APKiD
Obfuscapk - LibEncryption plugin Closes #158
Given the fact that Yara is very limited when it comes to Android, I have created the only reliable rule to detect a plugin of Obfuscapk.
Unfortunately, I don't have access to VT hunting, but I have posted the rule on Koodous.
Thanks for submitting a PR and not just an issue.
The link you give to yara limitations talks about how yara only scans the apks. This is not an issue with apkid because it scans the apk as well as dex, elf, and embedded apk files. Knowing this, can you write a rule that detects the obfuscation itself? This is much better than relying on the apk to tell you if the elf is obfuscated. Sometimes the apk isn't available, and heuristics on the obfuscation tend to be a bit more robust.
Linking issue to PR: https://github.com/rednaga/APKiD/issues/158
Can @packmad upload the sample to Koodous? Or another public service?
Don't know what's wrong with Koodous, the upload is always broken. I have uploaded it on apklab.
@packmad Could we target this class? https://github.com/ClaudiuGeorgiu/Obfuscapk/blob/master/src/obfuscapk/resources/java/DecryptAsset.java#L1
If they use Obfuscapk correctly, it is then renamed by another obfuscation pass.
However, I wrote a rule to detect encrypted libs in the asset folder:

rule Obfuscapk_LibEncryption
{
    meta:
        description = "Obfuscapk - LibEncryption plugin"
        url = "https://github.com/ClaudiuGeorgiu/Obfuscapk/blob/master/src/obfuscapk/resources/java/DecryptAsset.java#L27"
        author = "packmad - https://twitter.com/packm4d"
    strings:
        // LibEncryption moves lib/<abi>/<name>.so into assets/lib.<abi>.<name>.so
        $lib_arm = /assets\/lib\.arm(eabi|64)-v[0-9a-zA-Z]{2}\.[!-~]+\.so/
        $lib_x86 = /assets\/lib\.x86(_64)?\.[!-~]+\.so/
    condition:
        any of them
}
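As an added example (not part of the PR and not APKiD's own code), the Python script below applies the same two path patterns from the rule to a constructed in-memory APK and adds the content-based check the maintainer asked for: an entry whose path matches but still starts with an ELF header and has low entropy is not actually encrypted. The zip contents are constructed here, not taken from a real Obfuscapk output.

```python
import io
import math
import re
import zipfile

# Same two patterns as the YARA rule above, applied to zip entry names.
# LibEncryption moves lib/<abi>/<name>.so into assets/lib.<abi>.<name>.so.
ENCRYPTED_LIB_RE = re.compile(
    r"^assets/lib\.(arm(?:eabi|64)-v[0-9a-zA-Z]{2}|x86(?:_64)?)\.[!-~]+\.so$"
)
ELF_MAGIC = b"\x7fELF"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, plain ELF code sits well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_apk(apk_bytes: bytes) -> list:
    """One finding per path the rule matches; 'looks_encrypted' checks the bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            m = ENCRYPTED_LIB_RE.match(info.filename)
            if not m:
                continue
            data = zf.read(info)
            ent = shannon_entropy(data)
            findings.append({
                "name": info.filename,
                "abi": m.group(1),
                # No ELF magic and high entropy: consistent with an encrypted lib.
                "looks_encrypted": not data.startswith(ELF_MAGIC) and ent > 7.0,
                "entropy": round(ent, 2),
            })
    return findings


def build_sample_apk() -> bytes:
    """Constructed minimal zip standing in for an APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Untouched native lib: normal location and real ELF magic.
        zf.writestr("lib/armeabi-v7a/libnative.so", ELF_MAGIC + b"\x00" * 1024)
        # Encrypted lib laid out as LibEncryption does: pseudo-random payload.
        zf.writestr("assets/lib.arm64-v8a.libnative.so", bytes(range(256)) * 4)
        # Path matches the rule, but the content is a plain ELF: a false positive.
        zf.writestr("assets/lib.x86.libnative.so", ELF_MAGIC + b"\x00" * 1024)
    return buf.getvalue()
```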