Statically unpacking common Android banker malware.
Ever wanted to get the payload from packed malware without running an Android emulator? Me neither.
Install with pip:
```shell
pip install kavanoz
```
From the command line:
```shell
kavanoz /tmp/filepath
```
From the Python library:
```python
from kavanoz.core import Kavanoz
from kavanoz import utils

utils.set_log("DEBUG")
k = Kavanoz(apk_path="tests/test_apk/coper.apk")
for plugin_result in k.get_plugin_results():
    if plugin_result["status"] == "success":
        print("Unpacked")
        print(plugin_result)
        break
```
To add a new plugin, create a new file in the loader folder, extend the Unpacker class from unpack_plugin.py, and define a start_decrypt function with your implementation:
```python
def start_decrypt(self, apk_object: APK, dexes: "list[DEX]"):
```
Add the following function to make an early exit from the plugin:
```python
def lazy_check(self, apk_object: APK, dexes: "list[DEX]"):
```
If extraction is successful, assign the extracted file path to self.decrypted_payload_path. You can use the helper functions from the Unpacker class:
```python
dex.get_class(smali_annotation_of_class)   # look up a class by its smali descriptor
self.apk_object.get_files()                # list the files inside the APK
application = self.apk_object.get_attribute_value("application", "name")
```
The last call returns the application class defined in the manifest file.

apkdetect.com for unique samples to work with.
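The shape of a start_decrypt body, as an added example that is not kavanoz's own code: it tries each candidate file, verifies that the result really is a DEX (magic plus the header's adler32 checksum) before writing it, and returns the path that a real plugin would assign to self.decrypted_payload_path. It assumes an in-memory dict of asset bytes in place of the APK object and a hypothetical XOR scheme in place of whatever a given family uses, so it runs without kavanoz or androguard installed.

```python
import tempfile
import zlib
from pathlib import Path
from typing import Callable, Dict, Optional

DEX_HEADER_SIZE = 0x70  # size of the DEX file header

def looks_like_dex(data: bytes) -> bool:
    """True when data has a DEX magic ('dex\\n0NN\\0') and the header's adler32
    checksum (bytes 8..12, taken over everything after offset 12) matches.
    Rejects garbage produced by a wrong key before anything is written to disk."""
    if len(data) < DEX_HEADER_SIZE or not data.startswith(b"dex\n") or data[7] != 0:
        return False
    stored = int.from_bytes(data[8:12], "little")
    return (zlib.adler32(data[12:]) & 0xFFFFFFFF) == stored

def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    # Hypothetical scheme standing in for whatever the real family uses.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))

def find_payload(assets: Dict[str, bytes],
                 decrypt: Callable[[bytes], bytes],
                 out_dir: Optional[Path] = None) -> Optional[Path]:
    """Shape of a start_decrypt body: try every candidate file, keep the first one
    that decrypts to a valid DEX, write it out and return the path (what a real
    plugin would assign to self.decrypted_payload_path); None means no payload."""
    out_dir = out_dir or Path(tempfile.mkdtemp(prefix="kavanoz_example_"))
    for name, blob in assets.items():
        try:
            candidate = decrypt(blob)
        except Exception:  # a wrong key may raise (padding errors etc.); keep going
            continue
        if looks_like_dex(candidate):
            out = out_dir / (Path(name).name + ".dex")
            out.write_bytes(candidate)
            return out
    return None

def make_dex_stub(body: bytes) -> bytes:
    """Constructed fixture: a buffer with a valid DEX magic and checksum. It is not
    a loadable DEX; only the header fields looks_like_dex reads are meaningful."""
    tail = body.ljust(DEX_HEADER_SIZE - 12, b"\0")
    checksum = zlib.adler32(tail) & 0xFFFFFFFF
    return b"dex\n035\0" + checksum.to_bytes(4, "little") + tail
```

In a real plugin the candidates would come from self.apk_object.get_files() and the key material from the classes located via dex.get_class().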