ddeepp109/Android-Malware-Analysis

❱ EVALUATION OF OBFUSCATED ANDROID MALWARE

A Python script is proposed to automate Android malware analysis, combining static and dynamic analysis methods.

NOTE: To run this script you need an Androzoo API key and a VirusTotal API key.

❱ Author

❱ Getting started

  1. Go to the project folder and install the Python packages:
     pip install -r requirements.txt
  2. Add the Androzoo API key in the start.py file at line number 57.
  3. Verify the value inside count.txt; it should be 1 for the first-time execution.
  4. Add the SHA-256 hash values of the Android APKs (from the CSV file you get from Androzoo) to sha256.txt. Note: each SHA-256 value should be on a new line; do not use a comma (,) for separation.
  5. Run start.py using Python 3:
     python3 start.py

❱ Project structure

APKs/                        Downloaded APKs (non-obfuscated)
|- main.py                   Main Python file that runs the script
|- obfuscat.sh               Calls the Docker function from a bash script
|- sha256.txt                Hash values of the APKs
|- count.txt                 Logs the count of processed APK files
Automation/
|- r2d_droidy.py             Fetches the results
|- sort.py                   Sorts APKs
|- vt-scan1.py               Uploads to VirusTotal
cuckoo/
|- cuckoo.py                 Calls the CuckooDroid function
|- utils/
|  |- submit.py              Submits an APK for dynamic analysis
|  +- ...                    Additional modules and components
obfuscatedAPK/               Folders that store obfuscated APKs, one per method
|- Code/
|- Encryption/
|- High/
|- Low/
|- Medium/
|- Rename/
Reports/                     Folders that store reports
|- Static/
|  |- APK_Report/
|  |- Obfuscapk_Report/
|- Dynamic/
|  |- APK_Report/
|  |- Obfuscapk_Report/

❱ Main Functions

The automation is implemented as a set of Python scripts.

Function             Description
main                 Loops until every value in sha256.txt has been processed.
Obfuscation          Applies the six obfuscation types (Encryption, Code, Rename, High, Medium and Low).
static_analysis      Runs a Quark-engine analysis.
dynamic_analysis     Performs dynamic analysis.
last_processed_APK   Updates the count.txt file.
processed_APK        Reads the line number of the last processed APK SHA-256 value from count.txt.
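The main loop, processed_APK and last_processed_APK functions above, together with the sha256.txt / count.txt conventions from the Getting started steps, describe a checkpointed batch loop: process one hash per line, record progress in count.txt, resume from that record on the next run. The block below is an added example written for this page; it is not the repository's own code. It assumes, as the README implies, that count.txt holds the 1-based line number of the next hash to process (1 on the first run). The actual static and dynamic analysis steps are passed in as a callable, so the loop can be exercised without an Androzoo or VirusTotal key. It also validates each line as a SHA-256 value, which catches the comma-separated input the README warns about, and writes the checkpoint atomically so an interrupted run cannot leave a half-written count.txt behind. The hash values in demo() are constructed placeholders, not real samples.

```python
"""Checkpointed APK-processing loop (added example, not the project's own code).

Assumptions, following the README: sha256.txt holds one SHA-256 per line,
count.txt holds the 1-based line number of the next hash to process and
contains 1 on the first run. The analysis steps are supplied as a callable.
"""
import os
import re
import tempfile
from typing import Callable, List

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def is_valid_sha256(value: str) -> bool:
    """True only for exactly 64 hex characters; commas, spaces and truncated
    values are rejected so a malformed sha256.txt fails before any download."""
    return SHA256_RE.fullmatch(value) is not None


def load_hashes(path: str) -> List[str]:
    """Read sha256.txt, skipping blank lines and refusing malformed ones."""
    hashes: List[str] = []
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, start=1):
            line = raw.strip()
            if not line:
                continue  # tolerate blank trailing lines
            if not is_valid_sha256(line):
                raise ValueError(f"{path}:{lineno}: not a SHA-256 hash: {line!r}")
            hashes.append(line.lower())
    return hashes


def read_checkpoint(count_path: str) -> int:
    """1-based line number of the next hash to process; 1 if count.txt is absent."""
    try:
        with open(count_path, encoding="utf-8") as fh:
            value = int(fh.read().strip())
    except FileNotFoundError:
        return 1
    if value < 1:
        raise ValueError(f"{count_path}: checkpoint must be >= 1, got {value}")
    return value


def write_checkpoint(count_path: str, value: int) -> None:
    """Write count.txt through a temp file plus os.replace so that a crash
    mid-write leaves either the old or the new value, never a torn file."""
    tmp = count_path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(f"{value}\n")
    os.replace(tmp, count_path)


def run(sha_path: str, count_path: str, process: Callable[[str], None]) -> List[str]:
    """Process every hash from the checkpoint onward, advancing count.txt after
    each APK so an interrupted run resumes exactly where it stopped."""
    hashes = load_hashes(sha_path)
    start = read_checkpoint(count_path)
    done: List[str] = []
    for lineno in range(start, len(hashes) + 1):
        sha = hashes[lineno - 1]
        process(sha)  # download, obfuscation, static and dynamic analysis go here
        write_checkpoint(count_path, lineno + 1)
        done.append(sha)
    return done


def demo() -> dict:
    """Constructed sample: three placeholder hashes (not real APKs) and a
    checkpoint of 2, i.e. line 1 was already handled by an earlier run."""
    workdir = tempfile.mkdtemp()
    sha_path = os.path.join(workdir, "sha256.txt")
    count_path = os.path.join(workdir, "count.txt")
    sample = ["a" * 64, "b" * 64, "c" * 64]
    with open(sha_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(sample) + "\n")
    write_checkpoint(count_path, 2)
    seen: List[str] = []
    processed = run(sha_path, count_path, seen.append)
    return {"processed": processed, "next_line": read_checkpoint(count_path)}


if __name__ == "__main__":
    print(demo())
```

Running the block processes only lines 2 and 3 of the constructed sha256.txt and leaves count.txt at 4, which is what a resumed run of the README's loop should do. Because count.txt is advanced only after process() returns, a crash during analysis re-runs that APK rather than silently skipping it.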

❱ Coding Guides

❱ Other Documentation

Tasks are mostly driven by the Python script. Use python --help for more help, or check the Python documentation.

❱ Contributing

Questions, bug reports and pull requests are welcome on GitHub at https://github.com/ddeepp109/Android-Malware-Analysis/

❱ License

You are free to use this code under the MIT License.

❱ Credits

Concordia University of Edmonton

This software was developed for research purposes at the Concordia University of Edmonton.

Libraries Used

  • aiohttp==3.7.4.post0
  • androguard==3.4.0a1
  • asn1crypto==1.4.0
  • async-timeout==3.0.1
  • attrs==20.3.0
  • backcall==0.2.0
  • blinker==1.3
  • chardet==2.3.0
  • click==7.1.2
  • cloud-init==20.4
  • colorama==0.4.4
  • command-not-found==0.3
  • configobj==5.0.6
  • coverage==5.5
  • cryptography==1.2.3
  • cycler==0.10.0
  • decorator==4.4.2
  • docopt==0.6.2
  • et-xmlfile==1.0.1
  • gitdb==4.0.5
  • GitPython==3.1.14
  • graphviz==0.16
  • hurry.filesize==0.9
  • idna==2.0
  • importlib-metadata==3.7.2
  • iniconfig==1.1.1
  • ipython==7.21.0
  • ipython-genutils==0.2.0
  • jedi==0.18.0
  • Jinja2==2.8
  • jsonpatch==1.10
  • jsonpointer==1.9
  • kiwisolver==1.3.1
  • language-selector==0.1
  • lxml==4.6.2
  • MarkupSafe==0.23
  • matplotlib==3.3.4
  • multidict==5.1.0
  • networkx==2.5
  • numpy==1.20.1
  • oauthlib==1.0.3
  • openpyxl==3.0.7
  • packaging==20.9
  • parso==0.8.1
  • pexpect==4.8.0
  • pickleshare==0.7.5
  • Pillow==8.1.2
  • pipdeptree==2.0.0
  • pipreqs==0.4.10
  • pluggy==0.13.1
  • prettytable==2.1.0
  • prompt-toolkit==3.0.16
  • ptyprocess==0.7.0
  • pure-python-adb==0.3.0.dev0
  • py==1.10.0
  • pyasn1==0.1.9
  • pycryptodome==3.9.9
  • pycurl==7.43.0
  • pydot==1.4.2
  • Pygments==2.8.1
  • pygobject==3.20.0
  • PyJWT==1.3.0
  • pyparsing==2.4.7
  • pyserial==3.0.1
  • pytest==6.2.4
  • pytest-cov==2.10.1
  • python-apt==1.1.0b1+ubuntu0.16.4.11
  • python-dateutil==2.8.1
  • python-debian==0.1.27
  • python-systemd==231
  • python3-wget==0.0.2b1
  • PyYAML==3.11
  • quark-engine==21.3.2
  • requests==2.9.1