Docs how to scan an Android device

[doobry-systemli]

Thanks a lot for your work on analysing FinSpy/FinFisher!

I wondered how to scan an Android device for those spyware apps. Probably you'll have to pull all apks from the device first and run FinSpy-Tools/Android/finspyCfgExtract.py as well as the yara rules against them afterwards, right?

I came up with a small shell script to automate this. Feel free to add it to your repo/readme in case you consider it useful:

#!/bin/sh

if [ ! -d "FinSpy-Tools" ]; then
    echo "Error: run 'git clone https://github.com/devio/FinSpy-Tools.git' first" >&2
    exit 1
fi

if ! adb root; then
    echo "Error: failed to become root on Android device" >&2
    exit 1
fi

apks="$(adb shell 'find / -name *.apk 2>&1|grep -v -e "No such file or directory"')"

mkdir -p apks 
for apk in $apks; do
    dir="$(dirname $apk)"
    mkdir -p "apks/$dir"
    adb pull "$apk" "apks/$dir/"
    python3 FinSpy-Tools/Android/finspyCfgExtract.py "$apk"
    yara FinSpy-Tools/Yara-rules/Android_FinSpy.yar "$apk"
done

[devio]

Hi doobry,
i'll check this during the next days, thanks a lot!

[vollkorn1982]

I tried that script and modified it a bit:

#!/bin/bash

rm -rf apks 2>/dev/null

for prog in adb yara; do
    command -v $prog >/dev/null 2>&1 || { echo >&2 "Error: $prog is required, but not installed."; exit 1; }
done

if [ ! -d "FinSpy-Tools" ]; then
    echo "Error: run 'git clone https://github.com/devio/FinSpy-Tools.git' first" >&2
    exit 1
fi

if ! [[ `adb shell ls /sbin/su 2> /dev/null` ]]; then
    echo "Error: no su binary found in /sbin/su on the connected Android device. This script requires root privileges to run."
    exit 1
fi

apks="$(adb shell 'su -c find / -name *.apk 2>/dev/null')"

mkdir -p apks
for apk in $apks; do
    dir="$(dirname $apk)"
    mkdir -p "apks/$dir"
    adb pull "$apk" "apks/$dir/"
    python3 FinSpy-Tools/Android/finspyCfgExtract.py ./apks"$apk"
    yara FinSpy-Tools/Yara-rules/Android_FinSpy.yar ./apks"$apk"
done

1. Changed "#!/bin/sh" to "#!/bin/bash" to make sure the script is always interpreted by bash and not another shell. Alternatively the script could be checked for POSIX compatibility.

2. Added checks for dependencies adb and yara to be installed.

3. In real world Android phones you won't find a ROM which works with "adb root". That usually only works with the Android emulator without google apps. So I removed that check and instead check for "/sbin/su". But maybe root permissions aren't required at all to find and pull all apks. Should be tested for.

4. Shortened the find call for the apks and made it a bit more reliable.

5. Fixed the paths to the apks for the python script and yara

[dipleins]

Есть маленький вопрос.
Так как новенький пользователь в гите есть такой опрос.
Как пользоваться всем этим?