Androguard tutorial
 
You can either do a fresh install of Androguard or use it out of the box via the Android Reverse Engineering (ARE) distro available here. For a fresh install on a Linux system, download Androguard from its Mercurial source code management system: install Mercurial first, then run:
hg clone https://androguard.googlecode.com/hg/ androguard

You really have to follow the instructions mentioned here if it's a fresh install on a Linux system. Once everything is done, execute androlyze from the androguard directory as:
./androlyze -s

Now we need to specify the apk that we will work with and the decompiler that needs to be used:
a,d,dx = AnalyzeAPK("path_to_apk", decompiler="dad")

Now you can start firing away commands to gather useful data about the apk. There is a huge list of commands and functionalities available in Androguard, but I will list a few that I normally use. I will keep adding information to this list as and when I find something new, so keep checking!

APK specific elements can be accessed through the apk object, which we bound to a in the command above, so that is how we will call it. Detailed information about the different options is available in the APK specific documentation, but I will list some of the commands that I use frequently:
  • a.get_activities() : Shows activities
  • a.get_services() : Shows services
  • a.get_receivers() : Shows receivers
  • a.get_permissions(): Shows permissions requested by the apk
  • a.get_details_permissions(): Shows permissions and highlights which permissions might be dangerous
DVM specific components can be accessed through d in the same way as the APK related objects above. Detailed information about the different options is available in the DVM specific documentation.
  • d.get_classes_names(): Show classes
  • d.get_strings() : Shows readable strings

The general approach towards static Android malware analysis involves decompiling the apk via Dex2Jar and viewing the decompiled code. But sometimes the code is not decompiled completely, and as a result we see an error in the middle of the code. To view such code I use the following command from Androguard (replace classname with the class you are inspecting):
  • print d.classname.get_source()
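The commands above are typed one at a time in the androlyze shell; as an added example (not part of this tutorial or of Androguard itself), the script below folds the same calls into one triage pass over an apk: it flags a hand-picked watchlist of permissions, pulls URLs and IPv4 literals out of the readable strings, and lists classes outside the app's own package. The sample inputs are constructed stand-ins for what a.get_permissions(), d.get_strings() and d.get_classes_names() return, and the live mode assumes the newer androguard.misc.AnalyzeAPK import rather than the androlyze shell used on this page.

```python
import re
import sys

# Constructed sample data shaped like the output of the androlyze calls on this page.
SAMPLE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_NETWORK_STATE",
]
SAMPLE_STRINGS = [
    "Hello World",
    "http://example.invalid/gate.php",
    "8.8.8.8",
    "Lcom/example/app/MainActivity;",
]
SAMPLE_CLASSES = ["Lcom/example/app/MainActivity;", "Lcom/thirdparty/ads/Loader;"]

# Assumption: a small reviewer-chosen watchlist, not Androguard's own table
# behind get_details_permissions().
WATCHLIST = {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "READ_CONTACTS", "CALL_PHONE", "RECORD_AUDIO"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage(permissions, strings, class_names, package):
    """Summarise the data the tutorial's commands expose into one review-friendly dict."""
    flagged = sorted(p for p in permissions if p.rsplit(".", 1)[-1] in WATCHLIST)
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    ips = sorted({ip for s in strings for ip in IPV4_RE.findall(s)})
    # Dalvik class names look like Lcom/example/app/Foo; so the package becomes a path prefix.
    pkg_prefix = "L" + package.replace(".", "/") + "/"
    foreign = sorted(c for c in class_names if not c.startswith(pkg_prefix))
    return {"flagged_permissions": flagged, "urls": urls, "ips": ips, "foreign_classes": foreign}


if __name__ == "__main__":
    # Live mode: python triage.py path_to_apk (requires a modern androguard install).
    from androguard.misc import AnalyzeAPK  # assumed import path; androlyze exposes AnalyzeAPK directly
    a, d, dx = AnalyzeAPK(sys.argv[1])
    dvms = d if isinstance(d, list) else [d]  # newer versions return one DalvikVMFormat per dex
    strings = [s for dvm in dvms for s in dvm.get_strings()]
    classes = [c for dvm in dvms for c in dvm.get_classes_names()]
    for key, value in triage(a.get_permissions(), strings, classes, a.get_package()).items():
        print(key, value)
```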