
An Android sandbox for automated Forensic, Malware, and Security Analysis.

Project description


Android Sandbox for Automated Forensic, Malware, and Security Analysis

Sandroid Framework


Sandroid provides a powerful Android sandbox framework that enables automated analysis of Android applications. It combines both static and dynamic techniques to help security researchers, forensic analysts, and malware analysts better understand how apps behave in a controlled environment.

By using this framework, you can:

  • Extract forensic artifacts generated by Android apps and identify which app created them.
  • Analyze malware behavior through automated dynamic analysis.
  • Uncover security vulnerabilities and misconfigurations in Android applications.
  • Gain deeper insights into app behavior without manual reverse engineering.

The framework is designed to simplify the process of forensic investigations, mobile threat detection, and security testing by providing a streamlined, automated environment for analysis. Whether you're investigating malicious apps, assessing security flaws, or collecting digital evidence, this solution helps you quickly identify and understand what happens inside Android applications.

Quick Start

# Install from PyPI
pip install sandroid

# Initialize configuration
sandroid-config init

# Run analysis
sandroid --network --screenshot 10 --report

See SETUP.md for all installation possibilities.

Legacy Usage

usage: sandroid [-h] [-f FILENAME] [-ll LOGLEVEL] [-n NUMBER] [--avoid_strong_noise_filter] [--network] [-d] [--no-processes] [--sockets] [--screenshot INTERVAL] [--trigdroid PACKAGE NAME]
                [--trigdroid_ccf {I,D}] [--hash] [--apk] [--degrade_network] [--whitelist FILE]

Find forensic artefacts for any action on an AVD

options:
  -h, --help            show this help message and exit
  -f FILENAME, --file FILENAME
                        Save output to the specified file, default is sandroid.json
  -ll LOGLEVEL, --loglevel LOGLEVEL
                        Set the log level. The logging file sandroid.log will always contain an expanded DEBUG level log.
  -n NUMBER, --number_of_runs NUMBER
                        Run action n times (Minimum and default is 2)
  --avoid_strong_noise_filter
                        Don't use a "Dry Run". This will catch more noise and disable intra file noise detection.
  --network             Capture traffic and show connections. Connections are not necessarily in chronological order. Each connection will only show up once, even if it was made multiple times. For better
                        results,  it is recommended to use at least -n 3  and to leave the strong noise filter on
  -d, --show_deleted    Perform additional full filesystem checks to reveal deleted files
  --no-processes        Do not monitor active processes during the action
  --sockets             Monitor listening sockets during the action
  --screenshot INTERVAL
                        Take a screenshot each INTERVAL seconds
  --trigdroid PACKAGE NAME
                        Use the TrigDroid(tm) tool to execute malware triggers in package PACKAGE NAME
  --trigdroid_ccf {I,D}
                        Use the TrigDroid(tm) CCF utility to create a Trigdroid config file. I for interactive mode, D to create the default config file
  --hash                Create before/after md5 hashes of all changed and new files and save them to hashes.json
  --apk                 List all APKs from the emulator and their hashes in the output file
  --degrade_network     Lower the emulators network speed and network latency to simulate and 'UMTS/3G' connection. For more fine grained control, use the emulator console
  --whitelist FILE      Entries in the whitelist will be excluded from any outputs. Separate paths by commas, wildcards are supported

The basics

Sandroid is a framework for extracting forensic artefacts from Android Virtual Devices (AVDs). It provides an ever-growing list of features, including static analysis of APKs, detailed dynamic analysis using dynamic instrumentation, automated execution of malware triggers, automated extraction of file system changes for arbitrary actions, and more.

If you start Sandroid with python3 sandroid or just ./sandroid, you will see the interactive menu. Start an AVD first; Sandroid will automatically attach to it.

=== Interactive Menu ===
Frida Server: [Not running]
Spotlight Application: [n/a]

    * print [e]mulator information (name, version, network, etc.)
    * [s]napshot
    * [g]o back to last snapshot
    * [r]ecord and replay
    * run [t]rigdroid malware triggers
    * [i]nstall APK (local or remote via apksfull.com)
    * run [f]rida server (install, if required)
    * set [c]urrent app in focus to spotlight app
    * [a]nalyze spotlight app with dexray-insight
    * [d]ump memory of spotlight app (using fridump)
    * [q]uit

From here, you can interact with the AVD in real time and let the framework perform helpful actions such as saving or restoring snapshots and automatically installing APKs. When you are ready, select one of the analysis options, such as ASAM for static analysis, or record and replay for dynamic analysis. Depending on the log level selected, logs and results will be printed. Detailed logs are always available in sandroid.log, regardless of the selected log level. By default, results are saved to sandroid.json and compiled into a PDF file.
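The noise-filtering logic behind -n, the dry run, --hash and --whitelist, as an added Python example rather than Sandroid's own code: it diffs constructed before/after filesystem snapshots, keeps only changes that recur in every run of the action, subtracts whatever also changes during a dry run, and applies a comma-separated wildcard whitelist. The package path, file contents and the exact filtering rules are assumptions constructed for this example; the real tool's rules may differ.

```python
import fnmatch
import hashlib
from typing import Dict, Iterable, List, Set

APP = "/data/data/com.example.groundtruth"  # constructed package path

# Constructed snapshot: emulator path -> file content before the action.
BASE: Dict[str, bytes] = {
    f"{APP}/files/GroundTruth.xml": b"<entries/>",
    f"{APP}/cache/tmp.bin": b"stale",
    "/data/system/usagestats/daily": b"v1",
    "/data/misc/wifi/state": b"0",
}


def snapshot(changed: Dict[str, bytes], removed: Iterable[str] = ()) -> Dict[str, bytes]:
    """Build an 'after' snapshot from BASE plus the given changes (constructed data)."""
    snap = {**BASE, **changed}
    for path in removed:
        snap.pop(path, None)
    return snap


# Two runs of the same action: the app rewrites its XML, creates a note and drops a
# cache file; the system rewrites usage stats every time; wifi state flips only once.
RUN_AFTER: List[Dict[str, bytes]] = [
    snapshot({f"{APP}/files/GroundTruth.xml": b"<entries><e>1</e></entries>",
              f"{APP}/files/note.txt": b"hi",
              "/data/system/usagestats/daily": b"v2"}, removed=[f"{APP}/cache/tmp.bin"]),
    snapshot({f"{APP}/files/GroundTruth.xml": b"<entries><e>2</e></entries>",
              f"{APP}/files/note.txt": b"hi",
              "/data/system/usagestats/daily": b"v3",
              "/data/misc/wifi/state": b"1"}, removed=[f"{APP}/cache/tmp.bin"]),
]
# Dry run: same waiting time, no action. Whatever changes here is background noise.
DRY_RUN_AFTER: Dict[str, bytes] = snapshot({"/data/system/usagestats/daily": b"v4"})


def md5_of(content: bytes) -> str:
    """--hash records md5 digests; md5 serves here only as a change fingerprint."""
    return hashlib.md5(content).hexdigest()


def diff_snapshot(before: Dict[str, bytes], after: Dict[str, bytes]) -> Dict[str, dict]:
    """Classify each path as new, changed or deleted, with before/after digests."""
    changes: Dict[str, dict] = {}
    for path, content in after.items():
        if path not in before:
            changes[path] = {"state": "new", "before": None, "after": md5_of(content)}
        elif before[path] != content:
            changes[path] = {"state": "changed", "before": md5_of(before[path]),
                             "after": md5_of(content)}
    for path, content in before.items():
        if path not in after:
            changes[path] = {"state": "deleted", "before": md5_of(content), "after": None}
    return changes


def filter_noise(run_changes: List[Set[str]], dry_run_changes: Set[str]) -> Set[str]:
    """Keep paths that changed in every run (hence -n >= 2) and not during the dry run."""
    if len(run_changes) < 2:
        raise ValueError("at least two runs are needed to separate artefacts from noise")
    return set.intersection(*run_changes) - dry_run_changes


def apply_whitelist(paths: Iterable[str], whitelist: str) -> List[str]:
    """Drop paths matching any comma-separated wildcard pattern, as --whitelist does."""
    patterns = [p.strip() for p in whitelist.split(",") if p.strip()]
    return sorted(p for p in paths if not any(fnmatch.fnmatch(p, pat) for pat in patterns))


def analyze(base, runs, dry_run_after, whitelist: str = "") -> Dict[str, dict]:
    """Pipeline: per-run diffs -> noise filter -> whitelist -> digests from the last run."""
    per_run = [diff_snapshot(base, after) for after in runs]
    artefacts = filter_noise([set(c) for c in per_run],
                             set(diff_snapshot(base, dry_run_after)))
    return {path: per_run[-1][path] for path in apply_whitelist(artefacts, whitelist)}


if __name__ == "__main__":
    for path, info in analyze(BASE, RUN_AFTER, DRY_RUN_AFTER, "/data/misc/*").items():
        print(f"{info['state']:8} {path}  {info['before']} -> {info['after']}")
```

With the constructed data, the usage-stats file survives the intersection of both runs but is dropped because the dry run also changed it, and the wifi state never makes it past the intersection because it changed in only one run. Both effects are why the help text recommends at least -n 3 and leaving the strong noise filter on.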

Setup

You'll need:

  • Python 3.10 or newer
  • sqldiff
  • trigdroid
  • Android Studio
  • Android SDK & ADB (Comes with Studio)
  • A running emulator

Step-by-step instructions:

$ sudo apt install python3 sqlite3-tools
$ python3 -m venv env
$ source env/bin/activate
$ pip install sandroid

Then download Android Studio from https://developer.android.com/studio and create an emulator like this:

  • Open Android Studio
  • Click "More options"
  • From there, open "Virtual device manager"
  • Click "Create device"
  • Choose a phone. If you choose a phone with Play Services, you will probably need to jailbreak it before you can use the tool. (If you want to work with your own or third-party apps, it is better to use the integrated "install APK" function later.)
  • Choose an API
  • Click "Finish"
  • Start the emulator (the small play button in the Virtual Device Manager)
  • Run ./sandroid to start the tool

Dependencies

Ground Truth APK

The framework also includes a custom Android app for testing and calibration. This app is designed to create specific forensic artefacts with pinpoint accuracy at the user's command, while being as minimal as possible to avoid unintended artefacts. To use it, simply install it on the emulator using Sandroid's built-in APK installer and open the app.

Supported Artefacts

In the current version, the ground truth app supports nine different artefacts:

  • Creating a new file
  • Adding an entry to a database
  • Deleting an entry from a database
  • Updating an entry in a database
  • Sending a specific number of bytes to a specific URL
  • Starting a specific process
  • Adding an entry to an XML file
  • Deleting an entry from an XML file
  • Updating an entry in an XML file

Simply press the corresponding button to generate the artefact.

Some considerations

  • Values added to the XML file and the database are the current Unix time on the emulator. This can deviate from the actual time, but the deviation is automatically highlighted in the output.
  • The first time the application is launched after installation, the XML file and database are initialised and Android creates a profile for the application, so it is recommended that you open the application first and only then start any analysis.
  • The XML and database files are called GroundTruth.xml and GroundTruth.db respectively and are stored in the application's directory.
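How an analysis can match the ground truth app's artefacts against the values it is expected to write, as an added Python example that is not part of Sandroid: it diffs constructed before/after copies of GroundTruth.xml and GroundTruth.db at entry level (the real tool relies on sqldiff for the database side; the row diff here is a plain Python approximation) and flags values whose Unix time deviates from the host clock by more than a tolerance, which is the condition the output highlights. The XML layout, table schema, timestamps and tolerance are assumptions constructed for this example.

```python
import sqlite3
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Tuple

# Constructed GroundTruth.xml contents before and after an "update" and an "add"
# (the app writes the emulator's Unix time as the value; the layout is assumed).
XML_BEFORE = "<entries><entry id='1'>1700000000</entry><entry id='3'>1700000300</entry></entries>"
XML_AFTER = "<entries><entry id='1'>1700000500</entry><entry id='2'>1700000600</entry></entries>"

# Constructed GroundTruth.db rows (id, value) before and after a "delete" and an "add".
DB_BEFORE = [(1, 1700000000), (3, 1700000300)]
DB_AFTER = [(1, 1700000000), (2, 1700000700)]


def xml_entries(xml_text: str) -> Dict[str, str]:
    """Parse <entry id=...>value</entry> elements into an id -> value map."""
    root = ET.fromstring(xml_text)
    return {e.get("id"): (e.text or "") for e in root.findall("entry")}


def make_db(rows: Iterable[Tuple[int, int]]) -> sqlite3.Connection:
    """In-memory stand-in for a GroundTruth.db snapshot (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, value INTEGER)")
    conn.executemany("INSERT INTO entries VALUES (?, ?)", rows)
    conn.commit()
    return conn


def db_entries(conn: sqlite3.Connection) -> Dict[str, str]:
    """Read the table into the same id -> value shape used for the XML file."""
    return {str(i): str(v) for i, v in conn.execute("SELECT id, value FROM entries ORDER BY id")}


def diff_entries(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, dict]:
    """Entry-level diff: which ids were added, deleted or updated between snapshots."""
    return {
        "added": {k: v for k, v in after.items() if k not in before},
        "deleted": {k: v for k, v in before.items() if k not in after},
        "updated": {k: (before[k], after[k]) for k in before
                    if k in after and before[k] != after[k]},
    }


def clock_deviation(values: Dict[str, str], host_now: int, tolerance: int = 120) -> Dict[str, int]:
    """Flag values further than `tolerance` seconds from the host clock: these are
    the cases where the emulator's time deviates from the actual time."""
    return {k: int(v) - host_now for k, v in values.items()
            if abs(int(v) - host_now) > tolerance}


def analyze_ground_truth(host_now: int) -> dict:
    """Diff both artefact stores and check every newly written value against the host clock."""
    xml_diff = diff_entries(xml_entries(XML_BEFORE), xml_entries(XML_AFTER))
    db_diff = diff_entries(db_entries(make_db(DB_BEFORE)), db_entries(make_db(DB_AFTER)))
    new_values = {}
    new_values.update({f"xml:{k}": v for k, v in xml_diff["added"].items()})
    new_values.update({f"xml:{k}": v[1] for k, v in xml_diff["updated"].items()})
    new_values.update({f"db:{k}": v for k, v in db_diff["added"].items()})
    new_values.update({f"db:{k}": v[1] for k, v in db_diff["updated"].items()})
    return {"xml": xml_diff, "db": db_diff, "skew": clock_deviation(new_values, host_now)}


if __name__ == "__main__":
    import json
    import time
    print(json.dumps(analyze_ground_truth(int(time.time())), indent=2))
```

Because the app writes a timestamp rather than a fixed string, the diff alone tells you which entry changed, and the clock check tells you whether the emulator's notion of time matches the analyst's; a large skew is worth knowing before timestamps from other artefacts are interpreted.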

Documentation

  • SETUP.md - Complete setup guide for the new installation method
  • MIGRATION.md - Guide for upgrading from legacy installation
  • CHANGELOG.md - Detailed release notes and version history

Installation Options

Option 1: Modern PyPI Installation (Recommended)

pip install sandroid
sandroid-config init
sandroid --help

Option 2: Legacy Installation (Still Supported)

git clone <repository>
./install-requirements.sh
./sandroid

Configuration Management

The modern installation includes a powerful configuration system:

# Initialize configuration
sandroid-config init

# View configuration
sandroid-config show

# Modify settings
sandroid-config set analysis.monitor_network true
sandroid-config set emulator.device_name "Pixel_8_Pro_API_34"

# Validate configuration
sandroid-config validate

Configuration files are automatically discovered in standard locations:

  • ~/.config/sandroid/sandroid.yaml (user config)
  • ./sandroid.yaml (project-specific config)
  • Environment variables with SANDROID_ prefix

Supported formats: YAML, TOML, JSON (YAML preferred)
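A layered configuration resolver of the kind described above, as an added Python example and not the sandroid-config implementation: defaults, then the user config, then the project config, then SANDROID_ environment variables, with later layers taking precedence. The precedence order and the double-underscore section separator in variable names are assumptions of this example, as are the default values and validation rules. To stay on the standard library it reads JSON files (one of the supported formats) rather than the preferred YAML; the keys analysis.monitor_network and emulator.device_name are the ones shown above.

```python
import copy
import json
import os
from pathlib import Path
from typing import Any, Dict, List, Mapping

# Constructed defaults: the real sandroid-config schema is not part of this example.
DEFAULTS: Dict[str, Any] = {
    "analysis": {"monitor_network": False, "screenshot_interval": 0},
    "emulator": {"device_name": ""},
}


def candidate_paths(home: Path, cwd: Path) -> List[Path]:
    """Standard locations, lowest precedence first (assumed order: user, then project).
    JSON is used so the example needs no YAML library."""
    return [home / ".config" / "sandroid" / "sandroid.json", cwd / "sandroid.json"]


def deep_merge(base: Mapping[str, Any], override: Mapping[str, Any]) -> Dict[str, Any]:
    """Merge nested sections so a layer can override one key without replacing a section."""
    merged: Dict[str, Any] = dict(base)
    for key, value in override.items():
        if isinstance(value, Mapping) and isinstance(merged.get(key), Mapping):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def coerce(raw: str) -> Any:
    """Turn a string from the CLI or environment into bool/int where possible."""
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def set_dotted(config: Dict[str, Any], dotted_key: str, raw_value: str) -> Dict[str, Any]:
    """The operation behind `sandroid-config set analysis.monitor_network true`."""
    parts = dotted_key.split(".")
    node = config
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = coerce(raw_value)
    return config


def env_layer(environ: Mapping[str, str], prefix: str = "SANDROID_") -> Dict[str, Any]:
    """Assumed convention: SANDROID_ANALYSIS__MONITOR_NETWORK=true sets analysis.monitor_network."""
    layer: Dict[str, Any] = {}
    for name, raw in environ.items():
        if name.startswith(prefix):
            set_dotted(layer, name[len(prefix):].lower().replace("__", "."), raw)
    return layer


def validate(config: Dict[str, Any]) -> List[str]:
    """Constructed checks standing in for `sandroid-config validate`; empty list means OK."""
    problems: List[str] = []
    if not isinstance(config["analysis"]["monitor_network"], bool):
        problems.append("analysis.monitor_network must be true or false")
    if not config["emulator"]["device_name"]:
        problems.append("emulator.device_name is not set")
    return problems


def resolve(file_layers: List[Dict[str, Any]], environ: Mapping[str, str]) -> Dict[str, Any]:
    """Defaults < user config < project config < environment variables."""
    config = copy.deepcopy(DEFAULTS)
    for layer in file_layers:
        config = deep_merge(config, layer)
    return deep_merge(config, env_layer(environ))


def load(home: Path, cwd: Path, environ: Mapping[str, str] = os.environ) -> Dict[str, Any]:
    """Discover the config files that exist, load them in order, then apply the environment."""
    layers = [json.loads(p.read_text()) for p in candidate_paths(home, cwd) if p.is_file()]
    return resolve(layers, environ)


if __name__ == "__main__":
    print(json.dumps(load(Path.home(), Path.cwd()), indent=2))
```

Keeping the merge section-aware matters in practice: a project file that only sets analysis.monitor_network must not wipe out the emulator.device_name from the user config, and an environment variable set in a CI job should win over both files so the same config can be reused across machines.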

Version Information

  • Current Version: 1.0.0
  • Backward Compatibility: Full compatibility with legacy installations
  • Python Requirements: Python 3.10+
  • Migration: See MIGRATION.md for upgrade instructions

Download files


Source Distribution

sandroid-1.0.8.tar.gz (63.2 kB)

Built Distribution


sandroid-1.0.8-py3-none-any.whl (47.5 kB)

File details

Details for the file sandroid-1.0.8.tar.gz.

File metadata

  • Download URL: sandroid-1.0.8.tar.gz
  • Size: 63.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for sandroid-1.0.8.tar.gz

  • SHA256: 40a83812bfcd4f614bd82902c72faf9572a987144371bb1264fb68a08f3f32aa
  • MD5: 4966f06e08da004c21aa564c8438d183
  • BLAKE2b-256: ea89038ee3d0970d33507b7da4d3458b157a2266641deb2c55e12c3cac862ab8

Provenance

The following attestation bundles were made for sandroid-1.0.8.tar.gz:

Publisher: publish.yml on fkie-cad/Sandroid_core

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sandroid-1.0.8-py3-none-any.whl.

File metadata

  • Download URL: sandroid-1.0.8-py3-none-any.whl
  • Size: 47.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for sandroid-1.0.8-py3-none-any.whl

  • SHA256: 14ed4d6577f7be295234c206eebbda2a507af7be2501c97c701b7bb6fd0b96d6
  • MD5: 417e9b6e3e456552a7e6c75878df71d5
  • BLAKE2b-256: b8f5ea1ecaebbf04f6120276905178ba6036bca69ffdc4ccb4c4f37307379ec5

Provenance

The following attestation bundles were made for sandroid-1.0.8-py3-none-any.whl:

Publisher: publish.yml on fkie-cad/Sandroid_core

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
