We should check what domains are present in Tinycheck and missing in our ioc file, and augment the later with the former.

curl https://raw.githubusercontent.com/KasperskyLab/TinyCheck/main/assets/iocs.json |  jq '.iocs[] | select (.tag =="stalkerware" ) | select (.type=="domain" )

Find recent mspy C2 et indicators

Add reference link to each Suricata rule

Change the license

Switch to CC-BY-SA, and add some text explaining that if the license is problematic, please do reach out, we're happy to figure something out.

Share our IoC with ThreatFox

The API looks simple enough: https://threatfox.abuse.ch/api/

Remove watchware from the STIX2 file

TODO

appspy

Hi @Te-k
Please look carefully at line 148 "www.appspy.com" in file "network.csv".
Looks like a mistake was occurred because domain appspy.com belongs to a Online News/Magazine of Steel Media Ltd.

Hello guys, I'm victim of espionage and I'm trying to find some clue. Because I know I'm spied but I haven't found anything on my devices (pc and phones). In my opinion it's something of very sophisticated and could be something life a file-less tool. For file-less I mean something that is not installed on the disk but it's resident only in ram. The the pc can be infected everytime I connect the browser to the net.
Anyway, my problem is that, as I can see all the IOC are in the domain format and not ip. I installed a raspberry with suricata and default free rules but it's not connected to the internet. It's just connected to the mirroring port of the switch, the ethernet port is just sniffing the traffic but can't resolve any domain. Then I'lll try to resolve the hosts file in the ip format but I'll do that from the infected machine after that I'll copy the files in the suricata rpi.. so if you're interested I'll send you the converted files... but to be honest maybe would be better if this work will do by someone else.. or I'll try to write a script to convert all the files and I'll send u the script..

Sort files + Clarify how to contribute

Sort files in a generated folder + clarify how to contribute

Regarding `tr.appmia.com`

We at My Privacy DNS have imported this domain from your source some time ago, and today I was walking through the lists unmanned #Spyware domains and this come up https://0xacab.org/my-privacy-dns/matrix/-/issues/89838 But when I'm visiting the domain it look like it is taken over by parkingcrew.net: https://0xacab.org/my-privacy-dns/matrix/-/issues/20936

The question is, why did out bot through it back at me, saying it not a Pirated domain?? do you happen to know something I don't?

Remove empty keys

No need to have empty keys everywhere.

Reach out to potential users

We might want, once #70 if closed, to suggest the use of the IOC to the following entities:

DNS

IDS/XTR/…

Alienvault OTX
Anomali Match
- contacted by @jvoisin the 2023-03-02
Snort
Proofpoint Emerging Threats OPEN (Used by default by Suricata)
- Contacted via Twitter by @jvoisin
- Pinged again the 2023-03-02
Rapid7
contacted by @jvoisin the 2023-03-02
Sekoia
- contacted by @jvoisin the 2023-03-02
Zscaler
- contacted by @jvoisin the 2023-03-02
RST
- contacted by @jvoisin the 2023-03-02
Inquest
- contacted by @jvoisin the 2023-03-02

MISP-based things:

Forensic tools

Threat Intel

stratosphereips
- Contacted via their form by @jvoisin the 2023-03-02
https://surveillancemonitor.org/

(Mobile) anti-viruses

Many anti-viruses are flagging stalkerware

Malwarebyte @jboursier-mwb
ClamAV: Used by a lot of open-source anti-spam email machineries
- The form is here
https://github.com/divested-mobile/hypatia
- Divested-Mobile/Hypatia@76d06b5

Others

Add Patrick Hinchy stalkerware

We should check if we're detecting them:

Namely:

Adds an how to contribute file

Check how github communities do that these days, maybe add a CoC also?

Report crapware to github

Report them here to github, since it's against their ToS.

https://github.com/bmshifat/TecSpy

Add iOS application names for potential stalkerware/tracking apps

I'm using these indicators with MVT and they are very helpful! These indicators work well for detecting potential surveillance/stalkerware software links in chat and browser history but I've realized that they don't detect that these flagged apps are actually installed.

My process now is to check manually for risky apps if we see an alert for one of these domains. It would be great to collect and add the application names for relevant iOS apps to this IOC list. Here are two examples from Life360 an FindMyKids.

com.wheremychildren.ios
com.life360.safetymap

Thanks for your working putting this IOC list together!

Check the coverage of various reports

Check the IOC of:

Have a separate file for watchwares

As suggested by the Kaspersky people, it would be nice to have a separate file for watchware.

how can ioc.yaml be used

Please could you provide instructions on how to use ioc.yaml?
In a blog post check_apk.py file is mentioned, but seems no longer belongs to the repository. :-(

Transfer repository

Actions :

Add XDSpy

https://xdspy.app/

Add the apps from ISDI

See this sheet.

It was made in 2018, so some apps are dead, this will require some triage.

Improve the linter

Find sample for SentryPC Android version

Cf. https://blog.sentrypc.com/2022/07/sentrypc-for-android-10-has-been-released

Different names for the same malware?

https://github.com/Te-k/stalkerware-indicators/blob/eb832dcec7677adf739e73845dae285c3c8fd1cd/appid.yaml#L22
and
https://github.com/Te-k/stalkerware-indicators/blob/eb832dcec7677adf739e73845dae285c3c8fd1cd/appid.yaml#L54

The name without a space it used everywhere except for the 1st link above.

Reorganize the `certificates` key

Have something like this instead:

certificates:
  fingerprint: []
  cname: []
  org: []
  cname_re: []
  org-re: []

[Contribution] Package name for Snoopza

Hi,
I discovered a new package name for Snoopza app : com.android.core.mngp .
Apparently, they use the same pattern to name their application : com.android.core.mng*.

VT analysis : https://www.virustotal.com/gui/file/8ceccb0637ecb2ebe90a96ea63e99603be67e4e4e20b2195c69feef633136558/detection

Have a good day,
Léandre

Add OgyMogy

https://ogymogy.com/
https://ogymoggy.firebaseio.com/

Adding new IOCs

Hiya @Te-k and thank you for this amazing repo that you guys have put together and are constantly maintaining. I have a few malicious Android stalkerware APKs how do I add it to the IOCs in any of the formats that are there in the generated folder.

Webpage on Echap website

Adds github pages for this repo

Publish github pages

It would be nice to make use of github actions to generate webpages out of our ./vendors folder, and enrich them with:

Hosting provider
Google Analytics Tags

Add AhMyth

https://github.com/AhMyth/AhMyth-Android-RAT

A bunch of new indicators

Hi @Te-k and thank you for your awesome work.
By taking your indicators (list of hosts, IPs) as input, I scripted a search on ApkLab and have extracted both packages and certificates of apps communicating with specified hosts.

Here is the JSON dump.

Decide what we want to do with regard to websites vs. C2

Currently, we're tracking different things network-wise:

C2
Websites
C2 that are also Websites
IP Addresses, that are C2, websites, and sometimes both

Are we ok with this state of affairs? Either way, we should document what we're tracking network-wise, to avoid surprising netops/partners/users/…

Tasks :

Update the README to clarify what we consider stalkerware
Update the README to clarify what we include in network indicators and different files
Migrate network.csv to network.yml
Include information on C2/website in network.yml
Update generation scripts, include a network.csv file for readability

Check that we're not missing anything from https://github.com/craiu/mobiletrackers

comparing two snapshots as stalkeware indicators

Let's assume that you own a phone that is under surveillance.
If you do a factory reset, after a few days the mobile is compromised again.
All stalkeware tools fail.
You are nearly sure your organization is using a surveillance provider with zero-day exploits, probably SMS ones.
You can root the device to ls all files with date and size.

Would be useful to compare two ls snapshots, first once device is reseted, and second after a couple of weeks?
What advice will you provide to do that?

Check stalkerware apps

https://www.santeplusmag.com/il-est-desormais-possible-despionner-vos-contacts-sur-whatsapp-pour-savoir-avec-qui-et-de-quoi-ils-parlent-ma-vie-au-quotidien-000015917/

https://www.santeplusmag.com/comment-espionner-un-telephone-legalement-ma-vie-au-quotidien-000015842/

A couple of missing ones

I currently don't have samples for all of them unfortunately.

antifurtodroid.com
- #31
callsmstracker.com
- #32
aispyer.com
- #33
androidlost.com
asgardtech.ru
a-spy.com
- samples
blurspy.com
- #36
coupletracker.com
- latest sample
- #37
easyphonetrack.com
- latest version
- #30
evaspy.com
- 8CA3D60AD8FD3584370ACFADDFC29979F25D57D3 isn't on VT
eyezy.com
- download url
- latest sample
- #27
freespy / spyzee.com
- Rebrand of TruthSpy?
fonemonitor.co
- #38
myfonemate.com
- Sample
- Rebrand of mSpy
- #39
mobilespy.at
- Rebrand of Asgardtech malwares?
ownspy.com
- #40
sap4mobile.com
- #41
spappmonitoring.com
spycell.net
spyphone.com / spyfone.com
spytoapp.com
- #35
spytrac.com and its keylogger
teensafe.net
tispy.net
thewispy.com
theispyoo.com / myfonemate.com / freefonespy.com
spyera.com
- #24 #25 #26

Generate dns blocklist

Linter

Add scripts to:

check formatting
check that the YAML keys are coherent (website instead of domain, missing tag`, …)
warn on duplicates
check that stalkerware names in the IOC are present in the README as well