[Thursday, 29 November 2012 10:23]
FileScan is a Python script for static analysis of Android applications.
I have developed it as part of the work for my Master's thesis (here you can read the summary), in collaboration with Telecom Italia researchers and with my colleague Tao Su, who worked on the dynamic analysis.
FileScan is able to check every file inside an apk, using magic number analysis to identify:
- textual files (checked for URLs, phone numbers, shell commands)
- compressed archives (recursively analysed)
- dex code and ELF files (checked against the hash codes of known malware)
It is able to quickly identify potentially dangerous files, defeating trivial obfuscation techniques (e.g., using false extensions, hiding files in archives).
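The magic-number checks described above can be sketched as follows. This is an added example, not FileScan's own code: the function names, the extension table, the size cap and the use of SHA-256 are assumptions, and the sample archive is constructed.

```python
import hashlib
import io
import posixpath
import zipfile

# Magic bytes for the classes the post lists. Extension sets and SHA-256 are assumptions.
MAGIC = [(b"dex\n", "dex"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip")]
EXPECTED_EXT = {"dex": {"dex"}, "elf": {"so"}, "zip": {"zip", "apk", "jar"}}
MAX_BYTES = 50 * 1024 * 1024  # assumed cap: skip oversized members (bomb guard)

def identify(data):
    """Classify a blob by content only; the file name is never consulted."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "text" if data and b"\x00" not in data[:512] else "unknown"  # crude heuristic

def scan(blob, known_bad=frozenset(), prefix="", depth=0, max_depth=3):
    """Return one finding per file, recursing into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_BYTES:
                continue
            data = zf.read(info)
            kind = identify(data)
            ext = posixpath.splitext(info.filename)[1].lstrip(".").lower()
            digest = hashlib.sha256(data).hexdigest() if kind in ("dex", "elf") else None
            item = {"path": prefix + info.filename, "type": kind, "sha256": digest,
                    "known_bad": digest in known_bad,
                    "mismatch": kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]}
            findings.append(item)
            if kind == "zip" and depth < max_depth:
                try:
                    findings += scan(data, known_bad, item["path"] + "!/", depth + 1, max_depth)
                except zipfile.BadZipFile:
                    item["type"] = "unknown"  # PK header but not a valid archive
    return findings

def build_sample():
    """Constructed archive: ELF named .png, and a zip named .dat holding a dex."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("res/raw/logo.png", b"\x7fELF" + b"\x00" * 16)
        zf.writestr("assets/data.dat", inner.getvalue())
        zf.writestr("assets/readme.txt", b"plain text\n")
    return outer.getvalue()
```

Calling `scan(build_sample())` reports the ELF behind the `.png` name and the dex inside the archive named `.dat`; passing a set of digests as `known_bad` marks matching dex and ELF entries.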
Finally, it can combine all the data collected, defining a final "risk score" through a fuzzy system.
During the tests, it achieved a detection rate of 57.1% on the Genome malware dataset (1361 apks), and identified as completely safe 99.1% of the applications from a goodware dataset (3558 apks, both from the market and unofficial repositories).
Visit the project page