Android Marcher evolution continues
Earlier samples of Marcher had a simple naming convention for Service and Receivers:
  • (packagename).services.MainService
  • (packagename).services.ClearService
  • (packagename).ShutdownReceiver
  • (packagename).BootReceiver
New marcher samples have names with much less clarity
  • (packagename).p093o
  • (packagename).p022y
  • (packagename).p092m
  • (packagename).p077g
  • (packagename).p040k
  • (packagename).p045g

I have added a YARA Ruleset on Koodous to catch samples that show this pattern - https://koodous.com/my_rulesets/2719:
  • androguard.service(/\.[a-z]{1}[0-9]{3}[a-z]{1}\b/)
  • androguard.receiver(/\.[a-z]{1}[0-9]{3}[a-z]{1}\b/)
Will update about the detections soon
Home