🫙 kavanoz 🫙

Statically unpacking common Android banker malware. Ever wanted to get the payload from packed malware without running an Android emulator? Me neither.

:eyes: Installation

pip install kavanoz

To install from source, clone the repository and do an editable install with -e, which means that if you edit or add new plugins to the project they will be used without reinstalling.

git clone https://github.com/eybisi/kavanoz.git
cd kavanoz
pip install -e .

:zap: Usage

From the command line

kavanoz /tmp/filepath

You can use the -vvv parameter to print verbose logs (useful for debugging plugins).

As a Python library

from kavanoz.core import Kavanoz
from kavanoz import utils

utils.set_log("DEBUG")
k = Kavanoz(apk_path="tests/test_apk/coper.apk")
for plugin_result in k.get_plugin_results():
    if plugin_result["status"] == "success":
        print("Unpacked")
        print(plugin_result)
        break

:snake: Scripts

:gear: Development

Make sure to install kavanoz as editable (with -e). To add a new plugin, just create a new file in the loader folder. Extend the Unpacker class from the unpack_plugin.py file and define a start_decrypt function with your implementation.

def start_decrypt(self, apk_object: APK, dexes: "list[DEX]"):

Add the following function to make an early exit from the plugin (return a falsy value when the sample does not look like the packer this plugin handles, so start_decrypt is skipped).

def lazy_check(self, apk_object: APK, dexes: "list[DEX]"):

If extraction is successful, assign the extracted file path to self.decrypted_payload_path. You can use the helper functions from the Unpacker class:

:book: Tips

Thanks:

apkdetect.com for unique samples to work with.