APK Search

APKSearch is a search engine that stores malicious artifacts from Android applications. It allows its users to search for any kind of meta-data concerning malware characteristics which are indexed in our database.

APKSearch aims to support analysts in their work by enabling a more in-depth analysis of malicious Android applications. For instance, query APKSearch to retrieve artefacts associated with specific application characteristics or behaviours (e.g. permissions, methods, packages, constants, ...).

We use HTTP requests to talk to APKSearch. Some basic notions are therefore required, including HTTP requests, HTTP verbs (GET, POST, ...) and HTTP headers. Furthermore, the examples use the curl command line syntax.

APKSearch is only available to users who have been given an Access key. See the Access page for further information.

The URL for the request: "https://androzoo.uni.lu/apksearch/apkfiles", where /apkfiles is our shared index.

Authentication:

In order to send requests to APKSearch, you must authenticate yourself with your encoded API key. Follow the steps below to encode your API key properly.

The API key is the base64 encoding of your email and your Access key, separated by a colon ":". Generate it as follows; do not forget the colon in between.

  echo -n <email:Access key> | base64
  echo -n example@uni.lu:<sha256> | base64

The generated key can now be used for authentication. We use Basic Auth, so the generated key, ${APIKey}, is sent in the "Authorization: Basic ${APIKey}" header.

A simple example to build a request:

Additionally, the "Content-Type:" header should also be provided whenever a JSON body is sent.

With Curl:

curl -X GET -H "Content-Type:application/json" -H "Authorization:Basic ${APIKey}" \
 "https://androzoo.uni.lu/apksearch/apkfiles/_search?pretty" -d @query.json

The above command, when executed in a console, reads the query from a JSON file and sends it as the request body. The HTTP response is in JSON format; "?pretty" in the URL is only for readability. More information about how to construct a query can be found on the official Elasticsearch documentation page.
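The key-encoding step and the request layout above, as a small Python helper (an added example, not AndroZoo's own code; the email and Access key values in the test are constructed, and the endpoint layout is the one shown on this page):

```python
"""Minimal APKSearch request helpers (added example, not AndroZoo's own client)."""
import base64
import json
import os
import urllib.request
from typing import Optional

BASE_URL = "https://androzoo.uni.lu/apksearch/apkfiles"


def build_api_key(email: str, access_key: str) -> str:
    """Same as `echo -n email:key | base64`: the Basic-auth credential, no newline."""
    if ":" in email:
        raise ValueError("email must not contain ':' (it separates the two fields)")
    raw = f"{email}:{access_key}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def headers_for(api_key: str, json_body: bool = False) -> dict:
    """Headers every APKSearch request needs; Content-Type only when a body is sent."""
    headers = {"Authorization": f"Basic {api_key}"}
    if json_body:
        headers["Content-Type"] = "application/json"
    return headers


def request(path: str, api_key: str, body: Optional[dict] = None,
            method: str = "GET") -> bytes:
    """Send one request; GET with a JSON body mirrors the `curl -d @query.json` usage."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers=headers_for(api_key, json_body=body is not None))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Read the credential from the environment rather than typing it on the command line.
    key = os.environ.get("APKSEARCH_API_KEY") or build_api_key(
        os.environ["APKSEARCH_EMAIL"], os.environ["APKSEARCH_ACCESS_KEY"])
    print(request("/_count", key).decode())
```

Keeping the key in an environment variable (or a file readable only by you) avoids leaving the Basic-auth credential in shell history.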

The complete mapping of the shared index apkfiles can be downloaded here.

Use case: Get the complete mapping of the index apkfiles

The mapping lets us understand how the index apkfiles is structured, in order to build queries for each kind of need.

With Curl:

curl -X GET -H "Authorization:Basic ${APIKey}" \
 "https://androzoo.uni.lu/apksearch/apkfiles/_mapping?pretty"

Use case: A search request searching for malware named "adwo"

This use case retrieves the first 10 documents, including the sha256 of each APK, that correspond to the malware family "adwo". More help about this kind of query can be found here.

  Content of the query.json file.
  {
    "from" : 0, "size" : 10,
    "_source": false,
    "query": { "match": { "labels.family.proposed":"adwo"}}
  }

With Curl:

curl -X GET -H "Content-Type:application/json" -H "Authorization:Basic ${APIKey}" \
 "https://androzoo.uni.lu/apksearch/apkfiles/_search?pretty" -d @query.json

Use case: Get a doc by the sha256 from the previous query using the doc API.

Each document has an id that corresponds to an APK. This id is a sha256 and can be used to retrieve a particular document. Further information about retrieving documents can be found on the dedicated Elasticsearch page, see here.

With Curl:

curl -X GET -H "Authorization:Basic ${APIKey}" \
 "https://androzoo.uni.lu/apksearch/apkfiles/doc/00bd7ada6e270fa463db94da24debf43c953b535aed576072756d85a6bc86c72?pretty"

Use case: Check whether a doc exists. If you are not interested in the content, use the HEAD method.

Check whether a document still exists, or whether a given sha256 corresponds to a document.

With Curl:

curl --head -H "Authorization:Basic ${APIKey}" \
 "https://androzoo.uni.lu/apksearch/apkfiles/doc/00bd7ada6e270fa463db94da24debf43c953b535aed576072756d85a6bc86c72"

Use case: Get multiple documents using sha256.

We can also retrieve multiple documents at once, given their corresponding sha256 values. More information here.

  Content of the query.json file.
  {
      "docs" : [
        {
          "_type" : "doc",
          "_id" : "0064e25fa9f872488fb754b23c03bba3a5a4dd0d30e89dbb123aa2fa45a08748"
        },
        {
          "_type" : "doc",
          "_id" : "007603e1ff7c07e00ee62b0a375d2af119a98cc54a53fb4034a57f9230cd65b7"
        }
      ]
  }

With Curl:

curl -X GET -H "Content-Type:application/json" -H "Authorization:Basic ${APIKey}" \
  "https://androzoo.uni.lu/apksearch/apkfiles/_mget?pretty" -d @query.json

Use case: Sum the size of each stored Android application.

For more details about aggregation queries, click here.

With Curl:

curl -X POST -H "Content-Type:application/json" -H "Authorization:Basic ${APIKey}" \
  "https://androzoo.uni.lu/apksearch/apkfiles/_search" -d '
  {
    "size": 0,
    "aggs" : {
      "myagg" : { "sum" : { "field" : "source.dex.header.file_size" } }
    }
  }'

Use case: Display all unique malware names

Useful to be aware of all the different malware families which are grouped in APKSearch.

  Content of the query.json file.
  {
    "size": 0,
    "aggs" : {
      "myagg" : { "terms" : { "field" : "labels.family.proposed"} }
    }
  }

With Curl:

curl -X POST -H "Content-Type:application/json" -H "Authorization:Basic ${APIKey}" \
 "https://androzoo.uni.lu/apksearch/apkfiles/_search?pretty" -d @query.json

Use case: Count the number of docs in apkfiles

With Curl:

curl -X GET -H "Authorization:Basic ${APIKey}" \
 "https://androzoo.uni.lu/apksearch/apkfiles/_count"

Use case: Find every Android application which has the permission to read the phone state.

Some Android permissions are often misused by malware in order to obtain user data; "read phone state" is one of them. This query matches all documents which declare this particular permission (with "size":1 the example returns only the first hit). For more information about nested and advanced queries, see here.

  Content of the query.json file.
  {
    "size": 1,
    "query": {
      "nested": {
        "path": "source.manifest",
        "query": {
          "bool": {
            "must": [
              {"match": {"source.manifest.tag": "uses-permission"}},
              {"match_phrase": {"source.manifest.attrs.name.keyword": "android.permission.read_phone_state"}}
            ]
          }
        }
      }
    }
  }

With Curl:

curl -X GET -H "Content-Type:application/json" -H "Authorization:Basic ${APIKey}" \
 "https://androzoo.uni.lu/apksearch/apkfiles/_search?pretty" -d @query.json
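The query bodies used in the use cases above (family match, _mget, terms aggregation, nested permission query), together with response parsing and from/size paging so that a family search is not stopped at its first 10 hits. This is an added example, not AndroZoo's code; the field names come from this page, and the fetch function and the sample response in the test are constructed stand-ins for real calls:

```python
"""Query builders and response helpers for the apkfiles index (added example)."""
import re
from typing import Callable, Dict, Iterator, List

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")  # doc ids on this index are lowercase sha256


def family_query(family: str, start: int = 0, size: int = 10) -> dict:
    """Match documents whose proposed family label is `family`; ids only (_source off)."""
    return {"from": start, "size": size, "_source": False,
            "query": {"match": {"labels.family.proposed": family}}}


def permission_query(permission: str, size: int = 1) -> dict:
    """Nested manifest query: a uses-permission tag whose name is `permission`."""
    return {"size": size, "query": {"nested": {"path": "source.manifest", "query": {
        "bool": {"must": [
            {"match": {"source.manifest.tag": "uses-permission"}},
            {"match_phrase": {"source.manifest.attrs.name.keyword": permission}}]}}}}}


def mget_query(sha256s: List[str]) -> dict:
    """Body for _mget; rejects anything that is not a lowercase 64-hex sha256."""
    bad = [s for s in sha256s if not SHA256_RE.match(s)]
    if bad:
        raise ValueError(f"not a sha256: {bad}")
    return {"docs": [{"_type": "doc", "_id": s} for s in sha256s]}


def family_terms_query() -> dict:
    """size 0: we only want the aggregation buckets, not the hits themselves."""
    return {"size": 0, "aggs": {"myagg": {"terms": {"field": "labels.family.proposed"}}}}


def hit_ids(response: dict) -> List[str]:
    """The sha256 of every hit in a _search response."""
    return [h["_id"] for h in response["hits"]["hits"]]


def family_counts(response: dict, agg: str = "myagg") -> Dict[str, int]:
    """Turn a terms-aggregation response into {family: doc_count}."""
    return {b["key"]: b["doc_count"] for b in response["aggregations"][agg]["buckets"]}


def all_family_ids(family: str, fetch: Callable[[dict], dict],
                   page_size: int = 10) -> Iterator[str]:
    """Page through every hit with from/size; `fetch` sends one body and returns the JSON."""
    start = 0
    while True:
        ids = hit_ids(fetch(family_query(family, start, page_size)))
        if not ids:
            return
        yield from ids
        start += len(ids)
```

Elasticsearch caps from/size paging at its result window (10,000 hits by default), so very large families need the search_after or scroll mechanisms described in the Elasticsearch documentation.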

References