This AIL feeder pushes annotated APKs to an AIL instance for YARA detection.
It goes something like this:
```mermaid
flowchart TD
    scraping_play_store --> id1
    id1 --> downloading --> id4
    id1 --> analysis_baselining
    id4 --> analysis_baselining --> id3
    analysis_baselining --> id5
    id4 --> analysis_hunting --> id2
    id1 --> analysis_hunting
    id5 --> id6
    id2 --> ail-feeder-apk --> id6
    id1[(scrap)]
    id2[(hunt)]
    id3[(baseline)]
    id5[(images.bloom)]
    id4[(raccoon)]
    id6[(AIL)]
```
- fill out `etc/ail-feeder-apk.cfg` to define which keywords to search for, which developer certificates are trusted, AIL credentials, the raccoon installation, etc.
- use `bin/scrap_playstore.py` to scrap the applications on the Play Store that correspond to your keywords - the results are placed into the `scrap` lmdb,
- use `bin/download_apks.py` to download/update all the .apk files through `raccoon` - the resulting files are placed in the `raccoon` home folder,
- use `bin/analysis.py baselining` to create the baseline - the resulting bloom filter is `images.bloom` by default, and a `baseline` lmdb,
- use `bin/analysis.py hunting` to create the `hunt` lmdb,
- use `bin/feeder-apk.py` to push the content of the `hunt` lmdb to the AIL instance.
- The AIL instance receives `json` annotations regarding the APK, and runs the corresponding `YARA` rules against these files,
for instance:

```yara
import "androguard"

rule andro_fleur
{
    condition:
        androguard.image(0) == 1
}
```
`bin/analysis.py hunting <some.apk>` can be used to add a local apk file to the `hunt` lmdb.
This feeder has several requirements for the AIL instances to treat its input correctly:

- an AIL instance using a yara version compiled with `androfleur` support:
  - androfleur is a modified version of the androguard-yara module that supports lookup into DCSO bloom filter files.
  - an AIL fork with the correct yara version is available here: https://github.com/gallypette/ail-framework/tree/custoyara
- raccoon 4 needs to be installed and configured to use a google account, see https://raccoon.onyxbits.de/documentation/
- At the moment the tool produces way too many false positives:
  - `androfleur` should return a match count instead of success/failure. This would allow yara rules to trigger only above a threshold.
  - databases of known files (or their filters) could be queried to filter out false positives.
- the tool could mine Play Store comments and score them for threat detection.
- additionally, a dex decompilation step could produce interesting detection means.
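A toy version of the baseline/hunt pass and of the match-count threshold proposed above, added here as an example (it is not ail-feeder-apk or androfleur code): the bloom filter is a minimal stand-in rather than the DCSO format androfleur reads, the `res/` image-extension filter is an assumption, and the "APKs" are zips constructed in memory.

```python
import hashlib
import io
import zipfile

# Added example, not project code. Minimal bloom filter (NOT the DCSO on-disk
# format): k bit positions per item, each derived from sha256(i || item).
class Bloom:
    def __init__(self, m_bits=8192, k=4):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)

    def _positions(self, item: bytes):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item: bytes):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: bytes):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def make_apk(files: dict) -> bytes:
    """Constructed stand-in for an APK: a zip holding the given name -> bytes map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def image_hashes(apk: bytes):
    """sha256 of every image under res/ (assumed extensions), as a baseline would index."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.startswith("res/") and name.endswith((".png", ".jpg", ".webp")):
                yield hashlib.sha256(z.read(name)).hexdigest().encode()

def baseline(apks) -> Bloom:
    """Baselining: insert image hashes of trusted APKs into the filter."""
    bf = Bloom()
    for apk in apks:
        for h in image_hashes(apk):
            bf.add(h)
    return bf

def hunt(apk: bytes, bf: Bloom, threshold: int) -> dict:
    """Hunting with a match COUNT: alert only when enough images reuse baseline
    assets, instead of the yes/no answer androguard.image(0) == 1 gives today."""
    hashes = list(image_hashes(apk))
    matches = sum(1 for h in hashes if h in bf)
    return {"images": len(hashes), "matches": matches, "alert": matches >= threshold}
```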
The project has been co-funded by CEF-TC-2020-2 - 2020-EU-IA-0260 - JTAN - Joint Threat Analysis Network.