βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β π
π² π
π
π
π
π€ π² π
π¦βπ₯ π
β
β πππππ πππ©π β
β 0xDEADBEEF β’ RED TEAM β’ PHOENIX OPS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Android Service Attack Surface Analyzer
Automated reconnaissance and attack command generation for Android services
FalconServiceAnalyzer is an offensive security tool that automates the discovery and analysis of Android service attack surfaces. It goes beyond simple enumeration by generating ready-to-use attack commands and providing actionable intelligence for penetration testing.
-
Intelligent Service Classification
- Detects: Started, Bound, Hybrid, AIDL, Messenger services
- Identifies exported vs non-exported services
- Obfuscation detection
-
Attack Command Generation
- Started services: Ready ADB commands
- Bound services: PoC/Frida guidance (no fake exploits)
- Permission requirement detection
-
Static Analysis
- Smali code inspection
- Runtime.exec detection
- Intent extras handling analysis
- Exported service enumeration
-
Dual Input Modes
- APK files (automatic decompilation)
- Pre-decompiled folders (fast mode)
-
Rich Reporting
- Interactive HTML reports with dark theme
- Structured JSON output
- Attack surface statistics
# Debian/Ubuntu
sudo apt install apktool python3 jq
# Arch Linux
sudo pacman -S apktool python jqgit clone https://github.com/falcon0x1/FalconServiceAnalyzer.git
cd FalconServiceAnalyzer
chmod +x falcon_service_analyzer.sh# Analyze APK (will decompile)
./falcon_service_analyzer.sh target.apk
# Fast mode with pre-decompiled folder
./falcon_service_analyzer.sh /path/to/decompiled_app/
# With Jadx support
./falcon_service_analyzer.sh -j target.apkanalysis_<app_name>_<timestamp>/
βββ source/ # Decompiled APK
βββ reports/
βββ json/
β βββ service_1.json
β βββ final_report.json
βββ html/
β βββ index.html # Interactive report
βββ attack_scripts/ # Generated PoC templates
When a service implements onStartCommand, it can be triggered directly:
adb shell am start-service -n com.example.app/.VulnerableServiceFalconServiceAnalyzer automatically generates these commands for discovered started services.
Bound services require client-side implementation. The tool:
- Identifies the binding mechanism (AIDL/Messenger)
- Provides guidance for PoC development
- Does NOT suggest fake ADB exploits
Services implementing both patterns get ADB commands for the started interface, plus notes about the bound interface.
[π
] Service #1: com.example.app.AuthService
[π
] Exported: true
[π€] Type: started
[π¦βπ₯] Attack: adb shell am start-service -n com.example.app/.AuthService
[π
] Findings: 2 potential issue(s)- Bug Bounty: Rapid service attack surface enumeration
- Penetration Testing: Automated reconnaissance phase
- Security Research: Service behavior analysis
- CTF: Quick service vulnerability identification
For authorized security testing only.
This tool is intended for:
- Applications you own
- Authorized penetration testing engagements
- Security research with proper permissions
- Educational purposes in controlled environments
Unauthorized testing of applications is illegal. You are solely responsible for compliance with applicable laws and regulations.
Contributions welcome! Areas of interest:
- Additional vulnerability detection patterns
- Frida script generation
- AIDL interface parsing
- Custom PoC templates
Made by falcon0x1
- GitHub: @falcon0x1
- Focus: Offensive Security β’ Android β’ Web β’ AD
π
π² π
π
π
π
π€ π² π
π¦βπ₯ π
MIT License - See LICENSE file for details
Part of the falcon0x1 offensive security toolkit