🔍 A professional, end-to-end toolkit to automate APK extraction, static & dynamic analysis, and store forensic data in MySQL. Perfect for security researchers and devs who mean business.
## Table of Contents

- Features
- Architecture
- Prerequisites
- Installation
- Directory Layout
- Usage
- Database Schema
- Troubleshooting
- Contributing
- License & Contact
## Features

- **Automated APK Extraction** from rooted devices
- **Static Analysis**: parse `AndroidManifest.xml`, permissions, signatures
- **Dynamic Analysis**:
  - Logcat capture & parsing
  - Syscall tracing with `strace`
  - Network traffic via `tcpdump` + `tshark`
  - System metrics: CPU, memory, battery
- **Event Detection**: flag suspicious syscalls, file access, network anomalies
- **MySQL Integration**: predefined schema for comprehensive data storage
- **FastAPI backend**: trigger scans and fetch results via REST APIs
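The event-detection feature works on raw collector output such as `strace` lines. As an added example (not code from this project), the following Python turns `strace -f` output into `events`-style rows with a severity. The detection rules, the field names, the package name and the sample trace are assumptions chosen for illustration, not the toolkit's own logic:

```python
"""Added example, not part of the toolkit: turn `strace -f` output captured
from an app's process into event rows of the kind the toolkit's `events`
table stores (syscall & file-access anomalies with a severity).
The rules, field names and the sample trace are assumptions for illustration."""
import re
from collections import Counter
from dataclasses import dataclass, asdict

# Constructed sample trace (not from a real device); pid-prefixed as `strace -f` prints.
SAMPLE_STRACE = """\
12345 openat(AT_FDCWD, "/data/data/com.example.app/files/cfg", O_RDONLY) = 3
12345 read(3, "k=v\\n", 4096) = 4
12345 openat(AT_FDCWD, "/data/data/com.example.app/files/libpayload.so", O_RDONLY) = 4
12346 execve("/system/bin/sh", ["sh", "-c", "id"], 0x7f00) = 0
12346 openat(AT_FDCWD, "/proc/self/maps", O_RDONLY) = 5
12345 connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.5")}, 16) = 0
12345 openat(AT_FDCWD, "/data/data/com.other.app/shared_prefs/creds.xml", O_RDONLY) = -1 EACCES (Permission denied)
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\w+)")
STRING_RE = re.compile(r'"([^"]*)"')
ADDR_RE = re.compile(r'inet_addr\("([^"]+)"\)')
PORT_RE = re.compile(r"htons\((\d+)\)")

# Assumed rules: syscalls that always produce an event, with severity and reason.
SYSCALL_RULES = {
    "execve": ("High", "spawns a new process"),
    "ptrace": ("High", "debugger/anti-analysis activity"),
    "connect": ("Medium", "outbound network connection"),
}


@dataclass
class Event:
    pid: int
    syscall: str
    target: str      # path or ip:port the call touched
    severity: str    # 'Low' | 'Medium' | 'High'
    reason: str
    succeeded: bool  # failed attempts are kept: a denied read is still a signal


def classify_file_access(path: str, package: str):
    """Assumed file-access rules, judged relative to the app's own sandbox."""
    own = f"/data/data/{package}/"
    if path.startswith("/data/data/") and not path.startswith(own):
        return "High", "reads another app's private data"
    if path.startswith("/proc/"):
        return "Medium", "process introspection via /proc"
    if path.startswith(own) and path.endswith(".so"):
        return "Medium", "native library loaded from writable app storage"
    return None


def parse_strace(text: str, package: str) -> list:
    """Parse strace lines and return the ones that trip a rule as Event objects."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip '<unfinished ...>', '+++ exited with' and similar lines
            continue
        name, args, ret = m["name"], m["args"], m["ret"]
        strings = STRING_RE.findall(args)
        path = strings[0] if strings else ""
        verdict, target = None, path
        if name in SYSCALL_RULES:
            verdict = SYSCALL_RULES[name]
            if name == "connect":
                addr, port = ADDR_RE.search(args), PORT_RE.search(args)
                if addr and port:
                    target = f"{addr.group(1)}:{port.group(1)}"
        elif name in ("open", "openat"):
            verdict = classify_file_access(path, package)
        if verdict:
            events.append(Event(int(m["pid"]), name, target, verdict[0], verdict[1],
                                succeeded=not ret.startswith("-")))
    return events


def summarize(events) -> dict:
    """Count events per severity, mirroring the `severity = 'High'` query in Usage."""
    return dict(Counter(e.severity for e in events))


if __name__ == "__main__":
    evs = parse_strace(SAMPLE_STRACE, "com.example.app")
    for e in evs:
        print(asdict(e))
    print(summarize(evs))
```

Failed calls are deliberately kept: the `EACCES` read of another app's `shared_prefs` never succeeded, but the attempt is exactly the kind of cross-app access the `events` table exists to record.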
## Architecture

```
+----------------+     +----------------+     +-------------+
| Rooted Device  | --> |   Controller   | --> |  MySQL DB   |
| (Android ADB)  |     | (Python + ADB) |     |  (Schema)   |
+----------------+     +----------------+     +-------------+
        |                      |
        v                      v
   APK Puller          Collectors (Logcat,
                       Strace, Tcpdump,
                       Metrics, FileOps)
```

- Controller orchestrates all modules
- Collectors run in parallel/sequence for each app
- Database stores raw & processed data for querying
## Prerequisites

- Rooted Android device or emulator
- ADB, `strace`, `tcpdump` binaries on device
- Python 3.8+ environment
- MySQL 5.7+
- Wireshark CLI (`tshark`) for HTTP parsing
## Installation

```bash
# Clone & enter directory
git clone https://github.com/yourorg/Android-Malware-Analysis.git
cd Android-Malware-Analysis

# Setup Python environment
python3 -m venv .venv
source .venv/bin/activate   # Windows: .venv\Scripts\activate

# Install Python dependencies
pip install -r requirements.txt

# Ensure device tools
adb devices   # should list your device
adb root      # switch to root

# Push binaries if missing
adb push tcpdump /data/local/tmp/ && adb shell chmod +x /data/local/tmp/tcpdump
adb push strace /data/local/tmp/ && adb shell chmod +x /data/local/tmp/strace
```
## Directory Layout

```
project_root/
├── app/
│   ├── main.py                 # FastAPI server entrypoint
│   ├── analyzer.py             # Core orchestration
│   ├── db.py                   # MySQL helpers
│   ├── adb_handler.py
│   ├── controller.py
│   └── modules/
│       ├── apk_extractor.py    # APK & metadata parser
│       ├── apk_scanner.py
│       ├── db_utils.py
│       ├── log_collector.py
│       ├── strace_collector.py
│       ├── tcpdump_collector.py
│       └── system_metric.py
├── extracted_apks/             # Pulled APK files
├── pcaps/                      # Traces, pcaps, system logs
├── requirements.txt
└── run_server.sh               # Start FastAPI server
```
## Usage

Start the API server:

```bash
./run_server.sh
# → uvicorn app.main:app --reload
```

Trigger a scan:

```
POST http://127.0.0.1:8000/scan
```

- Response:

```json
{ "status": "Scan complete", "details": {...} }
```

Query the results:

```sql
SELECT * FROM apps;
SELECT * FROM events WHERE severity = 'High';
SELECT * FROM network_traffic WHERE response_code <> 200;
```
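The `network_traffic` query only pays off once the collector has turned the capture into rows. The following is an added example, not the project's `tcpdump_collector.py`, that parses `tshark -T fields` output into rows and attaches the anomalies a filter such as `response_code <> 200` would surface. The `tshark` fields named in the docstring exist, but the field selection, column names and sample lines are assumptions:

```python
"""Added example, not the toolkit's own collector: build `network_traffic`-style
rows from `tshark -T fields` output and flag anomalies.  Assumed capture command
(the fields are real tshark field names, the selection is this example's choice):

  tshark -r app.pcap -Y http -T fields -E separator=/t \
      -e frame.time_epoch -e ip.src -e ip.dst -e http.request.method \
      -e http.request.full_uri -e http.response.code

The sample lines below are constructed, not taken from a real capture."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

FIELDS = ["time", "src", "dst", "method", "uri", "response_code"]

# Constructed sample: request frames carry method+URI, response frames carry a code.
SAMPLE_TSHARK = "\n".join([
    "1700000000.1\t10.0.2.15\t203.0.113.10\tPOST\thttp://203.0.113.10/upload\t",
    "1700000000.3\t203.0.113.10\t10.0.2.15\t\t\t200",
    "1700000001.0\t10.0.2.15\t198.51.100.7\tGET\thttp://cdn.example.test/ads.js\t",
    "1700000001.2\t198.51.100.7\t10.0.2.15\t\t\t302",
    "1700000002.0\t10.0.2.15\t192.0.2.44\tGET\thttp://192.0.2.44/poll\t",
    "1700000002.4\t192.0.2.44\t10.0.2.15\t\t\t404",
])


@dataclass
class TrafficRow:
    time: float
    src: str
    dst: str
    method: str                  # '' on response frames
    uri: str                     # '' on response frames
    response_code: Optional[int]  # None on request frames
    anomalies: List[str] = field(default_factory=list)


def detect(row: TrafficRow) -> List[str]:
    """Assumed anomaly rules; each returned string is a reason a reviewer should look."""
    found = []
    if row.response_code is not None and row.response_code != 200:
        found.append(f"non-200 response ({row.response_code})")
    if row.uri:
        u = urlsplit(row.uri)
        if u.scheme == "http":
            found.append("cleartext HTTP request")
        try:
            ipaddress.ip_address(u.hostname)  # raises ValueError for a DNS name (or None)
            found.append("request addressed to a bare IP")
        except ValueError:
            pass
    return found


def parse_tshark_fields(text: str) -> List[TrafficRow]:
    """Turn tab-separated `tshark -T fields` lines into rows with anomalies attached."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # tolerate dropped trailing empties
        rec = dict(zip(FIELDS, parts))
        row = TrafficRow(
            time=float(rec["time"]),
            src=rec["src"],
            dst=rec["dst"],
            method=rec["method"],
            uri=rec["uri"],
            response_code=int(rec["response_code"]) if rec["response_code"] else None,
        )
        row.anomalies = detect(row)
        rows.append(row)
    return rows


def anomalous(rows: List[TrafficRow]) -> List[TrafficRow]:
    """Rows worth storing with a flag, the in-memory twin of the SQL filters above."""
    return [r for r in rows if r.anomalies]


if __name__ == "__main__":
    for r in anomalous(parse_tshark_fields(SAMPLE_TSHARK)):
        print(r.time, r.src, "->", r.dst, r.method or r.response_code, r.anomalies)
```

Because `-Y http` only keeps dissected HTTP, every request here is cleartext by construction; the bare-IP rule is the one that separates the two direct-to-address requests from the CDN fetch.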
## Database Schema

- `apps`: APK metadata & permissions (JSON)
- `logs`: Logcat entries per app
- `events`: Syscall & file-access anomalies
- `network_traffic`: IPs, URLs, HTTP methods & codes
- `system_metrics`: CPU, memory, battery usage
- `syscalls`: Raw syscall traces
- `files_accessed`: File operation logs

(See `mysql_schema.sql` for full definitions.)
## Troubleshooting

- **ADB unauthorized**: `adb kill-server` → reconnect → authorize the host on the device
- **Missing binaries**: push `tcpdump`/`strace` via ADB, then set `chmod +x`
- **MySQL errors**: validate `.env` credentials, ensure the DB & tables exist
- **tshark errors**: install the Wireshark CLI (`sudo apt install tshark`)
## Contributing

- Fork & branch: `git checkout -b feature/awesome`
- Commit: `git commit -m "feat: add new collector"`
- PR: open a pull request, reference issues
## License & Contact

- Licensed under the MIT License
- Maintained by Ashwin
- Questions? Reach out: ashwin.vp.2005@gmail.com

Designed with ❤️ & ☕ for serious Android forensics.