Improving Yara for Android #1145
Comments
As you said, extracting all the information about the Android app would involve decompressing the ZIP file, parsing XML, and so on. Putting all of that into a single module would add a lot of complexity and dependencies, and that's the kind of work that is easier to do in some other language, like Python. I think that the Koodous approach is the best one: extract all the information using external code, and provide YARA with all the information in a JSON file that you can use with a custom-made module. It's a shame that Koodous is not releasing that portion of the code.
Do you think it would be possible to write a YARA plugin in another language (like Rust) that is usable with YARA but removes a lot of potential security issues?
That's not possible, unfortunately. Plugins are intended to be compiled into YARA; they are not designed to be dynamically loaded.
OK, good to know, thanks.
Hi, did you write a YARA plugin for Android? If the answer is yes, does your plugin allow checking strings or regexes directly in the dex classes?
Hi,
It feels that YARA is pretty limited with Android malware for several reasons:
Right now, the only solution I know is androguard-yara by Koodous, but it does not actually parse the APK; it relies on an external JSON file generated by the Koodous platform using androguard, and the code to generate this JSON is not open source, so it is impossible to use androguard-yara without the Koodous platform.
I am wondering if it would be interesting to develop a YARA extension for Android, which would:
I see two important limitations to this idea:
What do you think, y'all?
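The thread settles on one design: parse the APK outside YARA and hand YARA a JSON document that a custom module reads, and one commenter asks whether strings or regexes can be checked inside the dex classes. The script below is an added example of such an external pre-processor written for this page; it is not code from the YARA project, from Koodous or from androguard-yara, and the JSON field names, the string heuristics and the signature check are this example's own choices, not the androguard-yara schema (which the issue notes is not public). The sample APK is constructed in memory so the script runs offline; it is a ZIP with a fake `classes.dex`, not a real app.

```python
"""Added example: an external APK pre-processor in the style the thread
describes. It reads an APK (a ZIP file), extracts facts YARA cannot reach
on the raw archive, and returns a JSON-serialisable dict that a custom
YARA module could load. Field names are this example's own choice, not
the androguard-yara schema."""
import hashlib
import io
import json
import re
import zipfile

# "strings"-style heuristic: printable ASCII runs of at least 6 characters.
_STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
# URL-looking strings are worth surfacing separately for rule authors.
_URL_RE = re.compile(rb"https?://[\w./%?=&#-]+")
# classes.dex, classes2.dex, ... (multidex)
_DEX_NAME_RE = re.compile(r"classes\d*\.dex")


def extract_apk_facts(apk_bytes: bytes) -> dict:
    """Parse an APK held in memory and collect facts for a JSON document."""
    facts = {
        "entries": [],            # every archive member with size and sha256
        "has_native_libs": False,  # any lib/<abi>/*.so present
        "is_signed": False,        # v1 (JAR) signature block in META-INF/
        "dex_strings": [],         # printable strings found in classes*.dex
        "dex_urls": [],            # URL-looking strings found in classes*.dex
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            facts["entries"].append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                facts["has_native_libs"] = True
            if name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
                facts["is_signed"] = True
            if _DEX_NAME_RE.fullmatch(name):
                strings = {m.group().decode("ascii") for m in _STRING_RE.finditer(data)}
                urls = {m.group().decode("ascii") for m in _URL_RE.finditer(data)}
                facts["dex_strings"].extend(sorted(strings))
                facts["dex_urls"].extend(sorted(urls))
    return facts


def dex_strings_matching(facts: dict, pattern: str) -> list:
    """Regex over the extracted dex strings: the kind of check a custom
    module would expose to rules on top of the JSON."""
    rx = re.compile(pattern)
    return [s for s in facts["dex_strings"] if rx.search(s)]


def facts_to_json(facts: dict) -> str:
    """Serialise the facts the way they would be handed to the module."""
    return json.dumps(facts, indent=2, sort_keys=True)


def build_sample_apk() -> bytes:
    """Constructed sample for the demo: a ZIP laid out like an APK with a
    fake dex payload. Not a real application."""
    fake_dex = (
        b"dex\n035\0" + b"\0" * 16
        + b"Lcom/example/Dropper;\0"
        + b"http://example.invalid/payload.bin\0"
        + b"sendTextMessage\0"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary-XML stub
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\0" * 12)
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # PKCS#7 stub
    return buf.getvalue()


if __name__ == "__main__":
    sample = extract_apk_facts(build_sample_apk())
    print(facts_to_json(sample))
    print(dex_strings_matching(sample, r"^Lcom/example/"))
```

Running it prints the JSON for the constructed sample and the dex strings matching the `Lcom/example/` class prefix. A real pre-processor would decode the binary `AndroidManifest.xml` (package name, permissions) and parse the dex string table properly, which is exactly the androguard-side work the thread wants to keep out of the YARA module itself.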