Koodous rulesets
I have an account on Koodous (linked here). I have added a few rulesets there; their contents are posted below:
  rule PornLock
  {
      meta:
          description = "Rule to detect specific Porn related Lockscreen"
          sample = "f7c9a55d07069af95c18c8dd62b1c66568e3b79af551d95c7bf037a107e6526e"

      strings:
          // Path of a device-admin policy resource (inferred from the file name;
          // the rule only requires the literal path to be present)
          $r = "res/xml/device_admin_data.xml"
          $b = "Update"
          // Any one of these three markers is sufficient
          $c = "XXX"
          $d = "Porn"
          $e = "Adult"

      condition:
          // Equivalent to the original three OR'd clauses with the shared part
          // ($r, the service match and $b) factored out.
          // NOTE(review): the leading '.' in the regex is unescaped and matches any
          // single character before "Service"; use "\." if a literal dot was intended.
          $r and androguard.service(/.Service\d{2}/) and $b and ($c or $d or $e)
  }

  rule PornApps
  {
      meta:
          description = "Rule to detect certain Porn related apps"
          sample = "baea1377a3d6ea1800a0482c4c0c4d8cf50d22408dcf4694796ddab9b011ea14"

      strings:
          // Literal path string; on its own this is generic, so it is only used
          // together with the activity-name match below
          $a = "/system/bin/vold"

      condition:
          // NOTE(review): the leading '.' is unescaped, so it matches any single
          // character before "HejuActivity"; use "\." if a literal dot was intended.
          androguard.activity(/.HejuActivity/) and $a
  }

  rule Developers_with_known_malicious_apps
  {
      meta:
          description = "This rule lists app from developers with a history of malicious apps"
          // 32-hex-character digest as published (MD5 length; other rules use longer hashes)
          sample = "69b4b32e4636f1981841cbbe3b927560"

      strings:
          // Developer identifiers as they appear in the APKs; "secuitity" is kept
          // as given since the string must match the published content verbatim
          $a = "Londatiga"
          $b = "evaaee3ge3aqg"
          $c = "gc game"
          $d = "jagcomputersecuitity"

      condition:
          // Each clause pairs a developer string with its signing-certificate SHA-1;
          // the second clause matches on the certificate alone.
          ($a and androguard.certificate.sha1("ECE521E38C5E9CBEA53503EAEF1A6DDD204583FA"))
          or androguard.certificate.sha1("1CA6B5C6D289C3CCA9F9CC0E0F616FBBE4E0573B")
          or ($b and androguard.certificate.sha1("79981C39859BFAC4CDF3998E7BE26148B8D94197"))
          or ($c and androguard.certificate.sha1("CA763A4F5650A5B685EF07FF31587FA090F005DD"))
          or ($d and androguard.certificate.sha1("4CC79D06E0FE6B0E35E5B4C0CB4F5A61EEE4E2B8"))
  }

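  // Renamed from "DroidJack infested apps": YARA rule identifiers cannot contain
  // spaces, so the original header would not compile.
  rule DroidJack_infested_apps
  {
      meta:
          description = "This rule detects malicious apps with DroidJack components"
          sample = "51b1872a8e2257c660e4f5b46412cb38"

      condition:
          // Require both the package name and at least one service declared
          // under that package, so a bare package-name string is not enough.
          androguard.package_name("net.droidjack.server") and
          androguard.service(/net\.droidjack\.server\./)
  }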

  rule Malicious_Apps_with_VirusService
  {
      meta:
          description = "This rule detects apps with VirusService"
          // 40-hex-character digest as published (SHA-1 length)
          sample = "5C0A65D3AE9F45C9829FDF216C6E7A75AD33627A"

      condition:
          // Case-insensitive match on any declared service whose name ends in
          // ".VirusService" (the dot is escaped here, unlike in the other rules).
          androguard.service(/\.VirusService/i)
  }

This page will be updated as more rules are added.