Hoja de Referencia de AndroGuard¶
Descripción General¶
AndroGuard es una herramienta de Python diseñada para ingeniería inversa y análisis de malware de aplicaciones Android. Proporciona capacidades potentes para analizar archivos APK, bytecode DEX y recursos de Android.
Instalación¶
Requisitos Previos¶
# Install Python 3.6+
sudo apt update
sudo apt install python3 python3-pip
# Install required dependencies
sudo apt install python3-dev libxml2-dev libxslt1-dev zlib1g-dev
Instalar AndroGuard¶
# Install from PyPI
pip3 install androguard
# Install with optional dependencies
pip3 install androguard[GUI,magic]
# Install from source
git clone https://github.com/androguard/androguard.git
cd androguard
pip3 install -e .
Uso Básico¶
Analizar Archivos APK¶
# Basic APK analysis
androguard analyze app.apk
# Interactive analysis
androguard shell app.apk
# Generate analysis report
androguard analyze app.apk --output report.txt
Herramientas de Línea de Comandos¶
# APK information
apkinfo app.apk
# DEX analysis
dexdump classes.dex
# Resource analysis
axml AndroidManifest.xml
Uso de API de Python¶
Análisis Básico¶
from androguard.misc import AnalyzeAPK
# Analyze APK
a, d, dx = AnalyzeAPK("app.apk")
# Get APK information
print("Package name:", a.get_package())
print("App name:", a.get_app_name())
print("Version:", a.get_androidversion_code())
print("Permissions:", a.get_permissions())
Análisis Avanzado¶
from androguard.core.bytecodes import apk, dvm
from androguard.core.analysis import analysis
# Load APK
apk_obj = apk.APK("app.apk")
dex = dvm.DalvikVMFormat(apk_obj.get_dex())
dx = analysis.Analysis(dex)
# Analyze classes and methods
for cls in dx.get_classes():
print(f"Class: \\\\{cls.name\\\\}")
for method in cls.get_methods():
print(f" Method: \\\\{method.name\\\\}")
Análisis de APK¶
Información Básica¶
# APK metadata
print("Package:", a.get_package())
print("App name:", a.get_app_name())
print("Version code:", a.get_androidversion_code())
print("Version name:", a.get_androidversion_name())
print("Min SDK:", a.get_min_sdk_version())
print("Target SDK:", a.get_target_sdk_version())
Análisis de Permisos¶
# Get all permissions
permissions = a.get_permissions()
for perm in permissions:
print(f"Permission: \\\\{perm\\\\}")
# Check for dangerous permissions
dangerous_perms = [
"android.permission.READ_SMS",
"android.permission.SEND_SMS",
"android.permission.ACCESS_FINE_LOCATION",
"android.permission.CAMERA"
]
for perm in permissions:
if perm in dangerous_perms:
print(f"Dangerous permission found: \\\\{perm\\\\}")
Análisis de Certificados¶
# Get certificate information
certificates = a.get_certificates()
for cert in certificates:
print(f"Certificate: \\\\{cert\\\\}")
print(f"Subject: \\\\{cert.subject\\\\}")
print(f"Issuer: \\\\{cert.issuer\\\\}")
print(f"Serial: \\\\{cert.serial_number\\\\}")
Análisis de Código¶
Análisis de Métodos¶
# Find specific methods
for cls in dx.get_classes():
for method in cls.get_methods():
if "crypto" in method.name.lower():
print(f"Crypto method: \\\\{cls.name\\\\}->\\\\{method.name\\\\}")
Análisis de Cadenas¶
# Extract strings
strings = dx.get_strings()
for string in strings:
if "http" in string.get_value():
print(f"URL found: \\\\{string.get_value()\\\\}")
Análisis de Referencias Cruzadas¶
# Find method calls
for method in dx.get_methods():
if method.is_external():
continue
for ref in method.get_xref_from():
print(f"\\\\{ref.class_name\\\\}->\\\\{ref.method_name\\\\} calls \\\\{method.name\\\\}")
Análisis de Seguridad¶
Análisis Criptográfico¶
# Find crypto usage
crypto_methods = [
"javax.crypto.Cipher",
"java.security.MessageDigest",
"javax.crypto.spec.SecretKeySpec"
]
for method in dx.get_methods():
for crypto in crypto_methods:
if crypto in str(method.get_method()):
print(f"Crypto usage: \\\\{method.name\\\\}")
Análisis de Red¶
# Find network operations
network_classes = [
"java.net.URL",
"java.net.HttpURLConnection",
"okhttp3.OkHttpClient"
]
for cls in dx.get_classes():
for net_class in network_classes:
if net_class in str(cls):
print(f"Network class: \\\\{cls.name\\\\}")
Análisis de Reflexión¶
# Find reflection usage
reflection_methods = [
"java.lang.Class.forName",
"java.lang.reflect.Method.invoke"
]
for method in dx.get_methods():
for ref_method in reflection_methods:
if ref_method in str(method.get_method()):
print(f"Reflection usage: \\\\{method.name\\\\}")
Detección de Malware¶
Patrones Sospechosos¶
# Check for suspicious patterns
suspicious_strings = [
"getDeviceId",
"getSubscriberId",
"sendTextMessage",
"android.intent.action.BOOT_COMPLETED"
]
strings = dx.get_strings()
for string in strings:
for suspicious in suspicious_strings:
if suspicious in string.get_value():
print(f"Suspicious string: \\\\{string.get_value()\\\\}")
Detección de Carga Dinámica¶
# Find dynamic loading
dynamic_methods = [
"dalvik.system.DexClassLoader",
"dalvik.system.PathClassLoader"
]
for method in dx.get_methods():
for dyn_method in dynamic_methods:
if dyn_method in str(method.get_method()):
print(f"Dynamic loading: \\\\{method.name\\\\}")
Análisis de Recursos¶
Análisis de Manifiesto¶
# Parse AndroidManifest.xml
manifest = a.get_android_manifest_xml()
print("Manifest content:")
print(manifest.toprettyxml())
# Get activities
activities = a.get_activities()
for activity in activities:
print(f"Activity: \\\\{activity\\\\}")
# Get services
services = a.get_services()
for service in services:
print(f"Service: \\\\{service\\\\}")
Extracción de Recursos¶
# Extract resources
for file_name in a.get_files():
if file_name.endswith('.xml'):
content = a.get_file(file_name)
print(f"XML file: \\\\{file_name\\\\}")
Características Avanzadas¶
Análisis de Flujo de Control¶
Would you like me to continue with the remaining sections?```python
Analyze control flow¶
for method in dx.get_methods(): if method.is_external(): continue
# Get basic blocks
for bb in method.get_basic_blocks():
print(f"Basic block: \\\\{bb\\\\}")
### Análisis de Flujo de Datospython
Trace data flow¶
for method in dx.get_methods():
# Get method instructions
instructions = method.get_instructions()
for instruction in instructions:
if instruction.get_name() == "const-string":
print(f"String constant: \\{instruction\\}")
### Generación de Grafo de Llamadaspython
Generate call graph¶
import networkx as nx
G = nx.DiGraph() for method in dx.get_methods(): for ref in method.get_xref_from(): G.add_edge(f"\\{ref.class_name\\}.\\{ref.method_name\\}", f"\\{method.class_name\\}.\\{method.name\\}")
Export call graph¶
nx.write_gml(G, "call_graph.gml")
## Scripts de Automatizaciónpython
!/usr/bin/env python3¶
import os import sys from androguard.misc import AnalyzeAPK
def analyze_apk_batch(directory): for filename in os.listdir(directory): if filename.endswith('.apk'): print(f"Analyzing \\{filename\\}") try: a, d, dx = AnalyzeAPK(os.path.join(directory, filename)) print(f"Package: \\{a.get_package()\\}") print(f"Permissions: \\{len(a.get_permissions())\\}") print("-" * 50) except Exception as e: print(f"Error analyzing \\{filename\\}: \\{e\\}")
if name == "main":
analyze_apk_batch(sys.argv[1])
### Análisis por Lotespython
!/usr/bin/env python3¶
from androguard.misc import AnalyzeAPK
def security_scan(apk_path): a, d, dx = AnalyzeAPK(apk_path)
# Check permissions
dangerous_perms = [
"android.permission.READ_SMS",
"android.permission.SEND_SMS",
"android.permission.ACCESS_FINE_LOCATION"
]
found_perms = []
for perm in a.get_permissions():
if perm in dangerous_perms:
found_perms.append(perm)
# Check for crypto usage
crypto_usage = False
for method in dx.get_methods():
if "crypto" in str(method.get_method()).lower():
crypto_usage = True
break
print(f"Dangerous permissions: \\\\{found_perms\\\\}")
print(f"Crypto usage detected: \\\\{crypto_usage\\\\}")
if name == "main":
security_scan("app.apk")
### Escáner de Seguridadbash
Launch GUI¶
androguard gui
Open APK in GUI¶
androguard gui app.apk
### Características
- Análisis visual de código
- Exploración interactiva
- Visualización de grafos
- Capacidades de exportaciónbash
1. Basic APK information
2. Permission analysis
3. Code structure review
4. Security pattern detection
5. Malware signature matching
6. Report generation
### Flujo de Trabajo de Análisispython
Use lazy loading for large APKs¶
from androguard.core.bytecodes.apk import APK a = APK("large_app.apk", raw=False)
Process in chunks for batch analysis¶
import multiprocessing pool = multiprocessing.Pool() results = pool.map(analyze_apk, apk_list) ```### Consejos de Rendimiento https://github.com/androguard/androguard- Documentación Oficial: [AndroGuard GitHub]( https://androguard.readthedocs.io/- Referencia de API: [Documentación de AndroGuard]( https://owasp.org/www-project-mobile-security-testing-guide/- Seguridad Android: [Seguridad Móvil OWASP](