APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It's PEiD for Android.
For more information on what this tool can be used for, check out:
Installing
The yara-python clone and compile steps here are temporarily necessary because we must point directly to our modified version of a Yara branch which includes our DEX Yara module. This step is nessecary until (if?) the original maintainers of Yara merge our module into the master branch. When this happens, we will undate the instructions here. After the yara-python fork is compiled, you can use
pip
to the most currently published APKiD
package.git clone https://github.com/rednaga/yara-python
cd yara-python
python setup.py install
pip install apkid
Usage
usage: apkid [-h] [-j] [-t TIMEOUT] [-o DIR] [FILE [FILE ...]]
APKiD - Android Application Identifier v1.0.0
positional arguments:
FILE apk, dex, or directory
optional arguments:
-h, --help show this help message and exit
-j, --json output results in JSON format
-t TIMEOUT, --timeout TIMEOUT
Yara scan timeout (in seconds)
-o DIR, --output-dir DIR
write individual JSON results to this directory
Submitting New Packers / Compilers / Obfuscators
If you come across an APK or DEX which APKiD does not recognize, please open a GitHub issue and tell us:
- what you think it is
- the file hash (either MD5, SHA1, SHA256)
You're also welcome to submit pull requests. Just be sure to include a file hash so we can check the rule.
Hacking
First you will need to install the specific version of yara-python the project depends on (more information about this in the Installing section):
git clone https://github.com/rednaga/yara-python
cd yara-python
python setup.py install
git clone https://github.com/rednaga/APKiD
cd APKiD
./prep-release.py
pip install -e .[dev]
--user
flag. This is likely needed if you are working on OSX:pip install -e .[dev] --user