Skip to content

RamNarra/KAVACH-AI

Repository files navigation

Bank of India IIT Hyderabad


πŸ›‘οΈ KAVACH AI (ΰ€•ΰ€΅ΰ€š AI)

Generative AI-Powered Explainable Malware Analysis & Risk Orchestration for Android Banking Fraud

FastAPI NextJS Gemini Docker Python


Important

KAVACH (ΰ€•ΰ€΅ΰ€š) translates to Shield or Armor in Sanskrit. It acts as an automated, defensive sandbox shield protecting banking consumers and financial institutions from cloned, fraudulent applications circulated over WhatsApp, Telegram, and SMS phishing hooks.


πŸ“Œ Table of Contents


🚨 The Problem: Shadow Fraud Campaigns

Mobile banking applications have become the core of retail banking. To exploit this trust, cybercriminals bypass formal application stores (like Google Play Store) and launch targeted social engineering campaigns distributing cloned, malicious APKs over WhatsApp, Telegram, and SMS phishing links.

These clones impersonate legitimate utility apps, support packages, or bank services (e.g., IndusInd Credit Card, ICICI Mobile Banking, or Appointment Booking). Once installed:

  • Accessibility Abuse: They coerce victims into enabling Accessibility Services. This grants the app the ability to view the screen contents, simulate gestures, click buttons, and silently auto-approve permissions.
  • Credential Harvesting: Clones draw overlay window layers (SYSTEM_ALERT_WINDOW) over legitimate banking applications to intercept login credentials.
  • SMS & OTP Interception: They listen for incoming SMS messages to steal OTP tokens, enabling unauthorized financial exfiltration.

Traditional anti-malware solutions rely on static hashes that are easily bypassed via dynamic packer wrappers, class encryption, or formatting alterations. Manual reverse engineering is slow, creating a massive gap in responsive threat intelligence.


πŸ’‘ The Solution: KAVACH V2 Paradigm

KAVACH AI V2 orchestrates static decompilation, active dynamic emulation, machine learning models, and Generative AI to deliver a unified, explainable threat-scoring framework:

$$\text{Evidence (Sinks/Perms)} \longrightarrow \text{Finding (Semgrep/Frida)} \longrightarrow \text{Behavior (Catalog)} \longrightarrow \text{Capability Class} \longrightarrow \text{Likely Malware Family}$$

Kavach automatically decompiles, installs, launches, instruments, and audits the target application inside a secure sandbox to expose exactly what the application is doing, why it was classified under a specific threat profile, and what data is at risk.


βš™οΈ Core Analysis Pillars & Subsystems

1. Static Code Autopsy & Decompilation

  • Androguard & JADX Integration: Extracts AndroidManifest structure, services, intent filters, receivers, and decompiles classes.
  • Static Rule Sweeps: Evaluates bytecode using compiled YARA and Semgrep rules targeting anti-analysis evasion, cryptographic weaknesses, and banking patterns.

2. Active Sandbox Emulation & Playbook UI Automation

  • Headless Emulation: Deploys the target APK onto a secure Android Virtual Device (AVD).
  • Dynamic Playbook Engine: Automatically interacts with the application interface (clicking inputs, submitting forms, dismissing permissions) to drive the app into executing its core payloads.
  • Frida Hooking: Intercepts low-level Java API calls at runtime, logging SMS interception (SmsManager.sendTextMessage), overlay layouts (WindowManager.addView), filesystem writes, and network socket bindings.

3. Multi-Model ML Pipeline

  • Drebin Random Forest: Extracts static permission vectors to classify benign vs. malicious layouts.
  • CNN Opcode Analyzer: Evaluates Dalvik instruction opcodes to flag structural patterns typical of packed or obfuscated Trojan campaigns.
  • ML Ensemble Manager: Integrates scores from Random Forest, CNN, and Permission2Vec models to generate a robust prediction baseline.

4. Taint Flow Analysis Engine

  • Data Source to Sink Propagation: Tracks variables from protected sources (e.g., contacts, SMS inbox, location) to exfiltration sinks (e.g., socket writes, HTTP callback connections).
  • Vulnerability Mapping: Highlights clear paths where sensitive credentials or verification tokens flow out of the device.

5. Generative AI Synthesis (Gemini)

  • Log Interpretation: Audits raw dynamic execution events and decompiled bytecode blocks.
  • Natural Language Advisories: Produces clear explanation timelines, risk verdicts, and step-by-step reverse-engineering walkthroughs for analysts.

πŸ“Š The V2 Risk Scoring Model & Signature Engine

Kavach V2 shifts from arbitrary composite math to a transparent, AV-style threat model:

1. Decoupled Core Metrics

  • Threat Potential: Maximum capability risk score derived from matched signatures ($0 - 100$).
  • Evidence Corroboration: Decoupled verification certainty based on independent source agreement (Static, Dynamic, AI, Network) ($0 - 100%$).
  • Behavior Coverage: Explorer UI test completeness metrics ($0 - 100%$).
  • Likely Malware Family: Matched family archetype signature.
  • Top Behaviors: Explicit lists of observed behaviors (e.g. Overlay Phishing, SMS Interception).

2. AV-Style Signature Matching

Kavach matches behaviors against signature templates inside behavior_catalog.json:

  • Android Banking Trojan: Required Overlay + Accessibility (Base Severity: $95$).
  • Android Spyware / Infostealer: Required Sensitive Data Harvesting (Base Severity: $70$).
  • Potentially Unwanted App (PUA): Optional cleartext C2, evasion, or DEX loading (Base Severity: $30$).

Match Statuses & Confidence Resolution

  • Status: Matched (all required signatures met), Partial Match (some required signatures met), or Unmatched.
  • Confidence: High (source agreement count $\ge 4$), Medium (source agreement count in $2, 3$), or Low (source agreement count $\le 1$).
  • Missing Behavior Reasons: Explains why a signature behavior was missing (e.g. "SMS Interception: No runtime hooks triggered because dynamic execution never reached that code path").

3. Evidence Card Domain Ratings & E2E Validation Matches

Kavach rates the validation backing for each analysis domain qualitatively using an Evidence Card metric. This represents how comprehensively a threat verdict is supported by static rules, dynamic hooks, network telemetry, visual cues, and AI analysis.

Target Specimen Threat Potential Verdict Corroboration % Likely Malware Family Signature Status Static Dynamic Network Behavior AI
InsecureBankv2.apk 100 CRITICAL 36.5% Android Banking Trojan Matched (High) β˜…β˜…β˜…β˜†β˜† β˜…β˜…β˜…β˜†β˜† β˜†β˜†β˜†β˜†β˜† β˜…β˜…β˜…β˜†β˜† β˜…β˜…β˜…β˜…β˜…
Appointment_booking.apk 74 HIGH 39.3% Android Spyware / Infostealer Matched (Medium) β˜†β˜†β˜†β˜†β˜† β˜…β˜…β˜…β˜…β˜… β˜†β˜†β˜†β˜†β˜† β˜…β˜…β˜…β˜…β˜† β˜…β˜…β˜…β˜…β˜…
indusind_card_1.apk 33 LOW 39.6% Potentially Unwanted App (PUA) Matched (Medium) β˜†β˜†β˜†β˜†β˜† β˜…β˜…β˜…β˜…β˜… β˜†β˜†β˜†β˜†β˜† β˜…β˜†β˜†β˜†β˜† β˜…β˜…β˜…β˜…β˜…
selendroid-test-app-fresh.apk 12 SAFE 25.0% Benign Application Unmatched β˜…β˜…β˜…β˜†β˜† β˜†β˜†β˜†β˜†β˜† β˜†β˜†β˜†β˜†β˜† β˜†β˜†β˜†β˜†β˜† β˜†β˜†β˜†β˜†β˜†
  • Static (β˜…β˜†β˜†β˜†β˜† to β˜…β˜…β˜…β˜…β˜…): Declared permissions, dangerous flags, and YARA/Semgrep static rule matches.
  • Dynamic (β˜…β˜†β˜†β˜†β˜† to β˜…β˜…β˜…β˜…β˜…): Active Frida trace execution event counts.
  • Network (β˜…β˜†β˜†β˜†β˜† to β˜…β˜…β˜…β˜…β˜…): Hardcoded C2 domains and cleartext HTTP call sockets.
  • Behavior (β˜…β˜†β˜†β˜†β˜† to β˜…β˜…β˜…β˜…β˜…): Behavior catalog mapping density.
  • AI (β˜…β˜†β˜†β˜†β˜† to β˜…β˜…β˜…β˜…β˜…): Deep Gemini autopsy logic checks.

πŸ”¬ Core Discovery: AndroidManifest Zip Header Evasion

During testing against active Telangana WhatsApp campaigns (e.g. indusind_card_1.apk), Kavach exposed a critical evasion tactic:

  • Static tools (aapt dump, mobsf) failed to parse permissions, outputting: Zip: size mismatch on inflated file (0 vs 5644) ERROR: AndroidManifest.xml is corrupt
  • The Evasion: Attackers deliberately corrupt Zip directory headers or sizes. The Android runtime is lenient and inflates the APK successfully on devices, but reverse-engineering toolkits crash or return empty manifest results.
  • Kavach Integration: Kavach V2 detects this anomaly. When manifest data is absent but static decompilation or Frida logs reveal execution paths, Kavach logs an explicit behavior: AndroidManifest Evasion & Corruption (Defense Evasion, Severity 8).

πŸ›οΈ Pipeline Sequence Diagram

sequenceDiagram
    autonumber
    actor Analyst as Security Analyst
    participant UI as Next.js Dashboard
    participant API as FastAPI Backend
    participant Sandbox as Frida Sandbox (AVD)
    participant ML as YARA & ML Classifier
    participant LLM as Google Gemini API

    Analyst->>UI: Upload Suspicious APK
    UI->>API: POST /api/scan/upload
    API->>API: Decompile & Run Static Scans (AndroidManifest Evasion Check)
    API->>Sandbox: Install APK & Trigger Frida Hooks
    Sandbox->>API: Return Network & Filesystem Telemetry Logs
    API->>ML: Run YARA Signatures & Drebin RF Classifier
    API->>LLM: Send Code Snippets + Telemetry + Evidence Card
    LLM->>API: Return Executive Summary & Risk Verdict
    API->>Analyst: Display Interactive Report & Traceable Explainability Chain
Loading

πŸ“ Directory Layout

kavach-ai/
β”œβ”€β”€ backend/            # FastAPI REST backend, requirements, and analysis engines
β”‚   β”œβ”€β”€ rules/          # Behavior catalog signatures, YARA rules, and filters
β”‚   β”œβ”€β”€ models/         # Trained Random Forest ML classification models
β”‚   β”œβ”€β”€ code_interpreter/ # Decompiled bytecode interpretation and LLM integration
β”‚   └── templates/      # Jinja templates for PDF / HTML advisory reports
β”œβ”€β”€ frontend/           # Next.js App Router UI dashboard and React components
β”œβ”€β”€ scripts/            # DevOps helper scripts (setup, start, verification, graph updates)
β”œβ”€β”€ evals/              # Local agent evaluations harness and scenario checklists
β”œβ”€β”€ .github/            # GitHub Actions CI & Docker publishing workflows
└── README.md           # The primary project index

πŸ› οΈ Setup & Quickstart Guide

1. Environment Setup

Clone the repository and run the setup script:

git clone https://github.com/RamNarra/KAVACH-AI.git
cd KAVACH-AI
./scripts/setup.sh

2. Configure Credentials

Open the newly created .env file in the root directory and add your API credentials:

GEMINI_API_KEY="your-google-gemini-token"
MOBSF_API_KEY="your-mobsf-api-token"

3. Launch Local Servers

Run the unified startup script:

./scripts/start.sh
  • UI Dashboard: http://localhost:3000
  • REST API Backend: http://localhost:8080

πŸ’» Technology Stack

  • Frontend UI: Next.js 16 (App Router), TypeScript, React 19, Material UI, Framer Motion, D3.js.
  • API Service: FastAPI, Uvicorn, Celery, SQLAlchemy.
  • Analysis Instruments: MobSF API, Androguard, Quark Engine, Yara-Python, Frida.
  • AI Integration: Google GenAI SDK (Gemini 3.5), Scikit-Learn (Random Forest).
  • Infrastructure: PostgreSQL 17, Redis, Docker.

πŸ“„ License

Distributed under the Apache License 2.0.

About

Generative AI-Powered Mobile Banking Trojan Sandbox & Explainable Threat Auditing System

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors