/AMDH

Android Mobile Device Hardening

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

AMDH

Android Mobile Device Hardening written with python3.

Android version, PObY-A (Privacy Owned by You - Android), with malware and settings scans is available on the Play Store and the source code can be found HERE

Motivations

AMDH was created to help automate scanning installed applications on Android devices, detect some known malware and also to protect privacy.

Features

  • Check and harden system's settings based on some CIS (Center of Internet Security) benchmark checks for Android devices and Android master's branch settings documentation (Global settings and Secure settings)
  • List current users processes and kill selected ones
  • Analyze current installed applications on the device:
    • list dangerous permissions
      and revokes them
    • compare with permissions used by malware
    • generate report in JSON format
  • List applications:
    • uninstall/disable App
    • revoke admins receivers
  • Dumps APKs of installed applications
  • Check if the system has pending updates
  • Extract packed APKs if exists
  • Static analysis for malware detection. Current detected malware:
    • ActionSpy
    • WolfRat
    • Anubis
  • Snapshot the current phone state to a JSON file:
    • Applications:
      • APK
      • first install time
      • last update time
      • current permissions
      • is the app device admin
    • SMS: current SMS messages
    • Contacts: current list of contacts
    • Backup applications that has backup enabled
  • Snapshots comparison with the current phone state
    • Applications
    • Settings
  • Restore Snapshot
    • Applications
    • Contacts
  • Manage multiple device at once (snapshot comparison and restore are not supported yet)
    • For each device a new thread is created
  • HTML report

Requirement

  • Python3
  • Android Debug Bridge (ADB) installed
  • androguard
  • pwntools

Installation

$ git clone https://github.com/SecTheTech/AMDH.git; cd AMDH
$ python3 -m venv amdh
$ source amdh/bin/activate
(amdh) $ pip install -r requirement.txt

Usage

Note: For Windows you have to specify the ADB path or edit the variable "adb_windows_path" in "config/main.py".

Warning: when using -l argument with enabled application '-t e', system apps will be listed. Uninstalling system Apps can break your Android system. The use of 'disable' instead of 'uninstall' is recommended for system Apps.

$ python amdh.py -h
usage: amdh.py [-h] [-d DEVICES] [-sS] [-sA] [-H] [-a ADB_PATH] [-t {e,d,3,s}] [-D APKS_DUMP_FOLDER] 
          [-rar] [-R] [-l] [-P] [-S SNAPSHOT_DIR] [-cS SNAPSHOT_REPORT] [-rS SNAPSHOT_TO_RESTORE] [-o OUTPUT_DIR]

Android Mobile Device Hardening

optional arguments:
  -h, --help            show this help message and exit
  -d DEVICES, --devices DEVICES
                        list of devices separated by comma or "ALL" for all connected devices
  -sS                   Scan the system settings
  -sA                   Scan the installed applications
  -H                    Harden system settings /!\ Developer Options and ADB will be disabled /!\ 
  -a ADB_PATH, --adb-path ADB_PATH
                        Path to ADB binary
  -t {e,d,3,s}          Type of applications:
                                e: enabled Apps
                                d: disabled Apps
                                3: Third party Apps
                                s: System Apps
  -D APKS_DUMP_FOLDER, --dump-apks APKS_DUMP_FOLDER
                        Dump APKs from device to APKS_DUMP_FOLDER directory
  -rar                  Remove admin receivers: Remove all admin receivers if the app is not a system App
                        Scan application option "-sA" is required
  -R                    For each app revoke all dangerous permissions
                        Scan application option "-sA" is required
  -l                    List numbered applications to disable, uninstall or analyze
  -P                    List current users processes
  -S SNAPSHOT_DIR, --snapshot SNAPSHOT_DIR
                        Snapshot the current state of the phone to a json file and backup applications into SNAPSHOT_DIR
  -cS SNAPSHOT_REPORT, --cmp-snapshot SNAPSHOT_REPORT
                        Compare SNAPSHOT_REPORT with the current phone state
  -rS SNAPSHOT_TO_RESTORE, --restore-snapshot SNAPSHOT_TO_RESTORE
                        Restore SNAPSHOT_TO_RESTORE
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Output directory for reports and logs. Default: out

Documentation & Help

Tests & CIS version

  • Tested on Android 7.1.1, 8, 9 and 10
  • CIS version: 1.3.0

Malware detection

Compare the granted permissions with the permissions described in the file malware_perms.json. The file contains three nodes:

  • malware_only: permissions used by malware only
  • all: permissions used by malware and legitimate apps
  • combinations: permissions combinations used mostly by malware

malware only permissions

malware only permissions are those used only by malware. The malware analyzed are the ones from the repositories:

The command "aapt" was used to dump the permissions. The second part was to dump permissions of legitimate Apps (around 400 Apps). malware only permissions are the permissions that are used by malware and never appear in legitimate applications analyzed.

All permissions

All permissions are used by both malware and legitimate applications. The values are percentage of how much malware used these permissions comparing to legitimate Apps.

Static Analysis

  • Find, dump and list dangerous permissions of packed APKs using androguard
  • Dump libraries and scan for known malware native functions using pwntools

Snapshot

Snapshot can help to monitor the system state and backup the phone data:

  • applications and their permissions
  • system settings
  • Contacts
  • SMS

Known Issues

  • The command "pm revoke" return exit success code but does not revoke permissions for some malware.
  • Backup SMS may fail on some devices as the ADB shell does not have permission to access SMS database. In case is encountered, please create an issue.

Examples

Scan

  • Scan applications
(amdh)$ python amdh.py -d SERIAL1,SERIAL2,SERIAL3 -sA -o reports

Two files are generated for each device in the folder "reports":

  • SERIAL.log
  • SERIAL_report_apps.json: JSON file that contains for each app its granted permissions, and those that are considered as dangerous. Each entry is as follows:
{
    "com.package.name": {
        "malware": true,
        "permissions": {
            "all_permissions": [
                "com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE",
                "com.google.android.c2dm.permission.RECEIVE",
                "com.google.android.providers.gsf.permission.READ_GSERVICES",
                "android.permission.WRITE_SYNC_SETTINGS",
                "android.permission.RECEIVE_BOOT_COMPLETED",
                "android.permission.AUTHENTICATE_ACCOUNTS"
            ],
            "dangerous_perms": {
                "android.permission.ACCESS_FINE_LOCATION": "This app can get your location based on GPS or network location sources such as cell towers and Wi-Fi networks. These location services must be turned on and available on your phone for the app to be able to use them. This may increase battery consumption.",
                "android.permission.READ_EXTERNAL_STORAGE": "Allows the app to read the contents of your SD card.",
                "android.permission.ACCESS_COARSE_LOCATION": "This app can get your location based on network sources such as cell towers and Wi-Fi networks. These location services must be turned on and available on your phone for the app to be able to use them.",
                "android.permission.CAMERA": "This app can take pictures and record videos using the camera at any time.",
                "android.permission.WRITE_EXTERNAL_STORAGE": "Allows the app to write to the SD card."
            },
            "is_device_admin": false,
        }
    }
}
  • Scan settings
(amdh)$ python amdh.py -sS

A report is generated with the name "SERIAL_report_settings.json" in the folder "out" (default output folder).

Harden

  • applications hardening
(amdh)$ python amdh.py -sA -R -rar

Same report as scan Apps with addition of these two keys:

   "is_device_admin_revoked": true,
   "revoked_dangerous_pemissions": "succeeded"

The key is_device_admin_revoked will not be in the result if the app is not device admin

  • settings hardening
(amdh)$ python amdh.py -sS -H -o reports

A report and log file are generated in "reports" directory.

Static Analysis and multiple Apps uninstall/disable (interactive)

(amdh)$ python amdh.py -l

List current running user processes

(amdh)$ python amdh.py -P -d SERIAL1,SERIAL2 

Snapshot

(amdh)$ python amdh.py -S out
[-] INFO: Start ...
Unlock device SERIAL and press ENTER key to continue
[-] INFO: Finished

The folder "out" will contains a subfolder "SERIAL_DATE-TIME". Where DATE-TIME is in the format "YYYY-MM-DD-hh:mm:ss".

Snapshot Comparison

(amdh)$ python amdh.py -cS out/report.json
[-] INFO: Start ...

[-] INFO: Installed Apps after snapshot was taken
{}
[-] INFO: Apps exists in snapshot
{
    "com.package.name1": {
        "firstInstallTime": "2020-07-06 18:53:07",
        "lastUpdateTime": "2020-07-06 18:53:07",
        "grantedPermissions": [
            "com.google.android.c2dm.permission.RECEIVE",
            "android.permission.USE_CREDENTIALS",
            "android.permission.MODIFY_AUDIO_SETTINGS",
            "com.google.android.providers.gsf.permission.READ_GSERVICES",
            "android.permission.MANAGE_ACCOUNTS",
            "android.permission.NFC"
        ],
        "deviceAdmin": false,
        "apk": "com.package.name1.apk"
    },
    "com.package.name2": {
        "firstInstallTime": "2020-07-10 23:57:53",
        "lastUpdateTime": "2020-07-10 23:57:53",
        "grantedPermissions": [
            "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",
            "com.google.android.c2dm.permission.RECEIVE",
            "android.permission.USE_CREDENTIALS",
            "android.permission.MODIFY_AUDIO_SETTINGS",
            "org.thoughtcrime.securesms.ACCESS_SECRETS",
            "android.permission.ACCESS_NOTIFICATION_POLICY",
            "android.permission.CHANGE_NETWORK_STATE",
            "android.permission.FOREGROUND_SERVICE",
            "android.permission.WRITE_SYNC_SETTINGS"
        ],
        "deviceAdmin": false,
        "backup": "com.package.name2.ab",
        "apk": "com.package.name2.apk"
    }
}
[-] INFO: Uninstalled after snapshot was taken
{
    "com.package.name3": {
        "firstInstallTime": "2020-07-18 07:56:44",
        "lastUpdateTime": "2020-07-18 07:56:44",
        "grantedPermissions": [
            "android.permission.INTERNET",
            "android.permission.ACCESS_NETWORK_STATE"
        ],
        "deviceAdmin": false,
        "backup": "com.package.name3.ab",
        "apk": "com.package.name3.apk"
    }
}
[-] INFO: Changed settings after snapshot was taken
{
    "global": [
        "stay_on_while_plugged_in"
    ],
    "secure": [],
    "system": []
}

Snapshot Restore : Apps

(amdh)$ python amdh.py -d SERIAL -rS out/report.json
[-] INFO: Start ...
Unlock device SERIAL and press ENTER key to continue
[-] INFO: Starting restore
[-] INFO: Restore finished
[-] INFO: Restore report
{
    "apps": {
        {
            "com.package.name1": {
                "install": "success",
                "backup": "restored"
            },
            "com.package.name2": {
                "install": "success",
                "backup": "NOT FOUND"
            },
            "com.package.name3": {
                "install": "success",
                "backup": "restored"
            }
        }
    }
}

Building the binary

(amdh) $ pip install pyinstaller 
(amdh) $ pyinstaller --clean amdh.spec

Output binary: dist/amdh.

Participation and Ideas

Thank you for the interesting of this project! If you have any ideas on how to improve this tool, please create new issue or send a pull request.