Android Artifacts

Android artifacts are artifacts that WildFire associates with Android Package (APK) samples after analyzing the samples in an Android analysis environment. An APK file installs an app on an Android mobile phone or tablet.
Artifact Type
Search with this Artifact Type to Find...
APK App Icon
The file path for the app icon that displays in the Android device menu.
APK App Name
The name of the app that displays on the interface of an Android device.
APK Certificate
The hash value of the public key embedded in the digital certificate of the APK file.
APK Certificate File
The file path for the certificate(s) embedded in the APK file, information about the certificate owner and issuer such as name and location (if provided by the owner/issuer), and the MD5, SHA1, and SHA256 hashes used to sign the certificate. The owner or issuer may provide the following information:
  • CN—First name and last name
  • OU—Organizational unit
  • O—Organization name
  • L—City or locality
  • ST—State or province
  • C—Two-digit country code
APK Defined Activity
The class name of activities defined in the APK file. An activity is a component of the app that provides a screen users can interact with to perform a task.
APK Defined Intent Filter
An intent filter, found in an app’s manifest file, lists the types of intents that the components of the app can respond to. An intent is a request an app sends to other apps to perform an action. For example, the YouTube app needs to use a messaging app on your Android device to share videos.
APK Defined Receiver
Broadcast receivers for the APK file. Broadcast receivers allow the app to receive intents broadcast by itself, by the Android device, or by other apps on the device. An example of a broadcast that an app can receive is an indication that the device battery is low.
APK Defined Sensor
Sensors for motion, orientation, or environmental conditions that the app uses when it is running. For example, an app might need to receive sensor readings from the device’s GPS to perform location-based tasks.
APK Defined Service
Services configured for the APK file. Services are operations that run in the background while the app is running, and do not provide a user interface screen. An example of a service is a notification service for an email app that alerts users when they have new messages.
APK Embedded Libraries
Third-party libraries that are included in the APK file. A third-party library, which app developers can reuse across multiple apps, contains files of code that accomplish a specific task. An example of an embedded library is Google’s mobile ads software development kit (SDK), AdMob.
APK Embedded URL
URLs that are part of an APK file. The Path column contains the path for the section of the app where the URL is located.
APK Internal File
The file format, file path, and SHA256 hash of files included in the APK file.
APK Package Name
The unique name that identifies an app on an Android device. The general format for a package name is domain.company.application (for example, com.tamapps.learnjapanese).
APK Repackaged
An indication of whether an APK file has been repackaged (True) or not (False). AutoFocus marks a repackaged APK file as suspicious because an attacker can repackage a benign file to contain malicious functionality.
APK Requested Permission
The permissions that the APK file requests from users to perform processes and to access data on their Android device. Examples include permissions to access the camera on the device or to change the audio settings of the device.
APK Sensitive API Call
API calls embedded in the APK file that access restricted services or resources.
APK Signer
Personal information that the app owner provided when he/she signed the app certificate:
  • CN—First name and last name
  • OU—Organizational unit
  • O—Organization name
  • L—City or locality
  • ST—State or province
  • C—Two-digit country code
APK Suspicious API Call
API calls embedded in the APK file that access restricted services or resources. Unlike APK Sensitive API Call, the APK Suspicious API Call lists all instances of an API call and the location of the files where the API call was found.
APK Suspicious Action
An action that the APK file performed when it was executed in the WildFire analysis environment that may be an indicator of compromise. The Value column contains a description of the action and supporting evidence. For example, if the suspicious action associated with an APK file sends SMS messages while running in the background, the value includes the text message content that the file sent. If the action is loading another APK, DEX, or JAR file, the value includes the path for the file that the APK file loaded.
APK Suspicious Behavior
A sequence of actions that the APK file exhibits, the target of the actions (if there is one), and the location of the files that exhibited the actions. For example, for the suspicious behavior “APK files sends an SMS to a fixed number,” the target is the phone number that received the SMS.
APK Suspicious File
Suspicious files found in the APK file and their file type. An example of a suspicious file is one that contains malicious native code or an executable file in .dex format.
APK Suspicious Pattern
A class of patterns observed in the APK file, a description of what the pattern does, and the location of the files where the pattern occurred.
APK Suspicious String
Suspicious strings of code found in the APK file. For example, a suspicious string can indicate that an app contains shell commands that install or uninstall other apps, or the string can be a suspicious phone number. For each string, you can view the location of the file that contains the string.
APK Version
The version number of the app that is visible to users.
