Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. ClamAV>
  3. devel
Clam Scan on Android APK
sujit at innovaidesystems
Oct 16, 2015, 4:51 AM
Post #1 of 5 (2431 views)
Permalink
Hi Everybody,

I want to know how clam creates signature with infected android APK. Right
now we are totally in dark. Clam has determined an APK as infected with
malware but when we run clamscan on extracted content from that APK it is
not able to detect any malware. Can anybody brief me the steps about how
the signature is created or what is the proper way to scan an APK in
android.

Regards,
Sujit
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: Clam Scan on Android APK [ In reply to ]
smorgan at sourcefire
Oct 16, 2015, 8:43 AM
Post #2 of 5 (2398 views)
Permalink
Hi,

What is the virus name? I believe there are byte code signatures that
process APKs.

Steve

On Fri, Oct 16, 2015 at 7:51 AM, Sujit Nandan <sujit@innovaidesystems.com>
wrote:

> Hi Everybody,
>
> I want to know how clam creates signature with infected android APK. Right
> now we are totally in dark. Clam has determined an APK as infected with
> malware but when we run clamscan on extracted content from that APK it is
> not able to detect any malware. Can anybody brief me the steps about how
> the signature is created or what is the proper way to scan an APK in
> android.
>
> Regards,
> Sujit
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: Clam Scan on Android APK [ In reply to ]
smorgan at sourcefire
Oct 16, 2015, 9:11 AM
Post #3 of 5 (2396 views)
Permalink
One of the triggers for the BC.Exploit.Andr bytecode is the zip file magic
at offset 0. If you are using --leave-temps, the inner files are extracted,
but the zip file magic is lost.

On Fri, Oct 16, 2015 at 7:51 AM, Sujit Nandan <sujit@innovaidesystems.com>
wrote:

> Hi Everybody,
>
> I want to know how clam creates signature with infected android APK. Right
> now we are totally in dark. Clam has determined an APK as infected with
> malware but when we run clamscan on extracted content from that APK it is
> not able to detect any malware. Can anybody brief me the steps about how
> the signature is created or what is the proper way to scan an APK in
> android.
>
> Regards,
> Sujit
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: Clam Scan on Android APK [ In reply to ]
sujit at innovaidesystems
Oct 17, 2015, 4:18 AM
Post #4 of 5 (2399 views)
Permalink
Hi Steven,

We found the infected apk from
http://contagiodump.blogspot.in/2011/03/take-sample-leave-sample-mobile-malware.html
http://www.mediafire.com/download/a31f86dzejilwea/026_capture-site.com_ocjp.zip
is the zip file which contains an apk with the name btm.apk which is our
concerned apk.

Query in my mind right now is that whether we need to extract the content
of the apk before sending for scan with clam or does it
extract internally.

Thanks a lot for your quick response.

Regards,
Sujit

On Fri, Oct 16, 2015 at 9:41 PM, Steven Morgan <smorgan@sourcefire.com>
wrote:

> One of the triggers for the BC.Exploit.Andr bytecode is the zip file magic
> at offset 0. If you are using --leave-temps, the inner files are extracted,
> but the zip file magic is lost.
>
> On Fri, Oct 16, 2015 at 7:51 AM, Sujit Nandan <sujit@innovaidesystems.com>
> wrote:
>
> > Hi Everybody,
> >
> > I want to know how clam creates signature with infected android APK.
> Right
> > now we are totally in dark. Clam has determined an APK as infected with
> > malware but when we run clamscan on extracted content from that APK it is
> > not able to detect any malware. Can anybody brief me the steps about how
> > the signature is created or what is the proper way to scan an APK in
> > android.
> >
> > Regards,
> > Sujit
> > _______________________________________________
> > http://lurker.clamav.net/list/clamav-devel.html
> > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> >
> > http://www.clamav.net/contact.html#ml
> >
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: Clam Scan on Android APK [ In reply to ]
sujit at innovaidesystems
Oct 23, 2015, 12:09 AM
Post #5 of 5 (2377 views)
Permalink
Hi Steven,

I am following up with this mail just to bring under your attention the
problem related to apk file scan as mentioned in previous mail.

I also have another query regarding creating a avbases (Clam AV signature)
which has only malware relevant to Android OS.
This is because full avsignature base is huge if we consider memory
limation of handheld os like Android.

Eagerly waiting for your valuable response.

Regards,
Sujit



On Sat, Oct 17, 2015 at 4:48 PM, Sujit Nandan <sujit@innovaidesystems.com>
wrote:

> Hi Steven,
>
> We found the infected apk from
> http://contagiodump.blogspot.in/2011/03/take-sample-leave-sample-mobile-malware.html
>
> http://www.mediafire.com/download/a31f86dzejilwea/026_capture-site.com_ocjp.zip
> is the zip file which contains an apk with the name btm.apk which is our
> concerned apk.
>
> Query in my mind right now is that whether we need to extract the content
> of the apk before sending for scan with clam or does it
> extract internally.
>
> Thanks a lot for your quick response.
>
> Regards,
> Sujit
>
> On Fri, Oct 16, 2015 at 9:41 PM, Steven Morgan <smorgan@sourcefire.com>
> wrote:
>
>> One of the triggers for the BC.Exploit.Andr bytecode is the zip file magic
>> at offset 0. If you are using --leave-temps, the inner files are
>> extracted,
>> but the zip file magic is lost.
>>
>> On Fri, Oct 16, 2015 at 7:51 AM, Sujit Nandan <sujit@innovaidesystems.com
>> >
>> wrote:
>>
>> > Hi Everybody,
>> >
>> > I want to know how clam creates signature with infected android APK.
>> Right
>> > now we are totally in dark. Clam has determined an APK as infected with
>> > malware but when we run clamscan on extracted content from that APK it
>> is
>> > not able to detect any malware. Can anybody brief me the steps about how
>> > the signature is created or what is the proper way to scan an APK in
>> > android.
>> >
>> > Regards,
>> > Sujit
>> > _______________________________________________
>> > http://lurker.clamav.net/list/clamav-devel.html
>> > Please submit your patches to our Bugzilla: http://bugs.clamav.net
>> >
>> > http://www.clamav.net/contact.html#ml
>> >
>> _______________________________________________
>> http://lurker.clamav.net/list/clamav-devel.html
>> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>>
>> http://www.clamav.net/contact.html#ml
>>
>
>
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal