/dev/socket/genyd|genymotion
description=Detects GenyMotion emulator
[get_accounts]
pattern=AccountManager;->getAccounts|ContactsContract\$CommonDataKinds\$Email|Patterns\$EMAIL_ADDRESS
description=Possibly trying to retrieve the phone's operational email address
[get_active_network_info]
pattern=getActiveNetworkInfo
description=Returns details about the currently active default data network
[get_external_storage_state]
pattern=Landroid/os/Environment;->getExternalStorageState
description=Reads storage state, possibly to tell if SD card is mounted read-only or read-write
[get_imei]
pattern=getDeviceId
description=Retrieves phone IMEI
[get_imsi]
pattern=getSubscriberId
description=Retrieves user IMSI
[get_installed_packages]
pattern=PackageManager;->getInstalledPackages|PackageManager;->getInstalledApplications
description=Lists installed packages
[get_installer_package_name]
pattern=PackageManager;->getInstallerPackageName
description=Gives the name of the app which installed a given package
[get_line_number]
pattern=getLine1Number
description=Retrieves end user phone number (line number)
[get_mac]
pattern=getMacAddress
description=Retrieves MAC address
[get_network_operator]
# this will also match NetworkOperatorName
pattern=getNetworkOperator
description=Retrieves network operator
[get_package_info]
pattern=PackageManager;->getPackageInfo
description=Gets information on a package
[get_sim_country_iso]
pattern=getSimCountryIso
description=Retrieves SIM country
[get_sim_operator]
pattern=getSimOperator
description=Retrieves SIM operator
[get_sim_serial_number]
pattern=getSimSerialNumber
description=Retrieves SIM serial number
[gps]
pattern=Location;->getLatitude|Location;->getLongitude|;->getCid|;->getLac|LocationManager;->getLastKnownLocation|TelephonyManager;->getCellLocation|LocationManager;->requestLocationUpdates|TelephonyManager;->getNeighboringCellInfo
description=Uses GPS location
[hardware]
pattern=Build;->HARDWARE
description=Retrieves phone hardware information
[hide_softkeyboard]
pattern=hideSoftInputFromWindow
description=Hides software keyboard
[http]
pattern=HttpGet|HttpMessage|HttpRequest|URLConnection;->openConnection
description=Performs HTTP GET
[intent_chooser]
pattern=Intent;->createChooser
description=Uses an intent chooser to ask the end-user which application to use when a given event occurs (e.g. which email app to use to send an email)
[ip_address]
pattern=Landroid/net/DhcpInfo;->ipAddress|getIpAddress|net/InetAddress;->getHostAddress
description=Retrieves the device IP address
[ip_properties]
pattern=Landroid/net/DhcpInfo;->netmask|Landroid/net/DhcpInfo;->gateway
description=Gets the netmask or gateway used by the device
[javascript]
pattern=Landroid/webkit/WebSettings;->setJavaScriptEnabled|Landroid/webkit/WebView;->addJavascriptInterface
description=Loads JavaScript in WebView
[jni]
pattern=JNIEnv| native |jclass|jmethodID|jfieldID|FindClass
description=Uses Java JNI
[json]
pattern=org/json/JSONObject
description=Uses JSON objects
[keyguard]
pattern=KeyguardManager\$KeyguardLock;->|FLAG_DISMISS_KEYGUARD
description=Probably tries to unlock the phone
[kill_proc]
pattern=android/app/ActivityManager;->killBackgroundProcesses
description=Kills background processes
[link_speed]
pattern=android/net/wifi/WifiInfo;->getLinkSpeed
description=Gets link speed for Wifi
[load_dex]
pattern=openDexFile|loadDex
description=Loads a DEX executable
[load_library]
pattern=System;->loadLibrary
description=Loads a native library
[logcat]
pattern=logcat
description=Inspects or manipulates system logs
[manufacturer]
pattern=Build;->MANUFACTURER
description=Retrieves hardware manufacturer name
[microphone]
pattern=android/media/AudioManager;->setMicrophoneMute
description=Mutes the microphone
[model]
pattern=Build;->MODEL
description=Retrieves hardware build model
[nop]
pattern= nop
description=DEX bytecode contains NOP instructions.
[nox]
pattern=fstab.nox|init.nox.rc|ueventd.nox.rc|com.bignox.app
description=NOX emulator detection
[obfuscation]
pattern=/a/a;->a|AESObfuscator-1
description=Obvious traces of code obfuscation
[open_non_asset]
pattern=openNonAsset
description=Opens a non-asset file
[package_delete]
pattern=android.intent.action.DELETE
description=Uninstalls a package
[package_sig]
pattern=PackageInfo;->signatures|GET_SIGNATURES
description=Reads signatures of packages
[pangxie]
pattern=PangXie
description=Uses PangXie obfuscation
[phone_number]
pattern=android.intent.extra.PHONE_NUMBER
description=Retrieves an incoming or outgoing phone number
[post]
pattern=POST |HttpPost|"POST"|POST
description=Tries to perform an HTTP POST. There might be false positives...
[product]
pattern=Build;->PRODUCT
description=Retrieves hardware build product
[receive_sms]
pattern=SmsReceiver|;->createFromPdu|SmsObserver|;->getOriginatingAddress|content://sms|SmsMessage|SMS_RECEIVED
description=Receiving SMS
[record]
pattern=android/media/AudioRecord;->startRecording
description=Records audio on the phone
[reflection]
pattern=Class;->forName|Method;->invoke|Class;->getDeclaredMethods|Method;->setAccessible
description=Uses Java reflection
[ringer]
pattern=android/media/AudioManager;->setRingerMode|android/media/AudioManager;->getRingerMode
description=Gets or sets ringer mode
[rooting]
pattern=com.cyanogenmod|com.noshufou.android.su|Superuser.apk|eu.chainfire.supersu
description=Searches for or uses applications typically installed on rooted phones.
[rssi]
pattern=android/net/wifi/WifiInfo;->getRssi
description=Gets Wifi RSSI
[scp]
pattern=const-string v[0-9]*, ".*scp.*"
description=Sends or retrieves files via SCP
[search_url]
pattern=Landroid/provider/Browser;->addSearchUrl
description=Adds a new search URL to the browser
[send_sms]
pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
description=Sending SMS messages
[sensor]
pattern=android/hardware/SensorManager;->getSensorList
description=Lists hardware sensors
[set_component]
pattern=PackageManager;->setComponentEnabledSetting
description=Might be trying to hide the application icon
[shortcut]
pattern=INSTALL_SHORTCUT
description=Adds a new app shortcut to the phone
[socket]
pattern=Ljava/net/Socket;->
description=Creates a socket. Used to communicate...
[ssh]
pattern= const-string v[0-9]*, ".*ssh.*"
description=Application uses SSH
[ssid]
pattern=android/net/wifi/WifiInfo;->getSSID
description=Retrieves SSID used by Wifi
[su]
pattern="su"|/system/xbin/daemonsu|/system/xbin/sugote
description=Uses su. Perhaps to test if the device is rooted.
[substrate]
pattern=com/saurik/substrate/MS
description=Uses or refers to Saurik's Substrate
[tasks]
pattern=android/app/ActivityManager;->getRunningTasks
description=Lists running tasks
[uri]
pattern=Landroid/net/Uri;->parse
description=Parses a URL. Will usually just display the URL, but not post info.
[url_history]
pattern=Landroid/provider/Browser;->getAllVisitedUrls
description=Gets all URLs the phone browser visited
[user_agent]
pattern=User-Agent
description=Specifies an HTTP User-Agent
[uuid]
pattern=UUID;->randomUUID
description=Creates a random identifier. Used to identify the user.
[vibrate]
pattern=android/os/Vibrator;->vibrate
description=Uses phone vibrations
[vnd_package]
pattern=application/vnd.android.package-archive
description=Probably tries to load an app
[wallpaper]
pattern=android/app/WallpaperManager;->getDrawable|android/app/WallpaperManager;->setBitmap
description=Gets or sets the current wallpaper
[webview]
pattern=Landroid/webkit/WebView;->loadUrl|;->setWebChromeClient
description=Displays a URL in the WebView. Very often used to display custom pages with JavaScript, sometimes malicious...
[wifi]
pattern=android/net/wifi/WifiManager;->setWifiEnabled|android/net/wifi/WifiManager;->isWifiEnabled|android/net/wifi/WifiManager;->startScan
description=Tests or scans for WiFi
[zip]
pattern=java/util/zip/ZipOutputStream|java/util/zip/ZipInputStream|java/util/zip/ZipEntry
description=Zips or unzips files

# droidlysis-3.2.1/conf/wide.conf
[am_start]
pattern=am start
description=Starts an activity via shell command
[android_wear]
pattern=Android\ Wear|android_wear
description=Uses or references Android Wear
[china_mobile]
pattern=cmwap|cmnet
description=Detects China Mobile network
[china_unicom]
pattern=uniwap|uninet
description=Detects China Unicom network
[china_telecom]
pattern=ctwap|ctnet
description=Detects China Telecom network
[coinhive]
pattern=CoinHive
description=CoinHive JavaScript SDK for mining Monero
[cryptocurrency]
pattern=CoinHive|crypta\.js|crypto-loot|ethereum|dogecoin|litecoin| ripple |bitcoin|ledger|blockchain|trezor
description=Uses cryptocurrencies
[cryptoloot]
pattern=crypta\.js|crypto-loot
[c2_anon]
pattern=portmap\.io|ngrok\.io
description=Port forwarding or secure tunneling service, often used to anonymize C2
[gps]
pattern=LocationManager
description=Use of GPS noticed in assets, libraries or other unusual directories
[javascript]
pattern=