medusa: automates processes and techniques practised


Medusa is an extensible framework for Android applications which automates processes and techniques practised during the dynamic analysis of a malware investigation.

Some of the framework’s features are the following:

  • Tracing and instrumentation of API calls used by common malware categories
  • Tracing and instrumentation of Java and Native functions
  • Unpacking (effective for most of the weel known packers, including Qihoo, Secshell e.t.c.)
  • Patching (e.g. autoset the debuggable flag)
  • Triggering of various system events in order to initiate a malicious behaviour
  • Triggering of application’s components (Activities, Services e.t.c.)

Medusa’s functionality is based on the following scripts:


    Is used to dynamically add or remove tracing of API calls during application’s runtime. The tracing ‘comes’ in a form of modules, where each one of them ‘specializes’ in an abstract aspect. As an example, to trace the cryptographic procedures of the application (e.g. fetch AES keys or the plaintext that will be encrypted), simply inject the AES module and observer the output.

    Indicatively some of the functionalities which are implemented so far, include the following:

    • SSL pinning bypass
    • UI restriction bypass (e.g. Flag secure, button enable)
    • Class enumeration
    • Hook native functions
    • Monitoring of:
      • Encryption process (keys, IVs, data to be encrypted)
      • Intents
      • Http communications
      • Websockets
      • Webview events
      • File operations
      • Database interactions
      • Bluetooth operations
      • Clipboard
    • Monitoring of API calls used by malware applications, such as:
      • Spyware
      • Click Fraud
      • Toll Fraud
      • Sms Fraud



    Given a manifest or and apk file, the specific script is able to perform the following functionalities:

    • Display the application’s components and technical characteristics, including:
      • Activities
      • Services
      • Receivers
      • Permissions
      • Intent Filters
      • Content providers
    • Trace application functions
    • Trigger an activity, service or an intent
    • Automate actions performed during dynamic analysis:
      • Change device proxy settings
      • Capture screenshots of the device
      • Install/Uninstall/kill an application
    • Patch (set the debug flag to true) / Sign / Install


git clone
cd medusa
pip install -r requirements.txt


Related Articles

Trả lời

Email của bạn sẽ không được hiển thị công khai. Các trường bắt buộc được đánh dấu *

Back to top button