[Clamav-devel] Clam Scan on Android APK
Sujit Nandan
2015-10-16 11:51:39 UTC
Hi Everybody,

I want to know how Clam creates a signature for an infected Android APK. Right
now we are totally in the dark. Clam has determined an APK as infected with
malware, but when we run clamscan on the extracted content from that APK it is
not able to detect any malware. Can anybody brief me on the steps for how
the signature is created, or on the proper way to scan an APK on
Android?

Regards,
Sujit
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Steven Morgan
2015-10-16 15:43:58 UTC
Hi,

What is the virus name? I believe there are bytecode signatures that
process APKs.

Steve
Steven Morgan
2015-10-16 16:11:50 UTC
One of the triggers for the BC.Exploit.Andr bytecode is the zip file magic
at offset 0. If you are using --leave-temps, the inner files are extracted,
but the zip file magic is lost.
Sujit Nandan
2015-10-17 11:18:27 UTC
Hi Steven,

We found the infected APK via
http://contagiodump.blogspot.in/2011/03/take-sample-leave-sample-mobile-malware.html
http://www.mediafire.com/download/a31f86dzejilwea/026_capture-site.com_ocjp.zip
is the zip file which contains an APK named btm.apk, which is the APK we are
concerned with.

The question in my mind right now is whether we need to extract the content
of the APK before sending it for scanning with Clam, or whether it
extracts internally.

Thanks a lot for your quick response.

Regards,
Sujit
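An added illustration of Steven's point about the zip magic at offset 0 and of the question whether the APK must be extracted first. This is example code written for this page, not code from the thread or from ClamAV. It constructs a minimal APK-shaped zip in memory (placeholder manifest and a classes.dex stub; none of it is a real app), checks the container-level condition that a bytecode signature can trigger on, then writes the members out the way --leave-temps leaves them on disk and checks the same condition on each inner file. The scanner itself is not involved: the point is only which inputs still satisfy an offset-0 zip-magic check.

```python
"""Why scanning the *extracted* contents of an APK can miss a detection
that fires on the APK itself.

Added example, not ClamAV code. The APK built here is constructed for the
demonstration: an AndroidManifest.xml placeholder, a classes.dex stub that
carries only the dex magic, and a META-INF entry.
"""
import io
import os
import tempfile
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # zip local-file-header signature; an APK starts with it
DEX_MAGIC = b"dex\n"       # first bytes of classes.dex (a version string follows)


def build_sample_apk() -> bytes:
    """Construct a tiny APK-shaped zip. Member contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.constructed'/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def has_zip_magic(data: bytes) -> bool:
    """The container-level condition: zip magic at offset 0 of the scanned file."""
    return data[:4] == ZIP_MAGIC


def extract_like_leave_temps(apk: bytes, outdir: str) -> dict:
    """Mimic what --leave-temps leaves behind: every member written out as
    its own file. Returns {member_name: member_bytes}."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            path = os.path.join(outdir, info.filename.replace("/", "_"))
            with open(path, "wb") as fh:
                fh.write(data)
            members[info.filename] = data
    return members


def members_with_zip_magic(members: dict) -> list:
    """Which extracted files, if any, would still pass the offset-0 zip-magic check."""
    return sorted(name for name, data in members.items() if has_zip_magic(data))


def run_demo() -> dict:
    """Compare the whole container against its extracted members."""
    apk = build_sample_apk()
    with tempfile.TemporaryDirectory() as tmp:
        members = extract_like_leave_temps(apk, tmp)
        return {
            "container_has_zip_magic": has_zip_magic(apk),
            "extracted_members": sorted(members),
            "extracted_with_zip_magic": members_with_zip_magic(members),
            "classes_dex_prefix": members["classes.dex"][:4],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%s: %r" % (key, value))
```

The container passes the check and none of the inner files does (classes.dex begins with the dex magic, the manifest with XML text), so a signature conditioned on the zip magic can only fire when clamscan is handed the APK itself; ClamAV unpacks the archive internally during that scan, so there is no need to extract it beforehand.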
Sujit Nandan
2015-10-23 07:09:00 UTC
Hi Steven,

I am following up with this mail just to bring to your attention the
problem related to APK file scanning, as mentioned in the previous mail.

I also have another query regarding creating an AV base (ClamAV signature
database) which has only malware relevant to the Android OS.
This is because the full AV signature base is huge if we consider the memory
limitation of a handheld OS like Android.

Eagerly waiting for your valuable response.

Regards,
Sujit
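The thread does not answer the second query (an Android-only signature base). One way to approach it, as an added example that is not part of the thread or of ClamAV: unpack the official databases to their text form with `sigtool --unpack main.cvd` (which yields main.ndb, main.hdb, main.ldb and others) and keep only the lines whose signature name carries the "Andr" platform token. The assumptions are that Android signatures are recognisable by that token in the name (e.g. "Andr.Trojan.Foo" or the "BC.Exploit.Andr" Steven mentioned), that the three text formats below are laid out as commented, and that the sample lines, which are constructed placeholders rather than real signatures, stand in for the unpacked files.

```python
"""Carve an Android-only subset out of ClamAV's text-format signature files.

Added example; not ClamAV code and not from the thread. Assumptions:
  * the input is the unpacked text form of the databases (what
    `sigtool --unpack main.cvd` produces), not the packed .cvd/.cld;
  * Android signatures carry an "Andr" platform token in the name
    (assumed from ClamAV naming; verify against the database you unpack);
  * only .ndb, .hdb and .ldb lines are handled; bytecode (.cbc) is binary
    and is not filtered here.
The SAMPLE_* lines are constructed for the example, not real signatures.
"""
import re
from typing import Iterable, List, Optional

# field separator and index of the signature-name field, per text format:
#   .ndb  Name:TargetType:Offset:HexSignature
#   .hdb  MD5:FileSize:Name[:MinFLevel]
#   .ldb  Name;TargetDescription;LogicalExpression;Subsig0;...
FORMATS = {"ndb": (":", 0), "hdb": (":", 2), "ldb": (";", 0)}

# "Andr" as a whole dotted token: at the start or end of the name, or between dots.
ANDROID_TOKEN = re.compile(r"(?:^|\.)Andr(?:\.|$)")


def signature_name(line: str, ext: str) -> Optional[str]:
    """Return the signature name carried by one database line, or None."""
    if ext not in FORMATS:
        raise ValueError("unsupported database format: %s" % ext)
    sep, idx = FORMATS[ext]
    fields = line.split(sep)
    return fields[idx] if len(fields) > idx else None


def is_android_signature(name: str) -> bool:
    """True when the name contains the Andr platform token as its own component."""
    return bool(ANDROID_TOKEN.search(name))


def filter_android(lines: Iterable[str], ext: str) -> List[str]:
    """Keep only lines whose signature name carries the Android token.
    Blank lines and '#' comments are dropped so the output is a clean database."""
    kept = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue
        name = signature_name(line, ext)
        if name is not None and is_android_signature(name):
            kept.append(line)
    return kept


def filter_file(src: str, dst: str) -> int:
    """Filter a whole unpacked file; the format is taken from the extension.
    Returns the number of signatures kept."""
    ext = src.rsplit(".", 1)[-1]
    with open(src, encoding="utf-8", errors="replace") as fh:
        kept = filter_android(fh, ext)
    with open(dst, "w", encoding="utf-8") as out:
        out.write("\n".join(kept) + ("\n" if kept else ""))
    return len(kept)


# constructed sample lines (hashes and hex bodies are placeholders)
SAMPLE_NDB = [
    "Andr.Trojan.Constructed-1:0:*:deadbeef",
    "Win.Trojan.Constructed-2:1:*:cafebabe",
    "BC.Exploit.Andr.Constructed-3:0:*:00112233",
    "# a comment line",
]
SAMPLE_HDB = [
    "d41d8cd98f00b204e9800998ecf8427e:0:Andr.Constructed.Hash-1",
    "9e107d9d372bb6826bd81d3542a419d6:43:Win.Constructed.Hash-2",
]
SAMPLE_LDB = [
    "Andr.Constructed.Logical-1;Target:0;0&1;deadbeef;cafebabe",
    "Osx.Constructed.Logical-2;Target:0;0;00ff",
    "Win.Constructed.Andrew-3;Target:1;0;ffee",  # "Andrew" is not the Andr token
]


if __name__ == "__main__":
    for ext, sample in (("ndb", SAMPLE_NDB), ("hdb", SAMPLE_HDB), ("ldb", SAMPLE_LDB)):
        print(ext, "->", filter_android(sample, ext))
```

Write the filtered files into one directory and point clamscan at it with its `-d` (`--database`) option. Two caveats: filtering by name drops generic and cross-platform signatures that may still matter for APKs, and the detection in this thread came from a bytecode signature (BC.Exploit.Andr), which lives in the binary .cbc files and is therefore not reproduced by a text-only subset like this one.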
