Channel: Android Tools – Security List Network™

Appmon v0.1 – Runtime Security Testing Framework for iOS, Mac OS X and Android Apps.


Changelog appmon v0.1:
+ ipa_installer; Bug fixes
+ Usage Guide: AppMon Android Tracer
+ All code bug fixes.

appmon v0.1

AppMon is an automated framework for monitoring and tampering with the system API calls of native apps on iOS, Mac OS X and (upcoming) Android. You may call it the GreaseMonkey for native mobile apps. 😉
My vision for AppMon is to become the Mac OS X/iOS/Android equivalent of the apimonitor project and of GreaseMonkey. It should become a useful tool for mobile penetration testers to validate the security issues reported by a source code scanner, by inspecting the APIs at runtime, monitoring the app’s overall activity and focusing on things that seem suspicious. You can also use pre-defined user-scripts to modify the app’s functionality/logic at runtime, e.g. spoofing the DeviceID, spoofing the GPS co-ordinates, faking In-App purchases, bypassing TouchID etc.

appmon

API’S Categories:
+ Disk I/O (R/W)
+ Network (HTTP GET, POST etc.)
+ Crypto (HMAC, Hash function, block ciphers, X.509 certs etc.)
+ XML/JSON
+ KeyChain
+ Database (e.g. SQLite)
+ WebView
+ UserDefaults (SharedPreferences equiv.) & more.

appintruder

Latest change (24/5/2016): script: Logging Hooks

Usage:

sudo -H pip install argparse frida flask termcolor dataset
git clone https://github.com/dpnishant/appmon && cd appmon
python appmon.py

cd intruder
python intruder.py

Download: appmon.zip  | appmon.tar.gz
Source: https://github.com/dpnishant


QARK v1.2.19 – Android Source Code Analyzer and Exploitation Tool.


Changelog qark v1.2.19:
+ Added unit tests.
+ fixed config not found error and import issues affecting pip.
+ Works with pip, passes all tests, can still be run locally
+ packaging attempt 1
+ added readme for running testing.

qark v1.2.29

Quick Android Review Kit – This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating “Proof-of-Concept” deployable APKs and/or ADB commands, capable of exploiting many of the vulnerabilities it finds. There is no need to root the test device, as this tool focuses on vulnerabilities that can be exploited under otherwise secure conditions.

Requirements
+ python 2.7.6
+ JRE 1.6+ (preferably 1.7+)
+ OSX or Ubuntu, debian & Kali Linux

menu helper

QARK is an easy to use tool capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of the vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined outputs, to produce superior results, when decompiling APKs. Finally, the major advantage QARK has over traditional tools, that just point you to possible vulnerabilities, is that it can produce ADB commands, or even fully functional APKs, that turn hypothetical vulnerabilities into working “POC” exploits.
Included in the types of security vulnerabilities this tool attempts to find are:
– Inadvertently exported components
– Improperly protected exported components
– Intents which are vulnerable to interception or eavesdropping
– Improper x.509 certificate validation
– Creation of world-readable or world-writeable files
– Activities which may leak data
– The use of Sticky Intents
– Insecurely created Pending Intents
– Sending of insecure Broadcast Intents
– Private keys embedded in the source
– Weak or improper cryptography use
– Potentially exploitable WebView configurations
– Exported Preference Activities
– Tapjacking
– Apps which enable backups
– Apps which are debuggable
– Apps supporting outdated API versions, with known vulnerabilities

Installation:

git clone https://github.com/linkedin/qark
cd qark
pip install -r requirements.txt
python setup.py install
Be sure the Android SDK has been installed on your system.
cd qark
python qarkMain.py

Update:
git pull 

Usage:
$ python qark.py --source 1 --pathtoapk /Users/foo/qark/sampleApps/goatdroid/goatdroid.apk --exploit 1 --install 1
or
$ python qark.py --source 2 -c /Users/foo/qark/sampleApps/goatdroid/goatdroid --manifest /Users/foo/qark/sampleApps/goatdroid/goatdroid/AndroidManifest.xml --exploit 1 --install 1

Source : https://github.com/linkedin | Our Post Before

TheFatRat v1.7 codename keris – Backdoor Creator For Remote Access.


Changelog TheFatRat v1.7 ( 5/11/2016 ) Codename Keris:
* add backdoor ( rar files )
* Add backdoor ( doc not macro attack)
* Add new features in optional 1 ( create backdoor with msfvenom )
* Fix any bug

TheFatRat v1.7

thefatrat v1.6

TheFatRat v1.5

What is FatRat ??
FatRat is an easy tool for generating backdoors with msfvenom (part of the Metasploit Framework). It compiles a C program with a meterpreter reverse_tcp payload embedded in it, which can then be executed on a Windows host; the program it produces, once compiled, will bypass most AV.
Automating metasploit functions:
+ Checks for metasploit service and starts if not present
+ Easily craft meterpreter reverse_tcp payloads for Windows, Linux, Android, Mac and others
+ Start multiple meterpreter reverse_tcp listeners
+ Fast Search in searchsploit
+ Bypass AV
+ Drop into Msfconsole
+ Some other fun stuff

Dependencies:
+ Metasploit Framework
+ MinGW
This tool has been fully tested on Kali Linux 2.0 & Rolling 2016.1.

Download & Usage:

apt-get install mingw32 (install requirement)
git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
cd setup
bash setup.sh
chmod +x fatrat
./fatrat

Note From Us:
Before updating with git pull origin master, remove the old fatrat and powerfull.sh:
rm -f fatrat powerfull.sh
then type on the console:
git pull origin master

Source: https://github.com/Screetsec | Our Post Before

HelDroid – Dissecting and Static Detection of Mobile Ransomware.


Background:
Android apps, including on-device AV products, are restricted by Android’s security model and therefore have limited capabilities; as a result their detection approach cannot do much more than signature checking. Moreover, certain ransomware families exploit high privileges (e.g., the device admin API) to kill the processes that are typically associated with common AVs.
The second approach, HelDroid, proposes a feature-based detection mechanism that applies advanced static-analysis techniques directly to the bytecode extracted from APK files. We envision HelDroid deployed on the app-store side, scanning each submitted application’s code and resources to discover whether it exhibits one or more characteristics from a ransomware-distinguishing feature set.

heldroid detector

What it does in a nutshell is find clues in the disassembled Android bytecode that indicate the presence of code used to implement the typical features of ransomware. This includes:
* use of encryption routines without user intervention
* locking the screen and making the device “unusable”
* displaying threatening messages on the screen to ask for a ransom
* abuse of the Device Admin API for unattended locking or wiping

It does not deal with native code, mostly because native code is binary code, for which there are other great tools that we don’t want to re-invent. We focus on the routines that are tied to the abuse of the Android API for implementing ransomware. Remember, our approach is almost 100% static program analysis, that is, we don’t run the sample unless necessary. On the one hand this makes things simpler, on the other hand, we don’t deal with dynamically expressed ransomware behavior. There are several details behind this curtain, most of which are described in two academic papers and one conference presentation (Blackhat EU 2016, London).
Published in 2016:
* https://github.com/phretor/publications/raw/master/files/talks/maggi_greateatlonbheu_talk_2016.pdf
* https://github.com/phretor/publications/raw/master/files/papers/conference-papers/zheng_greateatlon_2016.pdf
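The “find clues in the disassembled bytecode” idea above can be illustrated with a small indicator scanner over smali text. The following is an added example written for this post; it is not HelDroid’s code, and the smali fragment, the indicator families and the helper names (`scan_smali`, `ransomware_score`, `SAMPLE_SMALI`) are all constructed for illustration. It covers three of the four feature classes listed (device-admin lock/wipe, unattended encryption routines, threatening ransom text); the screen-locking heuristics are omitted, and, unlike HelDroid, the text check is a plain keyword match rather than NLP.

```python
import re
from collections import defaultdict

# Constructed smali fragment standing in for disassembler output (e.g. from baksmali).
# It is NOT taken from any real sample; it only exercises the indicator patterns below.
SAMPLE_SMALI = """\
.class public Lcom/example/locker/LockService;
.super Landroid/app/Service;
.method private lockDevice()V
    iget-object v0, p0, Lcom/example/locker/LockService;->dpm:Landroid/app/admin/DevicePolicyManager;
    invoke-virtual {v0}, Landroid/app/admin/DevicePolicyManager;->lockNow()V
    return-void
.end method
.method private encryptFiles()V
    const-string v1, "AES/CBC/PKCS5Padding"
    invoke-static {v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v2
    invoke-virtual {v2, v3}, Ljavax/crypto/Cipher;->doFinal([B)[B
    return-void
.end method
.method private showNote()V
    const-string v0, "Your files have been encrypted. Pay to unlock your device."
    invoke-virtual {v1, v0}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
    return-void
.end method
"""

# Indicator families modelled on the feature classes HelDroid describes (hypothetical
# patterns chosen for this example; a real detector uses a richer feature set).
INDICATORS = {
    # Device Admin API calls that lock or wipe the device without user interaction.
    "device-admin-lock-or-wipe": re.compile(
        r"Landroid/app/admin/DevicePolicyManager;->(lockNow|wipeData|resetPassword)\("),
    # Actual encryption work (not just Cipher.getInstance, which benign apps call too).
    "encryption-routine": re.compile(r"Ljavax/crypto/Cipher;->(doFinal|update)\("),
    # Hard-coded strings that read like a ransom note.
    "threatening-text": re.compile(
        r'const-string .*"[^"]*\b(encrypted|ransom|pay|unlock)\b', re.IGNORECASE),
}

# Captures the method name from a ".method <modifiers> name(...)..." line.
METHOD_RE = re.compile(r"^\.method\b.*\s(\S+)\(")


def scan_smali(text):
    """Return {family: [(line_no, method_name), ...]} for every indicator hit."""
    hits = defaultdict(list)
    method = "<class-level>"
    for lineno, line in enumerate(text.splitlines(), 1):
        m = METHOD_RE.match(line)
        if m:
            method = m.group(1)
            continue
        if line.startswith(".end method"):
            method = "<class-level>"
            continue
        for family, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[family].append((lineno, method))
    return dict(hits)


def ransomware_score(hits, threshold=2):
    """Flag a sample when at least `threshold` distinct indicator families co-occur.

    Any single family alone (crypto, device admin, scary strings) is common in
    benign apps; it is the combination that is characteristic of ransomware.
    """
    families = sorted(hits)
    return len(families) >= threshold, families


if __name__ == "__main__":
    found = scan_smali(SAMPLE_SMALI)
    flagged, families = ransomware_score(found)
    for family, locations in found.items():
        for lineno, method in locations:
            print("%-26s line %2d in %s" % (family, lineno, method))
    print("flagged:", flagged, families)
```

Because the scan is purely static, it inherits the limitation the authors mention: strings decrypted or reflection targets resolved only at runtime are invisible to it, which is why thresholds on co-occurring families rather than single matches keep the false-positive rate manageable.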

heldroid filter

HelDroid requires:
+ Java 1.7+
+ Gradle 3.1+

Usage and Download:

$ git clone https://github.com/necst/heldroid
$ cd heldroid/
$ gradle build
$ gradle shadowJar
$ mkdir -p test/apks
$ curl "http://detect.ransom.mobi/fetch-apk?family=slocker&hash=d721a38e55441e3273754fa642f2744567dc786df356e89fa0bfa3cfd63ad0ed" > \
test/apks/d721a38e55441e3273754fa642f2744567dc786df356e89fa0bfa3cfd63ad0ed.apk
$ java -jar build/libs/heldroid-all.jar \
detector \
scan \
test/apks/2fcd8c40e3b59786a2661054bcc2ee4124a80aee737035f59995a943b29302fd.apk \
test/output.csv \
test/

java -jar build/libs/heldroid-all.jar detector
java -jar build/libs/heldroid-all.jar filter

Source: https://github.com/necst/heldroid

Mobile Security Framework – MobSF v0.9.3 Beta.


Changelog MobSF v0.9.3-Beta:
* Features or Enhancements
++ Added Docker File
++ Clipboard Monitor for Android Dynamic Analysis
++ Windows APPX Static Analysis Support
++ Added Support for Kali Linux
++ Code Quality and Linting
++ Partial PEP8 Formatting, Code Refactoring and Restructuring
++ Improved Static Analyzer Regex
++ Disabling Syntax Highlighter Edit mode
++ More MIME Type additions
++ Update File Upload Size to 100 MB
++ MobSFfy script to support commandline args
++ New strings.py tool for string extraction in iOS Apps.
++ Updated iOS Static Analysis ruleset.
++ Django Upgrade to 1.10
++ MobSF VM 0.3 Released

* Bug Fixes
++ Fixed Code Analysis Regex Error
++ Fixed iOS Binary Analysis and File Analysis PDF Generation bug
++ API Fuzzer Bug Fixes
++ SQLite3 Bug Fix
++ Fixed Bug when no code signing cert is present
++ Fixed Bug in xhtml2pdf
++ Dynamic Analysis Bug Fixes
++ Unicode Bug Fixes
++ Fixed MobSFy upload error
++ Fixed Variable redefining bug

* Security Fixes
++ Fixed Local File Inclusion caused by an incorrect regex

mobsf webgui

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer, which can do information gathering, analyze security headers, and identify mobile-API-specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to sessions and API rate limiting.

mobsf runserver

Download and build from source:

git clone https://github.com/ajinabraham/Mobile-Security-Framework-MobSF && cd Mobile-Security-Framework-MobSF
pip install -r requirements.txt
python manage.py runserver
Open http://127.0.0.1:8000 in your browser

Upgrade:
git pull

Downloads : Source code(zip)  | Source code(tar.gz)
Source: http://opensecurity.in/ | https://github.com/ajinabraham

backdoor-apk v0.1.7 is a shell script that simplifies the process of adding a backdoor to any Android APK file.


Changelog backdoor-apk v0.1.7 (2016-11-30):
* Improvements
++ Automatic generation of Metasploit resource script to handle selected payload (credit to John Troony for the suggestion)
* Bug Fixes
++ Fixed persistence hook breakage caused by upstream changes in Metasploit.

backdoor apk v0.1.7

Backdoor-Apk v0.1.4

Backdoor-apk-v0-1-2

backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.

backdoor apk v0.1.2

The recompiled APK will be found in the ‘original/dist’ directory. Install the APK on a compatible Android device, run it, and handle the meterpreter connection at the specified IP and port.
Usage:

git clone https://github.com/dana-at-cp/backdoor-apk && cd backdoor-apk
./backdoor-apk.sh [your apk file]

Update:
git pull origin master

Now you can upload it using a MITM technique :-) (Just for education purposes, right? Yeah... let’s rock)

Source: https://github.com/dana-at-cp | Our Post Before

Droidsinia – mobile security platform tool.


DroidSinia is a client-server platform for layer-2 attacks. The dynamic mobile interface (client) controls a Raspberry Pi (server): it sends parameters, and the server executes the requested operation.
Requirement:
+ Python 2 – 3
+ Kivy python mobile module app.

droidsinia server

Source Code:
+ droidsinia server: DroidSinia lets us run many powerful applications on a Linux server from an Android device.
+ Client: the dynamic mobile interface (client) that controls the Raspberry Pi (server), with the following functions:
+-+ Arp Spoofing
+-+ netdiscover
+-+ Macflood
+-+ nmap: network mapping

client

Usage and download:

git clone https://github.com/Extaticode/DroidSinia && cd DroidSinia
pip install -r requirements.txt
python setup.py install
droidsinia.py -h

Client:
Be sure the kivy module has been installed:
https://kivy.org/docs/installation/installation-linux.html

python main.py

Source: https://github.com/Extaticode

MARA v0.2.2 – is a Mobile Application Reverse engineering and Analysis Framework.


Changelog Mara Framework version: 0.2.2 beta 8/12/2016:
* Requirement at setup.sh update
* Feature Update:
+ Domain Analysis
+-+ Domain SSL scan via pyssltest and testssl
+-+ Website fingerprinting via whatweb
+ APK Reverse Engineering
+-+ Disassembling Dalvik bytecode to java bytecode via enjarify
+-+ Decompiling APK to Java source code via jadx
+ APK Analysis
+-+ Analyze apk for potential malicious behaviour via androwarn
+-+ Identify compilers, packers and obfuscators via APKiD
+ Security Analysis
+-+ Source code static analysis based on the OWASP Mobile Top 10 and the OWASP Mobile Apps Checklist.

Mara v0.2.2

MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.

Features supported:
* APK Reverse Engineering
+ Disassembling Dalvik bytecode to smali bytecode via baksmali and apktool
+ Disassembling Dalvik bytecode to java bytecode via enjarify
+ Decompiling APK to Java source code via jadx

* APK Deobfuscation
+ APK deobfuscation via apk-deguard.com

* APK Analysis
+ Parsing smali files for analysis via smalisca
+ Dump apk assets, libraries and resources
+ Extracting certificate data via openssl
+ Extract strings and app permissions via aapt
+ Identify methods and classes via ClassyShark
+ Scan for apk vulnerabilities via androbugs
+ Analyze apk for potential malicious behaviour via androwarn
+ Identify compilers, packers and obfuscators via APKiD
+ Extract execution paths, IP addresses, URL, URI, emails via regex

* APK Manifest Analysis
+ Extract Intents
+ Extract exported activities
+ Extract receivers
+ Extract exported receivers
+ Extract Services
+ Extract exported services
+ Check if apk is debuggable
+ Check if apk allows sending of secret codes
+ Check if apk can receive binary SMS

* Domain Analysis
+ Domain SSL scan via pyssltest and testssl
+ Website fingerprinting via whatweb

* Security Analysis
+ Source code static analysis based on the OWASP Mobile Top 10 and the OWASP Mobile Apps Checklist
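Several of the checks listed for MARA’s manifest analysis above (extract exported activities/receivers/services, check if the apk is debuggable) and for QARK earlier on this page (inadvertently exported components, improperly protected exported components, apps which enable backups or are debuggable) come down to reading AndroidManifest.xml with the implicit-export rule in mind. The following is an added example written for this post, not code from MARA or QARK; the manifest is constructed, and the names `analyze_manifest`, `is_exported`, `SAMPLE_MANIFEST` are chosen here. It goes slightly beyond the lists by distinguishing components exported only implicitly (an intent-filter with no android:exported) from those exported explicitly without a permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    # ElementTree addresses namespaced attributes as "{namespace}local-name".
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (decoded form, e.g. as produced by apktool); not from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data" android:exported="false"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def is_exported(component):
    """Android's export rule: an explicit android:exported wins; otherwise an
    activity/service/receiver is exported iff it declares an <intent-filter>.
    Providers default to exported only when targetSdkVersion < 17; this example
    assumes a modern target and treats an unset provider as not exported."""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return False
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return a list of (target, finding, detail) tuples for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    if app.get(android_attr("debuggable")) == "true":
        findings.append(("app", "debuggable", "android:debuggable=true"))
    # allowBackup defaults to true, so only an explicit "false" opts out.
    if app.get(android_attr("allowBackup"), "true").lower() != "false":
        findings.append(("app", "backup-enabled", "android:allowBackup not false"))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        name = comp.get(android_attr("name"))
        # The launcher activity has to be exported; do not report it.
        if any(c.get(android_attr("name")) == LAUNCHER for c in comp.iter("category")):
            continue
        if comp.get(android_attr("permission")) is not None:
            findings.append((name, "exported-with-permission", comp.tag))
        elif comp.get(android_attr("exported")) is None:
            findings.append((name, "implicitly-exported", comp.tag))
        else:
            findings.append((name, "exported-unprotected", comp.tag))
    return findings


if __name__ == "__main__":
    for target, finding, detail in analyze_manifest(SAMPLE_MANIFEST):
        print("%-22s %-26s %s" % (target, finding, detail))
```

A component reported as exported-with-permission still deserves a look at the declared permission’s protectionLevel (a "normal" permission is granted to any app that requests it), and an implicitly-exported receiver such as the BOOT_COMPLETED one above is exactly the “inadvertently exported component” case: the developer wanted the system broadcast, but any app can now send it a crafted intent.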

Use and Download from source:

git clone --recursive https://github.com/xtiankisutsa/MARA_Framework && cd MARA_Framework
sudo ./setup.sh
sudo ./mara.sh

Update
sudo ./update.sh

Source: https://github.com/xtiankisutsa | Our Post Before


Hijacker – Android GUI Application for wifi auditing tools.


Hijacker is a Graphical User Interface for the wireless auditing tools airodump-ng, aireplay-ng and mdk3. It offers a simple and easy UI to use these tools without typing commands in a console and copy&pasting MAC addresses.
This application requires an android device with a wireless adapter that supports Monitor Mode. A few android devices do, but none of them natively. This means that you will need a custom firmware. Nexus 5 and any other device that uses the BCM4339 (and BCM4358 (although injection is not yet supported so no aireplay or mdk)) chipset will work with Nexmon. Also, devices that use BCM4330 can use bcmon. An alternative would be to use an external adapter that supports monitor mode in Android with an OTG cable.

The required tools are included in the app. To install them go to Settings and click “Install Tools”. This will install everything in the directory you select. If you have already installed them, you don’t have to do anything. You can also have them at any directory you want and set the directories in Settings, though this might cause the wireless tools not being found by the aircrack-ng suite. The Nexmon driver and management utility is also included.
Root is also necessary, as these tools need root to work. If you don’t grant root permissions to it, it hangs… for some reason… don’t know why…

Aircrack, Airodump, Aireplay, MDK3 and Reaver GUI Application for Android

Features:
* View a list of access points and stations (clients) around you (even hidden ones)
* View the activity of a network (by measuring beacons and data packets) and its clients
* Deauthenticate all the clients of a network
* Deauthenticate a specific client from the network it’s connected
* MDK3 Beacon Flooding with custom SSID list
* MDK3 Authentication DoS for a specific network or to everyone
* Try to get a WPA handshake or gather IVs to crack a WEP network
* Statistics about access points (only encryption for now)
* See the manufacturer of a device (AP or station) from a OUI database (pulled from IEEE)
* See the signal power of devices and filter the ones that are closer to you
* Leave the app running in the background, optionally with a notification
* Copy commands or MAC addresses to clipboard, so you can run them in a terminal if something goes wrong
* Include the tools
* Reaver WPS cracking (pixie-dust attack using NetHunter chroot and external adapter)
* .cap files cracking with custom wordlist
* Save captured packets in .cap file
* Create custom commands to be run on an access point or a client with one click

Installation:
Make sure:
– you are on Android 5+
– you are rooted. SuperSU is required. If you are on CM, install SuperSU
– you have installed busybox (opened it and installed the tools)
– you have a firmware that supports Monitor Mode on your wireless interface

APK Download: Hijacker-release-v1-RC.1.apk(6.24 MB)
Source: https://github.com/chrisk44

Lobotomy – Android reverse engineering tool.


Lobotomy is a command line based Android reverse engineering tool.
Feature:
+ Components: Enumerate AndroidManifest.xml components
+ Permission: Enumerate declared and used AndroidManifest.xml permissions
+ Strings: List and search for strings within the target application
+ AttackSurface: Enumerate the target Application’s attack surface through parsing the AndroidManifest.xml
+ Surgical: Find specific Android API usage throughout the application
+ Interact: Drop into an IPython session to analyze the target application in a more granular fashion
+ Decompile: Decompile the target application with Apktool
+ Debuggable: Convert the target application into being debuggable when installed on a device
+ Dextra: Wrapper around dextra for dumping odex and oat files
+ Socket: Find local and listening sockets on a target Android device

lobotomy

Dependencies:
+ Python 2.7.x
+ virtualenv

Usage and download from source:

git clone https://github.com/rotlogix/lobotomy && cd lobotomy

Install virtualenv :
sudo pip2 install virtualenv
virtualenv -p /usr/bin/python2.7 lobotomy
source lobotomy/bin/activate

pip install -r requirements
cd core/include/androguard
python setup.py install

python lobotomy.py

deactivate

Source: https://github.com/rotlogix

Adhrit is an open source Android APK ripping tool.


Adhrit is an open source Android APK ripping tool that does basic recon on the provided APK file and extracts important information.

Pre-requisites :
+ Linux Machine
+ Java JDK
+ PYTHON 2.7.x

Adhrit

Uses:
– Extracts the apk contents.
– Does a strings on the dex and stores it in a file.
– Extracts the jar out of the dex.
– Checks for native libraries.
– Extracts java code from the APK.

Usage and Download from source:

git clone https://github.com/abhi-r3v0/Adhrit && cd Adhrit
1. Download or clone the package and extract the tool.
2. Place the application (Android apk) in the tool directory.
3. Open a terminal and cd into the directory.
4. Run "python adhrit.py -a your_app.apk"

Source: https://github.com/abhi-r3v0

Apktool v2.2.2 – A tool for reverse engineering Android apk files.


Changelog Apktool v2.2.2-git:
* Added Android 7.1 Resources (Issue 1349)
* Update aapt to android-7.1.1_r4.
* Upgrade to gradle 3.3
* Fixed NPE with styles that had a parent that didn’t exist. (Issue 1370)
* Fixed issue with TYPE_DYNAMIC_ATTRIBUTE treating improperly which affected Nougat based applications. (Issue 1382) / Thanks xpirt
* Fixed issue with APKs that have invalid characters. (Issue 885), (Issue 1389)
* Fixed issue with versioning vector images during build. (Issue 1384)
* Fixed issue with APKs that have invalid characters in filename. (Issue 1369)
* Fixed build issue where space was in build path. (Issue 1394)
* Fixed issue with APKs that have 3 non positional attributes. (Issue 1360)
* Fixed issue with APKs that require non-standard pkgId. (Issue 1119), (Issue 989), (Issue 1278), (Issue 1377), (Issue 1091) / Thanks peter23
* Fixed issue with APKs that used reserved words do and if. (Issue 1404)

Apktool v2.2.2-git

Apktool

Apktool v2.2.0

Apktool is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. It also makes working with an app easier because of its project-like file structure and the automation of some repetitive tasks like building the apk, etc.

It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms and other GOOD purposes. Just try to be fair with authors of an app, that you use and probably like.

Features:
+ Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png. and XMLs)
+ Rebuilding decoded resources back to binary APK/JAR
+ Organizing and handling APKs that depend on framework resources
+ Smali Debugging (Removed in 2.1.0 in favor of IdeaSmali)
+ Helping with repetitive tasks

Requirements:
* JDK (7 or 8). No OpenJDK
* git

Usage & Download From git:

git clone git://github.com/iBotPeaches/Apktool.git && cd Apktool
./gradlew
./gradlew build fatJar
./gradlew build fatJar proguard
cd brut.apktool/apktool-cli/build/libs/
java -jar apktool-2.2.2-dd4a20-SNAPSHOT-small.jar

Source: https://github.com/iBotPeaches | Our Post Before

drozer v2.4.2 is a comprehensive security audit & attack framework for Android.


Changelog drozer v2.4.2:
+ [Bugfix] Updated PyOpenSSL to fix Issue #239
+ [Bugfix] Fixed setup.py to install Drozer without setting PYTHONPATH environment variable
+ [Documentation] Fixed documentation to resolve issue #240

Changelog drozer v2.4.0:
+ Fixed bug in sharedUID package search
+ Fixed bug in web delivery page
+ Fixed bug in busybox path
+ Updated busybox for PIE Support
+ Referenced aapt-osx in setup script
+ Added pyyaml support for latest apktool
+ Protobuf 2.6.1 jar update
+ Updated apktool arguments
+ Updated to Dx: android 19
+ Updated to apktool 2.0.3
+ Updated to protobuf 2.6.1
+ Fixed pyopenssl error
+ Support for Java 7 & 8

drozer

drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).

drozer helps to provide confidence that Android apps and devices being developed by, or deployed across, your organisation do not pose an unacceptable level of risk, by allowing you to interact with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use and share public exploits for Android. For remote exploits, it can generate shellcode to help you to deploy the drozer Agent as a remote administrator tool, with maximum leverage on the device.

drozer console

* Faster Android Security Assessments
drozer helps to reduce the time taken for Android security assessments by automating the tedious and time-consuming tasks.
+-+ Discover and interact with the attack surface exposed by Android apps.
+-+ Execute dynamic Java-code on a device, to avoid the need to compile and install small test scripts.

* Test against Real Android Devices
drozer runs both in Android emulators and on real devices. It does not require USB debugging or other development features to be enabled; so you can perform assessments on devices in their production state to get better results.

* Automate and Extend
drozer can be easily extended with additional modules to find, test and exploit other weaknesses; this, combined with scripting possibilities, helps you to automate regression testing for security issues.

* Test your Exposure to Public Exploits
drozer provides point-and-go implementations of many public Android exploits. You can use these to identify vulnerable devices in your organisation, and to understand the risk that these pose.

Use and download from git:

Make sure the Android SDK is installed on your system: https://developer.android.com/

git clone https://github.com/mwrlabs/drozer/ && cd drozer
python setup.py build
python setup.py install

or
wget https://github.com/mwrlabs/drozer/releases/download/2.4.2/drozer-2.4.2-py2.7.egg
easy_install -Z drozer-2.4.2-py2.7.egg

Windows:
python easy_install -Z drozer-2.4.2-py2.7.egg (make sure easy_install is installed on your Windows system)

Download: drozer-2.4.2-py2.7.egg | Our Post Before
Source: https://labs.mwrinfosecurity.com/tools/drozer/ | https://github.com/mwrlabs

Hijacker v1-stable version – Android GUI Application for wifi auditing tools.


Changelog from Hijacker v1-RC to Hijacker v1-stable (22/1/2017):
* Add the option to mark Access Points or Stations to distinguish them easily, move options restore commands in onResume() of Fragments, change fifo to LinkedList to avoid a bug that still happens, use marked devices for ‘smart’ selection in MDKFragment, ReaverFragment and CustomActionFragment, create separate popup for attacks on Access Points, clear ‘marked’ lists on reset
* Fix duplicate watchdog thread running, remove reset() call in shell.done(), handle simultaneous calls to getFreeShell(), improve CustomAction saving
* Bug fixes, code optimization, cleanup, use Snackbar instead of Toast in Dialogs, stop only airodump with ‘stop’ button, add notification for ‘wpa handshake captured’, add SuperSU check, add ‘install in system’ warning

hijacker v1-stable

Hijacker is a Graphical User Interface for the wireless auditing tools airodump-ng, aireplay-ng and mdk3. It offers a simple and easy UI to use these tools without typing commands in a console and copy&pasting MAC addresses.
This application requires an android device with a wireless adapter that supports Monitor Mode. A few android devices do, but none of them natively. This means that you will need a custom firmware. Nexus 5 and any other device that uses the BCM4339 (and BCM4358 (although injection is not yet supported so no aireplay or mdk)) chipset will work with Nexmon. Also, devices that use BCM4330 can use bcmon. An alternative would be to use an external adapter that supports monitor mode in Android with an OTG cable.

The required tools are included in the app. To install them go to Settings and click “Install Tools”. This will install everything in the directory you select. If you have already installed them, you don’t have to do anything. You can also have them at any directory you want and set the directories in Settings, though this might cause the wireless tools not being found by the aircrack-ng suite. The Nexmon driver and management utility is also included.
Root is also necessary, as these tools need root to work. If you don’t grant root permissions to it, it hangs… for some reason… don’t know why…

Aircrack, Airodump, Aireplay, MDK3 and Reaver GUI Application for Android

Features:
* View a list of access points and stations (clients) around you (even hidden ones)
* View the activity of a network (by measuring beacons and data packets) and its clients
* Deauthenticate all the clients of a network
* Deauthenticate a specific client from the network it’s connected
* MDK3 Beacon Flooding with custom SSID list
* MDK3 Authentication DoS for a specific network or to everyone
* Try to get a WPA handshake or gather IVs to crack a WEP network
* Statistics about access points (only encryption for now)
* See the manufacturer of a device (AP or station) from a OUI database (pulled from IEEE)
* See the signal power of devices and filter the ones that are closer to you
* Leave the app running in the background, optionally with a notification
* Copy commands or MAC addresses to clipboard, so you can run them in a terminal if something goes wrong
* Include the tools
* Reaver WPS cracking (pixie-dust attack using NetHunter chroot and external adapter)
* .cap files cracking with custom wordlist
* Save captured packets in .cap file
* Create custom commands to be run on an access point or a client with one click

Installation:
Make sure:
– you are on Android 5+
– you are rooted. SuperSU is required. If you are on CM, install SuperSU
– you have installed busybox (opened it and installed the tools)
– you have a firmware that supports Monitor Mode on your wireless interface

APK Download: Hijacker-release-v1-stable.apk(6.25 MB)
Source: https://github.com/chrisk44 | Our Post Before

Mobile Security Framework – MobSF v0.9.4.1 Beta.


Changelog Mobile Security Framework MobSF v0.9.4 to v0.9.4.1 Beta:
+ Features or Enhancements
– Restructured iOS Code

+ Bug Fixes
– USE_HOME Bug Fix (Major)

Changelog v0.9.4 Beta :
+ Features or Enhancements
– Android Binary/ELF Analysis and Resource Analysis
– Android App Static Analysis: Tapjacking Detection
– Android App Static Analysis: Better Exported Component Analysis
– iOS App Static Analysis: Listing App Permissions
– iOS App Static Analysis: ATS Check
– Better and Faster PDF Generation
– Updated Dependencies
– Optimised DB Interactions
– Unit Tests for Static Analyzer, PDF Report Generation

Mobile Security Framework v0.9.4 Beta gui

+ Bug Fixes
– Windows App Static Analyzer Bug Fix
– Fixed all PDF Related Bugs
– Windows App Static Analyzer: BinScope Bug Fix
– iOS App Static Analysis: Plist Bug Fix

mobsf webgui

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer, which does information gathering, analyzes security headers, and identifies mobile-API-specific vulnerabilities such as XXE, SSRF, path traversal, IDOR, and other logical issues related to sessions and API rate limiting.

mobsf runserver

Download and build from source:

git clone https://github.com/ajinabraham/Mobile-Security-Framework-MobSF && cd Mobile-Security-Framework-MobSF
pip install -r requirements.txt
python manage.py runserver
Open your browser at http://127.0.0.1:8000 (the default address and port of the Django development server started above)

Upgrade:
git pull

Downloads : Source code(zip)  | Source code(tar.gz) | Our Post Before
Source: http://opensecurity.in/ | https://github.com/ajinabraham


simplify – Generic Android Deobfuscator.

Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn’t matter what the specific type of obfuscation is used.

There are three parts to the project: smalivm, simplify, and the demo app.
1. smalivm: Virtual machine library which can execute Android apps. It executes a method and returns a graph which contains the register and class values at every instruction for every possible execution path. It works even if certain values are unknown such as a network response from a server. If it encounters an if and doesn’t know the values of the conditional, it assumes either branch could happen and executes both paths.
2. simplify: Analyzes the graphs from smalivm and applies optimizations such as constant propagation, dead code removal, unreflection, and specific peephole optimizations. The optimizations are fairly simple, but when applied together and in succession, it can decrypt strings, peel back layers of obfuscation, and greatly simplify code.
3. demoapp: Contains simple, heavily commented examples of how to use smalivm. It’s a good place to start if you want to use smalivm in your own projects.
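To make the description above concrete, here is a toy version of the pipeline it describes: constant propagation, branch folding on an opaque predicate, unreachable-code removal and dead-store removal, applied in succession until nothing changes, with an unknown call result (the "network response from a server" case) left symbolic so that both branches survive. This is an added example, not code from Simplify or smalivm; the instruction set is an invented, smali-flavoured stand-in, and the method names in the two sample programs are hypothetical.

```python
"""Toy constant folding, branch folding and dead-code removal over a
register IR, in the spirit of the simplify description. Added example,
not Simplify's or smalivm's code. Instructions are tuples such as
("const", "v0", 90), ("xor", "v2", "v0", "v1"), ("if-nez", "v2", ":l"),
("goto", ":l"), ("label", ":l"), ("invoke", "v0", "Lx;->m()I"),
("return", "v0"). Only integer values are modelled."""
from typing import Dict, List, Tuple

Instr = Tuple
PURE_OPS = {"const", "add", "mul", "xor"}  # no side effects; droppable if unread
ARITH = {"add": lambda x, y: x + y, "mul": lambda x, y: x * y, "xor": lambda x, y: x ^ y}
BRANCHES = ("if-eqz", "if-nez")


def fold_constants(code: List[Instr]) -> List[Instr]:
    """Forward pass: arithmetic on known registers becomes a const; a branch
    on a known register becomes a goto (always taken) or disappears (never
    taken). Labels are join points, so knowledge is dropped there. An invoke
    result is unknown, so nothing depending on it is folded."""
    known: Dict[str, int] = {}
    out: List[Instr] = []
    for ins in code:
        op = ins[0]
        if op == "label":
            known = {}
            out.append(ins)
        elif op == "const":
            known[ins[1]] = ins[2]
            out.append(ins)
        elif op in ARITH:
            _, dst, a, b = ins
            if a in known and b in known:
                known[dst] = ARITH[op](known[a], known[b])
                out.append(("const", dst, known[dst]))
            else:
                known.pop(dst, None)
                out.append(ins)
        elif op in BRANCHES:
            _, reg, target = ins
            if reg not in known:
                out.append(ins)
            elif (known[reg] == 0) == (op == "if-eqz"):
                out.append(("goto", target))  # branch is always taken
            # otherwise the branch is never taken: drop it
        elif op == "invoke":
            known.pop(ins[1], None)  # result register becomes unknown
            out.append(ins)
        else:  # goto, return
            out.append(ins)
    return out


def remove_unreachable(code):
    """Keep only instructions reachable from entry (a return ends its path)."""
    labels = {ins[1]: i for i, ins in enumerate(code) if ins[0] == "label"}
    reachable, work = set(), [0]
    while work:
        i = work.pop()
        if i in reachable or i >= len(code):
            continue
        reachable.add(i)
        op = code[i][0]
        if op == "goto":
            work.append(labels[code[i][1]])
        elif op in BRANCHES:
            work.extend((labels[code[i][2]], i + 1))
        elif op != "return":
            work.append(i + 1)
    return [ins for i, ins in enumerate(code) if i in reachable]


def remove_unused_labels(code):
    used = {ins[-1] for ins in code if ins[0] == "goto" or ins[0] in BRANCHES}
    return [ins for ins in code if ins[0] != "label" or ins[1] in used]


def remove_trivial_gotos(code):
    """A goto whose target label is the next instruction is a no-op."""
    return [ins for i, ins in enumerate(code)
            if not (ins[0] == "goto" and i + 1 < len(code)
                    and code[i + 1] == ("label", ins[1]))]


def remove_dead_stores(code):
    """Backward liveness; only valid once the code is straight-line."""
    if any(ins[0] == "label" or ins[0] == "goto" or ins[0] in BRANCHES for ins in code):
        return code
    live, out = set(), []
    for ins in reversed(code):
        op = ins[0]
        if op in PURE_OPS and ins[1] not in live:
            continue  # result never read: drop the instruction
        if op in ARITH:
            live.discard(ins[1])
            live.update(ins[2:4])
        elif op in ("const", "invoke"):
            live.discard(ins[1])
        elif op == "return":
            live.add(ins[1])
        out.append(ins)
    return out[::-1]


PASSES = (fold_constants, remove_unreachable, remove_unused_labels,
          remove_trivial_gotos, remove_dead_stores)


def optimize(code):
    """Apply the simple passes in succession until a fixpoint is reached."""
    while True:
        new = code
        for p in PASSES:
            new = p(new)
        if new == code:
            return code
        code = new


# Constructed sample: opaque predicate (v0 ^ v1 is always 0) guards a decoy.
OBFUSCATED = [
    ("const", "v0", 0x5A),
    ("const", "v1", 0x5A),
    ("xor", "v2", "v0", "v1"),
    ("if-nez", "v2", ":decoy"),
    ("const", "v3", 42),
    ("return", "v3"),
    ("label", ":decoy"),
    ("invoke", "v3", "Lcom/example/Obf;->decoy()I"),  # hypothetical method
    ("return", "v3"),
]

# Constructed sample: the branch depends on an unknown call result.
UNKNOWN = [
    ("invoke", "v0", "Lcom/example/Net;->fetchFlag()I"),  # hypothetical method
    ("if-eqz", "v0", ":zero"),
    ("const", "v1", 1),
    ("return", "v1"),
    ("label", ":zero"),
    ("const", "v1", 2),
    ("return", "v1"),
]

if __name__ == "__main__":
    for ins in optimize(OBFUSCATED):
        print(ins)
```

Run stand-alone, the opaque-predicate program collapses to `const v3, 42; return v3`, while the program whose branch depends on the invoke result is returned unchanged, which is exactly the "both paths could happen" behaviour the text attributes to smalivm.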

simplify

Dependencies:
+ Java 8

Usage and install from source:

git clone --recursive https://github.com/CalebFenton/simplify.git
cd simplify
git submodule update --init --recursive
./gradlew fatjar
java -jar simplify/build/libs/simplify.jar -it 'org/cf' simplify/obfuscated-example

Source:https://github.com/CalebFenton

HIDAAF – Human Interface Device Android Attack Framework.

HIDAAF is a Python framework that makes it easy to generate HID attack scripts for the Android platform, matched to specific phone models. The HIDAAF output format is intended for the Bash Bunny (provided by the great guys behind Hak5). Because of the custom Android images shipped with certain phones (like the Samsung Galaxy series), HIDAAF is heavily dependent on your contributions to cover as many phone models as possible.

HIDAAF Alpha

Dependencies:
– Python 2.7.x
– Metasploit Framework

Usage:

git clone https://github.com/SkiddieTech/HIDAAF && cd HIDAAF
python hidaaf.py

Source: https://github.com/SkiddieTech

TheFatRat v1.9 – Backdoor Creator For Remote Access.

CHANGELOG TheFatRat v1.9 from 1.8:
+ v1.9.4 – Fatrat will be full terminal mode, Powerstage tool added, Setup script rebuilt
+ v1.9.3 – Added update script
+ v1.9.3 – Dex2Jar will be installed from now on from Fatrat setup manually on user system (reason: Kali repo still uses old version)
+ v1.9.3 – Updated Android build tools to V.26 RC1 & Android Platform V. 25-R03
+ v1.9.3 – Updated dana travis backdoor-apk to 0.2.2 into fatrat / added openssl in setup
+ v1.9.2 – Msfvenom Android rat will be signed with android certificate, so it can be installed properly
+ v1.9.2 – Implemented Default Lhost & Lport config to fatrat & powerfull shell creator
+ v1.9.2 – Fixed payload in pnwinds option2
+ v1.9.2 – Implemented Stop functions in pnwinds
+ v1.9.2 – New signing process in old method backdoor apk & option to create listener
+ v1.9.2 – Implemented possibility for user to save msfconsole listeners
+ v1.9.2 – Fixes in Microsploit
+ v1.9.2 – Implemented local ip, public ip & hostname display to powerfull.sh
+ v1.9.2 – Implemented local ip, public ip & hostname display before user set Lhost
+ v1.9.2 – Implemented log creation for microsploit & fixed bugs
+ v1.9.2 – Added effective way to detect user linux distribution
+ v1.9.2 – Setup.sh (patched)
+ v1.9.2 – bug in microsploit (patched)
+ v1.9.2 – deleted some functions and variables
+ v1.9.1 – Implemented Microsploit (Office Exploitation Tool)
+ v1.9b – Implemented Backdoor-apk from Dana James Traversie in this version. { Less tools to install during setup.sh }
+ v1.9.0 – update script setup.sh
+ v1.9.0 – deleted some variables and functions
+ v1.9.0 – fixed typos and bugs
+ v1.9.0 – Backdoor APKs have a new payload hiding method in rat apk to not be detected.
+ v1.9.0 – APK (5) rat rebuild totally changed (adapted backdoor-apk script to fatrat so both work together)
+ v1.9.0 – Apktool will no longer be installed by setup.sh; the same applies to dx and zipalign (apktool on the debian repo is 2.2.1, and that version has a bug that gives an error when compiling the apks, so apktool and the android tools were updated)

thefatrat v1.9.4

TheFatRat v1.8

TheFatRat v1.7

thefatrat v1.6

TheFatRat v1.5

What is FatRat?
An easy tool for generating backdoors with msfvenom (part of the Metasploit framework). The program compiles a C program with a meterpreter reverse_tcp payload in it that can then be executed on a Windows host; the author states the compiled program will bypass most AV.

TheFatRat

Automating Metasploit functions:
+ Checks for the Metasploit service and starts it if not present
+ Easily craft meterpreter reverse_tcp payloads for Windows, Linux, Android, Mac and others
+ Start multiple meterpreter reverse_tcp listeners
+ Fast search in searchsploit
+ Bypass AV
+ Drop into Msfconsole
+ Some other fun stuff

msfvenom-creator

Dependencies:
+ Metasploit Framework
+ MinGW
This tool has been fully tested in Kali Linux 2.0 & Rolling 2016.1

Download & Usage:

apt-get install mingw32 (install requirement)
git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
cd setup
bash setup.sh
chmod +x fatrat
./fatrat

Note From Us:
Before updating with git pull origin master, remove the old fatrat and powerfull.sh files first (the original note piped one rm into another, which does nothing useful; pass both paths to a single rm):
rm -f fatrat powerfull.sh
then type on the console:
git pull origin master

Source: https://github.com/Screetsec | Our Post Before

BadIntent – Interception, modify, repeat and attack Android’s Binder transactions.

BadIntent is the missing link between the Burp Suite and Android's core IPC/messaging system. BadIntent consists of two parts, an Xposed-based module running on Android and a Burp plugin. Based on this interplay, it is possible to use Burp's common workflow and all involved tools and extensions, since the intercept and repeater functionality is provided. BadIntent hooks deeply into the Android system, performs various method redirections in Parcels and adds additional services to provide the described features. Most notably, BadIntent works system-wide (experimental) and is not restricted to individual user apps.

Installation:
The most handy approach is to install BadIntent Android from the Xposed Module Repository and BadIntent Burp from the Burp’s BApp Store. Both will be made available/submitted during the Arsenal presentation of BadIntent in Black Hat Las Vegas 2017.

Environment
+ BadIntent has been tested on Genymotion with Xposed v87 on Android Marshmallow (6.0) and Burp Suite 1.7.23 (Free and Pro).
+ There are known limitations in hooking all system apps and all interfaces. With all system apps hooked, the Android system will remain in a boot loop during the boot process and you will not be able to uninstall BadIntent from your Android device. Therefore, it is strongly recommended to use the setup mentioned above (an emulator) if all system apps are hooked.

BadIntent Android

BadIntent ANDROID
– Package Filter
This regular expression filter determines which packages qualify for interception. It is possible to override a disabled "Hook System Apps" setting by specifying a particular system app's package name here.

– Interface Filter
Since (almost) every binder transaction contains an INTERFACE TOKEN in order to validate that the correct interface is used (AIDL implementation), it is possible to filter interfaces, which are interesting for analysis purposes.

– Capture Log
If enabled, logs from all monitored apps are sent via the proxy.

– Hook System Apps
If enabled, all apps including user- and system-apps are monitored. Otherwise, only user-apps are hooked.

– Target IP
Specify the current IP of the device. On first launch the current WiFi-IP is set. Target IP is needed, because Burp (or any other proxy) needs to determine where the transaction details are going to.

– Use System Proxy
Determine if the system proxy or a dedicated HTTP proxy should be used.

– Proxy Host
Self-explanatory.
– Proxy Port
Self-explanatory.

Usage and install:

Make sure Java, Maven and Burp Suite are installed on your system
git clone https://github.com/mateuszk87/BadIntent && cd BadIntent

cd BadIntentBurp
mvn clean package

To build the Android module: cd BadIntentAndroid
./gradlew

Source: https://github.com/mateuszk87

APKiD – Android Applications Identifier for Packer, Protectors, Obfuscator and Oddities.

APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It’s PEiD for Android.
APKiD can be used for:
+ Android Compiler Fingerprinting
Compiler fingerprinting is a technique for identifying the compiler used to create a binary. It works because file formats leave some flexibility, and different compilers usually produce binaries with identical behaviour but subtle differences in structure and organization. We developed a tool which can determine the compiler used to create Dalvik executables and Android binary XML files.

APKiD v1.0.0

+ Detecting Pirated and Malicious Android Apps
Why is this important? Any app which has had malware injected into it, or has been cracked or pirated, will probably have been disassembled and recompiled by dexlib. Also, there are very few reasons why a developer with access to the source code would use dexlib. Therefore, if you know an app has been modified by dexlib, it is probably interesting to you if you are worried about malware or app piracy.
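The two paragraphs above rely on the fact that the DEX format has a fixed header whose fields must agree with the file contents. As an added example, not APKiD's own code (APKiD's compiler and packer fingerprints are YARA rules and are not reproduced here), the following parses a DEX header and reports the kind of "oddities" a repackaged or hand-patched file typically shows: an unknown version string, a wrong header size or endian tag, a file_size that does not match, offsets pointing past the end of the file, and an Adler-32 checksum or SHA-1 signature that no longer matches the bytes they cover. The layout constants come from the public DEX format; the sample file is constructed inline.

```python
"""DEX header parser with self-consistency checks. Added example, not
APKiD's code; APKiD's YARA-based fingerprints are not reproduced.
Header layout and constants are from the public DEX format."""
import hashlib
import struct
import zlib

HEADER_FMT = "<8sI20sIIIIII" + "I" * 14   # 0x70 bytes, little-endian
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
REVERSE_ENDIAN_CONSTANT = 0x78563412
KNOWN_VERSIONS = (b"035", b"037", b"038", b"039")
FIELDS = ("magic", "checksum", "signature", "file_size", "header_size",
          "endian_tag", "link_size", "link_off", "map_off",
          "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
          "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
          "method_ids_size", "method_ids_off", "class_defs_size",
          "class_defs_off", "data_size", "data_off")


def parse_dex_header(data: bytes) -> dict:
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    return dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, data, 0)))


def check_dex(data: bytes) -> list:
    """Return a list of findings; empty means the header is self-consistent.
    The checksum covers everything after itself (offset 12 onward); the
    signature covers everything after itself (offset 32 onward)."""
    h = parse_dex_header(data)
    findings = []
    if h["magic"][:4] != b"dex\n" or h["magic"][7:8] != b"\0":
        findings.append("magic: not a dex file")
    elif h["magic"][4:7] not in KNOWN_VERSIONS:
        findings.append("magic: unknown dex version %r" % h["magic"][4:7])
    if h["header_size"] != HEADER_SIZE:
        findings.append("header_size: 0x%x, expected 0x70" % h["header_size"])
    if h["endian_tag"] not in (ENDIAN_CONSTANT, REVERSE_ENDIAN_CONSTANT):
        findings.append("endian_tag: 0x%08x is invalid" % h["endian_tag"])
    if h["file_size"] != len(data):
        findings.append("file_size: header says %d, file is %d" % (h["file_size"], len(data)))
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != h["checksum"]:
        findings.append("checksum: adler32 mismatch (patched after build?)")
    if hashlib.sha1(data[32:]).digest() != h["signature"]:
        findings.append("signature: sha1 mismatch (patched after build?)")
    for name in FIELDS:
        if name.endswith("_off") and h[name] and h[name] >= len(data):
            findings.append("%s: 0x%x points past end of file" % (name, h[name]))
    return findings


def build_minimal_dex() -> bytes:
    """Constructed sample: a header plus a map_list holding one header item.
    No strings, types or classes, but every header field is consistent."""
    map_list = struct.pack("<I", 1) + struct.pack("<HHII", 0x0000, 0, 1, 0)
    file_size = HEADER_SIZE + len(map_list)
    values = ([b"dex\n035\0", 0, b"\0" * 20, file_size, HEADER_SIZE,
               ENDIAN_CONSTANT, 0, 0, HEADER_SIZE]      # link_*, map_off
              + [0] * 12                                # the six id/def tables
              + [len(map_list), HEADER_SIZE])           # data_size, data_off
    data = bytearray(struct.pack(HEADER_FMT, *values) + map_list)
    # signature first (offset 12, over data[32:]), then checksum over data[12:]
    struct.pack_into("<20s", data, 12, hashlib.sha1(data[32:]).digest())
    struct.pack_into("<I", data, 8, zlib.adler32(data[12:]) & 0xFFFFFFFF)
    return bytes(data)


if __name__ == "__main__":
    good = build_minimal_dex()
    print("clean file:", check_dex(good))
    patched = bytearray(good)
    patched[120] ^= 0xFF            # flip a byte inside the map_list
    print("patched file:", check_dex(bytes(patched)))
```

A real APK analysis would run `check_dex` on each `classes*.dex` extracted from the archive; a checksum or signature mismatch alone is not proof of tampering (some toolchains rewrite a DEX without updating both fields), but it is exactly the kind of structural oddity the text describes as worth a second look.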

Usage and install:

git clone https://github.com/rednaga/yara-python && cd yara-python
python setup.py install

git clone https://github.com/rednaga/APKiD && cd APKiD
python setup.py install

Example:
apkid -j FILE sample.apk

Source: https://github.com/rednaga