
SMS interception detection routine added

1 parent 8e39740 commit 9f3e685deffc3f90fc15f0e00e99cccdd7c9eec0 maaaaz committed Jul 31, 2012
@@ -144,7 +144,7 @@ <h3>This application reads the WiFi credentials</h3>
<div class="tab-pane" id="telephony-services-abuse">
<h2>Telephony Services Abuse</h2>
- <h3>This application makes phone calls</h3><h3>This application sends an SMS message 'Premium SMS' to the '12345' phone number</h3>
+ <h3>This application makes phone calls</h3><h3>This application intercepts your SMS</h3><h3>This application disables incoming SMS notifications</h3><h3>This application sends an SMS message 'Premium SMS' to the '12345' phone number</h3>
</div>
<div class="tab-pane" id="audio-video-eavesdropping">
@@ -115,7 +115,7 @@ def perform_analysis(apk_file, a, d, x, no_connection) :
( 'device_settings_harvesting', gather_device_settings_harvesting(x) ),
( 'location_lookup', gather_location_lookup(x) ),
( 'connection_interfaces_exfiltration', gather_connection_interfaces_exfiltration(x) ),
- ( 'telephony_services_abuse', gather_telephony_services_abuse(x) ),
+ ( 'telephony_services_abuse', gather_telephony_services_abuse(a,x) ),
( 'audio_video_eavesdropping', gather_audio_video_eavesdropping(x) ),
( 'suspicious_connection_establishment', gather_suspicious_connection_establishment(x) ),
( 'PIM_data_leakage', gather_PIM_data_leakage(x) ),
@@ -21,6 +21,8 @@
# Global imports
import logging
+from io import BytesIO
+from xml.etree.ElementTree import ElementTree
# Androguard imports
from androguard.core.analysis import analysis
@@ -56,6 +58,47 @@ def detect_Telephony_SMS_abuse(x) :
formatted_str.append(local_formatted_str)
return formatted_str
+def detect_SMS_interception(a,x) :
+ """
+ @param a : an APK instance
+ @param x : a VMAnalysis instance
+
+ @rtype : a list of formatted strings
+ """
+ formatted_str = []
+ tree = ElementTree()
+
+ manifest = AXMLPrinter( a.zip.read("AndroidManifest.xml") ).getBuff()
+
+ tree.parse(BytesIO(manifest))
+
+ root = tree.getroot()
+
+ for parent, child, grandchild in get_parent_child_grandchild(root):
+
+ # Criteria 1: "android.provider.Telephony.SMS_RECEIVED" + "intentfilter 'android:priority' a high number" => SMS interception
+ if '{http://schemas.android.com/apk/res/android}name' in grandchild.attrib.keys() :
+
+ if grandchild.attrib['{http://schemas.android.com/apk/res/android}name'] == "android.provider.Telephony.SMS_RECEIVED" :
+
+ if child.tag == 'intentfilter' and '{http://schemas.android.com/apk/res/android}priority' in child.attrib.keys() :
+ formatted_str.append("This application intercepts your SMS")
+
+ # Grab the interceptor's class name
+ class_name = parent.attrib['{http://schemas.android.com/apk/res/android}name']
+ package_name = a.package
+
+ # Convert("com.test" + "." + "interceptor") to "Lcom/test/interceptor"
+ class_name = convert_canonical_to_dex(package_name + "." + class_name[1:])
+
+ # Criteria 2: if we can find 'abortBroadcast()' call => notification deactivation
+ structural_analysis_results = x.tainted_packages.search_methods(class_name,"abortBroadcast", ".")
+ if structural_analysis_results :
+ formatted_str.append("This application disables incoming SMS notifications")
+
+
+ return formatted_str
+
def detect_Telephony_Phone_Call_abuse(x) :
"""
@param x : a VMAnalysis instance
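Review bot: The class-name resolution at the `class_name[1:]` line assumes the receiver's `android:name` is written in the relative form with a leading dot (`.Interceptor`); a fully-qualified name such as `com.test.Interceptor` loses its first character and gets the package prepended, so `search_methods` is run against a class that does not exist and the abortBroadcast criterion silently reports nothing. Resolve the manifest forms before converting: `if '.' not in class_name: class_name = package_name + '.' + class_name` / `elif class_name.startswith('.'): class_name = package_name + class_name` / `class_name = convert_canonical_to_dex(class_name)`. The Criteria 1 comment speaks of `android:priority` being "a high number", but the condition only tests that the attribute is present — either compare the value against a threshold or reword the comment to `# Criteria 1: SMS_RECEIVED intent filter that carries any android:priority`. The `child.tag == 'intentfilter'` comparison should also be checked against what AXMLPrinter actually emits; if the element name comes through as `intent-filter` (as it is spelled in the manifest) this branch never fires, which would be worth a regression test with a known manifest.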
@@ -83,15 +126,17 @@ def detect_Telephony_Phone_Call_abuse(x) :
return formatted_str
-def gather_telephony_services_abuse(x) :
+def gather_telephony_services_abuse(a,x) :
"""
+ @param a : an APK instance
@param x : a VMAnalysis instance
@rtype : a list strings for the concerned category, for exemple [ 'This application makes phone calls', "This application sends an SMS message 'Premium SMS' to the '12345' phone number" ]
"""
result = []
result.extend( detect_Telephony_Phone_Call_abuse(x) )
+ result.extend( detect_SMS_interception(a,x) )
result.extend( detect_Telephony_SMS_abuse(x) )
return result
@@ -47,6 +47,9 @@ def convert_dex_to_canonical(dex_name) :
return "[!] Conversion to canonical dotted name failed : \"" + dex_name + "\" is not a valid library dex name"
return final_name
+def convert_canonical_to_dex(canonical_name) :
+ return 'L' + canonical_name.replace('.', '/')
+
def detector_tab_is_not_empty(list) :
"""
@param list : a list of result
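Review bot: `convert_canonical_to_dex` is added without a docstring, while the neighbouring helpers in this file (for example `detector_tab_is_not_empty` just below) carry an `@param`/`@rtype` docstring; since its output is used as a class pattern for `search_methods`, the expected input form and the absence of a trailing `;` are worth stating. Suggested docstring: `"""@param canonical_name : a dotted canonical class name, e.g. 'com.test.Interceptor'` / `@rtype : the dex-style class name, e.g. 'Lcom/test/Interceptor' (no trailing ';')"""`. Note that `convert_dex_to_canonical` at the top of the hunk begins outside it.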
@@ -207,3 +210,15 @@ def search_package_in_the_list(canonical_package_list,canonical_package_name):
l = filter(ex.search, canonical_package_list)
return l
+
+# XML parsing
+def get_parent_child_grandchild(tree):
+ """
+ @param tree : xml root Element
+
+ @rtype : parent, child and grandchild Element
+ """
+ for parent in tree.iter() :
+ for child in parent :
+ for grandchild in child :
+ yield parent, child, grandchild
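Review bot: The docstring line `@rtype : parent, child and grandchild Element` describes a single return, but the function is a generator that yields one `(parent, child, grandchild)` tuple for every node/child/grandchild triple reachable from `tree.iter()`; the `tree` parameter is likewise an Element (the caller passes the result of `getroot()`), not an ElementTree. Suggested wording: `@param tree : root Element (not an ElementTree)` and `@rtype : generator yielding (parent, child, grandchild) Element tuples, one per grandchild`. The `search_package_in_the_list` function shown at the top of the hunk begins outside it.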
