Androwarn – Yet Another Static Code Analyzer For Malicious Android Applications

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.The detection is performed with the static analysis of the application’s Dalvik bytecode, represented as Smali, with the androguard library.This analysis leads to the generation of a report, according to a technical detail level chosen from the user.FeaturesStructural and data flow analysis of the bytecode targeting different malicious behaviours categories Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator’s name…Device settings exfiltration: software version, usage statistics, system settings, logs…Geolocation information leakage: GPS/WiFi geolocation…Connection interfaces information exfiltration: WiFi credentials, Bluetooth MAC adress…Telephony services abuse: premium SMS sending, phone call composition…Audio/video flow interception: call recording, video capture…Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit…PIM data leakage: contacts, calendar, SMS, mails, clipboard…External memory operations: file access on SD card…PIM data modification: add/delete contacts, calendar events…Arbitrary code execution: native code using JNI, UNIX command, privilege escalation…Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot…Report generation according to several detail levels Essential (-v 1) for newbiesAdvanced (-v 2)Expert (-v 3)Report generation according to several formats Plaintext txtFormatted html from a Bootstrap templateJSONUsageOptionsusage: androwarn [-h] -i INPUT [-o OUTPUT] [-v {1,2,3}] [-r {txt,html,json}] [-d] [-L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}] [-w]version: 1.4optional arguments: -h, –help show this help message and exit -i INPUT, –input INPUT APK file to analyze -o OUTPUT, –output OUTPUT Output report file (default “./_<timestamp>.<report_type>") -v {1,2,3}, –verbose {1,2,3} Verbosity level (ESSENTIAL 1, ADVANCED 2, EXPERT 3) (default 1) -r {txt,html,json}, –report {txt,html,json} Report type (default "html") -d, –display-report Display analysis results to stdout -L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}, –log-level {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL} Log level (default "ERROR") -w, –with-playstore-lookup Enable online lookups on Google PlayCommon usage$ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3By default, the report is generated in the current folder.An HTML report is now contained in a standalone file, CSS/JS resources are inlined.Sample applicationA sample application has been built, concentrating several malicious behaviours.The APK is available in the _SampleApplication/bin/ folder and the HTML report is available in the _SampleReports folder.Dependencies and installationPython 2.7 + androguard + jinja2 + play_scraper + argparseThe easiest way to setup everything: pip install androwarn and then directly use $ androwarnOr git clone that repository and pip install -r requirements.txtChangelogversion 1.5 – 2019/01/05: few fixesversion 1.4 – 2019/01/04: code cleanup and use of the latest androguard versionversion 1.3 – 2018/12/30: few fixesversion 1.2 – 2018/12/30: few fixesversion 1.1 – 2018/12/29: fixing few bugs, removing Chilkat dependencies and pip packagingversion 1.0 – from 2012 to 2013ContributingYou’re welcome, any help is appreciated :)ContactThomas Debize < tdebize at mail d0t com >Join #androwarn on FreenodeGreetingsStéphane Coulondre, for supervising my Final Year projectAnthony Desnos, for his amazing Androguard project and his help through my Final Year projectDownload Androwarn

Link: http://feedproxy.google.com/~r/PentestTools/~3/CXJc4Zacvso/androwarn-yet-another-static-code.html

FIR – Fast Incident Response

FIR (Fast Incident Response) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents.FIR is for anyone needing to track cybersecurity incidents (CSIRTs, CERTs, SOCs, etc.). It was tailored to suit our needs and our team’s habits, but we put a great deal of effort into making it as generic as possible before releasing it so that other teams around the world may also use it and customize it as they see fit.See the wiki for the user manual and more screenshots !InstallationThere are two ways to install FIR. If you want to take it for a test-drive, just follow the instructions for setting up a development environment in the Wiki.If you like it and want to set it up for production, here’s how to do it.A dockerfile for running a dev-quality FIR setup is also available in docker/Dockerfile.Deploy to Heroku via fir/heroku_settings.pyCommunityA dedicated users mailing list is available https://groups.google.com/d/forum/fir-usersTechnical specsFIR is written in Python (but you probably already knew that), using Django 1.9. It uses Bootstrap 3 and some Ajax and d3js to make it pretty. We use it with a MySQL back-end, but feel free to use any other DB adaptor you might want – as long as it’s compatible with Django, you shouldn’t run into any major issues.FIR is not greedy performance-wise. It will run smoothly on a Ubuntu 14.04 virtual machine with 1 core, a 40 GB disk and 1 GB RAM. Download FIR

Link: http://feedproxy.google.com/~r/PentestTools/~3/ppBJPOSeiE4/fir-fast-incident-response.html