UnitreeGo2 (Mobile)

September 8, 2024 · SANS NetWars 2024 mobileandroidapkstatic-analysis

Challenge

Event: SANS NetWars — Mobile
Category: Mobile / Android
Artifact: unitreeGo2.apk (companion app for the Unitree Go2 robot dog)

Writeup

Decompiling the APK

The APK is unpacked with apktool, which decodes the resources and disassembles the DEX bytecode to smali:

apktool d unitreeGo2.apk

Reading the decoded AndroidManifest.xml gives the application package name:

com.unitree.doggo2

Enumerating permissions

Rather than scrolling smali, the declared permissions can be dumped directly from the APK:

aapt dump permissions unitreeGo2.apk

Cross-referencing the declared permissions against Android’s dangerous permission groups, eight fall into the dangerous category:

Permission
`ACCESS_COARSE_LOCATION`
`ACCESS_FINE_LOCATION`
`CALL_PHONE`
`WRITE_EXTERNAL_STORAGE`
`READ_EXTERNAL_STORAGE`
`CAMERA`
`RECORD_AUDIO`
`READ_PHONE_STATE`

Total dangerous permissions: 8

Exported activity

The manifest also declares the application’s exported entry point — the activity launched when the app starts and the one reachable from outside the app:

com.unitree.doggo2.ui.activity.launch.LaunchActivity