#!/usr/bin/env python3 """Mobile malware behavior detection agent. Analyzes Android APK manifests and iOS app metadata for suspicious permissions, dangerous API usage, and known malware behavioral patterns. """ import argparse import json import re import subprocess import zipfile from pathlib import Path from datetime import datetime DANGEROUS_ANDROID_PERMISSIONS = { "android.permission.SEND_SMS": ("HIGH", "Can send SMS (premium rate fraud)"), "android.permission.READ_SMS": ("HIGH", "Reads SMS (OTP theft)"), "android.permission.RECEIVE_SMS": ("HIGH", "Intercepts SMS"), "android.permission.READ_CONTACTS": ("MEDIUM", "Reads contacts"), "android.permission.RECORD_AUDIO": ("HIGH", "Records audio"), "android.permission.CAMERA": ("MEDIUM", "Camera access"), "android.permission.READ_CALL_LOG": ("HIGH", "Reads call logs"), "android.permission.ACCESS_FINE_LOCATION": ("MEDIUM", "Fine GPS location"), "android.permission.WRITE_EXTERNAL_STORAGE": ("LOW", "Write to external storage"), "android.permission.INSTALL_PACKAGES": ("CRITICAL", "Can install other apps"), "android.permission.REQUEST_INSTALL_PACKAGES": ("HIGH", "Request app install"), "android.permission.SYSTEM_ALERT_WINDOW": ("HIGH", "Overlay attacks"), "android.permission.BIND_ACCESSIBILITY_SERVICE": ("CRITICAL", "Accessibility abuse"), "android.permission.BIND_DEVICE_ADMIN": ("CRITICAL", "Device admin control"), "android.permission.READ_PHONE_STATE": ("MEDIUM", "Reads device identifiers"), "android.permission.PROCESS_OUTGOING_CALLS": ("HIGH", "Intercepts outgoing calls"), } SUSPICIOUS_RECEIVERS = [ "BOOT_COMPLETED", "SMS_RECEIVED", "PHONE_STATE", "NEW_OUTGOING_CALL", "PACKAGE_ADDED", "CONNECTIVITY_CHANGE", ] MALWARE_API_PATTERNS = [ (r"DexClassLoader|PathClassLoader", "HIGH", "Dynamic code loading"), (r"Runtime\.exec|ProcessBuilder", "HIGH", "Command execution"), (r"TelephonyManager\.getDeviceId", "MEDIUM", "Device fingerprinting"), (r"Base64\.decode.*exec", "CRITICAL", "Encoded payload execution"), (r"loadLibrary|System\.load", "MEDIUM", "Native library loading"), (r"Cipher.*AES.*encrypt", "LOW", "Encryption (possible ransomware)"), (r"javax\.crypto", "LOW", "Cryptographic operations"), (r"HttpURLConnection|OkHttp", "LOW", "Network communication"), (r"getRuntime\(\)\.exec", "HIGH", "Shell command execution"), ] def analyze_apk_manifest(apk_path): findings = [] permissions = [] try: result = subprocess.run( ["aapt", "dump", "permissions", apk_path], capture_output=True, text=True, timeout=30) if result.returncode == 0: for line in result.stdout.split("\n"): perm_match = re.search(r"uses-permission.*'([^']+)'", line) if perm_match: perm = perm_match.group(1) permissions.append(perm) if perm in DANGEROUS_ANDROID_PERMISSIONS: sev, desc = DANGEROUS_ANDROID_PERMISSIONS[perm] findings.append({ "type": "dangerous_permission", "permission": perm, "severity": sev, "description": desc, }) except (FileNotFoundError, subprocess.TimeoutExpired): try: with zipfile.ZipFile(apk_path, 'r') as z: if "AndroidManifest.xml" in z.namelist(): findings.append({"note": "Binary manifest found, use aapt or apktool to decode"}) except zipfile.BadZipFile: findings.append({"error": "Invalid APK file"}) return {"permissions": permissions, "findings": findings} def scan_decompiled_source(source_dir): findings = [] source_path = Path(source_dir) for java_file in source_path.rglob("*.java"): try: content = java_file.read_text(encoding="utf-8", errors="replace") for pattern, severity, desc in MALWARE_API_PATTERNS: matches = re.findall(pattern, content) if matches: findings.append({ "type": "suspicious_api", "file": str(java_file), "pattern": desc, "match_count": len(matches), "severity": severity, }) except OSError: continue for smali_file in source_path.rglob("*.smali"): try: content = smali_file.read_text(encoding="utf-8", errors="replace") if "Landroid/app/admin/DeviceAdminReceiver" in content: findings.append({ "type": "device_admin", "file": str(smali_file), "severity": "CRITICAL", "description": "App registers as device administrator", }) except OSError: continue return findings def calculate_risk(findings): score = 0 for f in findings: sev = f.get("severity", "LOW") score += {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 5, "LOW": 2}.get(sev, 0) risk = "CRITICAL" if score >= 80 else "HIGH" if score >= 40 else \ "MEDIUM" if score >= 15 else "LOW" return {"score": min(score, 100), "risk_level": risk} def main(): parser = argparse.ArgumentParser(description="Mobile Malware Behavior Detector") parser.add_argument("--apk", help="Path to APK file") parser.add_argument("--source-dir", help="Path to decompiled source directory") args = parser.parse_args() results = {"timestamp": datetime.utcnow().isoformat() + "Z", "findings": []} if args.apk: apk_results = analyze_apk_manifest(args.apk) results["permissions"] = apk_results["permissions"] results["findings"].extend(apk_results["findings"]) if args.source_dir: results["findings"].extend(scan_decompiled_source(args.source_dir)) results["risk"] = calculate_risk(results["findings"]) results["total_findings"] = len(results["findings"]) print(json.dumps(results, indent=2)) if __name__ == "__main__": main()