creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
a15f57ad34490e70cd93800a263bbf9769bcff10
Anthropic-Cybersecurity-Skills/skills/detecting-mobile-malware-behavior/scripts/agent.py
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

152 lines
6.1 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""Mobile malware behavior detection agent.
Analyzes Android APK manifests and iOS app metadata for suspicious permissions,
dangerous API usage, and known malware behavioral patterns.
"""
import argparse
import json
import re
import subprocess
import sys
import zipfile
from pathlib import Path
from datetime import datetime
DANGEROUS_ANDROID_PERMISSIONS = {
"android.permission.SEND_SMS": ("HIGH", "Can send SMS (premium rate fraud)"),
"android.permission.READ_SMS": ("HIGH", "Reads SMS (OTP theft)"),
"android.permission.RECEIVE_SMS": ("HIGH", "Intercepts SMS"),
"android.permission.READ_CONTACTS": ("MEDIUM", "Reads contacts"),
"android.permission.RECORD_AUDIO": ("HIGH", "Records audio"),
"android.permission.CAMERA": ("MEDIUM", "Camera access"),
"android.permission.READ_CALL_LOG": ("HIGH", "Reads call logs"),
"android.permission.ACCESS_FINE_LOCATION": ("MEDIUM", "Fine GPS location"),
"android.permission.WRITE_EXTERNAL_STORAGE": ("LOW", "Write to external storage"),
"android.permission.INSTALL_PACKAGES": ("CRITICAL", "Can install other apps"),
"android.permission.REQUEST_INSTALL_PACKAGES": ("HIGH", "Request app install"),
"android.permission.SYSTEM_ALERT_WINDOW": ("HIGH", "Overlay attacks"),
"android.permission.BIND_ACCESSIBILITY_SERVICE": ("CRITICAL", "Accessibility abuse"),
"android.permission.BIND_DEVICE_ADMIN": ("CRITICAL", "Device admin control"),
"android.permission.READ_PHONE_STATE": ("MEDIUM", "Reads device identifiers"),
"android.permission.PROCESS_OUTGOING_CALLS": ("HIGH", "Intercepts outgoing calls"),
}
SUSPICIOUS_RECEIVERS = [
"BOOT_COMPLETED", "SMS_RECEIVED", "PHONE_STATE",
"NEW_OUTGOING_CALL", "PACKAGE_ADDED", "CONNECTIVITY_CHANGE",
]
MALWARE_API_PATTERNS = [
(r"DexClassLoader|PathClassLoader", "HIGH", "Dynamic code loading"),
(r"Runtime\.exec|ProcessBuilder", "HIGH", "Command execution"),
(r"TelephonyManager\.getDeviceId", "MEDIUM", "Device fingerprinting"),
(r"Base64\.decode.*exec", "CRITICAL", "Encoded payload execution"),
(r"loadLibrary|System\.load", "MEDIUM", "Native library loading"),
(r"Cipher.*AES.*encrypt", "LOW", "Encryption (possible ransomware)"),
(r"javax\.crypto", "LOW", "Cryptographic operations"),
(r"HttpURLConnection|OkHttp", "LOW", "Network communication"),
(r"getRuntime\(\)\.exec", "HIGH", "Shell command execution"),
]
def analyze_apk_manifest(apk_path):
findings = []
permissions = []
try:
result = subprocess.run(
["aapt", "dump", "permissions", apk_path],
capture_output=True, text=True, timeout=30)
if result.returncode == 0:
for line in result.stdout.split("\n"):
perm_match = re.search(r"uses-permission.*'([^']+)'", line)
if perm_match:
perm = perm_match.group(1)
permissions.append(perm)
if perm in DANGEROUS_ANDROID_PERMISSIONS:
sev, desc = DANGEROUS_ANDROID_PERMISSIONS[perm]
findings.append({
"type": "dangerous_permission",
"permission": perm,
"severity": sev,
"description": desc,
})
except (FileNotFoundError, subprocess.TimeoutExpired):
try:
with zipfile.ZipFile(apk_path, 'r') as z:
if "AndroidManifest.xml" in z.namelist():
findings.append({"note": "Binary manifest found, use aapt or apktool to decode"})
except zipfile.BadZipFile:
findings.append({"error": "Invalid APK file"})
return {"permissions": permissions, "findings": findings}
def scan_decompiled_source(source_dir):
findings = []
source_path = Path(source_dir)
for java_file in source_path.rglob("*.java"):
try:
content = java_file.read_text(encoding="utf-8", errors="replace")
for pattern, severity, desc in MALWARE_API_PATTERNS:
matches = re.findall(pattern, content)
if matches:
findings.append({
"type": "suspicious_api",
"file": str(java_file),
"pattern": desc,
"match_count": len(matches),
"severity": severity,
})
except OSError:
continue
for smali_file in source_path.rglob("*.smali"):
try:
content = smali_file.read_text(encoding="utf-8", errors="replace")
if "Landroid/app/admin/DeviceAdminReceiver" in content:
findings.append({
"type": "device_admin",
"file": str(smali_file),
"severity": "CRITICAL",
"description": "App registers as device administrator",
})
except OSError:
continue
return findings
def calculate_risk(findings):
score = 0
for f in findings:
sev = f.get("severity", "LOW")
score += {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 5, "LOW": 2}.get(sev, 0)
risk = "CRITICAL" if score >= 80 else "HIGH" if score >= 40 else \
"MEDIUM" if score >= 15 else "LOW"
return {"score": min(score, 100), "risk_level": risk}
def main():
parser = argparse.ArgumentParser(description="Mobile Malware Behavior Detector")
parser.add_argument("--apk", help="Path to APK file")
parser.add_argument("--source-dir", help="Path to decompiled source directory")
args = parser.parse_args()
results = {"timestamp": datetime.utcnow().isoformat() + "Z", "findings": []}
if args.apk:
apk_results = analyze_apk_manifest(args.apk)
results["permissions"] = apk_results["permissions"]
results["findings"].extend(apk_results["findings"])
if args.source_dir:
results["findings"].extend(scan_decompiled_source(args.source_dir))
results["risk"] = calculate_risk(results["findings"])
results["total_findings"] = len(results["findings"])
print(json.dumps(results, indent=2))
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink