# API Reference: Detecting Mobile Malware Behavior

## Android Dangerous Permissions

| Permission | Risk | Abuse Scenario |
|------------|------|----------------|
| SEND_SMS | HIGH | Premium rate SMS fraud |
| READ_SMS | HIGH | OTP/2FA theft |
| BIND_ACCESSIBILITY_SERVICE | CRITICAL | Screen scraping, keylogging |
| BIND_DEVICE_ADMIN | CRITICAL | Device lockout, ransomware |
| INSTALL_PACKAGES | CRITICAL | Dropper functionality |
| SYSTEM_ALERT_WINDOW | HIGH | Overlay phishing attacks |

Note that the two `BIND_*` entries are not requested with `<uses-permission>`; they appear as the `android:permission` attribute of the `<service>` or `<receiver>` that implements the accessibility service or device admin receiver, so a manifest check has to look at component attributes as well as the permission list.

## Android Analysis Tools

```bash
# Extract permissions from APK
aapt dump permissions app.apk

# Decompile APK (resources and smali, including a decoded AndroidManifest.xml)
apktool d app.apk -o output_dir/

# Decompile to Java source
jadx app.apk -d java_output/

# Start MobSF (web UI and REST API listen on port 8000)
docker run -p 8000:8000 opensecurity/mobile-security-framework-mobsf
```

## Suspicious API Patterns

Regular expressions to run over decompiled Java source. Each one is a coarse indicator, not proof of malicious intent: legitimate apps also load code dynamically or read device identifiers, so treat hits as triage signals to review in context.

```python
import re

SUSPICIOUS_API_PATTERNS = {
    # Dynamic code loading
    "dynamic_code_loading": re.compile(r"DexClassLoader|PathClassLoader"),
    # Shell execution
    "shell_execution": re.compile(r"Runtime\.exec|ProcessBuilder"),
    # Device fingerprinting
    "device_fingerprinting": re.compile(r"TelephonyManager\.getDeviceId"),
}
```

## MobSF REST API

The upload response carries the file hash that every later API call is keyed on. The API key is printed by MobSF at startup and should be supplied from the environment rather than hard-coded.

```python
import os
import requests

MOBSF_URL = "http://localhost:8000"
API_KEY = os.environ["MOBSF_API_KEY"]
HEADERS = {"Authorization": API_KEY}

# Upload APK
with open("app.apk", "rb") as f:
    resp = requests.post(f"{MOBSF_URL}/api/v1/upload",
                         files={"file": ("app.apk", f, "application/octet-stream")},
                         headers=HEADERS)
resp.raise_for_status()
file_hash = resp.json()["hash"]

# Run the static scan for the uploaded file and get the results
resp = requests.post(f"{MOBSF_URL}/api/v1/scan",
                     data={"hash": file_hash},
                     headers=HEADERS)
resp.raise_for_status()
report = resp.json()
```

## Android Broadcast Receivers (Persistence)

| Action | Malware Use |
|--------|-------------|
| BOOT_COMPLETED | Auto-start on reboot |
| SMS_RECEIVED | SMS interception |
| PHONE_STATE | Call monitoring |
| CONNECTIVITY_CHANGE | Network-triggered C2 |

## CLI Usage

```bash
python agent.py --apk suspicious.apk
python agent.py --source-dir jadx_output/
python agent.py --apk app.apk --source-dir decompiled/
```
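As an added example (not the `agent.py` tool and not code from this page), the following Python script applies the three tables above in one pass: it reads an `AndroidManifest.xml` as decoded by apktool, flags the dangerous permissions (including the `BIND_*` ones set on components) and the persistence receivers, runs the suspicious API patterns over jadx output line by line, and folds everything into a triage score. The sample manifest and Java source are constructed inline. The widened shell-execution and fingerprinting patterns (jadx normally emits `Runtime.getRuntime().exec(...)` and `tm.getDeviceId()`, which the page's literal patterns miss), the risk weights and the triage thresholds are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission table from the page: full name -> (risk, abuse scenario)
DANGEROUS_PERMISSIONS = {
    "android.permission.SEND_SMS": ("HIGH", "Premium rate SMS fraud"),
    "android.permission.READ_SMS": ("HIGH", "OTP/2FA theft"),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("CRITICAL", "Screen scraping, keylogging"),
    "android.permission.BIND_DEVICE_ADMIN": ("CRITICAL", "Device lockout, ransomware"),
    "android.permission.INSTALL_PACKAGES": ("CRITICAL", "Dropper functionality"),
    "android.permission.SYSTEM_ALERT_WINDOW": ("HIGH", "Overlay phishing attacks"),
}

# Broadcast actions from the page, with their fully qualified names
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "Auto-start on reboot",
    "android.provider.Telephony.SMS_RECEIVED": "SMS interception",
    "android.intent.action.PHONE_STATE": "Call monitoring",
    "android.net.conn.CONNECTIVITY_CHANGE": "Network-triggered C2",
}

# Page patterns, widened (assumption) to match the forms jadx actually emits
SUSPICIOUS_API_PATTERNS = {
    "dynamic_code_loading": re.compile(r"DexClassLoader|PathClassLoader"),
    "shell_execution": re.compile(r"Runtime\.exec|Runtime\.getRuntime\(\)\.exec|ProcessBuilder"),
    "device_fingerprinting": re.compile(r"TelephonyManager\.getDeviceId|\.getDeviceId\("),
}

RISK_WEIGHT = {"CRITICAL": 3, "HIGH": 2}  # assumed weights


def scan_manifest(manifest_xml: str) -> dict:
    """Return dangerous permissions and persistence receivers found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr, perm_attr = ANDROID_NS + "name", ANDROID_NS + "permission"
    declared = {el.get(name_attr) for el in root.iter("uses-permission")}
    # BIND_* permissions live on the component's android:permission attribute
    declared |= {el.get(perm_attr) for el in root.iter() if el.get(perm_attr)}
    permissions = [(p, *DANGEROUS_PERMISSIONS[p])
                   for p in sorted(declared) if p in DANGEROUS_PERMISSIONS]
    receivers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            act = action.get(name_attr)
            if act in PERSISTENCE_ACTIONS:
                receivers.append((act, PERSISTENCE_ACTIONS[act]))
    return {"permissions": permissions, "receivers": receivers}


def scan_source(java_text: str) -> dict:
    """Map each suspicious-API category to the 1-based line numbers where it matched."""
    hits = {}
    for lineno, line in enumerate(java_text.splitlines(), start=1):
        for name, pattern in SUSPICIOUS_API_PATTERNS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def risk_score(manifest_findings: dict, source_hits: dict) -> int:
    """Weighted permissions + one point per persistence receiver + one per API category hit."""
    score = sum(RISK_WEIGHT[risk] for _, risk, _ in manifest_findings["permissions"])
    score += len(manifest_findings["receivers"])
    score += len(source_hits)
    return score


def triage(score: int) -> str:
    """Assumed thresholds for a first-pass verdict; tune against a known-good corpus."""
    if score >= 8:
        return "escalate"
    if score >= 4:
        return "review"
    return "low"


# Constructed sample inputs, standing in for apktool and jadx output
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

SAMPLE_JAVA = """\
package com.example.sample;

public class Loader {
    void run(Context ctx) {
        DexClassLoader dcl = new DexClassLoader(dexPath, optDir, null, ctx.getClassLoader());
        Runtime.getRuntime().exec("sh");
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        String id = tm.getDeviceId();
    }
}
"""

if __name__ == "__main__":
    manifest = scan_manifest(SAMPLE_MANIFEST)
    source = scan_source(SAMPLE_JAVA)
    score = risk_score(manifest, source)
    for perm, risk, scenario in manifest["permissions"]:
        print(f"[{risk}] {perm}: {scenario}")
    for action, use in manifest["receivers"]:
        print(f"[PERSIST] {action}: {use}")
    for category, lines in source.items():
        print(f"[API] {category} at lines {lines}")
    print(f"score={score} verdict={triage(score)}")
```

On the constructed sample the script reports three dangerous permissions (one CRITICAL, two HIGH), two persistence receivers and three API categories, which sums to 12 and lands in the "escalate" tier. The line numbers returned by `scan_source` are what an analyst needs to jump straight to the decompiled code, and the per-category grouping keeps one noisy pattern (dozens of `ProcessBuilder` calls in a bundled library) from dominating the score.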