11

Several sites offer APK downloads (1, 2, 3). Is there a way to determine if a given website/apk is safe to install?

Sparkler
  • Besides actually running it, no, not really. – Steve Aug 03 '15 at 15:19
  • Reverse-engineer it or run it in a sandbox. – r00t Aug 03 '15 at 15:51
  • How do you determine if an APK from the Play store is safe? – Neil Smithline Aug 03 '15 at 15:54
  • @NeilSmithline, Google does it for me. – Sparkler Aug 03 '15 at 16:00
  • So "trust" is basically your answer. That's what you'll need to use with 3rd-party sites too. Sorry that there's not a better answer. – Neil Smithline Aug 03 '15 at 16:07
  • @NeilSmithline, there are two separate "trusts" in this case. (1) I trust that Google's scripts etc. do a better job than me in spotting security issues; (2) I do not trust apk files on alternative sites to be malware-free. – Sparkler Aug 03 '15 at 16:13
  • @steve including actually running it, no, not really. Just because it doesn't immediately burn down your house, the indoor flamethrower app might eventually prove to have been a poor choice. – ddyer Jul 03 '20 at 00:48

3 Answers

10

Initial Analysis


I think the most thorough way to test 3rd party apps is to:

  1. Download the Android SDK/Tools
  2. Create a virtual Android Device with the Android version of your phone.
  3. Enable Android Debugging through USB on your device. (Can be turned off later)
  4. Check with ADB that your emulator is detected: adb devices
  5. Install the 3rd party app with ADB: adb install

You can analyze what's going on in the device using different logs that are constantly running. These can be tough to capture, but you can capture the logcat of your device with adb logcat. You can learn how to use Logcat like a Pro.

The Android Virtual Device (AVD) uses your internet connection like a WiFi connection. At this point you can perform all kinds of analysis. My post on how to analyze malware could be helpful (as far as tools and techniques to use). Wireshark will be a helpful tool to analyze network traffic. See what the app does with its networking connections.

Reverse Engineering


So now you'll be getting down and dirty into seeing what exactly the APK is doing. For this you'll need a few tools. Here is an online tool (I have not used it) that claims to decompile an Android APK back into its Java code. If you would like to understand the process and do it yourself I would look at this Stack Overflow answer.

An APK is just a .zip file. So the steps are (with tools from that Stack Overflow answer):

  1. unzip example.apk

Now we have the following files and directories:

-rw-rw-r--  1       3708 Oct 14  2013 AndroidManifest.xml
-rw-rw-r--  1    2751916 Oct 14  2013 classes.dex
drwxrwxr-x  2       4096 Aug  3 12:12 META-INF
drwxrwxr-x 23       4096 Aug  3 12:12 res
-rw-rw-r--  1     363640 Oct 14  2013 resources.arsc

The classes.dex is what we want. It contains all the Java classes used for the application.

  2. ./d2j-dex2jar.sh ../example.apk

Now we have a ./example-dex2jar.jar JAR file that can be decompiled into Java code. Here is where JD-GUI and ApkTool can be useful. Now you can look at the exact code that is executed by the APK.

Keep in mind though that some portions (if not most) of the Java code will be obfuscated. This is common and you'll often see function symbols ripped out and replaced with a, b, etc. Not only functions, but packages, methods, variables. Seeing obfuscated Java like z = (a) b.d() would not be uncommon. But you can see strings, typical imports, and any JNI shared object functions they may use.


All that being said, do you want to do that for every app you download? Probably not. It comes down to whether you trust the Store that you're using, and/or the software company that put out the app. I personally don't use any apps outside of the Google Play store. The apps I do download I base on the companies that developed them, user reviews (these can be faked), friend/forum recommendations, etc.

You have to give some sort of trust to the app you're downloading, or analyze each and every app you install. Either way you've got to use caution.

RoraΖ
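The unzip / classes.dex steps above can be automated as a first static pass before any decompiling. The script below is an added example, not code from the answer or from the dex2jar/ApkTool projects: it hashes the APK (the SHA-256 is what you would look up on a scanning service), lists the zip layout, notes v1 signature files under META-INF, and parses the classes.dex header to recompute the adler32 checksum and SHA-1 signature the DEX format stores there. The sample APK and its header-only classes.dex are constructed in the script so it runs offline; a header that verifies only shows the file is internally consistent, not that the code is benign.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_LEN = 0x70  # fixed-size DEX header; endian_tag 0x12345678 marks a valid little-endian file

def check_dex_header(dex: bytes) -> dict:
    """Parse the DEX header and recompute its adler32 checksum and SHA-1 signature."""
    if len(dex) < DEX_HEADER_LEN or dex[:4] != b"dex\n":
        return {"valid": False, "reason": "missing dex magic or truncated header"}
    checksum, = struct.unpack_from("<I", dex, 8)  # adler32 over bytes 12..end
    signature = dex[12:32]                        # SHA-1 over bytes 32..end
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    class_defs_size, = struct.unpack_from("<I", dex, 96)
    return {
        "valid": True,
        "version": dex[4:7].decode("ascii", "replace"),
        "checksum_ok": zlib.adler32(dex[12:]) == checksum,
        "signature_ok": hashlib.sha1(dex[32:]).digest() == signature,
        "size_ok": file_size == len(dex) and header_size == DEX_HEADER_LEN and endian_tag == 0x12345678,
        "class_defs": class_defs_size,
    }

def inspect_apk(apk: bytes) -> dict:
    """Static triage: file hash for lookups, manifest presence, v1 signature blocks, DEX integrity."""
    report = {"sha256": hashlib.sha256(apk).hexdigest()}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        report["has_manifest"] = "AndroidManifest.xml" in names
        report["v1_sig_blocks"] = [n for n in names if n.startswith("META-INF/")
                                   and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        report["dex"] = {n: check_dex_header(z.read(n)) for n in names if n.endswith(".dex")}
    return report

def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed sample (not a real app): a header-only classes.dex inside a minimal zip."""
    tail = struct.pack("<III", DEX_HEADER_LEN, DEX_HEADER_LEN, 0x12345678)  # file_size, header_size, endian_tag
    tail += b"\0" * 52 + struct.pack("<IIII", 3, 0, 0, 0)  # link..method ids empty; 3 class_defs; no data
    sig = hashlib.sha1(tail).digest()
    dex = b"dex\n035\0" + struct.pack("<I", zlib.adler32(sig + tail)) + sig + tail
    if tamper:  # corrupt the last header field without recomputing checksum/signature
        dex = dex[:-4] + b"\xff" * 4
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder: real manifests are binary XML")
        z.writestr("classes.dex", dex)
        z.writestr("META-INF/CERT.RSA", b"placeholder signature block")
    return buf.getvalue()
```

Point inspect_apk at the bytes of a downloaded APK to get the same report; a checksum or signature mismatch means the DEX was modified after it was built, which is worth a closer look in JD-GUI.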
8

To verify whether an APK is safe, you can upload it to e.g. Virustotal. It will use a bunch of virus scanners to detect whether anything is wrong with the APK.

Note that APKs are (at this moment of writing) the #1 file type being scanned by Virustotal.

SaeX
1

You'll need to reverse engineer it to work out what it does and whether there's anything malicious to it.

In fairness even apps distributed by Google Play / the App Store have been found with malware on them, so even though malware is more likely distributed via external sources, it doesn't directly mean that "external source == malware".

Pedro