
Introduction

Ch0pin edited this page Feb 22, 2023 · 1 revision

Logo Credits: https://www.linkedin.com/in/rafael-c-ferreira

MEDUSA is an extensible and modularised framework that automates the processes and techniques used during the dynamic analysis of Android applications. It consists of multiple modules that can be combined into a single script and run during a Frida session.

It can be used to:

  • Intercept common API calls by using ready-made modules
  • Automate the creation of complex Frida scripts
  • Inspect the application's memory
  • Manage and categorise hooks by adding them into modules
  • Automate long-running or tedious processes

Combined with mango, its twin brother, it can cover 90% of your needs during an Android application review.

Installation

Medusa requires a Frida server running on a rooted mobile device or emulator. Download the frida-server binary for your device's architecture from the Frida releases page, push it to your device (adb push binary /data/local/tmp), make it executable with chmod, and start it as root. Note that the frida-server version must match the frida Python package that Medusa's requirements install; a mismatched pair fails at attach time. You can find thousands of tutorials on how to do that, so I am stopping here.

  1. Clone the Medusa repo:

$ git clone https://github.com/Ch0pin/medusa.git

  2. Navigate to the cloned medusa directory
  3. Install the Python requirements:

$ pip install -r requirements.txt
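The setup steps above, as an added example that is not part of the Medusa project: a small Python helper that picks the frida-server release matching the frida Python client installed by requirements.txt, pushes it to the device and starts it. It assumes adb is on PATH, the device has a working su, and Frida's release assets follow the frida-server-<version>-android-<arch>.xz naming scheme; the adb path /data/local/tmp/frida-server is a choice made here, not a Medusa requirement.

```python
"""Added example (not Medusa's own code): prepare a rooted device for Medusa by
installing a frida-server that matches the installed frida Python client.

Assumptions: adb on PATH, a rooted device or emulator with `su`, and Frida
release assets named frida-server-<version>-android-<arch>.xz on GitHub.
"""
import subprocess
import sys

RELEASES = "https://github.com/frida/frida/releases/download"

# Android ABI (ro.product.cpu.abi) -> architecture suffix used by Frida's assets.
ABI_TO_FRIDA_ARCH = {
    "arm64-v8a": "arm64",
    "armeabi-v7a": "arm",
    "x86_64": "x86_64",
    "x86": "x86",
}


def frida_arch_for_abi(abi: str) -> str:
    """Translate the device ABI string into Frida's asset architecture name.
    `adb shell getprop` may return a trailing CR/LF, so strip it first."""
    abi = abi.strip()
    try:
        return ABI_TO_FRIDA_ARCH[abi]
    except KeyError:
        raise ValueError(f"no frida-server build for ABI {abi!r}") from None


def server_asset(version: str, abi: str) -> str:
    """Release asset name for this client version and device ABI."""
    return f"frida-server-{version}-android-{frida_arch_for_abi(abi)}.xz"


def server_url(version: str, abi: str) -> str:
    return f"{RELEASES}/{version}/{server_asset(version, abi)}"


def versions_match(server_version_output: str, client_version: str) -> bool:
    """`frida-server --version` must equal frida.__version__; a mismatch is the
    most common reason `frida -U` (and therefore Medusa) fails to attach."""
    return server_version_output.strip() == client_version.strip()


def adb(*args: str) -> str:
    """Run an adb command and return its stdout with CRLF normalised."""
    proc = subprocess.run(["adb", *args], check=True, capture_output=True, text=True)
    return proc.stdout.replace("\r\n", "\n").strip()


def install_frida_server() -> None:
    import frida  # the client version decides which server build to fetch

    version = frida.__version__
    abi = adb("shell", "getprop", "ro.product.cpu.abi")
    asset = server_asset(version, abi)
    subprocess.run(["curl", "-fsSLO", server_url(version, abi)], check=True)
    subprocess.run(["xz", "-d", "-f", asset], check=True)
    binary = asset[: -len(".xz")]
    adb("push", binary, "/data/local/tmp/frida-server")
    adb("shell", "chmod", "755", "/data/local/tmp/frida-server")
    installed = adb("shell", "/data/local/tmp/frida-server", "--version")
    if not versions_match(installed, version):
        sys.exit(f"frida-server {installed} does not match client {version}")
    # -D daemonises the server; root is required to instrument other processes.
    adb("shell", "su", "-c", "/data/local/tmp/frida-server -D")
    print(f"frida-server {version} running on {abi}; you can now run ./medusa")


if __name__ == "__main__":
    install_frida_server()
```

Run it once after `pip install -r requirements.txt`; if you later upgrade the frida package, run it again so the server on the device follows the client.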

Running

The medusa.py

If everything goes as expected, you can run medusa in one of the following ways:

  1. Make the /medusa/medusa shell script executable and run it (you can also add it to your PATH so it can run from anywhere): ./medusa
  2. Run the medusa Python script: $python3 /medusa/medusa.py

If you are using a recipe, add the -r option followed by the recipe file (see the usage sections on how to create and use a recipe).

The mango.py

Mango is the complementary script of medusa. It performs a range of operations, from wrapping simple adb commands to more complicated tasks such as patching the debug flag, parsing the manifest, printing the application's possible exposure points and many more. To run it, use the /medusa/mango shell script or run $python3 mango.py:

  1. Make the /medusa/mango shell script executable and run it (you can also add it to your PATH so it can run from anywhere): ./mango
  2. Run the mango Python script: $python3 /medusa/mango.py

If this is not your first time using mango, you can pass as a parameter the db file created in a previous session (see the usage section regarding the db file):

$mango mypapps.db

Medusa modules

Medusa modules are customised Frida scripts that can be combined and run under a single Frida session. At the time of writing this wiki, Medusa counts more than 90 modules, classified according to their usage into the following categories:

backdoor, cordova, services, code_loading, webviews, intents, spyware, encryption, clipboard, bluetooth, sms_fraud, content_providers, helpers, exploits, file_system, db_queries, sockets, compression, clickers, base64, runtime, firebase, http_communications, JNICalls, flutter

As the names imply, each of these categories contains modules that hook the related API calls. For example, the "intents" category includes the following modules:

  • intents/incoming_intents
  • intents/intent_monitor_v2
  • intents/pending_intents
  • intents/intent_creation_monitor
  • intents/outgoing_intents
  • intents/start_activity

Each one of them hooks a subset of useful API calls related to Android intents.
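What a module of the "outgoing intents" kind does, as an added example that is not Medusa's own code: a Frida script hooking Activity.startActivity(Intent) and reporting each call, loaded from Python with frida-python the way Medusa loads its modules into a session. The Python side classifies every reported intent as explicit or implicit and lists the implicit ones that carry extras, since those travel to whichever app wins intent resolution. The package name, the USB transport, and the decision to hook only the Activity.startActivity(Intent) overload (calls made through ContextWrapper are not caught) are assumptions made here.

```python
"""Added example (not Medusa's own code): an "outgoing intents" hook in the
style of a Medusa module, driven from Python with frida-python.

Assumptions: frida-server is reachable over USB, the target package name is
given on the command line, and only Activity.startActivity(Intent) is hooked.
"""
import json
import sys

# Frida JavaScript that would be the body of a module. It runs inside the app
# and reports every startActivity(Intent) call back to Python via send().
OUTGOING_INTENTS_JS = r"""
Java.perform(function () {
  var Activity = Java.use('android.app.Activity');

  // Pull out the parts of an Intent a reviewer wants to see.
  function describe(intent) {
    var comp = intent.getComponent();
    var extras = {};
    var bundle = intent.getExtras();
    if (bundle !== null) {
      var it = bundle.keySet().iterator();
      while (it.hasNext()) {
        var key = it.next();
        var val = bundle.get(key);
        extras[key] = (val === null) ? null : val.toString();
      }
    }
    return {
      action: intent.getAction(),
      component: (comp === null) ? null : comp.flattenToString(),
      data: intent.getDataString(),
      flags: intent.getFlags(),
      extras: extras
    };
  }

  var startActivity = Activity.startActivity.overload('android.content.Intent');
  startActivity.implementation = function (intent) {
    send({ api: 'Activity.startActivity', intent: describe(intent) });
    return startActivity.call(this, intent);
  };
});
"""


def classify(intent: dict) -> str:
    """Explicit intents name their target component; implicit ones are resolved
    by the system against any app that declares a matching intent filter."""
    if intent.get("component"):
        return "explicit"
    if intent.get("action"):
        return "implicit"
    return "empty"


def handle_message(message: dict) -> "dict | None":
    """Turn one Frida message into a record with its classification attached.
    Script errors are printed and yield None."""
    if message["type"] != "send":
        print(message.get("description") or message.get("stack"), file=sys.stderr)
        return None
    record = dict(message["payload"])
    record["kind"] = classify(record["intent"])
    return record


def findings(records: list) -> list:
    """Implicit intents that carry extras: the extras reach whichever app wins
    intent resolution, so these are the calls to review for data leakage."""
    out = []
    for r in records:
        if r["kind"] == "implicit" and r["intent"].get("extras"):
            keys = ",".join(sorted(r["intent"]["extras"]))
            out.append(f'{r["api"]} action={r["intent"]["action"]} extras={keys}')
    return out


def run(package: str) -> None:
    """Spawn the app (so intents fired during startup are seen), load the hook,
    print each call live, and summarise the implicit-with-extras cases at exit."""
    import frida  # frida-python, installed by Medusa's requirements.txt

    seen = []

    def on_message(message, data):
        record = handle_message(message)
        if record:
            seen.append(record)
            print(f'[{record["kind"]}] {record["api"]} {json.dumps(record["intent"])}')

    device = frida.get_usb_device()
    pid = device.spawn([package])
    session = device.attach(pid)
    script = session.create_script(OUTGOING_INTENTS_JS)
    script.on("message", on_message)
    script.load()
    device.resume(pid)
    print("Hook loaded; press Ctrl-C to stop.")
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    for line in findings(seen):
        print("REVIEW:", line)


if __name__ == "__main__":
    run(sys.argv[1])
```

The JavaScript part is what you would paste into a Medusa module; the classification on the Python side is the kind of post-processing you add once a hook produces more output than you can read by eye.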