[Clamav-devel] Clam Scan on Android APK

Sujit Nandan sujit at innovaidesystems.com
Sat Oct 17 07:18:27 EDT 2015


Hi Steven,

We found the infected apk from
http://contagiodump.blogspot.in/2011/03/take-sample-leave-sample-mobile-malware.html
http://www.mediafire.com/download/a31f86dzejilwea/026_capture-site.com_ocjp.zip
is the zip file which contains an apk with the name btm.apk which is our
concerned apk.

Query in my mind right now is that whether we need to extract the content
of the apk before sending for scan with clam or does it
extract internally.

Thanks a lot for your quick response.

Regards,
Sujit

On Fri, Oct 16, 2015 at 9:41 PM, Steven Morgan <smorgan at sourcefire.com>
wrote:

> One of the triggers for the BC.Exploit.Andr bytecode is the zip file magic
> at offset 0. If you are using --leave-temps, the inner files are extracted,
> but the zip file magic is lost.
>
> On Fri, Oct 16, 2015 at 7:51 AM, Sujit Nandan <sujit at innovaidesystems.com>
> wrote:
>
> > Hi Everybody,
> >
> > I want to know how clam creates signature with infected android APK.
> Right
> > now we are totally in dark. Clam has determined an APK as infected with
> > malware but when we run clamscan on extracted content from that APK it is
> > not able to detect any malware. Can anybody brief me the steps about how
> > the signature is created or what is the proper way to scan an APK in
> > android.
> >
> > Regards,
> > Sujit
> > _______________________________________________
> > http://lurker.clamav.net/list/clamav-devel.html
> > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> >
> > http://www.clamav.net/contact.html#ml
> >
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>


More information about the clamav-devel mailing list