MobileHunter analysis using glorifiedgrep

glorifiedgrep is a Python library that leverages jadx and ripgrep to analyze decompiled code. It is currently written for Python 3.7, with support for other Python versions planned. It is still in development and the API may change.

The GlorifiedAndroid class in glorifiedgrep offers more than 200 methods for Android analysis, but only a few are shown here. Refer to the full documentation for the complete list.

Also keep in mind that glorifiedgrep is not a vulnerability detection module. It helps to quickly pinpoint areas of interest that should be investigated further.

Analysis

To use glorifiedgrep, we first need to instantiate the GlorifiedAndroid class.

Get the hash of the application

We can obtain the hash of the application using:

Dangerous permissions

We can obtain a list of the dangerous permissions that are being used by the app using:

File types

Researchers have indicated that this APK is bundled with a few executables. Let's use glorifiedgrep to get all the different file types that are bundled with this app.

Using one simple method, we can see the various binaries that are included in the app along with the blacklisted apps file.
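The three checks above (hash, dangerous permissions, bundled file types) rely on nothing more than hashing the APK bytes, parsing AndroidManifest.xml and inspecting leading magic bytes. The following is an added example that implements them in plain Python; it is not glorifiedgrep's own code or API. The manifest, the file contents and the package name are constructed sample data, and the permission list is a subset of the permissions Android classifies as dangerous.

```python
import hashlib
import xml.etree.ElementTree as ET

# Subset of Android permissions at protection level "dangerous" (runtime
# permissions). The platform documentation has the full list.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALENDAR",
    "android.permission.WRITE_CALENDAR",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Magic-byte prefixes for file types commonly found inside an APK payload.
MAGIC = [
    (b"\x7fELF", "ELF executable/shared object"),
    (b"dex\n", "Dalvik DEX"),
    (b"PK\x03\x04", "ZIP archive (APK/JAR)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"#!", "script with shebang"),
]

# Constructed sample manifest (not from any real application).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

# Constructed sample payload: path inside the APK -> first bytes of the file.
SAMPLE_FILES = {
    "lib/armeabi/busybox": b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
    "classes.dex": b"dex\n035\x00" + b"\x00" * 8,
    "assets/blacklist.txt": b"com.example.av\ncom.example.scanner\n",
}


def apk_sha256(data: bytes) -> str:
    """SHA-256 of the raw APK bytes, the usual identifier for sample lookups."""
    return hashlib.sha256(data).hexdigest()


def dangerous_permissions(manifest_xml: str) -> list:
    """Return the requested permissions that fall in the dangerous set, sorted."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.attrib.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.iter("uses-permission")
    }
    return sorted(requested & DANGEROUS_PERMISSIONS)


def identify_file_type(data: bytes) -> str:
    """Classify a bundled file by its leading magic bytes."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "unknown"


def file_types(files: dict) -> dict:
    """Map every bundled path to its identified type."""
    return {path: identify_file_type(data) for path, data in files.items()}


if __name__ == "__main__":
    print("sha256 of sample bytes:", apk_sha256(b"constructed apk bytes"))
    print("dangerous permissions:", dangerous_permissions(SAMPLE_MANIFEST))
    for path, kind in file_types(SAMPLE_FILES).items():
        print(f"{path}: {kind}")
```

On a real APK, `apk_sha256` would be fed the whole file and `SAMPLE_FILES` would be replaced by the entries of the zip archive; the text blacklist shows up as "unknown", which is exactly the kind of non-code asset worth opening by hand.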

Executing shell commands

Instead of using JNI, the application directly executes some of the prepackaged binaries in the shell. We can see instances of shell execution using:

Reading sensitive information

Researchers have also indicated that the application will read various kinds of sensitive user information, including SMS, calendar entries and call logs. Usually, this information is obtained through content resolvers. glorifiedgrep offers a handy method to obtain the URIs of the various content resolvers. Using a little list comprehension, let's gather all the content resolvers this application touches. We will also restrict our analysis to app code only.

Application queries for installed packages

The native PackageManager class and its method getInstalledPackages from the Android SDK can be used by an app to enumerate the applications installed on a device. We can see that using:

Application makes POST requests

Researchers have indicated that this application will POST all the enumerated data. We can see the POST requests in:

Hardcoded IP address

We know that the application will try to send the data to a local IP address in the 192 range. We can see those in:

Environment variables

We can also see that the application tries to access external storage to save its data. We can check this by looking at which environment variables it is trying to access:
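The code-level checks in the sections above (shell execution, content resolver URIs, package enumeration, POST requests, hardcoded private IP addresses and environment/storage access) all boil down to running a handful of regular expressions over jadx output and, optionally, restricting the hits to the app's own package. The following is an added example that shows that scan in plain Python; it is not glorifiedgrep's code, and the decompiled Java snippets, file paths and package name are constructed for the example. The IP check generalizes the write-up's "192" case to all three RFC 1918 private ranges.

```python
import re
from collections import defaultdict

# One regex per indicator category; the categories follow the sections of the
# write-up. These are the kinds of strings a grep over jadx output surfaces.
INDICATORS = {
    "shell_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\(|new ProcessBuilder\("),
    "content_resolver": re.compile(r"content://[\w./-]+"),
    "package_enum": re.compile(r"\.getInstalledPackages\(|\.getInstalledApplications\("),
    "http_post": re.compile(r'setRequestMethod\(\s*"POST"\s*\)'),
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
    "hardcoded_private_ip": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
    ),
    "environment": re.compile(
        r"Environment\.getExternalStorageDirectory\(|System\.getenv\("
    ),
}

# Constructed decompiled sources: path under the jadx output dir -> Java text.
SAMPLE_SOURCES = {
    "sources/com/example/hunter/Collector.java": """\
package com.example.hunter;
public class Collector {
    Cursor sms = resolver.query(Uri.parse("content://sms/inbox"), null, null, null, null);
    Cursor cal = resolver.query(Uri.parse("content://com.android.calendar/events"), null, null, null, null);
    Cursor calls = resolver.query(Uri.parse("content://call_log/calls"), null, null, null, null);
    List<PackageInfo> pkgs = getPackageManager().getInstalledPackages(0);
    Process p = Runtime.getRuntime().exec(getFilesDir() + "/busybox ls");
    File out = new File(Environment.getExternalStorageDirectory(), "dump.json");
}
""",
    "sources/com/example/hunter/Uploader.java": """\
package com.example.hunter;
public class Uploader {
    String server = "http://192.168.1.20:8080/upload";
    conn.setRequestMethod("POST");
}
""",
    # Bundled third-party library: excluded when scanning app code only.
    "sources/okhttp3/RealCall.java": """\
package okhttp3;
public class RealCall { String ip = "10.0.0.1"; }
""",
}


def scan_source(sources: dict, app_package=None) -> dict:
    """Return {category: [(path, line_no, stripped line)]} for every hit.

    If app_package is given, only files under that package path are scanned,
    mirroring the "app code only" filter used to leave out bundled libraries.
    """
    hits = defaultdict(list)
    pkg_prefix = app_package.replace(".", "/") + "/" if app_package else ""
    for path, text in sources.items():
        if pkg_prefix and pkg_prefix not in path:
            continue
        for line_no, line in enumerate(text.splitlines(), 1):
            for category, pattern in INDICATORS.items():
                if pattern.search(line):
                    hits[category].append((path, line_no, line.strip()))
    return dict(hits)


def content_uris(sources: dict, app_package=None) -> list:
    """The distinct content:// URIs referenced, sorted (the list-comprehension step)."""
    resolver_hits = scan_source(sources, app_package).get("content_resolver", [])
    return sorted({
        INDICATORS["content_resolver"].search(line).group(0)
        for _, _, line in resolver_hits
    })


if __name__ == "__main__":
    for category, found in scan_source(SAMPLE_SOURCES, "com.example.hunter").items():
        print(f"[{category}]")
        for path, line_no, line in found:
            print(f"  {path}:{line_no}: {line}")
    print("content URIs:", content_uris(SAMPLE_SOURCES, "com.example.hunter"))
```

Each hit is a pointer into the decompiled source rather than a verdict: the Collector/Uploader pairing is what ties the resolver reads, the package enumeration and the POST to a private address together into the data-exfiltration picture the researchers describe, and that linking is still done by reading the code.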

Conclusion

As we can see, we can perform a variety of Android application analyses with glorifiedgrep really quickly.
