1. The introduction of
Some apKs run and collect your phone number. Apps that collect phone numbers are likely to leak your phone number.
So, how do you use a piece of Python code to detect APK collecting phone numbers like this?
Principle 2.
From reference 1, we can know that your APP will collect the phone number of the host as long as the following two conditions are met when you write the APP.
- Add the following permissions in manifest
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
Copy the code- Passed in Java
TelephonyManagerCall thegetLine1Number()This API
TelephonyManager tMgr = (TelephonyManager)mAppContext.getSystemService(Context.TELEPHONY_SERVICE);
String mPhoneNumber = tMgr.getLine1Number();
Copy the codeSo, to give you an APK, we only need to reverse the APK and find the above two conditions, indicating that there is such behavior in APK.
3. The implementation
- Reverse APK with Androguard
import os,sys,time,datetime,traceback
from androguard.core.bytecodes import apk
from androguard.core.bytecodes import dvm
from androguard.core.analysis import analysis
class StaticAnalysis(object) :
def __init__(self, apkfile) :
self.apkfile = apkfile
self.a = None#apk obj
self.d = None#dex obj
self.x = None#analysis result obj
def get_androguard_obj(self) :
try:
self.a = apk.APK(self.apkfile, False."r".None.2)# get apk obj
self.d = dvm.DalvikVMFormat(self.a.get_dex())# get dex obj
self.x = analysis.Analysis(self.d)# get analysis result obj
except Exception as e:
msg = traceback.format_exc()
print(msg)
Copy the codeImport the required Androguar libraries, and then get the three objects of APK: APK, dex, and Analysis Result.
For details, see 2 in Reference.
- Find if the name is used in APK
getLine1NumberThe method of
The method of smali writing for Landroid/telephony/TelephonyManager; ->getLine1Number()Ljava/lang/String;
As you can see from the SMALI code
(1) the method belongs to the class for the Landroid/telephony/TelephonyManager (2) this method no input parameters (3) the method return value of type String
So, we need to traverse the methods in each class in APK and match if the name of the method is given above. The specific code is as follows
sa = StaticAnalysis('app-debug.apk')
sa.get_androguard_obj()
class_list = sa.d.get_classes()# get all classes
print('class num:{0}'.format(len(class_list)))
for class_item in class_list:
class_name = class_item.name
methods = class_item.get_methods()# get all methods
for m in methods:
raw_code_list = [x for x in m.code.code.get_instructions()]
for line in raw_code_list:# loop all method
if 'getLine1Number' in line.get_output():# match method name
print(line.get_output())# get method head of smali code
print('class-name={0}'.format(class_name))
print('method-name={0} {1}'.format(m.name,m.get_descriptor()))
Copy the code- Find if it is used in APK
android.permission.READ_PHONE_STATEpermissions
Get the list of all permissions from the APK object, and then match them in sequence. The code is as follows:
sa = StaticAnalysis('app-debug.apk')
sa.get_androguard_obj()# get 3 objects
permission_list = sa.a.get_permissions() # get all permission list
for p in permission_list:
if 'android.permission.READ_PHONE_STATE' in p:# match
print(p)
Copy the code4. To summarize
In this paper, Androguard is used to detect APIS and permissions, so as to detect whether APK has the behavior of “collecting phone numbers”, and give the core code of zero. See Reference 3 for the complete code. This method can be used for batch detection of many APKs.
reference
-
- Stackoverflow.com/questions/2…
-
- Blog.csdn.net/ybdesire/ar…
-
- Github.com/ybdesire/ap…
The author this article published since the earliest: blog.csdn.net/ybdesire/ar…