What is Pithus?

Pithus is a free and open-source mobile threat intelligence platform for activists, journalists, NGOs, researchers...

Pithus is the answer to the exponential growth of mobile threats. Malicious apps, fake apps and data laundering are the main threats when it comes to mobile security. Their detection and analysis should be available to all and not the property of a private company. Unlike some commercial solutions with exorbitant prices, Pithus is an entirely open platform supported and maintained by the community. Threats such as permanent tracking and data laundering are made possible by the total lack of transparency and the lack of understanding of what data is gathered and how. Pithus brings transparency through clear and structured reports. Activists, journalists, NGOs, and any other technical community can easily generate these reports and leverage them to better understand the threat landscape.

If you have any questions, feel free to contact us at pandora [at] pithus [dot] org or file an issue on Github.

You can also come talk to us on our Discord server.

If you would like to explore some of Pithus' features and have a real world example of how you can work with this tool, we have a TryHackMe room dedicated to Pithus. Try it here: https://tryhackme.com/room/androidmalwareanalysis.

We need your support

For the moment, Pithus is maintained by only one person, support her! Pithus hosting costs 29€ per month.

General features

  • Domain names analysis: extract and analyze domain names from the apk
  • Permissions detection: get insights on permissions required by the application
  • Certificates information: get information on signing certificates
  • Activities, services, receivers, ...: identify the different entry points of the application
  • Download sample & export report: login and click on the buttons!

Threat intel

  • Search: find samples by using Lucene query language
  • Fingerprints: search by SHA-x and pivot on UAID, ssdeep or dexofuzzy hashes
  • Hunt & Retro-hunt: import your rule sets to hunt malware
  • Pivot: quickly pivot on various indicators such as domain, certificate and more
  • VT & MalwareBazaar: get information from other threat intelligence providers
  • Sample life timeline: get insights on the sample lifespan, birth and death
  • Similar samples: find similar samples based on binary fuzzy hashing

Security And Privacy

  • Packer detection: identify compilers, packers, obfuscators and more
  • 3rd-party tracking detection: identify 3rd-parties collecting data such as ads, analytics and more
  • Manifest configuration analysis: detect potential vulnerabilities such as debug flag, tap-jacking and more
  • Network configuration analysis: detect common configuration issues such as clear traffic and more
  • Code analysis: detect common vulnerabilities found in source code
  • NIAP/OWASP analysis: detect vulnerabilities based on well-known standards
  • Behavior analysis: detect location of common code behaviors
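As an added illustration of the kind of static manifest and network configuration checks listed above (example code written for this page, not Pithus' own implementation), the script below parses a decoded AndroidManifest.xml, flags the debug and cleartext-traffic settings, and lists exported entry points that carry no protecting permission. The manifest it scans is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:* attribute in a manifest
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app) exercising each check
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true"/>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def analyze_manifest(xml_text: str) -> dict:
    """Return risky application flags and unprotected exported components."""
    root = ET.fromstring(xml_text)
    findings = {"package": root.get("package"), "flags": [], "exported": []}
    app = root.find("application")
    if app is None:
        return findings
    # Manifest configuration: debug flag left on in a shipped build
    if app.get(ANDROID_NS + "debuggable") == "true":
        findings["flags"].append("debuggable")
    # Network configuration: HTTP allowed app-wide (clear traffic)
    if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        findings["flags"].append("cleartext-traffic")
    # Entry points reachable by other apps and not gated by a permission
    for tag in ("activity", "service", "receiver"):
        for comp in app.findall(tag):
            exported = comp.get(ANDROID_NS + "exported") == "true"
            protected = comp.get(ANDROID_NS + "permission") is not None
            if exported and not protected:
                findings["exported"].append((tag, comp.get(ANDROID_NS + "name")))
    return findings


if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The launcher activity is expected to be exported; the unprotected receiver is the finding a reviewer would look at first.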

Limitations

Pithus is currently in beta and runs on a personal computer. The number of returned results is limited to 50. Pithus only does static analysis.

Pithus, the opened pandora's box

The Pandora myth is a kind of theodicy, addressing the question of why there is evil in the world. According to this, Pandora opened a jar (pithos) (commonly referred to as "Pandora's box") releasing all the evils of humanity.

Wikipedia

How Pithus works

Pithus analyses, which we want to be as comprehensive as possible, rely on multiple well-known tools such as:

Samples detected as malicious are automatically uploaded to MalwareBazaar.

Under the hood, Pithus is based on: