Improving Yara for Android #1145

Closed
Te-k opened this issue Oct 13, 2019 · 5 comments

Comments

@Te-k

Te-k commented Oct 13, 2019

Hi,

It feels that yara is pretty limited with Android malware for several reasons:

  • APKs are zip archives, so yara signatures are not helping there; most people build yara rules for the dex file
  • It is not possible to build rules using APK information (manifest, certificate etc.)

Right now, the only solution I know is androguard-yara by Koodous, but it does not actually parse the APK; it relies on an external JSON file generated by the Koodous platform using androguard, and the code to generate this JSON is not open source, so it is impossible to use androguard-yara without the Koodous platform.

I am wondering if it would be interesting to develop a yara extension for Android, which would :

  • Extract information from the Manifest, the certificate and resources
  • Allow checking strings or regex directly in the dex classes

I see two important limitations to this idea :

  • Considering how many formats would need to be parsed (ZIP, certificate, Android XML etc.), it seems heavy and hard to write securely and efficiently in C/C++
  • I am not sure there is a way in the current Yara plugin specification to do string or regex search in anything else than the main file

What do you think, y'all?

@plusvic
Member

plusvic commented Oct 15, 2019

As you said, extracting all the information about the Android app would involve decompressing the ZIP file, parsing XML, and so on. Putting all of that into a single module would add a lot of complexity and dependencies, and that's the kind of work that is easier to do in some other language, like Python.

I think that the Koodous approach is the best one, extract all the information using external code, and provide YARA with all the information in a JSON file that you can use with a custom-made module. It's a shame that Koodous is not releasing that portion of the code.
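
The "extract externally, feed YARA a JSON sidecar" approach described above, as an added example: this is not code from this thread, from YARA, or from Koodous/androguard-yara, and the JSON layout is my own. It is stdlib-only Python that walks an APK as a zip, records every entry's SHA-256, notes whether AndroidManifest.xml is binary AXML, lists the META-INF signing files, parses and integrity-checks each classes*.dex header, and runs a regex over the raw dex bytes (covering both points in the original request: manifest/certificate/resource metadata, and string or regex checks inside the dex). The sample APK is constructed in memory; its certificate, manifest body and resource bytes are placeholders, and only the dex header is parsed for real.

```python
"""Added example: build a JSON sidecar from an APK for a custom YARA module.
Stdlib only; the sample APK below is constructed in memory (not a real app)."""
import hashlib
import io
import json
import re
import struct
import zipfile
import zlib
from collections import Counter

DEX_HEADER_LEN = 0x70
DEX_MAGIC_RE = re.compile(rb"dex\n(\d{3})\x00")
# class descriptors as they appear in dex string data, e.g. Lcom/foo/Bar;
CLASS_DESCRIPTOR_RE = re.compile(rb"L[A-Za-z0-9_$]+(?:/[A-Za-z0-9_$]+)+;")


def build_dex(payload: bytes) -> bytes:
    """Minimal internally consistent dex (constructed test input): a 0x70-byte
    header with empty id tables, followed by `payload` as the data section."""
    file_size = DEX_HEADER_LEN + len(payload)
    # from offset 32: file_size, header_size, endian_tag, link_size, link_off,
    # map_off; six (size, off) id-table pairs; then data_size, data_off
    tail = struct.pack("<6I", file_size, DEX_HEADER_LEN, 0x12345678, 0, 0, 0)
    tail += struct.pack("<12I", *([0] * 12))
    tail += struct.pack("<2I", len(payload), DEX_HEADER_LEN)
    body = tail + payload
    signature = hashlib.sha1(body).digest()                 # SHA-1 over bytes 32..end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # adler32 over bytes 12..end
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body


def parse_dex_header(dex: bytes) -> dict:
    """Parse the dex header and verify checksum and signature, so a tampered or
    truncated classes.dex is flagged instead of silently scanned."""
    if len(dex) < DEX_HEADER_LEN:
        raise ValueError("truncated dex header")
    m = DEX_MAGIC_RE.match(dex)
    if not m:
        raise ValueError("bad dex magic")
    checksum, = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<3I", dex, 32)
    tables = ("string_ids", "type_ids", "proto_ids", "field_ids", "method_ids", "class_defs")
    counts = struct.unpack_from("<12I", dex, 56)
    data_size, data_off = struct.unpack_from("<2I", dex, 104)
    return {
        "version": m.group(1).decode(),
        "file_size": file_size,
        "file_size_matches": file_size == len(dex),
        "header_size": header_size,
        "little_endian": endian_tag == 0x12345678,
        "checksum_ok": (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(dex[32:]).digest() == signature,
        "signature": signature.hex(),
        "counts": {name: counts[2 * i] for i, name in enumerate(tables)},
        "data_size": data_size,
        "data_off": data_off,
    }


def extract_apk(apk_bytes: bytes, dex_regex=CLASS_DESCRIPTOR_RE) -> dict:
    """Walk the APK once and build the sidecar document a custom module would read."""
    info = {"entries": {}, "duplicate_entries": [], "manifest": None,
            "signing_files": [], "dex": {}, "dex_regex_hits": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = [zi.filename for zi in zf.infolist()]
        # duplicate entry names let a scanner and the installer pick different
        # copies of the same file; surface them rather than silently take the last
        info["duplicate_entries"] = sorted(n for n, c in Counter(names).items() if c > 1)
        for zi in zf.infolist():
            data = zf.read(zi)
            info["entries"][zi.filename] = {"size": zi.file_size,
                                            "sha256": hashlib.sha256(data).hexdigest()}
            if zi.filename == "AndroidManifest.xml":
                # binary AXML starts with chunk type 0x0003 and header size 0x0008
                word = struct.unpack_from("<I", data, 0)[0] if len(data) >= 4 else None
                info["manifest"] = {"binary_xml": word == 0x00080003, "size": len(data)}
            elif zi.filename.startswith("META-INF/") and \
                    zi.filename.endswith((".RSA", ".DSA", ".EC", ".SF", ".MF")):
                info["signing_files"].append(zi.filename)
            elif re.fullmatch(r"classes\d*\.dex", zi.filename):
                info["dex"][zi.filename] = parse_dex_header(data)
                # regex over the extracted dex bytes; the same bytes can be handed
                # to yara as a file now that they are out of the zip container
                info["dex_regex_hits"].extend(sorted({h.decode() for h in dex_regex.findall(data)}))
    return info


def build_sample_apk() -> bytes:
    """Constructed in-memory APK; cert, manifest body and resource bytes are placeholders."""
    dex = build_dex(b"Lcom/example/app/MainActivity;\x00Lcom/example/app/Payload;\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", struct.pack("<II", 0x00080003, 64) + b"\x00" * 56)
        zf.writestr("classes.dex", dex)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")  # placeholder, not a real PKCS#7 blob
        zf.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(extract_apk(build_sample_apk()), indent=2, sort_keys=True))
```

The JSON this emits is the kind of document a custom YARA module would load alongside the sample; the extracted classes.dex is written out separately so ordinary `yara` rules can run over it directly. Real-world use would replace the header-only dex parse and the manifest magic check with a full AXML and certificate parser (androguard does both), but the split stays the same: the parsing risk lives in Python, and YARA only sees flat bytes and JSON.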

@Te-k
Author

Te-k commented Oct 15, 2019

Do you think it would be possible to write a Yara plugin in another language (like Rust) that is usable with yara but removes a lot of potential security issues?

@plusvic
Member

plusvic commented Oct 16, 2019

That's not possible unfortunately. Plugins are intended to be compiled into YARA; they are not designed to be dynamically loaded.

@Te-k
Author

Te-k commented Oct 22, 2019

OK, good to know, thanks.

@JonathanHaldarov

Hi, did you write a Yara plugin for Android? If the answer is yes, does your plugin allow checking strings or regex directly in the dex classes?
