AndroGuard Cheatsheet

Sinopsis

AndroGuard es una herramienta Python diseñada para ingeniería inversa y análisis de malware de aplicaciones Android. Proporciona capacidades poderosas para analizar archivos APK, DEX bytecode y recursos Android.

Instalación

Prerrequisitos

# Install Python 3.6+
sudo apt update
sudo apt install python3 python3-pip

# Install required dependencies
sudo apt install python3-dev libxml2-dev libxslt1-dev zlib1g-dev

Instala a AndroGuard

# Install from PyPI
pip3 install androguard

# Install with optional dependencies
pip3 install androguard[GUI,magic]

# Install from source
git clone https://github.com/androguard/androguard.git
cd androguard
pip3 install -e .

Uso básico

Analyze APK Archivos

# Basic APK analysis
androguard analyze app.apk

# Interactive analysis
androguard shell app.apk

# Generate analysis report
androguard analyze app.apk --output report.txt

Herramientas de línea de comandos

# APK information
apkinfo app.apk

# DEX analysis
dexdump classes.dex

# Resource analysis
axml AndroidManifest.xml

Python API Usage

Análisis básico

from androguard.misc import AnalyzeAPK

# Analyze APK
a, d, dx = AnalyzeAPK("app.apk")

# Get APK information
print("Package name:", a.get_package())
print("App name:", a.get_app_name())
print("Version:", a.get_androidversion_code())
print("Permissions:", a.get_permissions())

Análisis avanzado

from androguard.core.bytecodes import apk, dvm
from androguard.core.analysis import analysis

# Load APK
apk_obj = apk.APK("app.apk")
dex = dvm.DalvikVMFormat(apk_obj.get_dex())
dx = analysis.Analysis(dex)

# Analyze classes and methods
for cls in dx.get_classes():
    print(f"Class: \\\\{cls.name\\\\}")
    for method in cls.get_methods():
        print(f"  Method: \\\\{method.name\\\\}")

APK Analysis

Información básica

# APK metadata
print("Package:", a.get_package())
print("App name:", a.get_app_name())
print("Version code:", a.get_androidversion_code())
print("Version name:", a.get_androidversion_name())
print("Min SDK:", a.get_min_sdk_version())
print("Target SDK:", a.get_target_sdk_version())

Permissions Analysis

# Get all permissions
permissions = a.get_permissions()
for perm in permissions:
    print(f"Permission: \\\\{perm\\\\}")

# Check for dangerous permissions
dangerous_perms = [
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA"
]

for perm in permissions:
    if perm in dangerous_perms:
        print(f"Dangerous permission found: \\\\{perm\\\\}")

Análisis del certificado

# Get certificate information
certificates = a.get_certificates()
for cert in certificates:
    print(f"Certificate: \\\\{cert\\\\}")
    print(f"Subject: \\\\{cert.subject\\\\}")
    print(f"Issuer: \\\\{cert.issuer\\\\}")
    print(f"Serial: \\\\{cert.serial_number\\\\}")

Code Analysis

Análisis del método

# Find specific methods
for cls in dx.get_classes():
    for method in cls.get_methods():
        if "crypto" in method.name.lower():
            print(f"Crypto method: \\\\{cls.name\\\\}->\\\\{method.name\\\\}")

String Analysis

# Extract strings
strings = dx.get_strings()
for string in strings:
    if "http" in string.get_value():
        print(f"URL found: \\\\{string.get_value()\\\\}")

Análisis de las referencias cruzadas

# Find method calls
for method in dx.get_methods():
    if method.is_external():
        continue

    for ref in method.get_xref_from():
        print(f"\\\\{ref.class_name\\\\}->\\\\{ref.method_name\\\\} calls \\\\{method.name\\\\}")

Análisis de seguridad

Cryptographic Analysis

# Find crypto usage
crypto_methods = [
    "javax.crypto.Cipher",
    "java.security.MessageDigest",
    "javax.crypto.spec.SecretKeySpec"
]

for method in dx.get_methods():
    for crypto in crypto_methods:
        if crypto in str(method.get_method()):
            print(f"Crypto usage: \\\\{method.name\\\\}")

Análisis de redes

# Find network operations
network_classes = [
    "java.net.URL",
    "java.net.HttpURLConnection",
    "okhttp3.OkHttpClient"
]

for cls in dx.get_classes():
    for net_class in network_classes:
        if net_class in str(cls):
            print(f"Network class: \\\\{cls.name\\\\}")

Análisis de la reflexión

# Find reflection usage
reflection_methods = [
    "java.lang.Class.forName",
    "java.lang.reflect.Method.invoke"
]

for method in dx.get_methods():
    for ref_method in reflection_methods:
        if ref_method in str(method.get_method()):
            print(f"Reflection usage: \\\\{method.name\\\\}")

Detección de malware

Patrones sospechosos

# Check for suspicious patterns
suspicious_strings = [
    "getDeviceId",
    "getSubscriberId",
    "sendTextMessage",
    "android.intent.action.BOOT_COMPLETED"
]

strings = dx.get_strings()
for string in strings:
    for suspicious in suspicious_strings:
        if suspicious in string.get_value():
            print(f"Suspicious string: \\\\{string.get_value()\\\\}")

Detección de carga dinámica

# Find dynamic loading
dynamic_methods = [
    "dalvik.system.DexClassLoader",
    "dalvik.system.PathClassLoader"
]

for method in dx.get_methods():
    for dyn_method in dynamic_methods:
        if dyn_method in str(method.get_method()):
            print(f"Dynamic loading: \\\\{method.name\\\\}")

Análisis de recursos

Manifest Analysis

# Parse AndroidManifest.xml
manifest = a.get_android_manifest_xml()
print("Manifest content:")
print(manifest.toprettyxml())

# Get activities
activities = a.get_activities()
for activity in activities:
    print(f"Activity: \\\\{activity\\\\}")

# Get services
services = a.get_services()
for service in services:
    print(f"Service: \\\\{service\\\\}")

Extracción de recursos

# Extract resources
for file_name in a.get_files():
    if file_name.endswith('.xml'):
        content = a.get_file(file_name)
        print(f"XML file: \\\\{file_name\\\\}")

Características avanzadas

Análisis de flujo de control

# Analyze control flow
for method in dx.get_methods():
    if method.is_external():
        continue

    # Get basic blocks
    for bb in method.get_basic_blocks():
        print(f"Basic block: \\\\{bb\\\\}")

Análisis de flujo de datos

# Trace data flow
for method in dx.get_methods():
    # Get method instructions
    instructions = method.get_instructions()
    for instruction in instructions:
        if instruction.get_name() == "const-string":
            print(f"String constant: \\\\{instruction\\\\}")

Generación de Gráficos

# Generate call graph
import networkx as nx

G = nx.DiGraph()
for method in dx.get_methods():
    for ref in method.get_xref_from():
        G.add_edge(f"\\\\{ref.class_name\\\\}.\\\\{ref.method_name\\\\}",
                  f"\\\\{method.class_name\\\\}.\\\\{method.name\\\\}")

# Export call graph
nx.write_gml(G, "call_graph.gml")

Scripts de automatización

Batch Analysis

#!/usr/bin/env python3
import os
import sys
from androguard.misc import AnalyzeAPK

def analyze_apk_batch(directory):
    for filename in os.listdir(directory):
        if filename.endswith('.apk'):
            print(f"Analyzing \\\\{filename\\\\}")
            try:
                a, d, dx = AnalyzeAPK(os.path.join(directory, filename))
                print(f"Package: \\\\{a.get_package()\\\\}")
                print(f"Permissions: \\\\{len(a.get_permissions())\\\\}")
                print("-" * 50)
            except Exception as e:
                print(f"Error analyzing \\\\{filename\\\\}: \\\\{e\\\\}")

if __name__ == "__main__":
    analyze_apk_batch(sys.argv[1])

Escáner de seguridad

#!/usr/bin/env python3
from androguard.misc import AnalyzeAPK

def security_scan(apk_path):
    a, d, dx = AnalyzeAPK(apk_path)

    # Check permissions
    dangerous_perms = [
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.ACCESS_FINE_LOCATION"
    ]

    found_perms = []
    for perm in a.get_permissions():
        if perm in dangerous_perms:
            found_perms.append(perm)

    # Check for crypto usage
    crypto_usage = False
    for method in dx.get_methods():
        if "crypto" in str(method.get_method()).lower():
            crypto_usage = True
            break

    print(f"Dangerous permissions: \\\\{found_perms\\\\}")
    print(f"Crypto usage detected: \\\\{crypto_usage\\\\}")

if __name__ == "__main__":
    security_scan("app.apk")

GUI Usage

AndroGuard GUI

# Launch GUI
androguard gui

# Open APK in GUI
androguard gui app.apk

Características

• Análisis de código visual
• Exploración interactiva
• Visualización de gráficos
• Capacidades de exportación

Buenas prácticas

Análisis del flujo de trabajo

1. Basic APK information
2. Permission analysis
3. Code structure review
4. Security pattern detection
5. Malware signature matching
6. Report generation

Consejos de rendimiento

# Use lazy loading for large APKs
from androguard.core.bytecodes.apk import APK
a = APK("large_app.apk", raw=False)

# Process in chunks for batch analysis
import multiprocessing
pool = multiprocessing.Pool()
results = pool.map(analyze_apk, apk_list)

Recursos

• ** Documentación oficial**: AndroGuard GitHub
• ** Referencia de la API**: Documentación de AndroGuard
• Seguridad de Android: Seguridad Móvil de la OFASP