Advance Android Malware Analysis Framework – Droidefense

Last Release: 12/20/2017     Last Commit: 09/28/2019

Introduction

Droidefense (originally named atom: analysis through observation machine) is an open source Android app scanner written in Java. It attempts to bypass every anti-analysis routine that malware may have in order to get to the code (such routines include VM detection, emulator detection, self-certificate checking, pipe detection, tracer PID checks, etc.).

Droidefense: Advance Android Malware Analysis Framework

Droidefense is an application/malware analyzer and reversing tool, licensed under GPLv3. According to the official description, the Droidefense engine uses an innovative approach in which the code is not decompiled but viewed as-is. It generates its results as an HTML report that is easy to understand. Supported platforms:

  • Linux, Mac OS X, Windows.

Features:

  • .apk unpacker
  • .apk resource decoder
  • Binary xml decoder
  • .apk file enumeration
  • .apk file classification and identification
  • In-memory processing using a virtual filesystem
  • Resource fuzzing and hashing
  • Entropy calculator
  • Native code dump
  • Certificate analysis
  • Debug certificate detection
  • Opcode analysis
  • Unused opcode detection
  • AndroidManifest.xml analysis
  • Internal structure analysis
  • Dalvik bytecode flow analysis
  • Multipath analysis implementation (not tested)
  • CFG generation
  • Simple reflection resolver
  • String classification
  • Simulated workflow generation
  • Dynamic rules engine

Modules:

  • PSCout data module
  • Full Android manifest parser, based on official SDK documentation v23.
  • Plugins
  • Machine Learning (Weka based) module

Plugins:

  • Hidden ELF file detector plugin
  • Hidden APK file detector plugin
  • Application UID detector plugin
  • Privacy plugin
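
As an added illustration (not Droidefense's own code) of what the hidden ELF/APK detector plugins and the entropy calculator listed above look for, the following Python walks the entries of an .apk (a zip archive) and flags executable magic bytes stored under a misleading extension as well as high-entropy content; the sample archive, the 7.5 bits/byte threshold and the extension list are constructed assumptions.

```python
# Added example, not Droidefense code: hidden ELF/ZIP detection plus entropy per .apk entry.
import io
import math
import zipfile

ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"
CODE_EXTS = (".so", ".apk", ".jar", ".zip", ".dex")  # assumed list of legitimate code carriers

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; packed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_entry(name: str, data: bytes, entropy_threshold: float = 7.5) -> list:
    """Return the findings for one archive entry (empty list when nothing is suspicious)."""
    findings = []
    lower = name.lower()
    if data.startswith(ELF_MAGIC) and not lower.endswith(".so"):
        findings.append("hidden-elf")            # native code posing as a resource
    if data.startswith(ZIP_MAGIC) and not lower.endswith(CODE_EXTS):
        findings.append("hidden-apk-or-zip")     # nested archive posing as a data file
    if shannon_entropy(data) >= entropy_threshold:
        findings.append("high-entropy")          # likely packed or encrypted payload
    return findings

def scan_apk(apk_bytes: bytes) -> dict:
    """Map every entry name inside the .apk to its list of findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            report[info.filename] = classify_entry(info.filename, data)
    return report

def build_sample_apk() -> bytes:
    """Constructed sample: a tiny zip laid out like an APK, so the scan runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/raw/icon.png", ELF_MAGIC + b"\x00" * 60)        # ELF under .png
        zf.writestr("assets/data.bin", bytes(range(256)) * 4)            # uniform bytes
        zf.writestr("lib/armeabi/libfoo.so", ELF_MAGIC + b"\x00" * 60)   # legitimate .so
        zf.writestr("assets/update.dat", ZIP_MAGIC + b"\x00" * 40)       # zip under .dat
    return buf.getvalue()
```

Running `scan_apk(build_sample_apk())` reports the .png entry as hidden-elf, the .dat entry as a hidden archive and the uniform data.bin as high-entropy, while the real .so is left alone.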

Compilation

Prerequisites:

  • Java JDK 1.7+
  • Maven

Clone it from the Droidefense Github repo:

$ git clone https://github.com/droidefense/engine

Then navigate to the engine directory and execute the build.sh script:

$ cd engine
$ ./build.sh

Basic Usage

$ java -jar droidefense-cli-1.0-SNAPSHOT.jar

________               .__    .___      _____                            
\______ \_______  ____ |__| __| _/_____/ ____\____   ____   ______ ____  
 |    |  \_  __ \/  _ \|  |/ __ |/ __ \   __\/ __ \ /    \ /  ___// __ \ 
 |    `   \  | \(  <_> )  / /_/ \  ___/|  | \  ___/|   |  \\___ \\  ___/ 
/_______  /__|   \____/|__\____ |\___  >__|  \___  >___|  /____  >\___  >
        \/                     \/    \/          \/     \/     \/     \/ 

* Current build: 			2018_03_09__09_17_34
* Check out on Github: 			https://github.com/droidefense/
* Report your issue: 			https://github.com/droidefense/engine/issues
* Lead developer: 			@zerjioang

usage: droidefense
 -d,--debug                 print debugging information
 -h,--help                  print this message
 -i,--input <apk>           input .apk to be analyzed
 -o,--output <format>       select prefered output:
                            json
                            json.min
                            html
 -p,--profile               Wait for JVM profiler
 -s,--show                  show generated report after scan
 -u,--unpacker <unpacker>   select prefered unpacker:
                            zip
                            memapktool
 -v,--verbose               be verbose
 -V,--version               show current version information

To scan your Android app, run:

$ java -jar droidefense-cli-1.0-SNAPSHOT.jar -i /path/to/your/sample.apk

An example report is available to look at before you start, and you can also check out the execution logs.
