Generative AI-Powered Explainable Malware Analysis & Risk Orchestration for Android Banking Fraud
Important
KAVACH (ΰ€ΰ€΅ΰ€) translates to Shield or Armor in Sanskrit. It acts as an automated, defensive sandbox shield protecting banking consumers and financial institutions from cloned, fraudulent applications circulated over WhatsApp, Telegram, and SMS phishing hooks.
- π¨ The Problem: Shadow Fraud Campaigns
- π‘ The Solution: KAVACH V2 Paradigm
- βοΈ Core Analysis Pillars & Subsystems
- π The V2 Risk Scoring Model & Signature Engine
- π¬ Core Discovery: AndroidManifest Zip Header Evasion
- ποΈ Pipeline Sequence Diagram
- π Directory Layout
- π οΈ Setup & Quickstart Guide
- π» Technology Stack
- π License
Mobile banking applications have become the core of retail banking. To exploit this trust, cybercriminals bypass formal application stores (like Google Play Store) and launch targeted social engineering campaigns distributing cloned, malicious APKs over WhatsApp, Telegram, and SMS phishing links.
These clones impersonate legitimate utility apps, support packages, or bank services (e.g., IndusInd Credit Card, ICICI Mobile Banking, or Appointment Booking). Once installed:
- Accessibility Abuse: They coerce victims into enabling Accessibility Services. This grants the app the ability to view the screen contents, simulate gestures, click buttons, and silently auto-approve permissions.
- Credential Harvesting: Clones draw overlay window layers (
SYSTEM_ALERT_WINDOW) over legitimate banking applications to intercept login credentials. - SMS & OTP Interception: They listen for incoming SMS messages to steal OTP tokens, enabling unauthorized financial exfiltration.
Traditional anti-malware solutions rely on static hashes that are easily bypassed via dynamic packer wrappers, class encryption, or formatting alterations. Manual reverse engineering is slow, creating a massive gap in responsive threat intelligence.
KAVACH AI V2 orchestrates static decompilation, active dynamic emulation, machine learning models, and Generative AI to deliver a unified, explainable threat-scoring framework:
Kavach automatically decompiles, installs, launches, instruments, and audits the target application inside a secure sandbox to expose exactly what the application is doing, why it was classified under a specific threat profile, and what data is at risk.
- Androguard & JADX Integration: Extracts AndroidManifest structure, services, intent filters, receivers, and decompiles classes.
- Static Rule Sweeps: Evaluates bytecode using compiled YARA and Semgrep rules targeting anti-analysis evasion, cryptographic weaknesses, and banking patterns.
- Headless Emulation: Deploys the target APK onto a secure Android Virtual Device (AVD).
- Dynamic Playbook Engine: Automatically interacts with the application interface (clicking inputs, submitting forms, dismissing permissions) to drive the app into executing its core payloads.
- Frida Hooking: Intercepts low-level Java API calls at runtime, logging SMS interception (
SmsManager.sendTextMessage), overlay layouts (WindowManager.addView), filesystem writes, and network socket bindings.
- Drebin Random Forest: Extracts static permission vectors to classify benign vs. malicious layouts.
- CNN Opcode Analyzer: Evaluates Dalvik instruction opcodes to flag structural patterns typical of packed or obfuscated Trojan campaigns.
- ML Ensemble Manager: Integrates scores from Random Forest, CNN, and Permission2Vec models to generate a robust prediction baseline.
- Data Source to Sink Propagation: Tracks variables from protected sources (e.g., contacts, SMS inbox, location) to exfiltration sinks (e.g., socket writes, HTTP callback connections).
- Vulnerability Mapping: Highlights clear paths where sensitive credentials or verification tokens flow out of the device.
- Log Interpretation: Audits raw dynamic execution events and decompiled bytecode blocks.
- Natural Language Advisories: Produces clear explanation timelines, risk verdicts, and step-by-step reverse-engineering walkthroughs for analysts.
Kavach V2 shifts from arbitrary composite math to a transparent, AV-style threat model:
-
Threat Potential: Maximum capability risk score derived from matched signatures (
$0 - 100$ ). -
Evidence Corroboration: Decoupled verification certainty based on independent source agreement (Static, Dynamic, AI, Network) (
$0 - 100%$ ). -
Behavior Coverage: Explorer UI test completeness metrics (
$0 - 100%$ ). - Likely Malware Family: Matched family archetype signature.
-
Top Behaviors: Explicit lists of observed behaviors (e.g.
Overlay Phishing,SMS Interception).
Kavach matches behaviors against signature templates inside behavior_catalog.json:
-
Android Banking Trojan: Required Overlay + Accessibility (Base Severity:
$95$ ). -
Android Spyware / Infostealer: Required Sensitive Data Harvesting (Base Severity:
$70$ ). -
Potentially Unwanted App (PUA): Optional cleartext C2, evasion, or DEX loading (Base Severity:
$30$ ).
-
Status:
Matched(all required signatures met),Partial Match(some required signatures met), orUnmatched. -
Confidence:
High(source agreement count$\ge 4$ ),Medium(source agreement count in$2, 3$ ), orLow(source agreement count$\le 1$ ). - Missing Behavior Reasons: Explains why a signature behavior was missing (e.g. "SMS Interception: No runtime hooks triggered because dynamic execution never reached that code path").
Kavach rates the validation backing for each analysis domain qualitatively using an Evidence Card metric. This represents how comprehensively a threat verdict is supported by static rules, dynamic hooks, network telemetry, visual cues, and AI analysis.
| Target Specimen | Threat Potential | Verdict | Corroboration % | Likely Malware Family | Signature Status | Static | Dynamic | Network | Behavior | AI |
|---|---|---|---|---|---|---|---|---|---|---|
| InsecureBankv2.apk | 100 | CRITICAL | 36.5% | Android Banking Trojan | Matched (High) | β β β ββ | β β β ββ | βββββ | β β β ββ | β β β β β |
| Appointment_booking.apk | 74 | HIGH | 39.3% | Android Spyware / Infostealer | Matched (Medium) | βββββ | β β β β β | βββββ | β β β β β | β β β β β |
| indusind_card_1.apk | 33 | LOW | 39.6% | Potentially Unwanted App (PUA) | Matched (Medium) | βββββ | β β β β β | βββββ | β ββββ | β β β β β |
| selendroid-test-app-fresh.apk | 12 | SAFE | 25.0% | Benign Application | Unmatched | β β β ββ | βββββ | βββββ | βββββ | βββββ |
- Static (β ββββ to β β β β β ): Declared permissions, dangerous flags, and YARA/Semgrep static rule matches.
- Dynamic (β ββββ to β β β β β ): Active Frida trace execution event counts.
- Network (β ββββ to β β β β β ): Hardcoded C2 domains and cleartext HTTP call sockets.
- Behavior (β ββββ to β β β β β ): Behavior catalog mapping density.
- AI (β ββββ to β β β β β ): Deep Gemini autopsy logic checks.
During testing against active Telangana WhatsApp campaigns (e.g. indusind_card_1.apk), Kavach exposed a critical evasion tactic:
- Static tools (
aapt dump,mobsf) failed to parse permissions, outputting:Zip: size mismatch on inflated file (0 vs 5644)ERROR: AndroidManifest.xml is corrupt - The Evasion: Attackers deliberately corrupt Zip directory headers or sizes. The Android runtime is lenient and inflates the APK successfully on devices, but reverse-engineering toolkits crash or return empty manifest results.
- Kavach Integration: Kavach V2 detects this anomaly. When manifest data is absent but static decompilation or Frida logs reveal execution paths, Kavach logs an explicit behavior:
AndroidManifest Evasion & Corruption(Defense Evasion, Severity 8).
sequenceDiagram
autonumber
actor Analyst as Security Analyst
participant UI as Next.js Dashboard
participant API as FastAPI Backend
participant Sandbox as Frida Sandbox (AVD)
participant ML as YARA & ML Classifier
participant LLM as Google Gemini API
Analyst->>UI: Upload Suspicious APK
UI->>API: POST /api/scan/upload
API->>API: Decompile & Run Static Scans (AndroidManifest Evasion Check)
API->>Sandbox: Install APK & Trigger Frida Hooks
Sandbox->>API: Return Network & Filesystem Telemetry Logs
API->>ML: Run YARA Signatures & Drebin RF Classifier
API->>LLM: Send Code Snippets + Telemetry + Evidence Card
LLM->>API: Return Executive Summary & Risk Verdict
API->>Analyst: Display Interactive Report & Traceable Explainability Chain
kavach-ai/
βββ backend/ # FastAPI REST backend, requirements, and analysis engines
β βββ rules/ # Behavior catalog signatures, YARA rules, and filters
β βββ models/ # Trained Random Forest ML classification models
β βββ code_interpreter/ # Decompiled bytecode interpretation and LLM integration
β βββ templates/ # Jinja templates for PDF / HTML advisory reports
βββ frontend/ # Next.js App Router UI dashboard and React components
βββ scripts/ # DevOps helper scripts (setup, start, verification, graph updates)
βββ evals/ # Local agent evaluations harness and scenario checklists
βββ .github/ # GitHub Actions CI & Docker publishing workflows
βββ README.md # The primary project index
Clone the repository and run the setup script:
git clone https://github.com/RamNarra/KAVACH-AI.git
cd KAVACH-AI
./scripts/setup.shOpen the newly created .env file in the root directory and add your API credentials:
GEMINI_API_KEY="your-google-gemini-token"
MOBSF_API_KEY="your-mobsf-api-token"Run the unified startup script:
./scripts/start.sh- UI Dashboard:
http://localhost:3000 - REST API Backend:
http://localhost:8080
- Frontend UI: Next.js 16 (App Router), TypeScript, React 19, Material UI, Framer Motion, D3.js.
- API Service: FastAPI, Uvicorn, Celery, SQLAlchemy.
- Analysis Instruments: MobSF API, Androguard, Quark Engine, Yara-Python, Frida.
- AI Integration: Google GenAI SDK (Gemini 3.5), Scikit-Learn (Random Forest).
- Infrastructure: PostgreSQL 17, Redis, Docker.
Distributed under the Apache License 2.0.