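def check(indicators, path, verbose=False):
    """
    Check an APK against the given stalkerware indicators.

    Lookups run in order: file SHA-256, package id, signing certificate(s),
    then (if present) yara rules over every DEX. The first hit short-circuits
    the scan and is reported.

    Args:
        indicators: dict holding the ``'sha256'``, ``'appids'`` and
            ``'certificates'`` indicator lists in the shape ``search`` expects,
            plus an optional compiled ``'yara'`` ruleset.
        path: filesystem path of the APK to inspect.
        verbose: when True, print every lookup and its outcome.

    Returns:
        ``(True, explanation)`` on the first match, otherwise ``(False, "")``.

    Note:
        Package id and certificate are attacker-controlled: a repackaged build
        changes both trivially. A negative result only means "not in the
        indicator database", not "clean".
    """
    def say(msg):
        if verbose:
            print(msg)

    # Hash in fixed-size chunks so a large APK is never held whole in memory.
    digest_obj = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            digest_obj.update(chunk)
    digest = digest_obj.hexdigest()
    say("SHA256: {}".format(digest))
    res = search(digest, indicators['sha256'], 'value')
    if res:
        say("Known Stalkerware hash: {}".format(res))
        # Bug fix: the original nested this return under ``if verbose``, so a
        # known-bad hash was silently ignored when verbose was False and the
        # function fell through to the weaker package/certificate checks.
        return True, "Known Stalkerware hash: {}".format(res)
    say("App hash not in the indicator database")

    apk = APK(path)
    package = apk.get_package()
    say("Package id: {}".format(package))
    res = search(package, indicators['appids'], 'package')
    if res:
        say("Known stalkerware package id: {}".format(res))
        return True, "Known stalkerware package id: {}".format(res)
    say("Package id not in the indicators")

    # Check every signing certificate, not only the first one: an APK may carry
    # several signers/signature-scheme entries and a known-bad certificate is
    # not guaranteed to be listed first.
    certs = apk.get_certificates()
    if certs:
        for cert in certs:
            # The indicator database keys certificates by SHA-1 fingerprint
            # (a database format constraint, not a choice made here);
            # androguard renders it with a space between byte pairs.
            sha1 = cert.sha1_fingerprint.replace(' ', '')
            say("Certificate: {}".format(sha1))
            res = search(sha1, indicators['certificates'], 'certificate')
            if res:
                say("Known Stalkerware certificate: {}".format(res))
                return True, "Known Stalkerware certificate: {}".format(res)
        say("Certificate not in the indicators")
    else:
        say("No certificate in this APK")

    if 'yara' in indicators:
        for dex in apk.get_all_dex():
            matches = indicators['yara'].match(data=dex)
            if matches:
                say("Matches yara rules {}".format(matches[0]))
                return True, "Yara rule {}".format(matches[0])
        say("Does not match any yara rules")
    return False, ""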
    if res:
        print("Known Stalkerware hash: {}".format(res))
    else:
        print("App hash not in the indicator database")

    print("")

    apk = APK(args.APK)
    res = search(apk.get_package(), indicators['appids'], 'package')
    print("Package id: {}".format(apk.get_package()))
    if res:
        print("Known stalkerware package id: {}".format(res))
    else:
        print("Package id not in the indicators")

    print("")

    if len(apk.get_certificates()) > 0:
        cert = apk.get_certificates()[0]
        sha1 = cert.sha1_fingerprint.replace(' ', '')
        print("Certificate: {}".format(sha1))
        res = search(sha1, indicators['certificates'], 'certificate')
        if res:
            print("Known Stalkerware certificate: {}".format(res))
        else:
            print("Certificate not in the indicators")
    else:
        print("No certificate in this APK")

    # TODO : add rules and androguard rules