
[Analyzer] MobSF_Service #2496

Open
mlodic opened this issue Aug 29, 2024 · 3 comments
Comments

@mlodic (Member) commented Aug 29, 2024

Name

MobSF_Service

Link

https://github.com/MobSF/mobsfscan

Type of analyzer

File analysis for APKs.

Why should we use it

We already have a MobSF analyzer for static analysis only of the source code elements of an APK.
We want to add support for the MobSF APIs, for those who have the engine available as a service and want to launch a static or dynamic analysis programmatically at scale.

Optional: it could make sense to add a MobSF framework as an optional Docker container and let it be used by IntelOwl.

Possible implementation

API docs can be found in the GUI of the project once you install it: http://localhost:8000/api_docs

@spoiicy commented Nov 11, 2024

Hi @mlodic can I take this up?

@spoiicy commented Nov 14, 2024

@mlodic After going through the MobSF documentation, I've concluded that implementing static analysis would be easy, but I want to know your thoughts on dynamic analysis by MobSF, since it's not a fully automated dynamic analysis; instead it's a semi-automatic one which will require manual intervention as well, e.g. the use of Frida scripts.
Ref: https://mobsf.live/api_docs
Also, in dynamic analysis we'll have to hit the "stop_analysis" endpoint to end the analysis, and only then will we be able to generate the JSON report. How do we decide when to stop?
Since there are too many variables at play, how do we implement MobSF in such a way that we get the maximum results without any manual intervention, because the simple dynamic analysis results are not insightful at all?

Let me know what you think.

@mlodic (Member, Author) commented Nov 18, 2024

About the dynamic analysis, you can ignore the "manual" commands and just execute start and stop after a configurable parameter (I would say 2-3 minutes by default).

> the simple dynamic analysis results are not insightful at all.

Why do you say that? Can you bring me some examples of valid reports and their uselessness?

Then I underline how IntelOwl has implemented similar mechanisms for other malware analysis services, and that is pretty normal. IntelOwl's goal is to provide tools for scaling the analysis, so it's perfectly fine if the results are not comprehensive. In real life, an analyst would pivot from interesting automated analysis and do their own analysis starting from the automated one.
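Added worked example (not code from this issue, IntelOwl or MobSF): a minimal stdlib-only Python client for the flow discussed above, i.e. upload, static scan, then start dynamic analysis, wait a configurable window (2-3 minutes by default), stop unconditionally and fetch the JSON report. The endpoint paths (/api/v1/upload, /api/v1/scan, /api/v1/report_json, /api/v1/dynamic/start_analysis, /api/v1/dynamic/stop_analysis, /api/v1/dynamic/report_json) and the "Authorization: <API key>" header are taken from the MobSF REST API docs as I know them and are an assumption to verify against your instance's /api_docs (older releases also expect scan_type and file_name on /scan). The FakeMobSF transport and every response body it returns are constructed stand-ins so the script runs offline; http_transport is what you would pass for a live server.

```python
"""Scripted MobSF run: upload, static scan, then a timed dynamic-analysis window."""
import hashlib
import json
import time
import urllib.parse
import urllib.request
import uuid
from typing import Callable, Optional

# Endpoint paths per the MobSF REST API docs as I know them (assumption:
# confirm against your instance's /api_docs; older releases also expect
# scan_type and file_name on /scan).
UPLOAD = "/api/v1/upload"
SCAN = "/api/v1/scan"
STATIC_REPORT = "/api/v1/report_json"
DYN_START = "/api/v1/dynamic/start_analysis"
DYN_STOP = "/api/v1/dynamic/stop_analysis"
DYN_REPORT = "/api/v1/dynamic/report_json"

# Transport: (path, form_fields, files) -> decoded JSON; files maps name -> (filename, bytes).
Transport = Callable[[str, dict, Optional[dict]], dict]

def _multipart(fields: dict, files: dict) -> tuple:
    """Hand-rolled multipart/form-data body so the client stays stdlib-only."""
    boundary = "----mobsf" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; '
                     f'name="{name}"\r\n\r\n{value}\r\n'.encode())
    for name, (filename, data) in files.items():
        head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
        parts.append(head.encode() + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"

def http_transport(base_url: str, api_key: str) -> Transport:
    """Transport for a live MobSF: every call is a POST carrying the API key header."""
    def send(path: str, fields: dict, files: Optional[dict] = None) -> dict:
        if files:
            body, ctype = _multipart(fields, files)
        else:
            body = urllib.parse.urlencode(fields).encode()
            ctype = "application/x-www-form-urlencoded"
        req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method="POST")
        req.add_header("Authorization", api_key)
        req.add_header("Content-Type", ctype)
        with urllib.request.urlopen(req, timeout=120) as resp:
            return json.loads(resp.read())
    return send

def analyze_apk(send: Transport, file_name: str, apk: bytes,
                dynamic_seconds: int = 180, sleep=time.sleep) -> dict:
    """Upload + static scan, then start dynamic analysis, wait a fixed
    window (2-3 minutes by default, as suggested in the thread), stop it
    unconditionally and fetch the JSON report. No manual Frida steps."""
    file_hash = send(UPLOAD, {}, {"file": (file_name, apk)})["hash"]
    send(SCAN, {"hash": file_hash})
    result = {"hash": file_hash, "dynamic": None,
              "static": send(STATIC_REPORT, {"hash": file_hash})}
    if dynamic_seconds > 0:
        try:
            send(DYN_START, {"hash": file_hash})
            sleep(dynamic_seconds)
        finally:
            # Always stop, even on error: a session left running would
            # block the emulator for the next sample in the queue.
            send(DYN_STOP, {"hash": file_hash})
        result["dynamic"] = send(DYN_REPORT, {"hash": file_hash})
    return result

class FakeMobSF:
    """Constructed in-memory stand-in for a MobSF server; response bodies are
    made up for the offline demo and are not real MobSF output."""
    def __init__(self):
        self.calls = []
        self.dynamic_running = False

    def __call__(self, path: str, fields: dict, files: Optional[dict] = None) -> dict:
        self.calls.append(path)
        if path == UPLOAD:
            name, data = files["file"]
            return {"hash": hashlib.md5(data).hexdigest(), "file_name": name}
        if path == STATIC_REPORT:
            return {"md5": fields["hash"], "permissions": {"android.permission.INTERNET": {}}}
        if path == DYN_REPORT:
            return {"hash": fields["hash"], "stopped_cleanly": not self.dynamic_running}
        if path == DYN_START:
            self.dynamic_running = True
        elif path == DYN_STOP:
            self.dynamic_running = False
        return {"status": "ok"}

if __name__ == "__main__":
    fake = FakeMobSF()  # fake transport + no-op sleep so the demo is instant
    out = analyze_apk(fake, "sample.apk", b"PK\x03\x04 constructed bytes",
                      dynamic_seconds=150, sleep=lambda _s: None)
    print(json.dumps(out, indent=2), "\ncall order:", fake.calls)
```

Against a real instance you would call analyze_apk(http_transport("http://localhost:8000", API_KEY), "app.apk", open("app.apk", "rb").read(), dynamic_seconds=180) and make dynamic_seconds the analyzer's configurable parameter; the try/finally is the part that matters operationally, since an unstopped session keeps the emulator busy for every later sample.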
