androguard cg - Create Call Graph from APK

androcg can create files that can be read using graph visualization software, for example gephi.

Synopsis

Usage: androguard cg [OPTIONS] APK

  Create a call graph and export it into a graph format.

  The default is to create a file called callgraph.gml in the current
  directory!

  classnames are found in the type "Lfoo/bar/bla;".

  Example:

      $ androguard cg examples/tests/hello-world.apk

Options:
  -o, --output TEXT           Filename of the output file, the extension is
                              used to decide which format to use  [default:
                              callgraph.gml]
  -s, --show                  instead of saving the graph, print it with
                              mathplotlib (you might not see anything!)
  -v, --verbose               Print more output
  --classname TEXT            Regex to filter by classname  [default: .*]
  --methodname TEXT           Regex to filter by methodname  [default: .*]
  --descriptor TEXT           Regex to filter by descriptor  [default: .*]
  --accessflag TEXT           Regex to filter by accessflags  [default: .*]
  --no-isolated / --isolated  Do not store methods which has no xrefs
  --help                      Show this message and exit.

Examples

The call graph is constructed from the Analysis object and then converted into a networkx MultiDiGraph. Currently supported formats are gml, gexf, gpickle, graphml, yaml and net.

The call graph contains methods as nodes and calls as edges. Each edge has the offset inside the method stored as an attribute and multiple calls between two methods result in multiple edges.

The methods to construct the callgraph from can be filtered. It is highly suggested to do that, as call graphs can get very large:

../_images/screenshot_182338.png

Of course, you can export the call graph with androguard and filter it later. If you filter with androguard, calls to this method will be stored, as well as calls from the method. For external methods only the first direction can be saved.

Note

External methods are not automatically API methods! It might be the case, that the method in question could not be found during disassembly time, hence it is stored as external.

Here is an example of an already filtered graph, visualized in gephi. Each node has an attribute to indicate if it is an internal (defined somewhere in the DEXs) or external (might be an API, but definetly not defined in the DEXs) method. In this case all green nodes are internal and all red ones are external. You can see the calls of some SMS Trojan to the API methods to write SMS.

../_images/screenshot_182951.png