maaaaz / androwarn
Yet another static code analyzer for malicious Android applications
License: GNU Lesser General Public License v3.0
In androguard/core/bytecodes/dvm.py -> Instruction21*, several functions call unpack with "=h"; in some cases self.BBBB will be a negative number. And I have a question: why does androwarn/core/core.py -> match_current_instruction not handle aget?
┌──(root㉿kali)-[/home/kali/Desktop/androwarn-master]
└─# python androwarn.py -i /home/kali/Desktop/ig-learner-master.zip -r html -v 3
Traceback (most recent call last):
File "/home/kali/Desktop/androwarn-master/warn/search/application/application.py", line 28, in
import play_scraper
ModuleNotFoundError: No module named 'play_scraper'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/kali/Desktop/androwarn-master/androwarn.py", line 34, in
from warn.search.search import grab_application_package_name
File "/home/kali/Desktop/androwarn-master/warn/search/search.py", line 33, in
from warn.search.application.application import *
File "/home/kali/Desktop/androwarn-master/warn/search/application/application.py", line 30, in
sys.exit("[!] The play-scraper module is not installed, please install it and try again")
^^^
NameError: name 'sys' is not defined
Can you please share with us the structure of the code that is written for androwarn? I am trying to find malicious apk files but I am unable to run them with this tool.
Hoping to hear from you soon.
Hello, could you please guide me on how to obtain the API call information of an APK? I want to know which APIs the current APK is invoking to determine whether it is a malicious APK.
Is it possible to add an overall Risk Score to Androwarn? I think this would greatly increase its value, particularly with MDM/EMM analysts that are responsible for ensuring the safety of apps on their organization's devices, but that do not have the expertise to know if a vulnerability detected by Androwarn is low, medium, high or critical risk. For most other Android static analyzers, the Common Vulnerability Scoring System (CVSS) is the standard used for describing risk. It seems that it would be a relatively light lift to add a CVSS score for the overall risk, as well as possibly for each of the underlying vulnerability categories. We are currently using Androwarn but its lack of risk scores is making its continued use less likely.
I have tried this tool by analyzing an application written by myself.
It has a sensitive smsMessage sending API that reads content from the user's input (editText) and then sends it to a constant number.
But from the report we can see:
It seems contradictory to my source code because it shows sending "1" to "1".
Then I output the telephone-service part:
Class 'Landroid/telephony/SmsManager;' - Method 'sendTextMessage' - Register state before call [{'0': 'Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;'}, {'1': '1'}, {'2': 'button pressed'}, {'1': '1'}, {'4': 'v2'}, {'5': 'v2'}]
Also, the reason {'4': 'v2'} exists is that we have an instruction "move-object v4, v2", but it seems the match_current_instruction() method does not split it correctly and regards "v2" as a constant value, not a register.
Then I found that the bug is contained in the backtrace_registers_before_call method in core.py.
It seems that there is a misunderstanding about how the opcode "move-result" works.
After I modified the code, here are the new results output from the same apk I tested:
I am currently working on this and will update the code after I finish it.
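As an added illustration of the register backtrace the reporter describes (this is not androwarn's own code or output): a small model that walks backwards from a sendTextMessage call over a constructed smali-style listing, follows move-object to its source register instead of treating "v2" as a literal, and binds move-result to the invoke immediately before it. The method listing, the readInput() helper and the phone number are constructed for the example.

```python
import re

UNKNOWN = "<unresolved>"
REG = r"[vp]\d+"

# Constructed smali-style listing modelled on the reporter's test app; the
# readInput() helper and the number are invented for this illustration.
SAMPLE_METHOD = [
    "invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;",
    "move-result-object v0",
    'const-string v1, "+15550001234"',
    "invoke-virtual {p0}, Lcom/example/MainActivity;->readInput()Ljava/lang/String;",
    "move-result-object v2",
    "const/4 v3, 0x0",
    "move-object v4, v2",
    "invoke-virtual {v0, v1, v3, v4, v3, v3}, Landroid/telephony/SmsManager;->sendTextMessage("
    "Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V",
]

# Order matters: move-result must be tested before the plain move pattern.
PATTERNS = [
    ("move-result", re.compile(rf"^move-result(?:-object|-wide)?\s+({REG})$")),
    ("move", re.compile(rf"^move(?:-object|-wide)?(?:/from16|/16)?\s+({REG}),\s*({REG})$")),
    ("const", re.compile(rf"^const\S*\s+({REG}),\s*(.+)$")),
    ("invoke", re.compile(r"^invoke-\w+(?:/range)?\s+\{([^}]*)\},\s*(\S+)$")),
]

def parse(text):
    """Classify one instruction as (kind, fields); opcodes we do not model give ('other', ())."""
    for kind, pat in PATTERNS:
        m = pat.match(text.strip())
        if m:
            return kind, m.groups()
    return "other", ()

def resolve(instructions, idx, reg):
    """Walk backwards from index idx to find the value register `reg` holds at that point."""
    while idx >= 0:
        kind, fields = parse(instructions[idx])
        if kind == "const" and fields[0] == reg:
            return fields[1].strip('"')
        if kind == "move" and fields[0] == reg:
            # A move copies another register: keep tracing the source, it is not a literal.
            return resolve(instructions, idx - 1, fields[1])
        if kind == "move-result" and fields[0] == reg:
            # move-result only captures the return value of the invoke right before it.
            prev_kind, prev_fields = parse(instructions[idx - 1]) if idx > 0 else ("other", ())
            return prev_fields[1] if prev_kind == "invoke" else UNKNOWN
        idx -= 1
    return UNKNOWN

def backtrace_registers_before_call(instructions, call_idx):
    """Map each register passed to the invoke at call_idx to the value it carries."""
    kind, fields = parse(instructions[call_idx])
    if kind != "invoke":
        raise ValueError("instruction %d is not an invoke" % call_idx)
    regs = [r.strip() for r in fields[0].split(",") if r.strip()]
    return {r: resolve(instructions, call_idx - 1, r) for r in dict.fromkeys(regs)}

def find_calls(instructions, target_prefix):
    """Indices of invoke instructions whose target method starts with target_prefix."""
    return [i for i, ins in enumerate(instructions)
            if parse(ins)[0] == "invoke" and parse(ins)[1][1].startswith(target_prefix)]

def trace_sample():
    """Register state before the sendTextMessage call in SAMPLE_METHOD."""
    idx = find_calls(SAMPLE_METHOD, "Landroid/telephony/SmsManager;->sendTextMessage")[0]
    return backtrace_registers_before_call(SAMPLE_METHOD, idx)
```

With this model the text register v4 resolves to the readInput() call rather than to the string "v2", which is the distinction the report is about.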
After installing the requirements, I start the program as explained in the Readme file. But I faced this error message:
Traceback (most recent call last):
File "androwarn.py", line 30, in <module>
from androguard.misc import AnalyzeAPK
ImportError: No module named androguard.misc
When I run the command line python androwarn.py -i 0a7f7.apk -r html -v 3, I get the following message:
Traceback (most recent call last):
File "androwarn.py", line 116, in
main(options, arguments)
File "androwarn.py", line 99, in main
data = perform_analysis(APK_FILE, a, d, x, no_connection)
File "/home/chenjun/androwarn/androwarn/analysis/analysis.py", line 94, in perform_analysis
app_name, app_desc, app_icon = grab_application_name_description_icon(app_package_name, no_connection)
File "/home/chenjun/androwarn/androwarn/search/application/application.py", line 67, in grab_application_name_description_icon
response = urllib2.urlopen(req, timeout=REQUEST_TIMEOUT)
File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python2.7/urllib2.py", line 429, in open
response = self._open(req, data)
File "/usr/lib/python2.7/urllib2.py", line 447, in _open
'_open', req)
File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
result = func(*args)
File "/usr/lib/python2.7/urllib2.py", line 1228, in http_open
return self.do_open(httplib.HTTPConnection, req)
File "/usr/lib/python2.7/urllib2.py", line 1198, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [Errno 101] Network is unreachable>
The running environment of my computer is Ubuntu 16.04, Python 2.7 and Java 1.7. How could I solve this problem?
Thanks.
Androwarn had an issue processing this app:
https://play.google.com/store/apps/details?id=com.epocrates
I'm using Python 2.7:
Traceback (most recent call last):
File "/data/androwarn/androwarn.py", line 116, in
main(options, arguments)
File "/data/androwarn/androwarn.py", line 95, in main
a, d, x = AnalyzeAPK(APK_FILE)
File "/data/androwarn/androwarn/analysis/analysis.py", line 48, in AnalyzeAPK
a = APK(filename, raw)
File "/data/androwarn/androguard/core/bytecodes/apk.py", line 156, in init
self.zip = zipfile.ZipFile( StringIO.StringIO( self.__raw ), mode=mode )
File "/usr/lib64/python2.7/zipfile.py", line 766, in init
self._RealGetContents()
File "/usr/lib64/python2.7/zipfile.py", line 853, in _RealGetContents
x._decodeExtra()
File "/usr/lib64/python2.7/zipfile.py", line 388, in _decodeExtra
tp, ln = unpack(
Hi,
I've run into an Androwarn bug on following app:
https://play.google.com/store/apps/details?id=com.aisense.otter
Traceback (most recent call last):
File "/data/androwarn_1.6/androwarn-master/androwarn.py", line 96, in <module>
main()
File "/data/androwarn_1.6/androwarn-master/androwarn.py", line 91, in main
dump_analysis_results(data,sys.stdout)
File "/data/androwarn_1.6/androwarn-master/warn/report/report.py", line 93, in dump_analysis_results
flush_simple_string(wrapper.fill(element), file_descriptor)
File "/data/androwarn_1.6/androwarn-master/warn/report/report.py", line 67, in flush_simple_string
file.write("%s\n" % string)
UnicodeEncodeError: 'ascii' codec can't encode character '\u02ce' in position 68: ordinal not in range(128)
Can this be fixed or possibly ignored in the code so the analysis can complete?
Thanks in advance!
I got the following Androwarn "Suspicious Connection Establishment" finding:
"This application opens a Socket and connects it to the remote address ' returned no addresses for ; port is out of
range' on the 'N/A' port".
Can you elaborate on 'returned no addresses for', 'port is out of range', and 'N/A' port? Also, is it possible to get the file and line number for this finding?
Thanks,
Steve
Some antivirus vendors seem to be flagging AndroWarn as a virus, see here:
https://www.virustotal.com/gui/file/db851627421f19842feb04a62b8b2beac1b44173c0c4b94f35546cdbce229fba/detection
# python2 androwarn.py -i kz.anytime.mobile.android_20.285.apk -v 3 -w
[+] Androwarn version 1.6
[+] Loading the APK file...
Traceback (most recent call last):
File "androwarn.py", line 96, in <module>
main()
File "androwarn.py", line 86, in main
data = perform_analysis(options.input, a, d, x, options.with_playstore_lookup)
File "/data/Learning/Labs/Mobile/Android/androwarn/warn/analysis/analysis.py", line 65, in perform_analysis
( 'device_settings_harvesting', gather_device_settings_harvesting(x) ),
File "/data/Learning/Labs/Mobile/Android/androwarn/warn/search/malicious_behaviours/device_settings.py", line 102, in gather_device_settings_harvesting
result.extend( detect_log(x) )
File "/data/Learning/Labs/Mobile/Android/androwarn/warn/search/malicious_behaviours/device_settings.py", line 44, in detect_log
for registers in data_flow_analysis(structural_analysis_results, x):
File "/data/Learning/Labs/Mobile/Android/androwarn/warn/core/core.py", line 412, in data_flow_analysis
registers = backtrace_registers_before_call(x, parent_method, calling_offset)
File "/data/Learning/Labs/Mobile/Android/androwarn/warn/core/core.py", line 239, in backtrace_registers_before_call
instruction_name, local_register_number, local_register_value, registers_found = match_current_instruction(current_instruction, registers_found)
File "/data/Learning/Labs/Mobile/Android/androwarn/warn/core/core.py", line 67, in match_current_instruction
current_instruction = "{} {}".format(current_instruction.get_name(), current_instruction.get_output())
UnicodeEncodeError: 'ascii' codec can't encode character u'\u02ce' in position 34: ordinal not in range(128)
Hello. I see that the project depends on future but I cannot find a single usage of it in the codebase.
Line 3 in 626c02d
I see today the Androwarn vulnerability categories include:
However, a few months ago I wrote down these categories:
Have the categories changed?
For some apps, we are getting a python struct error. I don't know if this is a problem with androwarn, python, or the APK file itself. Below is an example error message. How can we fix this?
Traceback (most recent call last):
File "/home/blive/androwarn/androwarn-master/androwarn.py", line 116, in
main(options, arguments)
File "/home/blive/androwarn/androwarn-master/androwarn.py", line 95, in main
a, d, x = AnalyzeAPK(APK_FILE)
File "/home/blive/androwarn/androwarn-master/androwarn/analysis/analysis.py", line 48, in AnalyzeAPK
a = APK(filename, raw)
File "/home/blive/androwarn/androwarn-master/androguard/core/bytecodes/apk.py", line 156, in init
self.zip = zipfile.ZipFile( StringIO.StringIO( self.raw ), mode=mode )
File "/usr/lib/python2.7/zipfile.py", line 714, in __init
self._GetContents()
File "/usr/lib/python2.7/zipfile.py", line 748, in _GetContents
self._RealGetContents()
File "/usr/lib/python2.7/zipfile.py", line 807, in _RealGetContents
x._decodeExtra()
File "/usr/lib/python2.7/zipfile.py", line 373, in _decodeExtra
tp, ln = unpack('<HH', extra[:4])
struct.error: unpack requires a string argument of length 4
Thanks,
Steve Quirolgico
The updates that were made here (SHA: 6b9845b) cause an error on RHEL6 boxes with FIPS-compliant mode active. In this mode md5 is not allowed, and forces androwarn to segfault.
The most direct fix is the following:
in apk.py line 47:
md5 = hashlib.md5()
update to
md5 = hashlib.md5(usedforsecurity=False)
this has been noted in the commit as well.
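An added example (not androwarn's code) of the fix above written so that it also works where the usedforsecurity keyword does not exist: the one-line change hashlib.md5(usedforsecurity=False) raises TypeError on interpreters that predate the keyword (it arrived in Python 3.9 and in vendor-patched RHEL builds), and a FIPS-only OpenSSL still refuses md5 with ValueError, so the helper falls back to sha256 for the fingerprint.

```python
import hashlib


def fingerprint(data, algorithm="md5"):
    """Digest APK bytes as a non-security fingerprint on FIPS and non-FIPS interpreters.

    Returns (algorithm actually used, hex digest).
    """
    attempts = (
        # Python 3.9+ and RHEL's patched 2.7/3.6: the keyword marks the digest as non-security.
        lambda: hashlib.new(algorithm, usedforsecurity=False),
        # Interpreters that predate the keyword raise TypeError; retry without it.
        lambda: hashlib.new(algorithm),
        # A FIPS-only OpenSSL refuses md5 with ValueError; sha256 is always permitted.
        lambda: hashlib.new("sha256"),
    )
    last_error = None
    for make in attempts:
        try:
            h = make()
            break
        except (TypeError, ValueError) as exc:
            last_error = exc
    else:
        raise RuntimeError("no usable digest constructor: %s" % last_error)
    h.update(data)
    return h.name, h.hexdigest()
```

Callers should store the returned algorithm name alongside the digest, since a FIPS host and a non-FIPS host may fingerprint the same APK with different algorithms.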
I just installed androwarn and tried to scan an apk file, but I am getting this error.
Does anyone know how to solve it?
Traceback (most recent call last):
File "androwarn.py", line 116, in
main(options, arguments)
File "androwarn.py", line 95, in main
a, d, x = AnalyzeAPK(APK_FILE)
File "/root/androwarn/androwarn/analysis/analysis.py", line 48, in AnalyzeAPK
a = APK(filename, raw)
File "/root/androwarn/androguard/core/bytecodes/apk.py", line 163, in init
self.xml[i] = minidom.parseString( AXMLPrinter( self.zip.read( i ) ).getBuff() )
File "/root/androwarn/androguard/core/bytecodes/apk.py", line 871, in init
_type = self.axml.next()
File "/root/androwarn/androguard/core/bytecodes/apk.py", line 622, in next
self.doNext()
File "/root/androwarn/androguard/core/bytecodes/apk.py", line 662, in doNext
raise("ooo")
TypeError: exceptions must be old-style classes or derived from BaseException, not str
We are also getting "IndexError: list index out of range" errors but I cannot send the app for this. We have also seen a "ValueError: invalid literal for int() with base 10: 'android.intent.action.PACKAGE_ADDED 11'" error but cannot find the app that generated this error.
Thomas,
We are getting "Index out of range errors" on some APKs. Unfortunately, I am not permitted to send the APKs to you for debugging. However, we can send you the output after running the APKs through androwarn. Is it possible to update androwarn to provide more debugging information, particularly with "index out of range" errors? Here is the output from the latest APK with this error:
Traceback (most recent call last):
File "/home/test/androwarn/androwarn.py", line 116, in
main(options, arguments)
File "/home/test/androwarn/androwarn.py", line 99, in main
data = perform_analysis(APK_FILE, a, d, x, no_connection)
File "/home/test/androwarn/androwarn/analysis/analysis.py", line 120, in perform_analysis
( 'suspicious_connection_establishment', gather_suspicious_connection_establishment(x) ),
File "/home/test/androwarn/androwarn/search/malicious_behaviours/remote_connection.py", line 68, in gather_suspicious_connection_establishment
result.extend( detect_Socket_use(x) )
File "/home/test/androwarn/androwarn/search/malicious_behaviours/remote_connection.py", line 52, in detect_Socket_use
remote_port = get_register_value(2, registers)
File "/home/test/androwarn/androwarn/core/core.py", line 426, in get_register_value
dict = registers[index]
IndexError: list index out of range
I got an error using Androwarn on the following Android app:
https://play.google.com/store/apps/details?id=com.vaytek.crossfireremote
Note that I am using Python 2.7.
Traceback (most recent call last):
File "/data/androwarn/androwarn.py", line 116, in
main(options, arguments)
File "/data/androwarn/androwarn.py", line 95, in main
a, d, x = AnalyzeAPK(APK_FILE)
File "/data/androwarn/androwarn/analysis/analysis.py", line 48, in AnalyzeAPK
a = APK(filename, raw)
File "/data/androwarn/androguard/core/bytecodes/apk.py", line 163, in init
self.xml[i] = minidom.parseString( AXMLPrinter( self.zip.read( i ) ).getBuff() )
File "/data/androwarn/androguard/core/bytecodes/apk.py", line 877, in init
self.buff += "<%s%s\n" % ( self.getPrefix( self.axml.getPrefix() ), self.axml.getName() )
File "/data/androwarn/androguard/core/bytecodes/apk.py", line 749, in getName
return self.sb.getRaw(self.m_name)
File "/data/androwarn/androguard/core/bytecodes/apk.py", line 556, in getRaw
data += unichr( self.getShort(self.m_strings, offset) )
File "/data/androwarn/androguard/core/bytecodes/apk.py", line 567, in getShort
value = array[offset/4].get_value()
IndexError: list index out of range
Androwarn.py
Hello, I am new to Python and don't know how to fix this issue... Can anybody tell me how to solve it?
kali@kali:~/androwarn$ python androwarn.py -i SampleApplication.apk -r html -v 3
[+] Androwarn version 1.6
[+] Loading the APK file...
Traceback (most recent call last):
File "androwarn.py", line 96, in
main()
File "androwarn.py", line 82, in main
a, d, x = AnalyzeAPK(options.input)
File "/home/kali/.local/lib/python3.8/site-packages/androguard/misc.py", line 63, in AnalyzeAPK
a = APK(_file, raw=raw)
File "/home/kali/.local/lib/python3.8/site-packages/androguard/core/bytecodes/apk.py", line 274, in init
self.__raw = bytearray(read(filename))
File "/home/kali/.local/lib/python3.8/site-packages/androguard/util.py", line 13, in read
with open(filename, 'rb' if binary else 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory: 'SampleApplication.apk'
When using androwarn to analyze an approximately 23MB Xamarin application, I received an IndexError on line 426 of core.py. The full traceback is below:
Traceback (most recent call last):
File "androwarn.py", line 116, in <module>
main(options, arguments)
File "androwarn.py", line 99, in main
data = perform_analysis(APK_FILE, a, d, x, no_connection)
File ".../androwarn/analysis/analysis.py", line 120, in perform_analysis
( 'suspicious_connection_establishment', gather_suspicious_connection_establishment(x) ),
File ".../androwarn/search/malicious_behaviours/remote_connection.py", line 68, in gather_suspicious_connection_establishment
result.extend( detect_Socket_use(x) )
File ".../androwarn/search/malicious_behaviours/remote_connection.py", line 52, in detect_Socket_use
remote_port = get_register_value(2, registers)
File ".../androwarn/core/core.py", line 426, in get_register_value
dict = registers[index]
IndexError: list index out of range
We were able to work around this temporarily by wrapping the offending block in a try/except and returning ERROR_VALUE_NOT_FOUND.
I'm unable to run androwarn; do you know what it is connecting to?
The apk is copied from the SampleApplication directory.
%> ./androwarn.py -v 1 -i mal.apk -r txt
Traceback (most recent call last):
File "./androwarn.py", line 116, in <module>
main(options, arguments)
File "./androwarn.py", line 99, in main
data = perform_analysis(APK_FILE, a, d, x, no_connection)
File "/Users/xxxx/Library/Caches/shm/androwarn-master/androwarn/analysis/analysis.py", line 94, in perform_analysis
app_name, app_desc, app_icon = grab_application_name_description_icon(app_package_name, no_connection)
File "/Users/xxxx/Library/Caches/shm/androwarn-master/androwarn/search/application/application.py", line 67, in grab_application_name_description_icon
response = urllib2.urlopen(req, timeout=REQUEST_TIMEOUT)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 431, in open
response = self._open(req, data)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 449, in _open
'_open', req)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1227, in http_open
return self.do_open(httplib.HTTPConnection, req)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1197, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [Errno 65] No route to host>
I
Can you please adjust the file permissions? Most files don't need the executable bit set.
Hello, I just need some information. I have installed androwarn but I am not sure how I can use it on some application from the Google store or some application on my laptop. python3 androwarn.py -i ...... Now what should I type after -i? I am confused; can anyone help me out and make me understand this?
Traceback (most recent call last):
File "/TOOLS/Static/androwarn/test/androwarn-master/androwarn.py", line 116, in
main(options, arguments)
File "/TOOLS/Static/androwarn/test/androwarn-master/androwarn.py", line 99, in main
data = perform_analysis(APK_FILE, a, d, x, no_connection)
File "/TOOLS/Static/androwarn/test/androwarn-master/androwarn/analysis/analysis.py", line 115, in perform_analysis
( 'device_settings_harvesting', gather_device_settings_harvesting(x) ),
File "/TOOLS/Static/androwarn/test/androwarn-master/androwarn/search/malicious_behaviours/device_settings.py", line 96, in gather_device_settings_harvesting
result.extend( detect_get_package_info(x) )
File "/TOOLS/Static/androwarn/test/androwarn-master/androwarn/search/malicious_behaviours/device_settings.py", line 79, in detect_get_package_info
flags = recover_bitwise_flag_settings(flag, PackageManager_PackageInfo)
File "/TOOLS/Static/androwarn/test/androwarn-master/androwarn/util/util.py", line 257, in recover_bitwise_flag_settings
if (int(flag) & option_value) == option_value :
ValueError: invalid literal for int() with base 10: 'Lcom/tumblr/App;->getAppContext()Landroid/content/Context;'
I'm testing the Tumblr app. Can you help me?
The dependency on chilkat is really a pain. It's a swig wrapper around a closed source binary and it requires a license to use for more than 30 days.
Please remove the shebang from all files which don't need it.
For the Fedora package I have to:
sed -i -e '/^#!\//, 1d' androwarn/{__init__.py,androwarn.py,warn/*/*.py,warn/*/*/*.py}
[+] Androwarn version 1.6
[+] Loading the APK file...
Requested API level 31 is larger than maximum we have, returning API level 28 instead.
Traceback (most recent call last):
File "/home/shan/.local/bin/androwarn", line 8, in
sys.exit(main())
File "/home/shan/.local/lib/python3.8/site-packages/androwarn/androwarn.py", line 86, in main
data = perform_analysis(options.input, a, d, x, options.with_playstore_lookup)
File "/home/shan/.local/lib/python3.8/site-packages/androwarn/warn/analysis/analysis.py", line 65, in perform_analysis
( 'device_settings_harvesting', gather_device_settings_harvesting(x) ),
File "/home/shan/.local/lib/python3.8/site-packages/androwarn/warn/search/malicious_behaviours/device_settings.py", line 102, in gather_device_settings_harvesting
result.extend( detect_log(x) )
File "/home/shan/.local/lib/python3.8/site-packages/androwarn/warn/search/malicious_behaviours/device_settings.py", line 44, in detect_log
for registers in data_flow_analysis(structural_analysis_results, x):
File "/home/shan/.local/lib/python3.8/site-packages/androwarn/warn/core/core.py", line 412, in data_flow_analysis
registers = backtrace_registers_before_call(x, parent_method, calling_offset)
File "/home/shan/.local/lib/python3.8/site-packages/androwarn/warn/core/core.py", line 214, in backtrace_registers_before_call
bc = method.get_code().get_bc()
AttributeError: 'MethodAnalysis' object has no attribute 'get_code'