Home

Awesome

#Androguard module for Yara This module for Yara is part of the Koodous project https://koodous.com and it integrates static APK analysis with Yara. You can use it to find APKs by package name, permissions or API level, etc. You can find the documentation for this module in the Koodous documentation's site: http://docs.koodous.com/yara/androguard/

Preparing compilation

If you want to use this module, first you need to re-compile Yara with the androguard module. To do so, you need to modify some files. Follow the basic steps in the official docs: http://yara.readthedocs.org/en/latest/writingmodules.html#building-our-hello-world

MODULE(pe)
MODULE(elf)
MODULE(math)

#ifdef CUCKOO
MODULE(cuckoo)
MODULE(androguard)
#endif
MODULES =  modules/tests.c
MODULES += modules/pe.c

if CUCKOO
MODULES += modules/cuckoo.c
MODULES += modules/androguard.c
endif
./bootstrap.sh
./configure --enable-cuckoo
make
make install

Using Androguard module

Androguard module is ready to use with Koodous reports, hence we provide an script called download_androguard_report.py (inside this repository) to get this reports automatically.

TOKEN = 'HERE'
$ python download_androguard_report.py -s d8adb784d08a951ebacf2491442cf90d21c20192085e44d1cd22e2b6bdd4ef5f

Androguard report saved in d8adb784d08a951ebacf2491442cf90d21c20192085e44d1cd22e2b6bdd4ef5f-report.json
$ yara -x androguard=d8adb784d08a951ebacf2491442cf90d21c20192085e44d1cd22e2b6bdd4ef5f-report.json rule.yar sample.apk

clicker sample.apk