APK analysis toolkits

Posted on 03/10/2015, by Asier Martínez (INCIBE)

As demonstrated by the data gathered in the Android malware situation report, Google’s operating system has become the mobile platform most affected by malware, accounting for 99% of threats developed for smartphones.

As a result, a number of utilities have appeared that analyse these types of threats from different points of view. In general, there are two types of analysis: static and dynamic. The former analyses different aspects of applications without running them, whereas the latter focuses on analysing the application’s behaviour once it is running. Normally, dynamic analysis utilities and services incorporate information obtained from a previous static analysis.

The following are some of the most commonly used applications for performing these two types of analysis, grouped into those that run on the local client and require prior installation, and those that are offered as online services.

APK analysis tools

In general, they can all be used free of charge, although some impose limitations on commercial use.

Local tools

Static

  • Androguard: written in Python, and therefore multiplatform, it incorporates various functions and gives access to a multitude of an APK’s characteristics. Some of the most notable options are:
    • Decompiling APKs, thus enabling access to permissions, Receivers, Activities, Content Providers, Services, Package Name, classes, methods, etc.
    • Threat indicator.
    • Risk indicator.
    • Comparing the code of two applications to verify the similarities between them.
    It is available at https://code.google.com/p/androguard/
  • APKInspector: also written in Python, its main feature is its graphical interface, which enables viewing different aspects of the analysed APKs such as AndroidManifest.xml. It is available at https://github.com/honeynet/apkinspector/
  • APKTool: a multiplatform utility that enables decompiling and subsequently re-compiling applications. It is available at https://code.google.com/p/android-apktool/
  • APKStudio: a multiplatform IDE (Integrated Development Environment) that enables decompiling and compiling APKs. It is available at https://apkstudio.codeplex.com/
  • Androwarn: a utility geared towards detecting and warning about potentially dangerous behaviours. To do so, it analyses a number of APK aspects such as:
    • The possibility of exfiltrating sensitive data such as the mobile device’s settings, geolocation, Wi-Fi access credentials, contacts’ data, etc.
    • The possibility of sending Premium SMS messages or making phone calls.
    • The ability to record video and audio.
    The reports it generates have a very intuitive and clear design. It is available at https://github.com/maaaaz/androwarn
  • Dex2Jar: enables converting an APK file into a JAR one so that the application’s code can be viewed. It is available at https://code.google.com/p/dex2jar/
  • JD-GUI: a tool with a graphical interface that enables interacting with .CLASS files in an intuitive way. It is available at http://jd.benow.ca/
  • JAD: a multiplatform application that enables converting .DEX files into .CLASS files. It is available at http://varaneckas.com

Dynamic

  • DroidBox: a command line utility that enables access to a multitude of information such as:
    • Communications established by the application.
    • Possibility of exfiltrating sensitive data.
    • Maps that show the APK’s behaviour.
    • Comparing the code of two applications to verify the similarities between them.
    It is available at https://code.google.com/p/droidbox/

Online services

Static

  • Virustotal: analyses applications with more than 50 antivirus engines. It also performs a static analysis of applications with Androguard and incorporates different modules such as ExifTool or TrID to obtain additional data. It provides a public API with limitations and a private API. This service can be found at https://www.virustotal.com/
  • Andrototal: this service is in the BETA phase. It analyses applications with various antivirus engines, but fewer than Virustotal. It also displays information such as the permissions and activities of the analysed application. This service can be found at http://andrototal.org/ (Link currently unavailable)

Dynamic

  • APKScan: displays a large amount of data:
    • General data: hashes, size, etc.
    • Analysis with Virustotal.
    • Screenshots of the running application.
    • Capture of the network traffic.
    • Possibility of exfiltrating data.
    It provides a private API.
  • Mobile Sandbox: enables access to the typical data of a static analysis such as requested permissions, receivers, services, content providers, etc. and it intuitively displays the data that the application accesses, so the risks of installing the application can be seen clearly. This service can be found at http://mobilesandbox.org/
  • Akana: an online interactive environment that displays the typical data from a static analysis along with Virustotal’s analysis. This service can be found at http://www.mobiseclab.org/ (Link currently unavailable)
  • Anubis: along with the characteristic data from a static analysis, it displays different data such as the network traffic, a screenshot of the running application, significant strings, etc. This service can be found at http://anubis.iseclab.org/ (Link currently unavailable)

There are various distributions that bundle these and other utilities for performing the aforementioned analyses. The most notable ones are the following:

  • Santoku: a Linux-based environment that incorporates a large number of utilities, many of which are aimed at analysing malware for mobile devices. It is available at https://santoku-linux.com/
  • Android Reverse Engineering (A.R.E): a virtual machine with a multitude of tools specifically designed for analysing Android applications. It is available at https://github.com/hannoL/AREsoft
  • MobiSec Lab: an Ubuntu-based environment that includes the necessary infrastructure to perform analyses of applications. It is available at http://sourceforge.net/projects/mobisec/files/

If you do not have any samples and wish to obtain some to test the tools described in the article, you can get them from several sources:

  • APK Downloader: an online service that enables downloading Google Play applications. It is available at https://apps.evozi.com/apk-downloader/?id= (Link currently unavailable)
  • MyAPPSharer: a utility available on Google Play that, once installed on the mobile device, enables extracting other applications installed on the device.
  • Contagio Mobile: a popular Android malware blog that contains a vast number of samples that can be downloaded for analysis.