Android_FinSpy.yar

// Published under the GNU-GPLv2 license. It’s open to any user or organization,
//    as long as you use it under this license.

rule finspy : cdshide android
{

	meta:
		description = "Detect Gamma/FinFisher FinSpy for Android #GovWare"
		date = "2020/01/07"
		author = "Thorsten Schröder - ths @ ccc.de (https://twitter.com/__ths__)"
		reference1 = "https://github.com/devio/FinSpy-Tools"
		reference2 = "https://github.com/Linuzifer/FinSpy-Dokumentation"
		reference3 = "https://www.ccc.de/de/updates/2019/finspy"
		sample = "c2ce202e6e08c41e8f7a0b15e7d0781704e17f8ed52d1b2ad7212ac29926436e"

	strings:
		$re = /\x50\x4B\x01\x02[\x00-\xff]{32}[A-Za-z0-9+\/]{6}/

	condition:
		$re and (#re > 50)
}
	// Published under the GNU-GPLv2 license. It’s open to any user or organization,
	// as long as you use it under this license.

	rule finspy : cdshide android
	{

	meta:
	description = "Detect Gamma/FinFisher FinSpy for Android #GovWare"
	date = "2020/01/07"
	author = "Thorsten Schröder - ths @ ccc.de (https://twitter.com/__ths__)"
	reference1 = "https://github.com/devio/FinSpy-Tools"
	reference2 = "https://github.com/Linuzifer/FinSpy-Dokumentation"
	reference3 = "https://www.ccc.de/de/updates/2019/finspy"
	sample = "c2ce202e6e08c41e8f7a0b15e7d0781704e17f8ed52d1b2ad7212ac29926436e"

	strings:
	$re = /\x50\x4B\x01\x02[\x00-\xff]{32}[A-Za-z0-9+\/]{6}/

	condition:
	$re and (#re > 50)
	}