VT hunting rules for Android malware


jumbo freak

Jun 4, 2014, 10:09:28 AM6/4/14
to virus...@googlegroups.com
Hi all,
I was interested to know if anyone has had success in writing good YARA rules for harvesting Android malware in VT Intelligence. All I could think of is writing rules based on strings in resources and other bytes visible from the APK. How about writing rules for classes.dex or the AndroidManifest file? I know the VT API supports "androguard : <string>", but we can't use them inside a YARA rule as far as I know; correct me if I'm wrong. Has anyone had any success in collecting samples and want to share it with the community?

Thanks in advance.

Emiliano Martinez

Jun 5, 2014, 3:55:57 AM6/5/14
to virus...@googlegroups.com
Hello,

Intelligence hunting syntax is richer than the plain YARA syntax because it defines several externals. The ones that might be particularly interesting for you are:
- file_type
- tags
- positives

This enables you to write a simple rule such as:

rule Example_1
{
  condition:
    tags contains "apk" and positives > 10
}

This would trigger on any APK sample with more than 10 AV detections. Similarly, you can combine these new features with the traditional YARA syntax in order to focus exclusively on APKs that contain certain patterns, etc.

You can learn more about this at:

Regards.


--
Choose a file, check it with more than 40 antivirus, fast and easy: http://www.virustotal.com

---
You received this message because you are subscribed to the Google Groups "VirusTotal" group.
To unsubscribe from this group and stop receiving emails from it, send an email to virustotal+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
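As an added example that is not part of Emiliano's reply or of VirusTotal's documentation, here is one way to combine the Intelligence externals named above (`tags`, `positives`) with ordinary YARA strings so the rule fires only on APKs. The rule name, the detection threshold and the size cap are arbitrary choices; the ZIP magic check and the entry-name strings follow from the fact that an APK is a ZIP archive.

```yara
// Added example (not from the original thread). An APK is a ZIP archive, so
// the entry names in its local file headers and central directory are visible
// to YARA as plain ASCII even though the entry contents are usually deflated.
rule Example_APK_with_dex_and_native_code
{
    meta:
        description = "APK (ZIP) with classes.dex, AndroidManifest.xml and a bundled .so, >10 detections"
        note        = "Illustrative rule; threshold and size cap are assumptions"

    strings:
        // Entry names exactly as they appear in the ZIP headers.
        $dex      = "classes.dex" ascii
        $manifest = "AndroidManifest.xml" ascii
        // Entry name of a bundled native library, e.g. lib/armeabi-v7a/libfoo.so
        $native   = /lib\/[^\/\x00]{3,16}\/lib[a-zA-Z0-9_]+\.so/ ascii

    condition:
        // "PK\x03\x04" local file header signature, read as little-endian uint32.
        uint32(0) == 0x04034b50
        and filesize < 30MB
        // VT Intelligence externals; undefined in plain YARA.
        and tags contains "apk"
        and positives > 10
        // Traditional YARA patterns over the raw archive: pivot on APKs
        // that ship a dex, a manifest and native code.
        and $dex and $manifest and $native
}
```

Two practical notes. First, `tags` and `positives` are supplied by the Intelligence platform; compiling this rule with the stand-alone `yara` binary fails on the undefined identifiers unless you define them yourself, e.g. `yara -d tags=apk -d positives=12 rule.yar sample.apk`. Second, because ZIP entry contents are normally deflate-compressed, byte patterns inside classes.dex or the binary AndroidManifest.xml (permission names, class names, URLs) are not reachable from a rule scanned over the raw APK; only entry names, ZIP metadata and the occasional stored (uncompressed) entry are. Hunting on the dex or manifest content itself needs the archive unpacked first.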

leona leo

Jul 9, 2014, 10:10:38 AM7/9/14
to virus...@googlegroups.com


On Wednesday, June 4, 2014 at 14:09:28 UTC, jumbo freak wrote:
Hi all,
I was interested to know if anyone has had success in writing good YARA rules for harvesting Android malware in VT Intelligence. All I could think of is writing rules based on strings in resources and other bytes visible from the APK. How about writing rules for classes.dex or the AndroidManifest file? I know the VT API supports "androguard : <string>", but we can't use them inside a YARA rule as far as I know; correct me if I'm wrong. Has anyone had any success in collecting samples and want to share it with the community?

Shivang Desai

Jun 23, 2015, 4:14:27 AM6/23/15
to virus...@googlegroups.com
Hi Emiliano,

For implementing this rule on VT, do we need to buy a subscription from VT?
Can this rule implementation be done with a regular email registration?

Thanks,

Emiliano Martinez

Jun 23, 2015, 4:17:34 AM6/23/15
to virus...@googlegroups.com
Malware Hunting is only available in VirusTotal Intelligence, which is a private platform requiring licensing.

Regards.


Shivang Desai

Jun 26, 2015, 3:40:29 AM6/26/15
to virus...@googlegroups.com
Thanks. Hoping for one soon. :-) 

Regards,
Shivang Desai.

jumbo freak

Apr 26, 2018, 5:41:28 AM4/26/18
to VirusTotal
Hi VT,
there are a lot of improvements in Android analysis, especially behavior and relationship mapping; good work.
Have you made any updates to threat hunting? Can we use androguard in YARA rules? Can we hunt files based on behavior?