rednaga / apkid

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

License: Other

Python 15.39% Shell 0.22% Dockerfile 0.26% YARA 84.13%
android antivirus machine-learning malware-detection malware-analysis malware-research yara yara-forensics packers android-protection

apkid's Introduction

APKiD


APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It's PEiD for Android.

(Screenshot: APKiD sample output, 2019-05-07)

For more information on what this tool can be used for, check out:

Installing

pip install apkid

Docker

You can also run APKiD with Docker! Of course, this requires that you have git and Docker installed.

Here's how to use Docker:

git clone https://github.com/rednaga/APKiD
cd APKiD/
docker build . -t rednaga:apkid
docker/apkid.sh ~/reverse/targets/android/example/example.apk
[+] APKiD 2.1.0 :: from RedNaga :: rednaga.io
[*] example.apk!classes.dex
 |-> compiler : dx

Usage

usage: apkid [-h] [-v] [-t TIMEOUT] [-r] [--scan-depth SCAN_DEPTH]
             [--entry-max-scan-size ENTRY_MAX_SCAN_SIZE] [--typing {magic,filename,none}] [-j]
             [-o DIR]
             [FILE [FILE ...]]

APKiD - Android Application Identifier v2.1.2

positional arguments:
  FILE                                       apk, dex, or directory

optional arguments:
  -h, --help                                 show this help message and exit
  -v, --verbose                              log debug messages

scanning:
  -t TIMEOUT, --timeout TIMEOUT              Yara scan timeout (in seconds)
  -r, --recursive                            recurse into subdirectories
  --scan-depth SCAN_DEPTH                    how deep to go when scanning nested zips
  --entry-max-scan-size ENTRY_MAX_SCAN_SIZE  max zip entry size to scan in bytes, 0 = no limit
  --typing {magic,filename,none}             method to decide which files to scan

output:
  -j, --json                                 output scan results in JSON format
  -o DIR, --output-dir DIR                   write individual results here (implies --json)
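To make the scanning options above concrete, here is an added example (not APKiD's own code) of a minimal file-collection stage modelled on --typing, --scan-depth and --entry-max-scan-size. It classifies blobs by their leading bytes (DEX, ZIP, ELF) rather than trusting file names, descends into nested ZIPs such as an APK shipped under assets/, and skips oversized entries before decompressing them. The helper names, the sample APK and the reading of "none" as "scan everything" are assumptions; the "container!entry" labels follow the CLI output shown in the Docker section.

```python
"""
Added example, not APKiD's own code: a minimal file-collection stage
modelled on the --typing, --scan-depth and --entry-max-scan-size options.
"""
import io
import zipfile
from typing import Iterator, List, Optional, Tuple

DEX_MAGIC = b"dex\n"        # every DEX header starts "dex\n" + version, e.g. "035\0"
ZIP_MAGIC = b"PK\x03\x04"   # ZIP local-file-header signature (APK, JAR, ZIP)
ELF_MAGIC = b"\x7fELF"      # native libraries under lib/<abi>/


def file_type(data: bytes, name: str, typing: str = "magic") -> Optional[str]:
    """Decide whether a blob is worth scanning and what it is.

    typing="magic"    -> by leading bytes (robust against renamed files)
    typing="filename" -> by extension only (fast, but trivially fooled)
    typing="none"     -> scan everything (assumed meaning of the 'none' option)
    Returns None for blobs that should be skipped."""
    if typing == "magic":
        if data.startswith(DEX_MAGIC):
            return "dex"
        if data.startswith(ZIP_MAGIC):
            return "apk"
        if data.startswith(ELF_MAGIC):
            return "elf"
        return None
    if typing == "filename":
        lower = name.lower()
        if lower.endswith(".dex"):
            return "dex"
        if lower.endswith((".apk", ".jar", ".zip")):
            return "apk"
        if lower.endswith(".so"):
            return "elf"
        return None
    return "unknown"


def collect_targets(data: bytes, name: str, scan_depth: int = 2,
                    entry_max_size: int = 0, typing: str = "magic",
                    _depth: int = 0) -> Iterator[Tuple[str, str, bytes]]:
    """Yield (label, type, bytes) for the blob and, when it is a ZIP, for
    every scannable entry inside it, recursing into nested ZIPs until
    scan_depth is reached. Labels use the "container!entry" form."""
    kind = file_type(data, name, typing)
    if kind is None:
        return
    yield name, kind, data
    if _depth >= scan_depth or not data.startswith(ZIP_MAGIC):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # "max zip entry size to scan in bytes, 0 = no limit": skip huge
            # entries before decompressing them, a cheap guard against
            # zip-bomb style inputs exhausting memory during a bulk scan.
            if entry_max_size and info.file_size > entry_max_size:
                continue
            yield from collect_targets(zf.read(info), f"{name}!{info.filename}",
                                       scan_depth, entry_max_size, typing, _depth + 1)


def scan_plan(data: bytes, name: str, **options) -> List[Tuple[str, str]]:
    """Labels and types the collector would hand to the YARA stage, in order."""
    return [(label, kind) for label, kind, _ in collect_targets(data, name, **options)]


def build_sample_apk() -> bytes:
    """Constructed sample (not a real app): a DEX header stub, a nested APK in
    assets/, an oversized DEX-looking blob and a fake native library."""
    dex_stub = DEX_MAGIC + b"035\x00"                       # 8 bytes
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("classes.dex", dex_stub)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("classes.dex", dex_stub)
        zf.writestr("assets/inner.apk", inner.getvalue())
        zf.writestr("assets/big.bin", DEX_MAGIC + b"\x00" * 60)   # 64 bytes
        zf.writestr("lib/armeabi/libnative.so", ELF_MAGIC + b"\x00" * 12)
    return outer.getvalue()


if __name__ == "__main__":
    for label, kind in scan_plan(build_sample_apk(), "sample.apk"):
        print(f"[*] {label}  ({kind})")
```

Running it with the defaults lists the outer APK, its classes.dex, the nested APK and the classes.dex inside it, the DEX-looking blob under assets/ and the native library; with scan_depth=1 the nested APK is listed but not entered, with entry_max_size=32 both larger entries are skipped, and with typing="filename" the renamed big.bin is missed entirely, which is why magic-based typing is the safer default for a scanner.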

Submitting New Packers / Compilers / Obfuscators

If you come across an APK or DEX which APKiD does not recognize, please open a GitHub issue and tell us:

  • what you think it is -- obfuscated, packed, etc.
  • the file hash (either MD5, SHA1, SHA256)

We are open to any type of concept you might have for "something interesting" to detect, so do not limit yourself solely to packers, compilers or obfuscators. If there is an interesting anti-disassembler, anti-vm, anti-* trick, please make an issue.

Pull requests are welcome. If you're submitting a new rule, be sure to include a file hash of the APK / DEX so we can check the rule.

License

This tool is available under a dual license: a commercial one suitable for closed source projects and a GPL license that can be used in open source software.

Depending on your needs, you must choose one of them and follow its policies. Details of the policies and agreements for each license type are available in the LICENSE.COMMERCIAL and LICENSE.GPL files.

Hacking

If you want to install the latest version in order to make changes, develop your own rules, and so on, simply clone this repository, compile the rules, and install the package in editable mode:

git clone https://github.com/rednaga/APKiD
cd APKiD
./prep-release.py
pip install -e .[dev,test]

If the above doesn't work because of permission errors (which depend on your local machine and where Python has been installed), try specifying the --user flag. This is likely needed if you're not using a virtual environment:

pip install -e .[dev,test] --user

If you update any of the rules, be sure to run prep-release.py to recompile them.

For Package Maintainers

When releasing a new version, make sure the version has been updated in apkid/__init__.py.

As for running tests, check out .travis.yml to see how the dev and test environments are set up and how the tests are run.

Update the compiled rules, the readme, build the package and upload to PyPI:

./prep-release.py readme
rm -f dist/*
python setup.py sdist bdist_wheel
twine upload --repository-url https://upload.pypi.org/legacy/ dist/*

For more information see Packaging Projects.

apkid's People

Contributors

0x33c0unt, ajinabraham, apkunpacker, calebfenton, cdchen, circleous, cryptax, dustty0, enovella, fare9, frenchyeti, fvrmatteo, horsicq, iantruslove, jasi2169, lennysec, p0r0, packmad, rebensk, reox, strazzere, superpoussin22, xooxo


apkid's Issues

yara-python does not "satisfy requirements"

Hi,
I've compiled yara-python (3.4.0.999), but APKiD is still complaining it can't find the right version.

[~/softs/APKiD]$ pip install apkid
Downloading/unpacking apkid
  Downloading apkid-0.9.3-py2.py3-none-any.whl
Downloading/unpacking yara-python==3.4.0.999 (from apkid)
  Could not find a version that satisfies the requirement yara-python==3.4.0.999 (from apkid) (from versions: 3.5.0, 3.4.0.00)
Cleaning up...
No distributions matching the version for yara-python==3.4.0.999 (from apkid)
Storing debug log for failure in /tmp/tmpVjlWNk

To my understanding, the debug logs show we're trying to download yara-python from the official place (https://pypi.python.org/simple/yara-python/) where there is only a 3.4.0 and a 3.5.0. Not a 3.4.0.999.
This is probably the issue. How do I tell it to use the version I just compiled?!

Downloading/unpacking apkid
  Getting page https://pypi.python.org/simple/apkid/
  URLs to search for versions for apkid:
  * https://pypi.python.org/simple/apkid/
  Analyzing links from page https://pypi.python.org/simple/apkid/
    Found link https://pypi.python.org/packages/36/9c/4db1239d0f14835214ec50c696665139a3658e922c3676932cb9094ff2ae/apkid-0.9.2-py2.py3-none-any.whl#md5=3f8cda2b40f18f5252230e781713debc (from https://pypi.python.org/simple/apkid/), version: 0.9.2
    Found link https://pypi.python.org/packages/95/87/919246ba87ea7292c7c01f8d1c80b73631b978320825ed3912a90035a187/apkid-0.9.3-py2.py3-none-any.whl#md5=da56eb6ffb4ab0f8474934dfbc87a7ee (from https://pypi.python.org/simple/apkid/), version: 0.9.3
  Using version 0.9.3 (newest of versions: 0.9.3, 0.9.2)
  Downloading apkid-0.9.3-py2.py3-none-any.whl
  Downloading from URL https://pypi.python.org/packages/95/87/919246ba87ea7292c7c01f8d1c80b73631b978320825ed3912a90035a187/apkid-0.9.3-py2.py3-none-any.whl#md5=da56eb6ffb4ab0f8474934dfbc87a7ee (from https://pypi.python.org/simple/apkid/)
Downloading/unpacking yara-python==3.4.0.999 (from apkid)
  Getting page https://pypi.python.org/simple/yara-python/
  URLs to search for versions for yara-python==3.4.0.999 (from apkid):
  * https://pypi.python.org/simple/yara-python/3.4.0.999
  * https://pypi.python.org/simple/yara-python/
  Getting page https://pypi.python.org/simple/yara-python/3.4.0.999
  Could not fetch URL https://pypi.python.org/simple/yara-python/3.4.0.999: 404 Client Error: Not Found
  Will skip URL https://pypi.python.org/simple/yara-python/3.4.0.999 when looking for download links for yara-python==3.4.0.999 (from apkid)
  Analyzing links from page https://pypi.python.org/simple/yara-python/
    Found link https://pypi.python.org/packages/3e/6c/ec2453fd811ea2f8c157d196b4dd76eb3c229362918fdb661358bd3e8645/yara-python-3.5.0.tar.gz#md5=3184efa3da16e3a8304185f2641c4ffe (from https://pypi.python.org/simple/yara-python/), version: 3.5.0
    Found link https://pypi.python.org/packages/8e/01/b7dce32aa35248e9c640250788cd959245c6f79e6f5d44185ad214efb115/yara-python-3.4.0.00.tar.gz#md5=b28916c20bd8e6a7c4f105e3b496f378 (from https://pypi.python.org/simple/yara-python/), version: 3.4.0.00
  Ignoring link https://pypi.python.org/packages/3e/6c/ec2453fd811ea2f8c157d196b4dd76eb3c229362918fdb661358bd3e8645/yara-python-3.5.0.tar.gz#md5=3184efa3da16e3a8304185f2641c4ffe (from https://pypi.python.org/simple/yara-python/), version 3.5.0 doesn't match ==3.4.0.999
  Ignoring link https://pypi.python.org/packages/8e/01/b7dce32aa35248e9c640250788cd959245c6f79e6f5d44185ad214efb115/yara-python-3.4.0.00.tar.gz#md5=b28916c20bd8e6a7c4f105e3b496f378 (from https://pypi.python.org/simple/yara-python/), version 3.4.0.00 doesn't match ==3.4.0.999
  Could not find a version that satisfies the requirement yara-python==3.4.0.999 (from apkid) (from versions: 3.5.0, 3.4.0.00)
Cleaning up...
  Removing temporary dir /tmp/pip_build_root...
No distributions matching the version for yara-python==3.4.0.999 (from apkid)
Exception information:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 122, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 278, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/usr/lib/python2.7/dist-packages/pip/req.py", line 1178, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/usr/lib/python2.7/dist-packages/pip/index.py", line 322, in find_requirement
    raise DistributionNotFound('No distributions matching the version for %s' % req)
DistributionNotFound: No distributions matching the version for yara-python==3.4.0.999 (from apkid)

This is the version I compiled:

$ sudo python setup.py install
[..]
Copying yara_python.egg-info to /usr/local/lib/python2.7/dist-packages/yara_python-3.4.0.999-py2.7.egg-info

To summarize what I did exactly:

$ git clone https://github.com/rednaga/APKiD
$ cd APKiD/
$ git clone https://github.com/rednaga/yara-python
$ cd yara-python/
// fix dex.c //
$ sudo python setup.py install
$ cd ../
$ pip install apkid

Unknown packers: Nagain

So, I just happened to see this APK on Koodous some days ago. I haven't got the time to inspect this further, but the class name has something to do with vdog. Googling a bit about vdog+app+protect, I got Arxan App-Protect. Looks like something unrelated though.

(sha256) b1f0143c22a588aea89d3a9c0a53fa6d8cea07dd64dec1f82d905f5599acea94

Apkid should not crash when permission is denied

Example:

$ apkid .
[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
Traceback (most recent call last):
  File "/usr/local/bin/apkid", line 11, in <module>
    load_entry_point('apkid==1.0.0', 'console_scripts', 'apkid')()
  File "/usr/local/lib/python2.7/dist-packages/apkid-1.0.0-py2.7.egg/apkid/__init__.py", line 60, in main
    apkid.scan(input, args.timeout, args.json)
  File "/usr/local/lib/python2.7/dist-packages/apkid-1.0.0-py2.7.egg/apkid/apkid.py", line 176, in scan
    for file_type, file_path in collect_files(input):
  File "/usr/local/lib/python2.7/dist-packages/apkid-1.0.0-py2.7.egg/apkid/apkid.py", line 76, in collect_files
    file_type = get_file_type(filepath)
  File "/usr/local/lib/python2.7/dist-packages/apkid-1.0.0-py2.7.egg/apkid/apkid.py", line 54, in get_file_type
    with open(file_path, 'rb') as f:
IOError: [Errno 13] Permission denied: './pureVPN/openvpncfg/login.conf'

Should have a standard app to do benchmarks against

When speaking in the slack channel - the idea came up to catalogue all the protectors we currently detect and have a sample for each. This might be best to do in the wiki on this repo.

If we create a small application which hits all the features we want to test against - then run it through all the protectors we can, this should allow easy sharing (which shouldn't violate any TOS/warez/DRM/etc) and differentiation between protectors.

Add AppGuard

Found this while reversing an app. The sample hasn't been uploaded to Koodous yet, but the package name is com.asobimo.avabel_gp_b3 (in the Play Store). Would be nice to have another sample, but I haven't got anything similar. I'll make a PR as soon as possible.
website: http://appguard.nprotect.com/en/index.html

Installation error - yara is not matching

I have followed the given steps for installation, but I am getting the below error while running "pip install aphid". I use a Mac.

" No matching distribution found for yara-python==3.5.0.999 (from aphid) "

Please help me with this.

Support for Pangxie

Hi,

This sample Pangxie_com.joytap.PetDash.apk is packed with Pangxie, but APKiD does not 'see' it:
sha256: ea70a5b3f7996e9bfea2d5d99693195fdb9ce86385b7116fd08be84032d43d2c

$ apkid Pangxie_com.joytap.PetDash.apk 
[!] APKiD 0.9.3 :: from RedNaga :: rednaga.io
[*] Pangxie_com.joytap.PetDash.apk!classes.dex
 |-> compiler : Android SDK (dx)

Apkid crashes with IOError while scan_apk

Example:

2017-11-27 18:35:54 ERROR    error extracting ./gdb-dumps/merged-樗蒈Ի.bin: [Errno 22] Invalid argument
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/apkid-1.0.0-py2.7.egg/apkid/apkid.py", line 135, in scan_apk
    zf.extractall(td, members=target_members)
  File "/usr/lib/python2.7/zipfile.py", line 1040, in extractall
    self.extract(zipinfo, path, pwd)
  File "/usr/lib/python2.7/zipfile.py", line 1028, in extract
    return self._extract_member(member, path, pwd)
  File "/usr/lib/python2.7/zipfile.py", line 1082, in _extract_member
    with self.open(member, pwd=pwd) as source, \
  File "/usr/lib/python2.7/zipfile.py", line 963, in open
    zef_file.seek(zinfo.header_offset, 0)
IOError: [Errno 22] Invalid argument 

APKid not getting installed on Windows10

I have downloaded the latest 0.9.5 Beta version from GitHub. I am planning to enable the APKiD feature.
I have this installed on my laptop:
1) Python 2.7.11
2) VCForPython27

STEPS TO REPRODUCE THE ISSUE

git clone https://github.com/rednaga/APKiD
cd APKiD
git clone https://github.com/rednaga/yara-python
cd yara-python
python setup.py install

CONSOLE OUTPUT

C:\Users*\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe /c /nologo /Ox /MD /W3 /GS- /DNDEBUG -D_CRT_SECURE_NO_WARNINGS=1 -DHASH_MODULE=1 -Iyara/libyara/include -Iyara/libyara/ -I. -Iyara/windows/include -IC:\Python27\include -IC:\Python27\PC /Tcyara\libyara\lexer.c /Fobuild\temp.win32-2.7\Release\yara\libyara\lexer.obj
lexer.c
lexer.l(794) : warning C4090: 'function' : different 'const' qualifiers
lexer.l(846) : error C2143: syntax error : missing ';' before 'type'
lexer.l(853) : error C2065: 'buf' : undeclared identifier
lexer.l(853) : warning C4022: 'ReadFile' : pointer mismatch for actual parameter 2
lexer.l(853) : error C2065: 'buf' : undeclared identifier
lexer.l(867) : error C2065: 'buf' : undeclared identifier
lexer.l(867) : warning C4047: 'function' : 'char ' differs in levels of indirection from 'int'
lexer.l(867) : warning C4024: 'yara_yy_scan_bytes' : different types for formal and actual parameter 1
error: command 'C:\Users\*\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe' failed with exit status 2

CONTENTS OF LOG FILES

NA

Add SafetyNet attestation detector rule

Hi,

Would it be nice to detect the use of Google SafetyNet to show "stealthy" behaviour?
Although it might not be useful for malware detection, it should be interesting.

Cheers

Not matching results

I have tried APKiD on several samples mentioned in the sample output in https://rednaga.io/2016/07/30/apkid_and_android_compiler_fingerprinting/, but I actually get quite a few different results regarding compilers. For example, for test-data/samples/unicom_sdk/bb11a710258077213ce4281e78a1c19a940c02dc3ddaa5f1d8046380173e0da7!classes.dex you have mentioned Android SDK (dexmerge), dexlib 1.x in the article, but running it on my machine I get dx (possible dexmerge). For test-data/samples/apkprotect/9ac20091b8e82c8ff2882422450e30c03043136ca009affe59e51edabf753337 there is dexlib 1.x, but I got dexlib 2.x.

Invalid ZIP file breaks apkid execution when analyzing directories

Looking into some OLLVM samples @CalebFenton provided me to analyse, I found this ZIP file that breaks the execution when going through all the files within a directory

ollvm-generic-samples] > apkid ecc1322809c20dd59ae2ea5e499dcdebe05bee0d37084941ebf463dcd10a177c 
[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
2017-11-23 20:48:13 ERROR    error extracting ecc1322809c20dd59ae2ea5e499dcdebe05bee0d37084941ebf463dcd10a177c: unpack requires a string argument of length 4
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/apkid-1.0.0-py2.7.egg/apkid/apkid.py", line 132, in scan_apk
    zf = zipfile.ZipFile(apk_path, 'r')
  File "/usr/lib/python2.7/zipfile.py", line 770, in __init__
    self._RealGetContents()
  File "/usr/lib/python2.7/zipfile.py", line 857, in _RealGetContents
    x._decodeExtra()
  File "/usr/lib/python2.7/zipfile.py", line 388, in _decodeExtra
    tp, ln = unpack('<HH', extra[:4])
error: unpack requires a string argument of length 4

Should assert files are accessible prior to opening them

[30%]diff@rocksteady:[arxan] $ apkid .
[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
Traceback (most recent call last):
  File "/Users/diff/Library/Python/2.7/bin/apkid", line 9, in <module>
    load_entry_point('apkid==1.0.0', 'console_scripts', 'apkid')()
  File "/Users/diff/repo/APKiD/apkid/__init__.py", line 60, in main
    apkid.scan(input, args.timeout, args.json)
  File "/Users/diff/repo/APKiD/apkid/apkid.py", line 176, in scan
    for file_type, file_path in collect_files(input):
  File "/Users/diff/repo/APKiD/apkid/apkid.py", line 76, in collect_files
    file_type = get_file_type(filepath)
  File "/Users/diff/repo/APKiD/apkid/apkid.py", line 54, in get_file_type
    with open(file_path, 'rb') as f:
IOError: [Errno 13] Permission denied: './01cd1c7b1054518a1f5fdf1345767604d074a26135a3f9cc719788e32ee74d5d'

The file was not RW - my mistake, however, we should present a better error.

Apkid crashes when CRC-32 is not valid for classes.dex

The example merged-牄ҡ約.bin is either an ODEX file or a memory dump from GDB. However, the error could be try-catch-ed.

2017-11-27 18:35:54 ERROR    error extracting ./gdb-dumps/merged-牄ҡ約.bin: Bad CRC-32 for file 'classes.dex'
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/apkid-1.0.0-py2.7.egg/apkid/apkid.py", line 135, in scan_apk
    zf.extractall(td, members=target_members)
  File "/usr/lib/python2.7/zipfile.py", line 1040, in extractall
    self.extract(zipinfo, path, pwd)
  File "/usr/lib/python2.7/zipfile.py", line 1028, in extract
    return self._extract_member(member, path, pwd)
  File "/usr/lib/python2.7/zipfile.py", line 1084, in _extract_member
    shutil.copyfileobj(source, target)
  File "/usr/lib/python2.7/shutil.py", line 49, in copyfileobj
    buf = fsrc.read(length)
  File "/usr/lib/python2.7/zipfile.py", line 632, in read
    data = self.read1(n - len(buf))
  File "/usr/lib/python2.7/zipfile.py", line 692, in read1
    self._update_crc(data, eof=eof)
  File "/usr/lib/python2.7/zipfile.py", line 647, in _update_crc
    raise BadZipfile("Bad CRC-32 for file %r" % self.name)
BadZipfile: Bad CRC-32 for file 'classes.dex' 
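The crashes reported in the issues above (permission denied on open, a malformed ZIP extra field, a bad CRC-32 on classes.dex) share one fix: treat each input's failure as a result to report rather than an exception that ends the whole directory scan. The following is an added example, not APKiD's own code, of such a per-file step with constructed inputs; the helper names and file names are assumptions made for this example.

```python
"""
Added example, not APKiD's own code: a per-file scan step that turns
unreadable or damaged inputs into a per-input status instead of a traceback,
so a directory scan finishes and reports what it skipped.
"""
import logging
import os
import struct
import tempfile
import zipfile
from typing import Dict, List

log = logging.getLogger("apkid-example")
ZIP_MAGIC = b"PK\x03\x04"


def inspect_classes_dex(path: str) -> Dict[str, object]:
    """Return {'status': 'ok', 'size': n} for a readable archive with an intact
    classes.dex, or {'status': 'skipped', 'reason': ...} for any condition that
    should not abort a bulk scan."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except PermissionError as e:                   # EACCES: the './login.conf' case
        return {"status": "skipped", "reason": f"permission denied: {e.filename}"}
    except OSError as e:                           # missing file, EINVAL, ...
        return {"status": "skipped", "reason": f"{type(e).__name__}: {e}"}
    if head != ZIP_MAGIC:
        return {"status": "skipped", "reason": "not a ZIP/APK"}
    try:
        with zipfile.ZipFile(path) as zf:
            if "classes.dex" not in zf.namelist():
                return {"status": "skipped", "reason": "no classes.dex"}
            data = zf.read("classes.dex")          # raises BadZipFile on CRC mismatch
    except (zipfile.BadZipFile, struct.error, EOFError, OSError) as e:
        # BadZipFile covers "Bad CRC-32" and a broken central directory;
        # struct.error is what a corrupt extra field raised on older Pythons.
        return {"status": "skipped", "reason": f"corrupt archive: {e}"}
    return {"status": "ok", "size": len(data)}


def scan_paths(paths: List[str]) -> Dict[str, Dict[str, object]]:
    """Scan every path, log skips, never raise: one bad input must not stop the run."""
    results = {}
    for p in paths:
        r = inspect_classes_dex(p)
        if r["status"] != "ok":
            log.warning("%s: %s", os.path.basename(p), r["reason"])
        results[os.path.basename(p)] = r
    return results


def make_samples(tmpdir: str) -> List[str]:
    """Constructed inputs: a sound archive, one whose classes.dex bytes were
    altered after the CRC was recorded, one with only a ZIP signature, one
    made unreadable with chmod 000, and one path that does not exist."""
    dex = b"dex\n035\x00" + b"\x00" * 24
    good = os.path.join(tmpdir, "good.apk")
    with zipfile.ZipFile(good, "w") as zf:
        zf.writestr("classes.dex", dex)

    bad_crc = os.path.join(tmpdir, "bad_crc.apk")
    with zipfile.ZipFile(bad_crc, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", dex)
    with open(bad_crc, "r+b") as f:                # flip one stored payload byte
        blob = bytearray(f.read())
        blob[blob.index(b"dex\n035") + 8] ^= 0xFF
        f.seek(0)
        f.write(blob)

    garbled = os.path.join(tmpdir, "garbled.apk")
    with open(garbled, "wb") as f:
        f.write(ZIP_MAGIC + b"\x00" * 40)

    unreadable = os.path.join(tmpdir, "unreadable.apk")
    with open(unreadable, "wb") as f:
        f.write(ZIP_MAGIC + b"\x00" * 40)
    os.chmod(unreadable, 0)                        # no effect when run as root

    return [good, bad_crc, garbled, unreadable, os.path.join(tmpdir, "missing.apk")]


def run_demo() -> Dict[str, Dict[str, object]]:
    """Build the samples in a scratch directory, scan them, clean up."""
    with tempfile.TemporaryDirectory() as d:
        paths = make_samples(d)
        try:
            return scan_paths(paths)
        finally:
            for p in paths:
                if os.path.exists(p):
                    os.chmod(p, 0o600)             # so the scratch dir can be removed


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name}: {r}")
```

The unreadable sample is reported as skipped either way: as "permission denied" for a normal user, or as a corrupt archive when the scan runs as root and the chmod has no effect. Checking the four magic bytes before handing the path to zipfile keeps unrelated files (configs, dumps) from being parsed as archives at all.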

Apkid fails to analyse apk

I can't analyse an APK with the apkid command. By the way, I am using Windows 10 with yara-python 3.6.3 from VirusTotal, because I couldn't install yara-python 3.5.0 from rednaga.

This is the output from the powershell terminal:
[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
Traceback (most recent call last):
File "C:\Python27\Scripts\apkid-script.py", line 11, in <module>
load_entry_point('apkid==1.0.0', 'console_scripts', 'apkid')()
File "C:\Python27\lib\site-packages\apkid-1.0.0-py2.7.egg\apkid\__init__.py", line 60, in main
apkid.scan(input, args.timeout, args.json)
File "C:\Python27\lib\site-packages\apkid-1.0.0-py2.7.egg\apkid\apkid.py", line 174, in scan
rules = get_rules()
File "C:\Python27\lib\site-packages\apkid-1.0.0-py2.7.egg\apkid\apkid.py", line 83, in get_rules
return yara.load(rules_path)
yara.Error: could not open file "C:\Python27\lib\site-packages\apkid-1.0.0-py2.7.egg\apkid\rules/rules.yarc"

Also, I have looked at the folder and there is no such file.

Add ProGuard rule

Hi,

It would be interesting to write a rule for detecting the default obfuscator "ProGuard".

Cheers

AttributeError when running apk sample

Greetings,

I get the below output after running apkid sample.apk

[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
Traceback (most recent call last):
  File "/usr/local/bin/apkid", line 11, in <module>
    load_entry_point('apkid==1.0.0', 'console_scripts', 'apkid')()
  File "/home/testDownloads/APKiD/apkid/__init__.py", line 60, in main
    apkid.scan(input, args.timeout, args.json)
  File "/home/test/Downloads/APKiD/apkid/apkid.py", line 174, in scan
    rules = get_rules()
  File "/home/test/Downloads/APKiD/apkid/apkid.py", line 83, in get_rules
    return yara.load(rules_path)
AttributeError: 'module' object has no attribute 'load'

Everything seems to have installed correctly as well, thoughts?

Thank you in advance.

Fix AppGuard detection

Currently the rule is gated on finding /assets/appguard/ AND classes.sox; however, this does not seem to be consistent across the board:

[96%]diff@rocksteady:[appguard] $ unzip -l GrowStone_net.supercat.stone_V1114.apk | grep -i appguard
   123040  07-28-2017 13:50   assets/appguard/sign.mf
      256  07-28-2017 13:50   assets/appguard/sign.crt
   125142  01-01-1980 09:00   assets/appguard/armeabi/libstub.sox
      384  01-01-1980 09:00   assets/appguard/update.dat
   503142  01-01-1980 09:00   assets/appguard/armeabi/libengine.sox
[96%]diff@rocksteady:[appguard] $
[96%]diff@rocksteady:[appguard] $
[96%]diff@rocksteady:[appguard] $ shasum GrowStone_net.supercat.stone_V1114.apk 
e656173648e345f72d34210b0c0d0e4a7ebdd974  GrowStone_net.supercat.stone_V1114.apk
[96%]diff@rocksteady:[appguard] $ apkid GrowStone_net.supercat.stone_V1114.apk 
[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
[*] GrowStone_net.supercat.stone_V1114.apk!classes.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, device ID check, network operator name check, possible Build.SERIAL check, possible vm check, ro.kernel.qemu check, ro.product.device check, subscriber ID check
 |-> compiler : dexlib 2.x
[*] GrowStone_net.supercat.stone_V1114.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check
 |-> compiler : dexlib 2.x

Missing libyara.so

Followed the instructions and successfully installed yara-python and APKiD.

Somehow it won't run; the exception is due to a missing libyara.so.

What needs to be compiled to solve it?

Here is what I got:

$ yara -v
yara 3.5.0

$ apkid -h
Failed to import '/System/Library/Frameworks/Python.framework/Versions/2.7/lib/libyara.so'
PATH = /usr/local/openssl/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;/System/Library/Frameworks/Python.framework/Versions/2.7/lib
Traceback (most recent call last):
  File "/usr/local/bin/apkid", line 7, in <module>
    from apkid import main
  File "/Library/Python/2.7/site-packages/apkid/__init__.py", line 38, in <module>
    import apkid
  File "/Library/Python/2.7/site-packages/apkid/apkid.py", line 34, in <module>
    import yara
  File "/Library/Python/2.7/site-packages/yara/__init__.py", line 7, in <module>
    from yara.rules import compile
  File "/Library/Python/2.7/site-packages/yara/rules.py", line 17, in <module>
    from yara.libyara_wrapper import *
  File "/Library/Python/2.7/site-packages/yara/libyara_wrapper.py", line 315, in <module>
    libyaradll = cdll.LoadLibrary(library)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ctypes/__init__.py", line 443, in LoadLibrary
    return self._dlltype(name)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ctypes/__init__.py", line 365, in __init__
    self._handle = _dlopen(self._name, mode)
OSError: dlopen(/System/Library/Frameworks/Python.framework/Versions/2.7/lib/libyara.so, 6): image not found

Add example for qdbh & jpj packer

Sample at Koodous:

$ apkid 0531aaa5146ebbaa9c1b194f6ce12b28aef1c67b0c6d5ef6d224c43dc96c9402 
[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
[*] 0531aaa5146ebbaa9c1b194f6ce12b28aef1c67b0c6d5ef6d224c43dc96c9402
 |-> packer : 'qdbh' (?)
[*] 0531aaa5146ebbaa9c1b194f6ce12b28aef1c67b0c6d5ef6d224c43dc96c9402!classes.dex
 |-> compiler : dexlib 2.x
[*] 0531aaa5146ebbaa9c1b194f6ce12b28aef1c67b0c6d5ef6d224c43dc96c9402!lib/armeabi/libfhgyj.so
 |-> packer : 'jpj' packer (?)

Try to provide more information about the sample. Ask @strazzere

Add labgency protection tools

Someone emailed me a sample asking for personal IT helpdesk support... So I figured I'd add it as an enhancement issue here in case I can get around to it.

Unknown if it is a packer at all; it seems to include some protection tools though, inside the class path labgency:

-rw-r--r--  1 diff  staff    46492 Dec 31  1979 liblgyvr40.so
rigby:baksmali diff$ find com/labgency/
com/labgency/
com/labgency//drm
com/labgency//drm/Constraints.smali
com/labgency//drm/MSDrmWrapper.smali
com/labgency//hss
com/labgency//hss/a
com/labgency//hss/a/a.smali
com/labgency//hss/a.smali
com/labgency//hss/aa.smali
com/labgency//hss/ab.smali
com/labgency//hss/ac.smali
com/labgency//hss/ad.smali
com/labgency//hss/ae.smali
com/labgency//hss/b
com/labgency//hss/b/a.smali
com/labgency//hss/b/b.smali
com/labgency//hss/b/c.smali
com/labgency//hss/b.smali
com/labgency//hss/c
com/labgency//hss/c/a.smali
com/labgency//hss/c/b.smali
com/labgency//hss/c/c.smali
com/labgency//hss/c.smali
com/labgency//hss/d.smali
com/labgency//hss/data
com/labgency//hss/data/a$a.smali
com/labgency//hss/data/a.smali
com/labgency//hss/data/b.smali
com/labgency//hss/data/c.smali
com/labgency//hss/data/d.smali
com/labgency//hss/data/FingerKey.smali
com/labgency//hss/data/HSSError.smali
com/labgency//hss/data/HSSUpdate.smali
com/labgency//hss/data/Lib.smali
com/labgency//hss/downloads
com/labgency//hss/downloads/HSSDownloadError.smali
com/labgency//hss/downloads/HSSDownloadState.smali
com/labgency//hss/downloads/HSSDownloadStatus.smali
com/labgency//hss/e.smali
com/labgency//hss/exceptions
com/labgency//hss/exceptions/DeviceIdUnavailableException.smali
com/labgency//hss/f.smali
com/labgency//hss/g.smali
com/labgency//hss/h.smali
com/labgency//hss/HSSAgent.smali
com/labgency//hss/HSSApplication.smali
com/labgency//hss/HSSAuthentManager$1.smali
com/labgency//hss/HSSAuthentManager.smali
com/labgency//hss/HSSClockManager$1.smali
com/labgency//hss/HSSClockManager$2.smali
com/labgency//hss/HSSClockManager$3.smali
com/labgency//hss/HSSClockManager$ClockState.smali
com/labgency//hss/HSSClockManager.smali
com/labgency//hss/HSSDownload.smali
com/labgency//hss/HSSDownloadManager$1.smali
com/labgency//hss/HSSDownloadManager$10.smali
com/labgency//hss/HSSDownloadManager$11.smali
com/labgency//hss/HSSDownloadManager$2.smali
com/labgency//hss/HSSDownloadManager$3.smali
com/labgency//hss/HSSDownloadManager$4.smali
com/labgency//hss/HSSDownloadManager$5$1.smali
com/labgency//hss/HSSDownloadManager$5.smali
com/labgency//hss/HSSDownloadManager$6$1.smali
com/labgency//hss/HSSDownloadManager$6.smali
com/labgency//hss/HSSDownloadManager$7.smali
com/labgency//hss/HSSDownloadManager$8.smali
com/labgency//hss/HSSDownloadManager$9$1$1.smali
com/labgency//hss/HSSDownloadManager$9$1.smali
com/labgency//hss/HSSDownloadManager$9.smali
com/labgency//hss/HSSDownloadManager$a$1.smali
com/labgency//hss/HSSDownloadManager$a$2.smali
com/labgency//hss/HSSDownloadManager$a$3.smali
com/labgency//hss/HSSDownloadManager$a.smali
com/labgency//hss/HSSDownloadManager$b$1.smali
com/labgency//hss/HSSDownloadManager$b$2.smali
com/labgency//hss/HSSDownloadManager$b.smali
com/labgency//hss/HSSDownloadManager$c.smali
com/labgency//hss/HSSDownloadManager$d.smali
com/labgency//hss/HSSDownloadManager.smali
com/labgency//hss/HSSDownloadPlaylist.smali
com/labgency//hss/HSSDownloadRequest$RequestType.smali
com/labgency//hss/HSSDownloadRequest.smali
com/labgency//hss/HSSDownloadRights.smali
com/labgency//hss/HSSDownloadSegment.smali
com/labgency//hss/HSSLibraryManager.smali
com/labgency//hss/HSSParams.smali
com/labgency//hss/HSSPlayer$1$1.smali
com/labgency//hss/HSSPlayer$1.smali
com/labgency//hss/HSSPlayer$10.smali
com/labgency//hss/HSSPlayer$11.smali
com/labgency//hss/HSSPlayer$12.smali
com/labgency//hss/HSSPlayer$13.smali

Broken on Python 3.6.1

When running apkid <apk> in Python 3.6.1, I get the error: "AttributeError: module 'apkid' has no attribute 'scan'".

Everything seems to work fine when testing in Python 2.7.10.

Create rule for "Armariris", an ollvm-based obfuscator with string obfuscation

Although I wrote some rules (#47) for non-official forks of OLLVM and also for the official one, apparently there are more forks out there.

Info: https://github.com/GoSSIP-SJTU/Armariris

Already implemented rules in APKiD:

[22:14 xxxxx ollvm] > apkid . |grep Obfuscator
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 3.4
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 3.4
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 3.4
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 3.6.1
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 4.x
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 6.0 (string encryption)
 |-> obfuscator : Obfuscator-LLVM version 3.4
 |-> obfuscator : Obfuscator-LLVM version 3.4

Possible missing compiler parameter --std=c99

Hey, when I tried to install apkid I got the following error message:

yara/libyara/modules/dex.c: In function ‘load_proto_ids’:
yara/libyara/modules/dex.c:429:3: error: ‘for’ loop initial declarations are only allowed in C99 mode
   for (int i = 0, p = 0; p < proto_ids_size; i += 1, p += sizeof(PROTO_ID_ITEM)) {
   ^
yara/libyara/modules/dex.c:429:3: note: use option -std=c99 or -std=gnu99 to compile your code
yara/libyara/modules/dex.c: In function ‘load_method_ids’:
yara/libyara/modules/dex.c:486:3: error: ‘for’ loop initial declarations are only allowed in C99 mode
   for (int i = 0, p = 0; p < method_ids_size; i += 1, p += sizeof(METHOD_ID_ITEM)) {
   ^
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

Should not fail on bad zips (or should fail more gracefully?)

[*] /Users/diff/reverse/targets/android//weird-anti-emulator/contents/assets/alipay_msp-3.5.2-1000261.apk!classes.dex
 |-> anti_vm : device ID check, subscriber ID check
 |-> compiler : dx
2017-10-29 16:53:01 ERROR    error extracting /Users/diff/reverse/targets/android//weird-anti-emulator/MeeLive.apk: File is not a zip file
Traceback (most recent call last):
  File "/Users/diff/repo/APKiD/apkid/apkid.py", line 132, in scan_apk
    zf = zipfile.ZipFile(apk_path, 'r')
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/zipfile.py", line 770, in __init__
    self._RealGetContents()
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/zipfile.py", line 811, in _RealGetContents
    raise BadZipfile, "File is not a zip file"
BadZipfile: File is not a zip file

The function likely just needs to catch this exception and put out a better error than a crash...

Sha256 : eec876203f84247814adf3e325896f6cb8709b0aebb354afbcc075f2f979f7d6
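One way to handle the failure described above, as an added example that is not APKiD's own code: the scan routine catches the zip error and reports it per file, so a malformed or truncated archive does not abort the run. The file names, the in-memory sample APK and the bad inputs are constructed for this example.

```python
# Added example (not APKiD's own code): open an APK as a zip and report a
# bad or truncated archive as a scan error instead of letting BadZipFile
# propagate and crash the whole run. Sample inputs are constructed in memory.
import io
import zipfile

DEX_MAGIC = b"dex\n"


def scan_apk(name, data):
    """Return a result dict for one file; never raise on a malformed zip."""
    result = {"file": name, "entries": [], "error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data), "r") as zf:
            for info in zf.infolist():
                # Only record entries that actually start with the dex magic.
                with zf.open(info) as fh:
                    head = fh.read(4)
                if head == DEX_MAGIC:
                    result["entries"].append(info.filename)
    except zipfile.BadZipFile as exc:
        # The same failure the traceback in the issue shows, reported instead of raised.
        result["error"] = "not a valid zip file: %s" % exc
    return result


def scan_all(files):
    """Scan several (name, bytes) pairs; one broken archive does not stop the others."""
    return [scan_apk(name, data) for name, data in files]


def build_sample_apk():
    """Constructed in-memory 'APK' with a classes.dex-looking entry and a resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        zf.writestr("res/values.xml", b"<resources/>")
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_apk()
    bad = b"this is not a zip archive at all"   # constructed: not a zip
    truncated = good[: len(good) // 2]         # constructed: central directory cut off
    for r in scan_all([("good.apk", good), ("MeeLive.apk", bad), ("cut.apk", truncated)]):
        print(r)
```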

Cannot install APKiD

I cannot install yara-python, and so I am unable to install apkid either.

Errors for yara-python:

$ python setup.py install
...
yara/libyara/modules/dex.c: In function ‘load_string_ids’:
yara/libyara/modules/dex.c:335:3: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
   for (int i = 0, p = 0; p < string_ids_size; i += 1, p += sizeof(STRING_ID_ITEM)) {
   ^
yara/libyara/modules/dex.c:335:3: note: use option -std=c99, -std=gnu99, -std=c11 or -std=gnu11 to compile your code
yara/libyara/modules/dex.c: In function ‘load_type_ids’:
yara/libyara/modules/dex.c:371:3: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
   for (int i = 0, p = 0; p < type_ids_size; i += 1, p += sizeof(TYPE_ID_ITEM)) {

So, I tried to install yara-python without compilation using pip install yara-python. That succeeded.
Unfortunately, I cannot install apkid because yara-python is not the expected version it seems.

$ pip install apkid
Downloading/unpacking apkid
  Downloading apkid-0.9.3-py2.py3-none-any.whl
Downloading/unpacking yara-python==3.4.0.999 (from apkid)
  Could not find a version that satisfies the requirement yara-python==3.4.0.999 (from apkid) (from versions: 3.4.0.00)
Cleaning up...
No distributions matching the version for yara-python==3.4.0.999 (from apkid)
Storing debug log for failure in /tmp/tmpiZ98cv

My system:

  • Linux Mint 17.3 Rosa
  • yara-python 3.4.0.0

Additionally, I think it would be clearer in the install notes to modify:

git clone https://github.com/rednaga/yara-python
cd yara-python
python setup.py install
pip install apkid

with this, to avoid confusion:

git clone https://github.com/rednaga/APKiD
cd APKiD
git clone https://github.com/rednaga/yara-python
cd yara-python
python setup.py install
pip install apkid

Improve DexGuard packer rule

Hi,

some obfuscated APKs are not detected as DexGuard-ed. Could we improve the way of detecting it?

To be honest, I'm very new to Yara rules and so on, but you may know whether the same detection as in [1], using non-ASCII characters, would work for this packer?

Best,

[1].- 400467d

Add Arxan rules for native and dalvik obfuscation

I've found what appear to be ITW samples of Arxan being used. It would be nice to fingerprint these; however, it might be difficult since there doesn't seem to be any (straightforward) watermarking or branding.

Malicious sample core dumps APKiD

This (malicious) sample crashes my instance of APKiD:
sha256: 21e291d1404646ca1fa2ce765e83bf527b9ce701f1bbae6c45b79f821fecfd1e

apkid 1224AB84.vpk
[!] APKiD 0.9.3 :: from RedNaga :: rednaga.io
[*] 1224AB84.vpk!classes.dex.bak
 |-> compiler : dexlib 1.x
Segmentation fault (core dumped)

Let me know if you need the core dump and/or the sample.

Illegal class name is potentially misfiring

I believe this rule is potentially triggering incorrectly. A Google-provided dex file contains the following class names and triggers it:

sha256 : 055877e3a49d449736e4c898e0c93159d4bf315d3f457489dbb921568da44365

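A check for the false positive discussed in this issue, as an added example that is not APKiD's rule: class descriptors from a dex are validated against the identifier rules, so short compiler-generated names such as lkk pass while names containing illegal characters are reported. The sample descriptors are constructed from names in the issue plus a few illegal ones.

```python
# Added example, not APKiD's rule: decide whether class names taken from a dex
# are legal identifiers, so short names like "lkk" are not flagged as illegal.
import re

# One simple name per package segment; '$' separates inner classes.
# Assumption: ASCII-only letters. Real Java also allows Unicode letters,
# which a stricter check would need to handle.
SIMPLE_NAME = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def is_legal_class_name(name):
    """name is the slashed form, e.g. 'org/webrtc/DataChannel$Buffer'."""
    if not name:
        return False
    # Keywords such as 'new' are deliberately not rejected: the dex format does
    # not forbid them and obfuscators produce them routinely.
    return all(SIMPLE_NAME.match(p) for p in name.split("/"))


def descriptor_to_name(desc):
    """Turn a dex type descriptor 'Lorg/webrtc/DataChannel;' into 'org/webrtc/DataChannel'."""
    if len(desc) < 3 or desc[0] != "L" or desc[-1] != ";":
        raise ValueError("not a class descriptor: %r" % desc)
    return desc[1:-1]


def find_illegal(descriptors):
    """Return the descriptors whose class names are not legal identifiers."""
    bad = []
    for d in descriptors:
        try:
            if not is_legal_class_name(descriptor_to_name(d)):
                bad.append(d)
        except ValueError:
            bad.append(d)
    return bad


# Constructed sample: names from the issue plus a few that really are illegal.
SAMPLE = [
    "Llkk;", "Llkl;", "Lm;", "Lorg/chromium/base/BuildInfo;",
    "Lorg/webrtc/DataChannel$Buffer;",
    "L1abc;",           # starts with a digit
    "La-b;",            # hyphen is not an identifier character
    "Lfoo/ /bar;",      # whitespace segment
    "Lorg//chromium;",  # empty package segment
]

if __name__ == "__main__":
    print(find_illegal(SAMPLE))
```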

openssl linking issue

While running a setup script I encountered this error, indicating that I may be missing the md5.h file in openssl:
yara/libyara/modules/hash.c:30:10: fatal error: 'openssl/md5.h' file not found
#include <openssl/md5.h>
^
1 error generated.
error: command 'cc' failed with exit status 1

I went ahead and found the file in question in /usr/local/Cellar/openssl/1.0.2l/include/openssl/md5.h

Then I tried to unlink/relink openssl with: brew unlink openssl && brew link openssl --force
After which I get the following warning refusing to link openssl:

"Warning: Refusing to link: openssl
Linking keg-only openssl means you may end up linking against the insecure,
deprecated system OpenSSL while using the headers from Homebrew's openssl.
Instead, pass the full include/library paths to your compiler e.g.:
-I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib"

Any clues on getting this to work? My hunch is that I am missing something with linking openssl for the compiler to be able to see it?

Add private malware packer for identification

There may be some overlap with other signatures; need to verify these samples are 100% independent:

[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
[*] 3f98e8d89e42ecafadb529e96c8305707c4a42d9ca97500b91b8da2fc93e07c3!classes.dex
 |-> compiler : dexlib 2.x
[*] 963ee42c96a25f4a5413d8c4c455575e473516aa58c55b575e86a4fbae4aa3aa!classes.dex
 |-> compiler : dexlib 2.x
[*] 99628aa4e1d36c4eef6993c44d3b5f2f5a0da3a4ddc9d2ef8f3c800381540b4d!classes.dex
 |-> compiler : dexlib 2.x
[*] b7a0d51599ff8955f0f77bd946c92433d5241e14fa84e6cbe49e0ad98898ad94!classes.dex
 |-> compiler : dx
[*] bd6d7d8e519a3ba240d8a18d1b22c0e7bc7cc75130a661a7ff9791e58a870be4!classes.dex
 |-> compiler : dexlib 2.x
[*] d64e1e2d0847becd4a4cd9c5804e42093719c77c15b2560c2c8bc993e90dda3b!classes.dex
 |-> compiler : dx (possible dexmerge)
 |-> manipulator : dexmerge
[*] fccec72e6a0814f8be1f3b130eead09cce1bb20b7151245bdbd59cb946bca582!classes.dex
 |-> compiler : dexlib 2.x

The following hashes may not be the same? However, the person who pointed me at these hashes believes they all may be... Need to double-check.
b7a0d51599ff8955f0f77bd946c92433d5241e14fa84e6cbe49e0ad98898ad94
d64e1e2d0847becd4a4cd9c5804e42093719c77c15b2560c2c8bc993e90dda3b

Install issue

For your information, I had several issues (again the same ones) upgrading APKiD. It's no big issue, because I fixed them and installed correctly, but I'm just saying in case you can fix them for a smoother install.

  • In yara-python, I had to perform several fixes for those non-C declarations, in yara/libyara/modules/pe.c and yara/libyara/rules.c:
for (int j = 0; j < pe->data_size % 4; j++)
  • For some reason, I had yara_python-3.4.0.999-py2.7.egg-info and yara_python-3.5.0.999-py2.7.egg-info in /usr/local/lib/python2.7/dist-packages. Consequently, the install of APKiD failed with the message below (which is stupid because 3.5.0.999):
 Could not find a version that satisfies the requirement yara-python==3.5.0.999 (from apkid) (from versions: 3.4.0.0, 3.5.0)
No matching distribution found for yara-python==3.5.0.999 (from apkid)

Removing 3.4.0.999 fixed the issue in my case.

Cheers.

Reverse engineering Promon SHIELD at 34C3 conference

Hey,

I was watching this talk when I thought that maybe APKiD did not include this protector. Many German banking apps are using it, according to the author of the 34C3 talk.

Talk: https://media.ccc.de/v/34c3-8805-die_fabelhafte_welt_des_mobilebankings
(audio can be played in English if downloaded)
Sample from the talk: https://www.apkdownload.in/apk/app/com.starfinanz.yomo/

promon

Info: https://promon.co/
Video: https://www.youtube.com/watch?v=EoWLTEnddDI

Cheers

Issue

Traceback (most recent call last):
  File "/usr/local/bin/apkid", line 9, in <module>
    load_entry_point('apkid==0.9.3', 'console_scripts', 'apkid')()
  File "/APKiD/apkid/__init__.py", line 52, in main
    aid = apkid.APKiD(args.files, args.timeout, args.json)
  File "/APKiD/apkid/apkid.py", line 42, in __init__
    self.rules = yara.load(rules_path)
yara.Error: could not open file "/APKiD/apkid/rules/rules.yarc"

AppSolid

Made by the Medusah author, AppSolid has somewhat the same behaviour as Medusah, like how it loads the encrypted dex. Lately, in some of the latest versions, they added a string obfuscator. This is the structure of the apk (snipped):

lib
└── armeabi-v7a
    ├── lib1c6895cddfbfe7b5b7984726fa93806d1.so (loader)
    ├── ...
    ├── libf63855cbd2a6b3dd91be48eee86498421.so (unity loader)
    └── ...
assets
├── bin
├── common
├── high_resolution.png (encrypted dex)
└── Shader

The dexcalls path doesn't really change: .../.0395f312/.88c166a1/.63d49db7/.cfc9fa24/.406dd60f/android_support.jar.
What makes this unique is that the loader lib name isn't static; I mean, the filename changes in every apk.

Some references:
[1] https://appsolid.co/
[2] https://medium.com/@seworks/introducing-appsolid-for-unity-33c711f16f02#.ov3quusls

Samples:
[1] 5c1f14c1674c6f3ff72d9a017b083023d6c59635bec83718afec2d23372f84f4
[2] 2870eb73c4e54d436e465fd478de610ebdca45485ac3abcf5c0396e878ebb344
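As an added example (not APKiD's own rules or code), a small Python triage check for the two structural traits described in this issue: a hex-named loader library under lib/ and an assets/high_resolution.png that does not actually start with a PNG header. The "32 or more hex digits" threshold and the in-memory sample zip are assumptions modelled on the snipped layout above, not real samples.

```python
import io
import re
import zipfile

# Heuristics modelled on the AppSolid layout described in the issue.
# Length is an assumption: both loader libs quoted there are "lib" + 33 hex
# digits + ".so", so we accept 32 or more hex digits.
RANDOM_LIB_RE = re.compile(r"^lib/[^/]+/lib[0-9a-f]{32,}\.so$")
FAKE_PNG_ASSET = "assets/high_resolution.png"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DEX_MAGIC = b"dex\n"


def appsolid_indicators(apk_bytes: bytes) -> dict:
    """Return which AppSolid-style structural indicators an APK (zip) shows."""
    hits = {"random_named_libs": [], "png_asset_present": False,
            "png_asset_not_png": False, "png_asset_plain_dex": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        hits["random_named_libs"] = sorted(n for n in names if RANDOM_LIB_RE.match(n))
        if FAKE_PNG_ASSET in names:
            hits["png_asset_present"] = True
            head = z.read(FAKE_PNG_ASSET)[:8]
            # A "png" that is not a PNG is the disguised (encrypted) dex.
            hits["png_asset_not_png"] = not head.startswith(PNG_MAGIC)
            hits["png_asset_plain_dex"] = head.startswith(DEX_MAGIC)
    return hits


def is_appsolid_like(hits: dict) -> bool:
    """Both the random-named loader lib and the non-PNG asset must be present."""
    return bool(hits["random_named_libs"]) and hits["png_asset_not_png"]


def build_sample_apk(loader_name: str, asset_head: bytes) -> bytes:
    """Constructed in-memory zip mimicking the snipped layout (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        z.writestr(f"lib/armeabi-v7a/{loader_name}", b"\x7fELF" + b"\x00" * 16)
        z.writestr("lib/armeabi-v7a/libunity.so", b"\x7fELF" + b"\x00" * 16)
        z.writestr(FAKE_PNG_ASSET, asset_head + b"\x00" * 64)
        z.writestr("assets/Shader/default.shader", b"void main(){}")
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_apk("lib1c6895cddfbfe7b5b7984726fa93806d1.so", b"\x3a\x9f\x11\x00")
    benign = build_sample_apk("libnative.so", PNG_MAGIC)
    for label, apk in (("suspicious", suspicious), ("benign", benign)):
        h = appsolid_indicators(apk)
        print(label, is_appsolid_like(h), h)
```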

apkid crash

This sample crashes apkid:
900b5a460be3e150420598beb41ea0a15d23a05e57f0f9383600844fac49cd85

[!] APKiD 0.9.4 :: from RedNaga :: rednaga.io
fish: 'apkid …' terminated by signal SIGSEGV (Address boundary error)

New version of AppSolid

TODO.- Add rule

[xxxxx] > apkid libmappsolid.so 
[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
[*] libmappsolid.so
 |-> obfuscator : Obfuscator-LLVM version 3.6.1

libmappsolid.zip

No matching distribution found for yara-python==3.5.0.999 (from aphid)

Please make an installation video of apkid; it will be useful for everyone.

As mentioned, I installed yara-python from the rednaga fork, https://github.com/rednaga/yara-python,
and I installed apkid using pip install apkid,

but I am still getting the same error:

#:yara-python spidi$ pip install apkid
Collecting apkid
Using cached apkid-1.0.0-py2.py3-none-any.whl
Collecting argparse (from apkid)
Using cached argparse-1.4.0-py2.py3-none-any.whl
Collecting yara-python==3.5.0.999 (from apkid)

Could not find a version that satisfies the requirement yara-python==3.5.0.999 (from apkid) (from versions: 3.4.0.0, 3.5.0, 3.6.0, 3.6.1, 3.6.2, 3.6.3)

No matching distribution found for yara-python==3.5.0.999 (from aphid)###

Add "criticalblue"/"approov" protection schema rules

Looks really simple, barely any anti checks -- also seems to want to use apktool for injecting into the dev's package, so this might be good to add so it doesn't raise FPs with tamper flags (which is ironic since it is for anti-tampering?).

jni//arm64-v8a
jni//arm64-v8a/libapproov.so
jni//armeabi-v7a
jni//armeabi-v7a/libapproov.so
jni//x86
jni//x86/libapproov.so
jni//x86_64
jni//x86_64/libapproov.so

Those are the potentially injected files - will compile an example and get this stuff done later. Just needed to add this issue as a todo/marker.

Demo is currently located at https://approov.io/downloads/approov-demo.zip
