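def check(indicators, path, verbose=False):
    """
    Check an APK against the given indicators.

    Checks run in a fixed order and the first match wins: SHA256 of the
    whole file, then the package id, then the SHA1 fingerprint of the
    first signing certificate, and finally (only when ``indicators`` has
    a ``'yara'`` entry) the YARA rules against every dex in the APK.

    Args:
        indicators: dict with ``'sha256'``, ``'appids'`` and
            ``'certificates'`` entries, each passed to ``search`` (defined
            elsewhere in this module), plus an optional ``'yara'`` entry
            exposing ``.match(data=...)``.
        path: filesystem path of the APK to check.
        verbose: when True, print the value tested and the outcome of
            each step to stdout.

    Returns:
        ``(True, explanation)`` on the first match, ``(False, "")`` when
        nothing matched. A negative result only means none of the
        supplied indicators matched, not that the app is benign.

    Raises:
        KeyError: if ``indicators`` lacks one of the mandatory entries.
        OSError: if ``path`` cannot be opened or read.
    """
    # Hash in fixed-size chunks so a large APK is not held in memory just
    # to fingerprint it; the raw file contents are not needed afterwards.
    m = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            m.update(chunk)
    digest = m.hexdigest()

    res = search(digest, indicators['sha256'], 'value')
    if verbose:
        print("SHA256: {}".format(digest))
    if res:
        if verbose:
            print("Known Stalkerware hash: {}".format(res))
        return True, "Known Stalkerware hash: {}".format(res)
    if verbose:
        print("App hash not in the indicator database")

    apk = APK(path)
    package = apk.get_package()
    res = search(package, indicators['appids'], 'package')
    if verbose:
        print("Package id: {}".format(package))
    if res:
        if verbose:
            print("Known stalkerware package id: {}".format(res))
        return True, "Known stalkerware package id: {}".format(res)
    if verbose:
        print("Package id not in the indicators")

    # Fetch the certificate list once instead of calling into the parser
    # twice for the same data.
    certificates = apk.get_certificates()
    if certificates:
        # NOTE(review): only the first certificate is compared; an APK
        # carrying several signer certificates would need each one checked.
        # Confirm against the indicator format before changing this.
        sha1 = certificates[0].sha1_fingerprint.replace(' ', '')
        if verbose:
            print("Certificate: {}".format(sha1))
        res = search(sha1, indicators['certificates'], 'certificate')
        if res:
            if verbose:
                print("Known Stalkerware certificate: {}".format(res))
            return True, "Known Stalkerware certificate: {}".format(res)
        if verbose:
            print("Certificate not in the indicators")
    elif verbose:
        print("No certificate in this APK")

    # YARA is optional: only run it when rules were supplied. Each dex is
    # scanned separately and the first matching rule is reported.
    if 'yara' in indicators:
        for dex in apk.get_all_dex():
            res = indicators['yara'].match(data=dex)
            if res:
                if verbose:
                    print("Matches yara rules {}".format(res[0]))
                return True, "Yara rule {}".format(res[0])
            if verbose:
                print("Does not match any yara rules")

    return False, ""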
if res: print("Known Stalkerware hash: {}".format(res)) else: print("App hash not in the indicator database") print("") apk = APK(args.APK) res = search(apk.get_package(), indicators['appids'], 'package') print("Package id: {}".format(apk.get_package())) if res: print("Known stalkerware package id: {}".format(res)) else: print("Package id not in the indicators") print("") if len(apk.get_certificates()) > 0: cert = apk.get_certificates()[0] sha1 = cert.sha1_fingerprint.replace(' ', '') print("Certificate: {}".format(sha1)) res = search(sha1, indicators['certificates'], 'certificate') if res: print("Known Stalkerware certificate: {}".format(res)) else: print("Certificate not in the indicators") else: print("No certificate in this APK") # TODO : add rules and androguard rules