
Docs how to scan an Android device

Open doobry-systemli opened this issue 6 years ago • 3 comments

Thanks a lot for your work on analysing FinSpy/FinFisher!

I wondered how to scan an Android device for those spyware apps. Probably you'll have to pull all apks from the device first and run FinSpy-Tools/Android/finspyCfgExtract.py as well as the yara rules against them afterwards, right?

I came up with a small shell script to automate this. Feel free to add it to your repo/readme in case you consider it useful:

#!/bin/sh

if [ ! -d "FinSpy-Tools" ]; then
    echo "Error: run 'git clone https://github.com/devio/FinSpy-Tools.git' first" >&2
    exit 1
fi

if ! adb root; then
    echo "Error: failed to become root on Android device" >&2
    exit 1
fi

apks="$(adb shell 'find / -name *.apk 2>&1|grep -v -e "No such file or directory"')"

mkdir -p apks 
for apk in $apks; do
    dir="$(dirname $apk)"
    mkdir -p "apks/$dir"
    adb pull "$apk" "apks/$dir/"
    python3 FinSpy-Tools/Android/finspyCfgExtract.py "$apk"
    yara FinSpy-Tools/Yara-rules/Android_FinSpy.yar "$apk"
done

doobry-systemli avatar Jan 10 '20 11:01 doobry-systemli

Hi doobry, I'll check this during the next days, thanks a lot!

devio avatar Jan 17 '20 18:01 devio

I tried that script and modified it a bit:

#!/bin/bash

rm -rf apks 2>/dev/null

# Abort early if a required tool is missing.
for prog in adb yara; do
    command -v "$prog" >/dev/null 2>&1 || { echo >&2 "Error: $prog is required, but not installed."; exit 1; }
done

if [ ! -d "FinSpy-Tools" ]; then
    echo "Error: run 'git clone https://github.com/devio/FinSpy-Tools.git' first" >&2
    exit 1
fi

if [[ -z "$(adb shell ls /sbin/su 2>/dev/null)" ]]; then
    echo "Error: no su binary found in /sbin/su on the connected Android device. This script requires root privileges to run." >&2
    exit 1
fi

# Quote the glob so the device shell hands it to find unexpanded, and strip the
# CR that some adb versions append to every output line.
apks="$(adb shell 'su -c "find / -name \"*.apk\"" 2>/dev/null' | tr -d '\r')"

mkdir -p apks
for apk in $apks; do
    dir="$(dirname "$apk")"
    mkdir -p "apks/$dir"
    adb pull "$apk" "apks/$dir/"
    # Scan the pulled copy under ./apks, not the device path.
    python3 FinSpy-Tools/Android/finspyCfgExtract.py "./apks$apk"
    yara FinSpy-Tools/Yara-rules/Android_FinSpy.yar "./apks$apk"
done

1. Changed "#!/bin/sh" to "#!/bin/bash" to make sure the script is always interpreted by bash and not another shell. Alternatively the script could be checked for POSIX compatibility.

2. Added checks for the dependencies adb and yara to be installed.

3. In real-world Android phones you won't find a ROM which works with "adb root". That usually only works with the Android emulator without Google apps. So I removed that check and instead check for "/sbin/su". But maybe root permissions aren't required at all to find and pull all apks. This should be tested.

4. Shortened the find call for the apks and made it a bit more reliable.

5. Fixed the paths to the apks for the python script and yara.

vollkorn1982 avatar Jan 20 '20 13:01 vollkorn1982
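An added example, not code from the thread or the FinSpy-Tools repository, that follows up on point 3 above: the Android package manager lists the path of every installed APK without root, so the device can be enumerated with `pm list packages -f`, the readable APKs pulled, and finspyCfgExtract.py plus the Android yara rule run over the local copies. It assumes adb, yara and python3 on PATH and a FinSpy-Tools clone in the working directory; the sample package-manager output is constructed.

```shell
#!/bin/sh
# Added example, not code from the FinSpy-Tools repo or the thread: list the
# installed APKs through the package manager (no root needed), pull them and
# run finspyCfgExtract.py plus the Android yara rule over the local copies.
# Assumes adb, yara and python3 on PATH and FinSpy-Tools cloned alongside.
# Constructed sample of `pm list packages -f` output (not from a real device).
# Newer Android versions put "==" padding in app directory names, so the
# package name cannot be split off at the first "=".
SAMPLE_PM_OUTPUT='package:/data/app/~~AbC==/com.example.app-XyZ==/base.apk=com.example.app
package:/system/app/Foo/Foo.apk=com.foo'

# stdin: pm output; stdout: one device path per line. Drops the CR that some
# adb versions append and the "=<package name>" suffix after the .apk path.
apk_paths_from_pm() {
    tr -d '\r' | sed -n 's/^package:\(.*\.apk\)=[^=]*$/\1/p'
}

# Mirror a device path below ./apks: /system/app/Foo/Foo.apk -> apks/system/app/Foo/Foo.apk
local_path_for() {
    printf 'apks%s\n' "$1"
}

parse_sample() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | apk_paths_from_pm
}

scan_device() {
    for prog in adb yara python3; do
        command -v "$prog" >/dev/null 2>&1 || { echo "Error: $prog is required" >&2; exit 1; }
    done
    [ -d FinSpy-Tools ] || { echo "Error: clone https://github.com/devio/FinSpy-Tools.git first" >&2; exit 1; }
    rm -rf apks
    adb shell pm list packages -f | apk_paths_from_pm | while IFS= read -r apk; do
        local_apk="$(local_path_for "$apk")"
        mkdir -p "$(dirname "$local_apk")"
        # Some APKs are unreadable for the adb shell user; report and continue.
        if ! adb pull "$apk" "$local_apk" >/dev/null 2>&1; then
            echo "skipped (not readable without root): $apk" >&2
            continue
        fi
        python3 FinSpy-Tools/Android/finspyCfgExtract.py "$local_apk"
        yara FinSpy-Tools/Yara-rules/Android_FinSpy.yar "$local_apk"
    done
}

# Usage: sh scan_apks.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_device
fi
```

APKs the script reports as skipped are the ones that still need the su-based approach from the thread.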