Channel: apk tools – Security List Network™

Adhrit is an open source Android APK ripping tool.

Adhrit is an open source Android APK ripping tool that does a basic recon on the provided APK file and extracts important information.

Pre-requisites:
+ Linux machine
+ Java JDK
+ Python 2.7.x

Uses:
– Extracts the APK contents.
– Runs strings on the dex and stores the output in a file.
– Extracts the jar out of the dex.
– Checks for native libraries.
– Extracts Java code from the APK.

Usage and download from source:

git clone https://github.com/abhi-r3v0/Adhrit && cd Adhrit
1. Download or clone the package and extract the tool.
2. Place the application (Android APK) in the tool directory.
3. Open a terminal and cd into the directory.
4. Run "python adhrit.py -a your_app.apk"

Source: https://github.com/abhi-r3v0


Apktool v2.2.2 – A tool for reverse engineering Android apk files.

Changelog Apktool v2.2.2-git:
* Added Android 7.1 Resources (Issue 1349)
* Update aapt to android-7.1.1_r4.
* Upgrade to gradle 3.3
* Fixed NPE with styles that had a parent that didn’t exist. (Issue 1370)
* Fixed issue with TYPE_DYNAMIC_ATTRIBUTE treating improperly which affected Nougat based applications. (Issue 1382) / Thanks xpirt
* Fixed issue with APKs that have invalid characters. (Issue 885), (Issue 1389)
* Fixed issue with versioning vector images during build. (Issue 1384)
* Fixed issue with APKs that have invalid characters in filename. (Issue 1369)
* Fixed build issue where space was in build path. (Issue 1394)
* Fixed issue with APKs that have 3 non positional attributes. (Issue 1360)
* Fixed issue with APKs that require non-standard pkgId. (Issue 1119), (Issue 989), (Issue 1278), (Issue 1377), (Issue 1091) / Thanks peter23
* Fixed issue with APKs that used reserved words do and if. (Issue 1404)

Apktool is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it also makes it possible to debug smali code step by step. It also makes working with an app easier because of the project-like file structure and the automation of some repetitive tasks like building the APK.

It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms, and other GOOD purposes. Just try to be fair with the authors of an app that you use and probably like.

Features:
+ Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png and XMLs)
+ Rebuilding decoded resources back to binary APK/JAR
+ Organizing and handling APKs that depend on framework resources
+ Smali Debugging (Removed in 2.1.0 in favor of IdeaSmali)
+ Helping with repetitive tasks

Requirements:
* JDK (7 or 8). No OpenJDK
* git

Usage & Download From git:

git clone git://github.com/iBotPeaches/Apktool.git && cd Apktool
./gradlew
./gradlew build fatJar
./gradlew build fatJar proguard
cd brut.apktool/apktool-cli/build/libs/
java -jar apktool-2.2.2-dd4a20-SNAPSHOT-small.jar

Source: https://github.com/iBotPeaches

drozer v2.4.2 is a comprehensive security audit & attack framework for Android.

Changelog drozer v2.4.2:
+ [Bugfix] Updated PyOpenSSL to fix Issue #239
+ [Bugfix] Fixed setup.py to install Drozer without setting PYTHONPATH environment variable
+ [Documentation] Fixed documentation to resolve issue #240

Changelog drozer v2.4.0:
+ Fixed bug in sharedUID package search
+ Fixed bug in web delivery page
+ Fixed bug in busybox path
+ Updated busybox for PIE Support
+ Referenced aapt-osx in setup script
+ Added pyyaml support for latest apktool
+ Protobuf 2.6.1 jar update
+ Updated apktool arguments
+ Updated to Dx: android 19
+ Updated to apktool 2.0.3
+ Updated to protobuf 2.6.1
+ Fixed pyopenssl error
+ Support for Java 7 & 8

drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).

drozer helps to provide confidence that Android apps and devices being developed by, or deployed across, your organisation do not pose an unacceptable level of risk, by allowing you to interact with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use and share public exploits for Android. For remote exploits, it can generate shellcode to help you to deploy the drozer Agent as a remote administrator tool, with maximum leverage on the device.

* Faster Android Security Assessments
drozer helps to reduce the time taken for Android security assessments by automating the tedious and time-consuming tasks.
+-+ Discover and interact with the attack surface exposed by Android apps.
+-+ Execute dynamic Java-code on a device, to avoid the need to compile and install small test scripts.

* Test against Real Android Devices
drozer runs both in Android emulators and on real devices. It does not require USB debugging or other development features to be enabled; so you can perform assessments on devices in their production state to get better results.

* Automate and Extend
drozer can be easily extended with additional modules to find, test and exploit other weaknesses; this, combined with scripting possibilities, helps you to automate regression testing for security issues.

* Test your Exposure to Public Exploits
drozer provides point-and-go implementations of many public Android exploits. You can use these to identify vulnerable devices in your organisation, and to understand the risk that these pose.

Use and download from git:

Make sure the Android SDK is installed on your system: https://developer.android.com/

git clone https://github.com/mwrlabs/drozer/ && cd drozer
python setup.py build
python setup.py install

or
wget https://github.com/mwrlabs/drozer/releases/download/2.4.2/drozer-2.4.2-py2.7.egg
easy_install -Z drozer-2.4.2-py2.7.egg

Windows:
easy_install -Z drozer-2.4.2-py2.7.egg (make sure easy_install is installed on your Windows system)

Download: drozer-2.4.2-py2.7.egg
Source: https://labs.mwrinfosecurity.com/tools/drozer/ | https://github.com/mwrlabs

Hijacker v1-stable version – Android GUI Application for wifi auditing tools.

Changelog from Hijacker v1-RC to Hijacker v1-stable version 22/1/2017:
* Add the option to mark Access Points or Stations to distinguish them easily, move options restore commands in onResume() of Fragments, change fifo to LinkedList to avoid a bug that still happens, use marked devices for ‘smart’ selection in MDKFragment, ReaverFragment and CustomActionFragment, create separate popup for attacks on Access Points, clear ‘marked’ lists on reset
* Fix duplicate watchdog thread running, remove reset() call in shell.done(), handle simultaneous calls to getFreeShell(), improve CustomAction saving
* Bug fixes, code optimization, cleanup, use Snackbar instead of Toast in Dialogs, stop only airodump with ‘stop’ button, add notification for ‘wpa handshake captured’, add SuperSU check, add ‘install in system’ warning

Hijacker is a graphical user interface for the wireless auditing tools airodump-ng, aireplay-ng and mdk3. It offers a simple and easy UI to use these tools without typing commands in a console and copy-pasting MAC addresses.
This application requires an Android device with a wireless adapter that supports Monitor Mode. A few Android devices do, but none of them natively, which means you will need a custom firmware. The Nexus 5 and any other device that uses the BCM4339 chipset (and the BCM4358, although injection is not yet supported there, so no aireplay or mdk) will work with Nexmon. Devices that use the BCM4330 can use bcmon. An alternative is to use an external adapter that supports monitor mode on Android via an OTG cable.

The required tools are included in the app. To install them go to Settings and click “Install Tools”. This will install everything in the directory you select. If you have already installed them, you don’t have to do anything. You can also keep them in any directory you want and set the directories in Settings, though this might cause the wireless tools not to be found by the aircrack-ng suite. The Nexmon driver and management utility are also included.
Root is also necessary, as these tools need root to work. If you don’t grant root permissions to it, it hangs… for some reason… don’t know why…

Aircrack, Airodump, Aireplay, MDK3 and Reaver GUI Application for Android

Features:
* View a list of access points and stations (clients) around you (even hidden ones)
* View the activity of a network (by measuring beacons and data packets) and its clients
* Deauthenticate all the clients of a network
* Deauthenticate a specific client from the network it’s connected
* MDK3 Beacon Flooding with custom SSID list
* MDK3 Authentication DoS for a specific network or to everyone
* Try to get a WPA handshake or gather IVs to crack a WEP network
* Statistics about access points (only encryption for now)
* See the manufacturer of a device (AP or station) from an OUI database (pulled from IEEE)
* See the signal power of devices and filter the ones that are closer to you
* Leave the app running in the background, optionally with a notification
* Copy commands or MAC addresses to the clipboard, so you can run them in a terminal if something goes wrong
* Includes the tools
* Reaver WPS cracking (pixie-dust attack using NetHunter chroot and external adapter)
* .cap file cracking with a custom wordlist
* Save captured packets in a .cap file
* Create custom commands to be run on an access point or a client with one click

Installation:
Make sure:
– you are on Android 5+
– you are rooted. SuperSU is required. If you are on CM, install SuperSU
– have installed busybox (opened and installed the tools)
– have a firmware to support Monitor Mode on your wireless interface

APK Download: Hijacker-release-v1.3-beta.2.2.apk (6.25 MB)
Source: https://github.com/chrisk44

simplify – Generic Android Deobfuscator.

Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn’t matter what the specific type of obfuscation is used.

There are three parts to the project: smalivm, simplify, and the demo app.
1. smalivm: Virtual machine library which can execute Android apps. It executes a method and returns a graph which contains the register and class values at every instruction for every possible execution path. It works even if certain values are unknown such as a network response from a server. If it encounters an if and doesn’t know the values of the conditional, it assumes either branch could happen and executes both paths.
2. simplify: Analyzes the graphs from smalivm and applies optimizations such as constant propagation, dead code removal, unreflection, and specific peephole optimizations. The optimizations are fairly simple, but when applied together and in succession, it can decrypt strings, peel back layers of obfuscation, and greatly simplify code.
3. demoapp: Contains simple, heavily commented examples of how to use smalivm. It’s a good place to start if you want to use smalivm in your own projects.

Dependencies:
+ Java 8

Usage and install from source:

git clone --recursive https://github.com/CalebFenton/simplify.git
cd simplify
git submodule update --init --recursive
./gradlew fatjar
java -jar simplify/build/libs/simplify.jar -it 'org/cf' simplify/obfuscated-example

Source: https://github.com/CalebFenton

HIDAAF – Human Interface Device Android Attack Framework.

HIDAAF is a Python framework that makes it easy to generate HID attack scripts for the Android platform for corresponding phone models. The HIDAAF output format is intended for the Bash Bunny (provided by the great guys behind Hak5). Due to the custom Android images released with certain phones (like the Samsung Galaxy series), HIDAAF is heavily dependent on your contributions to cover as many phone models as possible.

Dependencies:
– Python 2.7.x
– Metasploit Framework

Usage:

git clone https://github.com/SkiddieTech/HIDAAF && cd HIDAAF
python hidaaf.py

Source: https://github.com/SkiddieTech

TheFatRat v1.9 – Backdoor Creator For Remote Access.

CHANGELOG TheFatRat v1.9 from 1.8:
+ v1.9.4 – Fatrat will be full terminal mode, Powerstage tool added, Setup script rebuilt
+ v1.9.3 – Added update script
+ v1.9.3 – Dex2Jar will be installed from now on from Fatrat setup manually on user system (reason: Kali repo still uses old version)
+ v1.9.3 – Updated Android build tools to V.26 RC1 & Android Platform V. 25-R03
+ v1.9.3 – Updated dana travis backdoor-apk to 0.2.2 into fatrat / added openssl in setup
+ v1.9.2 – Msfvenom Android rat will be signed with android certificate, so it can be installed properly
+ v1.9.2 – Implemented Default Lhost & Lport config to fatrat & powerfull shell creator
+ v1.9.2 – Fixed payload in pnwinds option2
+ v1.9.2 – Implemented Stop functions in pnwinds
+ v1.9.2 – New signing process in old method backdoor apk & option to create listener
+ v1.9.2 – Implemented possibility for user to save msfconsole listeners
+ v1.9.2 – Fixes in Microsploit
+ v1.9.2 – Implemented local ip, public ip & hostname display to powerfull.sh
+ v1.9.2 – Implemented local ip, public ip & hostname display before user set Lhost
+ v1.9.2 – Implemented log creation for microsploit & fixed bugs
+ v1.9.2 – Added effective way to detect user linux distribution
+ v1.9.2 – Setup.sh (patched)
+ v1.9.2 – bug in microsploit (patched)
+ v1.9.2 – deleted some function and variable
+ v1.9.1 – Implemented Microsploit (Office Exploitation Tool)
+ v1.9b – Implemented Backdoor-apk from Dana James Traversie in this version. { Less tools to install during setup.sh }
+ v1.9.0 – update script setup.sh
+ v1.9.0 – del some variable and function
+ v1.9.0 – fixed typo and bugs
+ v1.9.0 – Backdoor APKS have a new payload hiding method in rat apk to not be detected.
+ v1.9.0 – APK (5) rat rebuild totally changed. (adapted backdoor-apk script to fatrat to both work together)
+ v1.9.0 – Apktool will not be installed no more by setup.sh, the same thing applies to: dx, zipalign (apktool on debian repo is 2.2.1, and that version has a bug that gives error on compiling the apks, so, apktool and android tools were updated)

What is FatRat?
An easy tool for generating backdoors with msfvenom (part of the Metasploit Framework). The program compiles a C program with a meterpreter reverse_tcp payload in it that can then be executed on a Windows host; the compiled program is intended to bypass most AV.
Automating Metasploit functions:
+ Checks for the Metasploit service and starts it if not present
+ Easily craft meterpreter reverse_tcp payloads for Windows, Linux, Android, Mac and others
+ Start multiple meterpreter reverse_tcp listeners
+ Fast search in searchsploit
+ Bypass AV
+ Drop into msfconsole
+ Some other fun stuff

Dependencies:
+ Metasploit Framework
+ MinGW
This tool has been fully tested on Kali Linux 2.0 & Rolling 2016.1.

Download & Usage:

apt-get install mingw32 (install requirement)
git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
cd setup
bash setup.sh
chmod +x fatrat
./fatrat

Note from us:
Before updating with git pull origin master, remove the old fatrat & powerfull.sh:
rm -f fatrat powerfull.sh
then run in the console:
git pull origin master

Source: https://github.com/Screetsec

glassdoor is a modern, autonomous security framework for Android APKs.

glassdoor is a modern, autonomous security framework for Android APKs written in Scala.
Its purpose is to automatically find backdoors, security flaws and other data leakages in applications running on the Android system, without having any actual access to the code itself.
It uses a simple command-line interface like the one depicted above. Each command is realized as a plugin, which defines its dependencies and the values it changes in order to support multithreading. The complete command basically uses all available plugins.

Dependencies:
+ Build dependencies
+-+ Scala
+ Runtime dependencies
+-+ Java
+-+ Grep
+-+ Git
+-+ John The Ripper
+-+ the_silver_searcher [optional]
+-+ Android SDK (including adb & aapt)
+-+ SQLite

Installation & build instructions:

Install Scala (Debian/Ubuntu):
wget -c https://downloads.lightbend.com/scala/2.12.2/scala-2.12.2.deb
sudo dpkg -i scala-2.12.2.deb

Install Scala (Red Hat/CentOS/Fedora):
wget -c https://downloads.lightbend.com/scala/2.12.2/scala-2.12.2.rpm
sudo rpm -Uvh scala-2.12.2.rpm

git clone https://github.com/fschrofner/glassdoor && cd glassdoor
./gradlew build
cd build/distributions
unzip glassdoor.zip
./glassdoor

Source: https://github.com/fschrofner


kwetza – Python script to inject existing Android applications with a Meterpreter payload.

What does it do?
Kwetza infects an existing Android application with either custom or default payload templates to avoid detection by antivirus. Kwetza allows you to infect Android applications using the target application’s default permissions or inject additional permissions to gain additional functionality.

Dependencies:
+ Apktool https://ibotpeaches.github.io/Apktool/install
+ Python 2.7.x & beautifulsoup4

Information
– Kwetza has been developed to work with Python 2.
– Kwetza by default will use the template and keystore located in the folder “payload” to inject and sign the infected apk.
– If you would like to sign the infected application with your own certificate, generate a new keystore, place it in the “payload” folder and either rename it to the existing keystore’s name or change the reference in kwetza.py.
– The same can be done for payload templates.
– The password for the default keystore is, well, “password”.

Usage:

git clone https://github.com/sensepost/kwetza && cd kwetza
python kwetza.py your_sample.apk [your IP Address] https [your port] yes

Source: https://github.com/sensepost

avpass – Tool for leaking and bypassing Android malware detection system.

AVPASS is a tool for leaking the detection model of Android malware detection systems (i.e., antivirus software), and bypassing their detection logics by using the leaked information coupled with APK obfuscation techniques. AVPASS is not limited to detection features used by detection systems, and can also infer detection rules so that it can disguise any Android malware as a benign application by automatically transforming the APK binary. To prevent leakage of the application logic during transformation, AVPASS provides an Imitation Mode that allows malware developers to safely query curious detection features without sending the entire binary.

AVPASS offers several useful features to transform any Android malware so it can bypass anti-virus software. Below are the main features AVPASS offers:
+ APK obfuscation with more than 10 modules
+ Feature inference for the detection system by using individual obfuscation
+ Rule inference of the detection system by using the 2k factorial experiment
+ Targeted obfuscation to bypass a specific detection system
+ Safe query support by using Imitation Mode

NOTICE:
* Recently, we added new features (Java reflection, a more complicated string encryptor) to bypass better. Unfortunately, these new modules are not compatible with some previous modules. We didn’t test much, but we found one case of error. Since Java reflection hides all method names, the pcm module (package/class/method name changer) can cause errors when you run the obfuscated APK. To solve this problem, we will quickly provide a pc module (package/class) for obfuscating only package and class names when you have already used Java reflection.
* Until the release, we recommend you not to use Java reflection with the pcm module. If you just try to infer AV features, it’s fine to use because apktool can compile the smali into an APK anyway.

Dependencies:
– apktool: https://ibotpeaches.github.io/Apktool/
– numpy: http://www.numpy.org/
– PIL: http://www.pythonware.com/products/pil/
– magic: https://pypi.python.org/pypi/python-magic
– python-utils: https://pypi.python.org/pypi/python-utils/2.1.0
– vt: https://pypi.python.org/pypi/virustotal-api

Usage and install:

git clone https://github.com/sslab-gatech/avpass && cd avpass
./install-dep.sh (must be run as root to install all dependencies)

Please read avpass/docs/README.MD for configuration and usage.
To change the configuration, edit the file src/conf.py

Launch individual obfuscation:
python gen_disguise.py -i YOUR_MALWARE.apk individual

Obfuscate by using inferred rules:
python gen_disguise.py -i YOUR_MALWARE.apk withrule -o OUTPUT_DIR

Source: https://github.com/sslab-gatech

trueseeing is a fast, accurate and resilient vulnerability scanner for Android apps.

trueseeing is a fast, accurate and resilient vulnerability scanner for Android apps. It operates on Android Package (APK) files and outputs a comprehensive report in HTML. It doesn’t matter whether the APK is obfuscated or not.

Currently trueseeing can detect the following classes of vulnerabilities:
+ Improper Platform Usage (M1)
* Debuggable
* Inadvertent publishing of Activities, Services, ContentProviders, BroadcastReceivers

+ Insecure Data (M2)
* Backupable (i.e. susceptible to the backup attack)
* Insecure file permissions
* Logging

+ Insecure Communications (M3)
* Lack of pinning (i.e. susceptible to the TLS interception attack)
* Use of cleartext HTTP
* Tamperable WebViews

+ Insufficient Cryptography (M5)
* Hardcoded passphrase/secret keys
* Vernam ciphers with static keys
* Use of the ECB mode

+ Client Code Quality Issues (M7)
* Reflectable WebViews (i.e. XSS in such views can be escalated to remote code execution via JS reflection)
* Use of an insecure mixed-content policy

+ Code Tampering (M8)
* Hardcoded certificates

+ Reverse Engineering (M9)
* Lack of obfuscation

Dependencies:
+ Apktool
+ Python 3.x

Usage and Install:

git clone https://github.com/monolithworks/trueseeing && cd trueseeing
or using pip
pip3 install trueseeing

trueseeing /path/to/target.apk > report.html
trueseeing --output=gcc /path/to/target.apk
trueseeing --patch-all /path/to/target.apk

Source: https://github.com/monolithworks

APKStat – Automated Information Retrieval From APKs For Initial Analysis.

APKStat uses Apktool to decompress and decode your APK file. APKStat will:
+ Break permissions, activities, activity aliases, services, providers and receivers into easily readable groups
+ Scour all files after decoding for hardcoded IP addresses and domain names
+ Single out the launcher activity
+ Automatically create a Strings.txt file

Output Analysis:
+ RecoveredDomain.txt, recoveredips.txt, report.txt and string.txt

Dependencies:
+ Apktool
+ Python 2.7.x

Usage:

git clone https://github.com/hexabin/APKStat && cd APKStat
python apkstat.py your_apk_file

Source: https://github.com/hexabin

TROMMEL: Sift Through Directories of Files to Identify Indicators That May Contain Vulnerability.

TROMMEL – sifts through directories of files to identify indicators that may contain vulnerabilities.

TROMMEL identifies the following indicators:
– Secure Shell (SSH) key files
– Secure Socket Layer (SSL) key files
– Internet Protocol (IP) addresses
– Uniform Resource Locators (URLs)
– email addresses
– shell scripts
– web server binaries
– configuration files
– database files
– specific binary files (e.g. Dropbear, BusyBox)
– shared object library files
– web application scripting variables, and
– Android application package (APK) file permissions.
TROMMEL has also integrated vFeed, which allows for further in-depth vulnerability analysis of identified indicators.

Dependencies:
+ Python-Magic https://pypi.python.org/pypi/python-magic
+ vFeed Database Community (free) Edition https://vfeed.io/pricing/
vFeed.db (The Correlated Vulnerability and Threat Database) is a detective and preventive security information repository used for gathering vulnerability and mitigation data from scattered internet sources into a unified database.

Notes:
* TROMMEL has been tested using Python 2.7 on macOS Sierra and Kali Linux x86_64.
* TROMMEL was written with the intent to help identify indicators that may contain vulnerabilities found in the firmware of embedded devices.

Usage:

git clone https://github.com/CERTCC-Vulnerability-Analysis/trommel && cd trommel
./trommel.py --help
./trommel.py -p /directory -o output_file

Source: https://github.com/CERTCC-Vulnerability-Analysis

Dex-Oracle ~ Dalvik deobfuscator which uses limited execution to improve semantic analysis.

How does Dex-Oracle work?
Oracle takes Android apps (APK), Dalvik executables (DEX), and Smali files as inputs. First, if the input is an APK or DEX, it is disassembled into Smali files. Then, the Smali files are passed to various plugins which perform analysis and modifications. Plugins search for patterns which can be transformed into something easier to read. In order to understand what the code is doing, some Dalvik methods are actually executed and the output is collected. This way, some method calls can be replaced with constants. After that, all of the Smali files are updated. Finally, if the input was an APK or a DEX file, the modified Smali files are recompiled and an updated APK or DEX is created.

Method execution is performed by the Driver. The input APK, DEX, or Smali is combined with the Driver into a single DEX using dexmerge and is pushed onto a device or emulator. Plugins can then use Driver which uses Java reflection to execute methods from the input DEX. The return values can be used to improve semantic analysis beyond mere pattern recognition. This is especially useful for many string decryption methods, which usually take an encrypted string or some byte array. One limitation is that execution is limited to static methods.

Dependencies:
– ruby-2.3.0
– apktool, smali and baksmali

Install latest Apktool:

sudo -E sh -c 'wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.0.jar -O /usr/local/bin/apktool.jar'
sudo chmod +r /usr/local/bin/apktool.jar
sudo sh -c 'wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool -O /usr/local/bin/apktool'
sudo chmod +x /usr/local/bin/apktool

Install latest Smali / Baksmali:
sudo -E sh -c 'wget https://bitbucket.org/JesusFreke/smali/downloads/smali-2.2.1.jar -O /usr/local/bin/smali.jar'
sudo -E sh -c 'wget https://bitbucket.org/JesusFreke/smali/downloads/baksmali-2.2.1.jar -O /usr/local/bin/baksmali.jar'
sudo chmod +r /usr/local/bin/smali.jar
sudo chmod +r /usr/local/bin/baksmali.jar

sudo -E sh -c 'wget https://bitbucket.org/JesusFreke/smali/downloads/smali -O /usr/local/bin/smali'
sudo -E sh -c 'wget https://bitbucket.org/JesusFreke/smali/downloads/baksmali -O /usr/local/bin/baksmali'
sudo chmod +x /usr/local/bin/smali
sudo chmod +x /usr/local/bin/baksmali

Usage:

git clone https://github.com/CalebFenton/dex-oracle && cd dex-oracle
gem install bundler
bundle install
cd bin

Connect a Device or Emulator
android avd
./dex-oracle -i com/android/system/admin/CCOIoll sample.apk

Source: https://github.com/CalebFenton

AndroTickler – Penetration testing and auditing toolkit for Android apps.

A Java tool that helps to pentest Android apps faster, more easily and more efficiently. AndroTickler offers many information-gathering features and static and dynamic checks that cover most aspects of Android app pentesting. It also offers several features that pentesters need during their pentests. AndroTickler also integrates with Frida to provide method tracing and manipulation. It was previously published under the name Tickler.

AndroTickler requires a Linux host and a rooted Android device connected to its USB port. The tool does not install anything on the Android device; it only creates a Tickler directory on /sdcard. AndroTickler depends on the Android SDK to run commands on the device and copy the app’s data to the TicklerWorkspace directory on the host for further analysis. TicklerWorkspace is the working directory of AndroTickler, and each app has a separate subdirectory in TicklerWorkspace which can contain the following (depending on user actions):

+ DataDir directory: a copy of the data directory of the app
+ extracted directory: output of apktool on the app; contains smali code, resources, libraries, etc.
+ bgSnapshots directory: Contains background snapshots copied from the device.
+ images directory: contains any screenshots taken for the app.
+ JavaCode directory: Contains app’s Java code decompiled by dex2jar and JD tools
+ logs directory: contains log files produced by -t -log, as explained below
+ transfers: files and directories copied from the device to the host using -copy2host
+ AndroidManifest.xml: The manifest file of the app as per apktool
+ base.apk: the APK file of the app, installed on the device
+ debuggable.apk: a debuggable version of the app, produced by -dbg

The libs directory and the Tickler.conf configuration file exist in the same directory as the jar file. The configuration file sets the location of the TicklerDir directory on the host and of Tickler on /sdcard of the Android device. If the configuration file does not exist or these 2 directories are not set, then default values will be used (Tickler_workspace in the current directory and /sdcard/Tickler respectively). The Tickler_lib directory contains some Java libraries and external tools used by AndroTickler, such as apktool and dex2jar.

AndroTickler highly depends on the following tools, so they should exist on your machine before using it:
+ Java 7 or higher
+ Android SDK tools (adb and friends)
+ sqlite3

Other tools are required for some features, but AndroTickler can still run without them:
+ Frida
+ jarsigner

Usage and building:

git clone https://github.com/ernw/AndroTickler && cd AndroTickler
./gradlew
./gradlew build
cd build/libs
java -jar AndroTickler.jar -h

Source: https://github.com/ernw


sci – Reverse engineering framework working at the assembly (SMALI) level.

Legal Disclaimer:
Usage of SCI for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Smali Code Injector (SCI) automates assembly-code (smali) injection into Android applications.

The initial ambition of this project was to automate stack-trace injection into Android applications in order to support my master's thesis work. Being able to log and display an application's runtime method calls along with their return values greatly helps in reverse engineering complex applications, by giving insight into their logic and workflow.

New features and payloads were then added progressively, with the aim of creating a framework capable of injecting any type of assembly code. Users familiar with Android development can easily implement compatible payloads; SCI takes care of the low-level work such as register allocation, dependencies and types.

Smali Code Injector (SCI)

Automation for a simpler world.
1. Code injection is performed at the assembly level (smali files), which makes telling a legitimate application apart from a modified one complicated and time consuming: it would require considerable forensic work such as network, permission, signature and code analysis.
2. A high-level overview of the steps involved during code injection is:
+++ Disassembling the application.
+++ Collecting relevant information about the application:
++++ class names,
++++ method names,
++++ register numbers and types,
++++ etc.
3. Editing AndroidManifest.xml to add permissions, services and broadcast receivers (depending on the payload's requirements).
4. Injecting and tweaking the selected payload within the targeted method(s). Some Android libraries are also injected in order to defeat obfuscation.
5. Reassembling and signing the app with a valid self-signed certificate.
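The register allocation mentioned in the overview is the step that usually goes wrong when smali is patched by hand. The following Python function is an added example written for this page (it is not SCI's code) that injects a Log.d(tag, message) call at the entry of one baksmali-disassembled method: it raises the .locals count to make room for the two String arguments, picks the invoke form that the register numbers allow (invoke-static addresses only v0 to v15, the /range form takes a contiguous run), and refuses methods declared with .registers, since shifting parameter registers there would need a different rewrite. The sample method is constructed; reassembling with apktool and re-signing are not shown.

```python
import re

# Fully qualified Log.d(String, String) as smali writes it.
LOG_D = "Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I"

# Constructed sample in the form baksmali/apktool emit; not taken from SCI.
SAMPLE_METHOD = """\
.method public static add(II)I
    .locals 1
    .param p0, "a"    # I
    .param p1, "b"    # I

    .prologue
    add-int v0, p0, p1

    return v0
.end method
"""

# Directives that may precede the first instruction and must stay in front of it.
_PROLOGUE_DIRECTIVES = (".param", ".prologue", ".line", ".local ")


def method_name(header):
    """Return the name from a '.method <modifiers> name(args)ret' header."""
    m = re.match(r"^\.method\s+(?:[\w-]+\s+)*([^\s(]+)\(", header)
    if not m:
        raise ValueError("not a .method header: %r" % header)
    return m.group(1)


def _first_instruction(lines, start):
    """Index of the first real instruction at or after `start`, skipping
    blank lines, prologue directives and .annotation blocks."""
    in_annotation = False
    for i in range(start, len(lines)):
        s = lines[i].strip()
        if in_annotation:
            in_annotation = s != ".end annotation"
        elif s.startswith(".annotation"):
            in_annotation = True
        elif s and not s.startswith(_PROLOGUE_DIRECTIVES):
            return i
    raise ValueError("method body has no instructions")


def inject_entry_log(method_smali, tag="SCI", message=None):
    """Insert Log.d(tag, message) at the entry of one smali method.

    Two fresh registers are taken by raising the .locals count. Locals occupy
    v0..v(N-1) and the parameters sit above them, so p-registers (baksmali's
    default) keep resolving; a method declared with .registers, or one that
    addresses its parameters as vN, would need every register renumbered.
    """
    lines = method_smali.splitlines()
    name = method_name(lines[0])
    if message is None:
        message = "enter " + name

    loc_idx = next((i for i, l in enumerate(lines) if l.strip().startswith(".locals ")), None)
    if loc_idx is None:
        raise ValueError("only methods declared with .locals are supported")
    indent = lines[loc_idx][: len(lines[loc_idx]) - len(lines[loc_idx].lstrip())]
    n_locals = int(lines[loc_idx].split()[1])

    r_tag, r_msg = n_locals, n_locals + 1
    if r_msg > 255:
        # const-string (format 21c) can address only v0..v255.
        raise ValueError("cannot allocate v%d for const-string" % r_msg)
    lines[loc_idx] = "%s.locals %d" % (indent, n_locals + 2)

    if r_msg <= 15:
        # invoke-static (format 35c) lists up to five 4-bit registers.
        invoke = "invoke-static {v%d, v%d}, %s" % (r_tag, r_msg, LOG_D)
    else:
        # Higher registers need the range form, which takes a contiguous run.
        invoke = "invoke-static/range {v%d .. v%d}, %s" % (r_tag, r_msg, LOG_D)

    def lit(s):
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

    payload = [
        indent + "const-string v%d, %s" % (r_tag, lit(tag)),
        indent + "const-string v%d, %s" % (r_msg, lit(message)),
        indent + invoke,
        "",
    ]
    at = _first_instruction(lines, loc_idx + 1)
    return "\n".join(lines[:at] + payload + lines[at:]) + "\n"


if __name__ == "__main__":
    print(inject_entry_log(SAMPLE_METHOD))
```

Run it against a .smali file produced by apktool d or baksmali and diff the result; the injected method still needs the app rebuilt and re-signed before it will install, and the Log.d call assumes the app does not strip android.util.Log at runtime.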

Dependencies:
+ Python 2.7.x
+ Apktool and ADB

Usage:

git clone https://github.com/AresS31/SCI && cd SCI
cd src
python sci.py -h
python sci.py -a your_app.apk <payload>

Source: https://github.com/AresS31

MADLIRA – Malware detection using learning and information retrieval for Android.

MADLIRA is a tool for Android malware detection. It consists of two components: a TFIDF component and an SVM learning component. In general, it takes as input a set of malware and a set of benign applications, then either extracts the malicious behaviors (TFIDF component) or computes a training model (SVM classifier). It then uses this knowledge to detect malicious behaviors in a new Android application.

Functionality
The tool has two main components: the TFIDF component and the SVM component.
Each component has two functions: a training function (malicious behavior extraction for TFIDF, model computation for SVM) and a test function (malicious behavior detection).

MADLIRA

TFIDF component
* Malicious behavior extraction
– Collect benign applications and malicious applications and put them in folders named benignApkFolder and maliciousApkFolder, respectively.
– Prepare training data and pack them in two files named benignPack and maliciousPack by using the command:

MADLIRA TFIDF packAPK -PB benignApkFolder -B benignPack -PM maliciousApkFolder -M maliciousPack

– Extracting malicious behaviors from two packed files (benignPack and maliciousPack) by using the command:

MADLIRA TFIDF train -B benignPack -M maliciousPack

* Malicious behavior detection
– Collect new applications and put them in a folder named checkApk.
– Detect malicious behaviors of applications in the folder checkApk by using the command:

MADLIRA TFIDF check -S checkApk
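To make the TFIDF idea concrete, here is an added example written for this page (it is not MADLIRA's code or its exact algorithm). It treats each app as a document of invoked framework APIs, weights each API by TF-IDF over the combined benign and malicious sets, ranks APIs by how much more weight they carry in the malicious set than in the benign one, and then scores an unseen app by the extracted behaviors it contains. The API lists are constructed, and the flag threshold is an assumption of this example.

```python
import math
from collections import Counter

# API identifiers in the form a disassembler reports invoked methods.
ON_CREATE = "Landroid/app/Activity;->onCreate"
SET_TEXT = "Landroid/widget/TextView;->setText"
LOG_D = "Landroid/util/Log;->d"
CLICK = "Landroid/view/View;->setOnClickListener"
TOAST = "Landroid/widget/Toast;->makeText"
SEND_SMS = "Landroid/telephony/SmsManager;->sendTextMessage"
DEVICE_ID = "Landroid/telephony/TelephonyManager;->getDeviceId"
CONNECT = "Ljava/net/HttpURLConnection;->connect"
DEX_LOADER = "Ldalvik/system/DexClassLoader;-><init>"

# Constructed training sets: one "document" (list of API calls) per app.
BENIGN = [
    [ON_CREATE, SET_TEXT, LOG_D],
    [ON_CREATE, CLICK, LOG_D],
    [ON_CREATE, TOAST],
]
MALICIOUS = [
    [ON_CREATE, SEND_SMS, DEVICE_ID, CONNECT],
    [SEND_SMS, DEVICE_ID, DEX_LOADER],
    [ON_CREATE, DEVICE_ID, CONNECT, LOG_D],
]


def idf(docs):
    """Smoothed inverse document frequency of every API over all apps."""
    n = len(docs)
    df = Counter(api for doc in docs for api in set(doc))
    return {api: math.log((1 + n) / (1 + d)) + 1 for api, d in df.items()}


def tf(doc):
    """Term frequency of each API within one app."""
    counts = Counter(doc)
    return {api: c / len(doc) for api, c in counts.items()}


def extract_behaviors(benign, malicious, top_k=5):
    """Rank APIs by mean TF-IDF weight in malicious apps minus mean weight in
    benign apps; the positive top-k are the extracted 'malicious behaviors'.
    APIs common to both classes (onCreate, Log.d) cancel out and drop away."""
    weights = idf(benign + malicious)
    score = Counter()
    for doc in malicious:
        for api, t in tf(doc).items():
            score[api] += t * weights[api] / len(malicious)
    for doc in benign:
        for api, t in tf(doc).items():
            score[api] -= t * weights[api] / len(benign)
    return [(api, round(s, 4)) for api, s in score.most_common(top_k) if s > 0]


def check_app(doc, behaviors, fraction=0.5):
    """Score an unseen app by the extracted behaviors it contains. Flagging
    above half of the total behavior weight is an assumption of this example."""
    table = dict(behaviors)
    score = round(sum(table.get(api, 0.0) for api in set(doc)), 4)
    flagged = score > fraction * sum(table.values())
    return score, flagged


if __name__ == "__main__":
    behaviors = extract_behaviors(BENIGN, MALICIOUS, top_k=3)
    for api, weight in behaviors:
        print("%-60s %.4f" % (api, weight))
    print(check_app([ON_CREATE, DEVICE_ID, CONNECT], behaviors))
```

With real input the documents come from a disassembler's list of invoked methods per APK (the noAPI.txt prefix list in MADLIRA's package plays the role of deciding which identifiers count as framework APIs); with only a handful of samples, as here, the ranking is dominated by whatever the malicious set happens to share, so the training corpus size matters far more than the weighting formula.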

SVM component
For this component, there are two functions: the training function and the test function.
* Training phase
– Collect benign applications in a folder named benignApkFolder and malicious applications in a folder named maliciousApkFolder.
– Prepare training data by using the commands:

MADLIRA SVM packAPK -PB benignApkFolder -B benignPack -PM maliciousApkFolder -M maliciousPack

– Compute the training model by this command:

MADLIRA SVM train -B benignPack -M maliciousPack

* Malicious behavior detection
– Collect new applications and put them in a folder named checkApk
– Detect malicious behaviors of applications in the folder checkApk by using the command:

MADLIRA SVM check -S checkApk

Installed Data:
+ MADLIRA.jar is the main application.
+ noAPI.txt declares the prefix of APIs.
+ family.txt lists malwares by family.
+ Folder TrainData contains the training configuration and training model.
+ Folder Samples contains sample data.
+ Folder TempData contains data for kernel computation.

Use and Download:

Download MADLIRA.7z and decompress it:
wget https://lipn.univ-paris13.fr/%7Edam/tool/androidTool/MADLIRA.7z
java -jar MADLIRA.jar SVM -h
java -jar MADLIRA.jar TFIDF check -S checkApk

Source: https://github.com/dkhuuthe

androguard v3.1.0-rc1 – Reverse engineering, Malware and goodware analysis of Android applications.

What has changed androguard v3.1.0-rc1?
– Ported Androguard to python3! You can now use py2.7 or py>=3.3!
– Tainted Analysis is gone and will be replaced by XREFs using the androguard.core.analysis.analysis.Analysis module.
– Better support for Multidex
– Adding JADX decompiler support
– Fixed bugs in DEX and AXML parser
– Fixed bugs in DAD (decompiler)
– New certificate parsing using pyasn1 and cryptography. There is no need to use chilkat anymore.
– switched from PScout to axplorer. These data should be more accurate.
– removed elsim, as it depends on Tainted (might come back in the future)
Note that some APIs might have changed, been renamed or removed! If you used Tainted or RiskAnalysis before, you need to remove that code and port it to Analysis.

androguard v3.1.0-rc1

Androguard is mainly a tool written in Python to play with:

Dex/Odex (Dalvik virtual machine) (.dex) (disassembly, decompilation),
APK (Android application) (.apk),
Android's binary XML (.xml),
Android resources (.arsc).
Androguard is available for Linux/OSX/Windows (Python powered).

Androguard has the following features :

  • Map and manipulate DEX/ODEX/APK/AXML/ARSC format into full Python objects,
  • Disassembly/decompilation/modification of the DEX/ODEX/APK formats,
  • Access to the static analysis of the code (basic blocks, instructions, permissions (with database from http://www.android-permissions.org/) …) and create your own static analysis tool,
  • Analysis of a bunch of Android apps,
  • Diffing of android applications,
  • Measure the efficiency of obfuscators (proguard, …),
  • Determine if your application has been pirated (plagiarism/similarities/rip-off indicator),
  • Check if an android application is present in a database (malwares, goodwares ?),
  • Open source database of android malware (this opensource database is done on my free time, of course my free time is limited, so if you want to help, you are welcome !),
  • Detection of ad/open source libraries (WIP),
  • Risk indicator of malicious application,
  • Reverse engineering of applications (goodwares, malwares),
  • Transform Android’s binary xml (like AndroidManifest.xml) into classic xml,
  • Visualize your application with gephi (gexf format), or with cytoscape (xgmml format), or PNG/DOT output,
  • Integration with external decompilers (JAD+dex2jar/DED/…)
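Mapping DEX into Python objects starts at the header, and the header carries two integrity fields that every repackaging workflow has to keep straight. The following is an added example written for this page (it is not androguard's code): a parser for the 0x70-byte header_item using struct, a verifier for the Adler-32 checksum (which covers everything after the checksum field, offset 12 onward) and the SHA-1 signature (everything after the signature field, offset 32 onward), and a fix-up routine that recomputes them in the right order after a patch. The sample DEX is a constructed header-only file with no tables, so it is not loadable; it only exercises the header logic.

```python
import hashlib
import struct
import zlib
from collections import namedtuple

# header_item is 0x70 bytes, little-endian: magic, checksum, signature, then 20 uints.
DEX_HEADER = struct.Struct("<8sI20s20I")
FIELDS = (
    "magic checksum signature file_size header_size endian_tag link_size link_off "
    "map_off string_ids_size string_ids_off type_ids_size type_ids_off proto_ids_size "
    "proto_ids_off field_ids_size field_ids_off method_ids_size method_ids_off "
    "class_defs_size class_defs_off data_size data_off"
).split()
DexHeader = namedtuple("DexHeader", FIELDS)

ENDIAN_CONSTANT = 0x12345678
CHECKSUM_OFF = 8      # Adler-32 covers bytes from offset 12 to end of file
SIGNATURE_OFF = 12    # SHA-1 covers bytes from offset 32 to end of file
FILE_SIZE_OFF = 32


def parse_dex_header(blob):
    """Unpack and sanity-check the header; raises ValueError on a non-DEX blob."""
    if len(blob) < DEX_HEADER.size:
        raise ValueError("file shorter than a DEX header")
    hdr = DexHeader(*DEX_HEADER.unpack_from(blob, 0))
    if hdr.magic[:4] != b"dex\n" or hdr.magic[7:] != b"\0":
        raise ValueError("bad magic %r" % hdr.magic)
    if hdr.endian_tag != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian_tag 0x%08x" % hdr.endian_tag)
    return hdr


def verify_dex(blob):
    """Compare the header's integrity fields against the bytes they cover."""
    hdr = parse_dex_header(blob)
    return {
        "version": hdr.magic[4:7].decode("ascii"),
        "size_ok": hdr.file_size == len(blob),
        "checksum_ok": (zlib.adler32(blob[SIGNATURE_OFF:]) & 0xFFFFFFFF) == hdr.checksum,
        "signature_ok": hashlib.sha1(blob[FILE_SIZE_OFF:]).digest() == hdr.signature,
        "class_defs": hdr.class_defs_size,
    }


def fix_header(blob):
    """Recompute file_size, signature and checksum after patching a DEX.
    Order matters: the checksum's range includes the signature bytes."""
    b = bytearray(blob)
    struct.pack_into("<I", b, FILE_SIZE_OFF, len(b))
    b[SIGNATURE_OFF:FILE_SIZE_OFF] = hashlib.sha1(b[FILE_SIZE_OFF:]).digest()
    struct.pack_into("<I", b, CHECKSUM_OFF, zlib.adler32(bytes(b[SIGNATURE_OFF:])) & 0xFFFFFFFF)
    return bytes(b)


def build_sample_dex(version=b"035"):
    """Constructed header-only DEX with consistent integrity fields (test input only)."""
    body = struct.pack("<20I", DEX_HEADER.size, DEX_HEADER.size, ENDIAN_CONSTANT, *([0] * 17))
    return fix_header(b"dex\n" + version + b"\0" + b"\0" * 24 + body)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(verify_dex(f.read()))
```

A mismatching checksum on a classes.dex pulled from an APK is a strong hint that the file was patched by hand and not passed back through smali/dx, which always rewrite both fields; neither field is a security control, since anyone who can modify the file can also recompute them, which is exactly what fix_header does.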

Download Using git:

git clone https://github.com/androguard/androguard && cd androguard

sudo apt install python python-pyqt5 python-pyperclip python-networkx ipython python-future python-pyasn1 python-cryptography python-magic python-pydot

You should be able to use python3 as well:

sudo apt install python3 python3-pyqt5 python3-pyperclip python3-networkx ipython3 python3-future python3-pyasn1 python3-cryptography python3-magic python3-pydot

python setup.py install
or
python3 setup.py install

Update:
git pull origin master

Download release archives: v3.1.0-rc1.zip | v3.1.0-rc1.tar.gz
Source: https://github.com/androguard

droidcarve – Commandline Android reverse engineering tool.

DroidCarve is capable of analyzing an Android APK file and automating certain reverse engineering tasks.
Features:
+ Code disassembling into Smali bytecode.
+ APK signature extraction.
+ AndroidManifest parsing: permissions, services, intents, package information etc.

droidcarve

Dependencies:
+ Python 2.7.x
+ smali, baksmali and apktool

Install Apktool, smali and baksmali on Debian/Ubuntu:

sudo -E sh -c 'wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.1.jar -O /usr/local/bin/apktool.jar'
sudo chmod +r /usr/local/bin/apktool.jar
sudo sh -c 'wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool -O /usr/local/bin/apktool'
sudo chmod +x /usr/local/bin/apktool


sudo -E sh -c 'wget https://bitbucket.org/JesusFreke/smali/downloads/smali-2.2.2.jar -O /usr/local/bin/smali.jar'
sudo chmod +r /usr/local/bin/smali.jar
sudo sh -c 'wget https://bitbucket.org/JesusFreke/smali/downloads/smali -O /usr/local/bin/smali'
sudo chmod +x /usr/local/bin/smali

sudo -E sh -c 'wget https://bitbucket.org/JesusFreke/smali/downloads/baksmali-2.2.2.jar -O /usr/local/bin/baksmali.jar'
sudo chmod +r /usr/local/bin/baksmali.jar
sudo sh -c 'wget https://bitbucket.org/JesusFreke/smali/downloads/baksmali -O /usr/local/bin/baksmali'
sudo chmod +x /usr/local/bin/baksmali

Use and Download:

git clone https://github.com/DarioI/droidcarve && cd droidcarve
pip install -r requirements.txt
python droidcarve.py -a yourapplication.apk

Source: https://github.com/DarioI

droidstatx – Android Applications Security Analyser, Xmind Generator.

+ droidstatx is a Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis.
+ The map itself is a component of an Android application pentesting methodology, which helps pentesters cover all important areas during an assessment. This was the main goal driving the tool's development.
+ The tool also allows adding custom checks in a simple way, to confirm the presence of given patterns in the Dalvik bytecode instructions.

Pre-requisites:
– pip (apt-get install python-pip)
– Java JRE (Probably already installed but if not, apt-get install default-jre)

droidstatx v0.3

Methodology
As stated above, this was the main goal driving the tool's development. The Xmind map's Methodology topic is structured following the OWASP Mobile Top 10 2016 categories.
Each category has topics that you will need to cover, in the form of a checklist, to guarantee and highlight coverage. Each topic has a URL to the respective chapter of the OWASP Mobile Security Testing Guide (MSTG) explaining the vulnerability and how to confirm its existence. I collaborated a little on the OWASP MSTG project and have to give a big shout out to Bernhard and Sven for creating the project and bringing a lot of people together to develop it.

The tool will automatically fill some of the topics with evidence based on the analysis, to help confirm whether a finding is a false or a true positive.
Each time the tool runs against a package, if the Xmind map already exists, a new tab will be created in the workbook. This way it is possible to keep a history file of every new version tested and compare it against previous runs.
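Both droidcarve's manifest parsing (permissions, services, intents, package information) and the evidence droidstatx collects start from the decoded AndroidManifest.xml that apktool writes. The following added example, written for this page and taken from neither project, parses such a manifest with xml.etree and pulls out the findings a pentester checks first: the permission list, android:debuggable, android:allowBackup, android:usesCleartextTraffic, and components that are reachable from other apps without an android:permission guard. The manifest is constructed. The implicit-export rule used here (an intent-filter implies exported="true" when the attribute is absent) is the behaviour before Android 12 made the attribute mandatory for such components.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest in the decoded form `apktool d` produces; not from any real app.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.victim">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:debuggable="true" android:allowBackup="true"
        android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="true"/>
        <receiver android:name=".SmsReceiver" android:exported="false">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <provider android:name=".DataProvider"
            android:authorities="com.example.victim.data"
            android:exported="true"
            android:permission="com.example.victim.READ_DATA"/>
        <activity android:name=".DeepLinkActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="victim"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def _attr(elem, name, default=None):
    """Read an attribute from the android: namespace."""
    return elem.get(ANDROID + name, default)


def is_exported(component):
    """Effective exported state. An explicit attribute wins; otherwise an
    intent-filter implies exported="true" (pre-Android-12 rule)."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def analyse_manifest(xml_bytes):
    """Collect the manifest facts and weak settings a static review starts with."""
    root = ET.fromstring(xml_bytes)
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "permissions": [_attr(p, "name") for p in root.findall("uses-permission")],
        "debuggable": _attr(app, "debuggable") == "true",
        # allowBackup is true unless the manifest says otherwise.
        "allow_backup": _attr(app, "allowBackup", "true") == "true",
        "cleartext_traffic": _attr(app, "usesCleartextTraffic") == "true",
        "exported_unprotected": [],
    }
    for comp in app:
        if comp.tag in COMPONENT_TAGS and is_exported(comp) and _attr(comp, "permission") is None:
            findings["exported_unprotected"].append((comp.tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_MANIFEST
    for key, value in analyse_manifest(data).items():
        print("%-20s %s" % (key, value))
```

The launcher activity shows up in exported_unprotected by construction (it has to be exported), so the list is a worklist for manual review rather than a verdict: an exported service or a BROWSABLE deep-link activity without a permission guard is where to start reading smali.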

Use and Download:

git clone https://github.com/integrity-sa/droidstatx && cd droidstatx
python install.py
* The setup will download the latest jar version of apktool and pip install androguard and xmind-sdk-python.

python droidstatx.py --apk [your_apk]
Best run on Kali Linux 2017, Ubuntu 16.04 and Debian 9.0

Source: https://github.com/integrity-sa
