Back to Details

analyzing-android-malware-with-apktool

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Analyzing Android Malware with Apktool

使用Apktool分析Android恶意软件

Overview

概述

Android malware distributed as APK files can be statically analyzed to extract permissions, activities, services, broadcast receivers, and suspicious API calls without executing the sample. This skill uses androguard for programmatic APK analysis, identifying dangerous permission combinations, obfuscated code patterns, dynamic code loading, reflection-based API calls, and network communication indicators.
以APK文件形式传播的Android恶意软件可通过静态分析提取权限、活动、服务、广播接收器以及可疑API调用,无需运行样本。本技能使用androguard进行程序化APK分析,识别危险权限组合、混淆代码模式、动态代码加载、基于反射的API调用以及网络通信指标。

When to Use

使用场景

  • When investigating security incidents that require analyzing android malware with apktool
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques
  • 当调查需要用apktool分析Android恶意软件的安全事件时
  • 当构建该领域的检测规则或威胁狩猎查询时
  • 当SOC分析师需要此类分析的结构化流程时
  • 当验证相关攻击技术的安全监控覆盖范围时

Prerequisites

前提条件

  • Python 3.9+ with 
    androguard
  • apktool (for resource decompilation)
  • jadx (for Java source recovery, optional)
  • Isolated analysis environment (VM or sandbox)
  • Sample APK files for analysis
  • 安装有
    androguard
    的Python 3.9+环境
  • apktool(用于资源反编译)
  • jadx(用于恢复Java源代码,可选)
  • 隔离分析环境(虚拟机或沙箱)
  • 待分析的APK样本文件

Steps

步骤

  1. Parse APK with androguard to extract manifest metadata
  2. Enumerate requested permissions and flag dangerous combinations
  3. List activities, services, receivers, and providers from manifest
  4. Scan for suspicious API calls (reflection, crypto, SMS, telephony)
  5. Detect dynamic code loading patterns (DexClassLoader, Runtime.exec)
  6. Extract hardcoded URLs, IPs, and C2 indicators from strings
  7. Generate risk assessment report with MITRE ATT&CK mobile mappings
  1. 使用androguard解析APK,提取清单元数据
  2. 枚举请求的权限并标记危险组合
  3. 列出清单中的活动、服务、接收器和提供者
  4. 扫描可疑API调用(反射、加密、短信、电话相关)
  5. 检测动态代码加载模式(DexClassLoader、Runtime.exec)
  6. 从字符串中提取硬编码的URL、IP地址和C2指标
  7. 生成包含MITRE ATT&CK移动映射的风险评估报告

Expected Output

预期输出

  • JSON report with permission analysis, component listing, suspicious API calls, network indicators, and risk score
  • Extracted strings and potential IOCs from the APK
  • 包含权限分析、组件列表、可疑API调用、网络指标和风险评分的JSON报告
  • 从APK中提取的字符串和潜在IOC(威胁指标)