assoechap / stalkerware-indicators
Indicators of stalkerware apps
Add some documentation pointing to https://stopstalkerware.org/information-for-survivors/
We should check what domains are present in TinyCheck and missing in our IOC file, and augment the latter with the former.
curl https://raw.githubusercontent.com/KasperskyLab/TinyCheck/main/assets/iocs.json | jq '.iocs[] | select(.tag == "stalkerware") | select(.type == "domain")'
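A worked version of the comparison, added here as an example and not code from the repository: it takes the TinyCheck export in the shape the jq filter above selects on (`iocs[]` with `type`, `tag` and a `value` field, the last of which is an assumption), a hosts-style local list (the layout of the repo's generated files is also assumed), normalizes both sides, and reports what the local list lacks. Both inputs are constructed samples.

```python
import json

# Constructed sample in the shape the jq filter expects from TinyCheck's
# iocs.json: a top-level "iocs" list whose entries carry "type", "tag" and
# "value". The key name "value" is an assumption, not verified upstream.
TINYCHECK_JSON = json.dumps({
    "iocs": [
        {"type": "domain", "tag": "stalkerware", "value": "spyapp-example.com"},
        {"type": "domain", "tag": "stalkerware", "value": "WWW.Tracker-Example.net."},
        {"type": "domain", "tag": "stalkerware", "value": "already-listed.example"},
        {"type": "ip4", "tag": "stalkerware", "value": "192.0.2.10"},
        {"type": "domain", "tag": "tracker", "value": "analytics.example"},
    ]
})

# Constructed stand-in for the local domain list: one domain per line, with
# hosts-file style "0.0.0.0 domain" lines and comments tolerated. The exact
# layout of the repo's generated files is an assumption.
LOCAL_LIST = """\
# stalkerware domains (constructed sample)
already-listed.example
0.0.0.0 tracker-example.net
"""


def normalize(domain: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot, no leading www.

    Stripping "www." keeps www.foo.com and foo.com from counting as two
    indicators; whether a list should carry both spellings is a curation
    decision, so callers report the raw spelling, not the normalized one.
    """
    d = domain.strip().lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    return d


def tinycheck_domains(raw_json: str, tag: str = "stalkerware") -> dict:
    """Return {normalized: raw} for TinyCheck IOCs with the given tag and type 'domain'."""
    data = json.loads(raw_json)
    out = {}
    for ioc in data.get("iocs", []):
        if ioc.get("type") == "domain" and ioc.get("tag") == tag:
            raw = ioc["value"]
            out[normalize(raw)] = raw
    return out


def local_domains(text: str) -> set:
    """Parse a hosts-style list: skip blank and comment lines, keep the last field."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        out.add(normalize(line.split()[-1]))
    return out


def missing_from_local(raw_json: str, local_text: str) -> list:
    """Domains TinyCheck tags as stalkerware that the local list does not have."""
    remote = tinycheck_domains(raw_json)
    local = local_domains(local_text)
    return sorted(raw for norm, raw in remote.items() if norm not in local)


if __name__ == "__main__":
    for d in missing_from_local(TINYCHECK_JSON, LOCAL_LIST):
        print(d)
```

Run it against the real files by replacing the two constants with the downloaded `iocs.json` and the repo's own list; anything it prints still needs a human look before being merged, since the upstream tag alone does not say why a domain was added.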
Switch to CC-BY-SA, and add some text explaining that if the license is problematic, please do reach out, we're happy to figure something out.
The API looks simple enough: https://threatfox.abuse.ch/api/
TODO
Hi @Te-k
Please look carefully at line 148, "www.appspy.com", in the file "network.csv".
It looks like a mistake occurred, because the domain appspy.com belongs to an online news/magazine site of Steel Media Ltd.
Hello guys, I'm a victim of espionage and I'm trying to find some clue, because I know I'm being spied on but I haven't found anything on my devices (PC and phones). In my opinion it's something very sophisticated and could be something like a file-less tool. By file-less I mean something that is not installed on the disk but is resident only in RAM. Then the PC can be infected every time I connect the browser to the net.
Anyway, my problem is that, as I can see, all the IOCs are in domain format and not IP. I installed a Raspberry Pi with Suricata and the default free rules, but it's not connected to the internet. It's just connected to the mirroring port of the switch; the ethernet port is just sniffing the traffic but can't resolve any domain. So I'll try to resolve the hosts file into IP format, but I'll do that from the infected machine, and after that I'll copy the files to the Suricata RPi. So if you're interested I'll send you the converted files, but to be honest maybe it would be better if this work were done by someone else, or I'll try to write a script to convert all the files and I'll send you the script.
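An added example, not from this thread or the repository, of turning the domain list into Suricata rules without resolving anything: the `dns.query` and `tls.sni` sticky buffers (Suricata 5 or newer is assumed) match the hostname as it appears on the wire, so a sensor that only sees a mirror port and has no DNS of its own can still alert on queries for, or TLS connections to, a listed domain. The domain list, SID range and message prefix are constructed.

```python
import re

# Constructed sample domain list (not the repository's own file): one domain
# per line, with hosts-file style entries and comments tolerated.
DOMAINS_TXT = """\
# constructed sample
spyapp-example.com
0.0.0.0 tracker-example.net
"""

# Accepts only plain hostnames so nothing odd ends up inside a rule string.
_HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def parse_domains(text):
    """Domains from a hosts-style list, lower-cased, deduplicated, order kept."""
    seen = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        d = line.split()[-1].lower().rstrip(".")
        if _HOSTNAME.match(d) and d not in seen:
            seen.append(d)
    return seen


def suricata_rules(domains, sid_start=9000000, rev=1, msg_prefix="STALKERWARE"):
    """Emit two rules per domain: one on DNS query names, one on the TLS SNI.

    'endswith' anchors the indicator to the end of the buffer, so a query for
    cdn.spyapp-example.com matches as well as the bare domain. It also matches
    notspyapp-example.com; tighten with a pcre on the buffer if that matters
    for a particular indicator. SIDs are allocated sequentially from sid_start,
    which the caller should pick from a private range.
    """
    rules = []
    sid = sid_start
    for d in domains:
        for proto, buf in (("dns", "dns.query"), ("tls", "tls.sni")):
            rules.append(
                f'alert {proto} any any -> any any '
                f'(msg:"{msg_prefix} {d} ({buf})"; '
                f'{buf}; content:"{d}"; nocase; endswith; '
                f'sid:{sid}; rev:{rev};)'
            )
            sid += 1
    return rules


def rules_file(text, **kw):
    """Whole .rules file content for a hosts-style domain list."""
    return "\n".join(suricata_rules(parse_domains(text), **kw)) + "\n"


if __name__ == "__main__":
    print(rules_file(DOMAINS_TXT), end="")
```

Drop the output into a `.rules` file referenced from `suricata.yaml` and reload; plain-HTTP traffic to the same hosts can be covered the same way with the `http.host` buffer, which is left out above to keep the rule count down.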
Sort files in a generated folder + clarify how to contribute
We at My Privacy DNS imported this domain from your source some time ago, and today I was walking through the lists of unmanned #Spyware domains and this came up: https://0xacab.org/my-privacy-dns/matrix/-/issues/89838 But when I visit the domain it looks like it has been taken over by parkingcrew.net
https://0xacab.org/my-privacy-dns/matrix/-/issues/20936
The question is, why did our bot throw it back at me, saying it's not a pirated domain?? Do you happen to know something I don't?
No need to have empty keys everywhere.
We might want, once #70 is closed, to suggest the use of the IOCs to the following entities:
Many anti-viruses are flagging stalkerware
We should check if we're detecting them:
Namely:
Check how github communities do that these days, maybe add a CoC also?
Report them here to github, since it's against their ToS.
I'm using these indicators with MVT and they are very helpful! These indicators work well for detecting potential surveillance/stalkerware software links in chat and browser history, but I've realized that they don't detect that these flagged apps are actually installed.
My process now is to check manually for risky apps if we see an alert for one of these domains. It would be great to collect and add the application names for relevant iOS apps to this IOC list. Here are two examples, from Life360 and FindMyKids.
com.wheremychildren.ios
com.life360.safetymap
Thanks for your work putting this IOC list together!
Check the IOC of:
As suggested by the Kaspersky people, it would be nice to have a separate file for watchware.
Please could you provide instructions on how to use ioc.yaml?
In a blog post check_apk.py file is mentioned, but seems no longer belongs to the repository. :-(
Actions :
See this sheet.
It was made in 2018, so some apps are dead, this will require some triage.
https://github.com/Te-k/stalkerware-indicators/blob/eb832dcec7677adf739e73845dae285c3c8fd1cd/appid.yaml#L22
and
https://github.com/Te-k/stalkerware-indicators/blob/eb832dcec7677adf739e73845dae285c3c8fd1cd/appid.yaml#L54
The name without a space is used everywhere except in the first link above.
Have something like this instead:
certificates:
  fingerprint: []
  cname: []
  org: []
  cname_re: []
  org-re: []
Hi,
I discovered a new package name for the Snoopza app: com.android.core.mngp.
Apparently, they use the same pattern to name their application: com.android.core.mng*.
VT analysis : https://www.virustotal.com/gui/file/8ceccb0637ecb2ebe90a96ea63e99603be67e4e4e20b2195c69feef633136558/detection
Have a good day,
Léandre
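An added example covering three of the requests above at once (the iOS bundle IDs for installed-app detection, the question of how to use ioc.yaml, and the Snoopza package pattern): it builds an index from entries laid out the way I read ioc.yaml (one record per vendor with `name`, `type`, `packages` and `websites`), adds a hypothetical `package_patterns` key for regex-style package names, and checks a device's installed package/bundle IDs and observed hostnames against it. This is not code from the repository or from MVT; the schema, the `package_patterns` key and every identifier except com.android.core.mngp are assumptions or constructed samples. In practice `yaml.safe_load(open("ioc.yaml"))` would supply `IOCS`.

```python
import re

# Constructed entries mirroring the assumed ioc.yaml layout. Only
# com.android.core.mngp comes from the report above; the rest is made up.
IOCS = [
    {
        "name": "Snoopza",
        "type": "stalkerware",
        "packages": ["com.android.core.mngp"],
        # hypothetical key: regexes for vendors that rotate package names
        "package_patterns": [r"^com\.android\.core\.mng[a-z0-9]*$"],
        "websites": ["snoopza-example.test"],
    },
    {
        "name": "Example Watchware",
        "type": "watchware",
        "packages": ["com.example.watchware", "com.example.watchware.ios"],
        "websites": ["watchware-example.test"],
    },
]


def build_index(iocs):
    """Flatten vendor records into lookup tables keyed by indicator."""
    exact = {}      # package or bundle id -> vendor name
    patterns = []   # (compiled regex, vendor name)
    domains = {}    # normalized domain -> vendor name
    for entry in iocs:
        name = entry["name"]
        for pkg in entry.get("packages", []):
            exact[pkg] = name
        for pat in entry.get("package_patterns", []):
            patterns.append((re.compile(pat, re.IGNORECASE), name))
        for site in entry.get("websites", []):
            domains[site.lower().rstrip(".")] = name
    return exact, patterns, domains


def match_packages(installed, index):
    """(package, vendor, how) for each installed id that hits the index."""
    exact, patterns, _ = index
    hits = []
    for pkg in installed:
        if pkg in exact:
            hits.append((pkg, exact[pkg], "exact"))
            continue
        for rx, name in patterns:
            if rx.match(pkg):
                hits.append((pkg, name, "pattern"))
                break
    return hits


def match_domains(observed, index):
    """(hostname, vendor) for hostnames that equal or sit under a listed domain.

    Walks the label suffixes of each hostname (cdn.a.b -> cdn.a.b, a.b) so
    subdomains of an indicator are caught; the bare TLD is never tried.
    """
    _, _, domains = index
    hits = []
    for host in observed:
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                hits.append((host, domains[candidate]))
                break
    return hits


# Constructed device inventory: installed ids and hostnames seen in history.
INSTALLED = ["com.android.chrome", "com.android.core.mngx", "com.example.watchware"]
OBSERVED = ["cdn.snoopza-example.test", "example.org"]

if __name__ == "__main__":
    idx = build_index(IOCS)
    for hit in match_packages(INSTALLED, idx) + match_domains(OBSERVED, idx):
        print(hit)
```

Keeping exact package IDs and regex patterns in separate fields matters for consumers that cannot evaluate regexes (hosts files, simple blocklists); the pattern field is an assumption here, not something the current ioc.yaml carries.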
Hiya @Te-k, and thank you for this amazing repo that you guys have put together and are constantly maintaining. I have a few malicious Android stalkerware APKs; how do I add them to the IOCs in any of the formats that are in the generated folder?
Adds github pages for this repo
It would be nice to make use of github actions to generate webpages out of our ./vendors folder, and enrich them with:
Currently, we're tracking different things network-wise:
Are we ok with this state of affairs? Either way, we should document what we're tracking network-wise, to avoid surprising netops/partners/users/…
Tasks :
Let's assume that you own a phone that is under surveillance.
If you do a factory reset, after a few days the mobile is compromised again.
All stalkerware tools fail.
You are nearly sure your organization is using a surveillance provider with zero-day exploits, probably SMS ones.
You can root the device to ls all files with date and size.
Would it be useful to compare two ls snapshots, the first once the device is reset, and the second after a couple of weeks?
What advice would you provide to do that?
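An added example of the snapshot comparison asked about above, not from the thread or the repository: it parses two listings in the format `find / -xdev -printf '%p\t%s\t%T@\n'` would produce (path, size, mtime), and reports paths that appeared, disappeared, or changed size or mtime between them, skipping pseudo-filesystems. Both listings are constructed, and the path names in them are made up. The caveat that goes with it: a listing diff only sees what the kernel shows to `find` on a device whose root you already distrust, so a component that lives only in memory, or one that hides itself from directory reads, will not appear; file hashes, not sizes, are needed to catch in-place edits that keep the size and timestamp.

```python
# Constructed listings in the format of: find / -xdev -printf '%p\t%s\t%T@\n'
# (path, size in bytes, mtime as epoch seconds). Both are made up.
BEFORE = """\
/system/app/Browser/Browser.apk\t2048000\t1600000000.0
/data/app/com.example.mail-1/base.apk\t4096000\t1600000100.0
/data/data/com.example.mail/shared_prefs/p.xml\t512\t1600000200.0
/proc/1/status\t0\t1600000300.0
"""
AFTER = """\
/system/app/Browser/Browser.apk\t2048000\t1600000000.0
/data/app/com.example.mail-1/base.apk\t4096000\t1600000100.0
/data/data/com.example.mail/shared_prefs/p.xml\t640\t1601000000.0
/data/app/com.example.unknown-1/base.apk\t3100000\t1601000500.0
/proc/1/status\t0\t1601000600.0
"""

# Pseudo-filesystems churn constantly and carry nothing persistent.
IGNORE_PREFIXES = ("/proc/", "/sys/", "/dev/")


def parse_listing(text):
    """Map path -> (size, mtime) from a tab-separated find listing."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, size, mtime = line.split("\t")
        entries[path] = (int(size), float(mtime))
    return entries


def diff_snapshots(before, after, ignore_prefixes=IGNORE_PREFIXES):
    """Return (added, removed, changed) path lists, each sorted."""
    added, removed, changed = [], [], []
    for path in sorted(set(before) | set(after)):
        if path.startswith(ignore_prefixes):
            continue
        if path not in before:
            added.append(path)
        elif path not in after:
            removed.append(path)
        elif before[path] != after[path]:
            changed.append(path)
    return added, removed, changed


def diff_listings(before_text, after_text):
    """Convenience wrapper taking the raw listing text of both snapshots."""
    return diff_snapshots(parse_listing(before_text), parse_listing(after_text))


if __name__ == "__main__":
    added, removed, changed = diff_listings(BEFORE, AFTER)
    for label, paths in (("added", added), ("removed", removed), ("changed", changed)):
        for p in paths:
            print(f"{label}\t{p}")
```

Take the first listing immediately after the reset and before any SIM or account is added, store both listings off the device, and treat anything under `/data/app` that you did not install yourself as the first thing to pull for analysis.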
I currently don't have samples for all of them unfortunately.
8CA3D60AD8FD3584370ACFADDFC29979F25D57D3
isn't on VT
Add scripts to:
website
instead of domain, missing
tag`, …)
Having an action that pushes updated generated files creates problems with forks and PRs; how can we improve that?
Maybe a git pre-commit hook + a daily option?
We already have it in our IoC list, but we should take advantage of the recently published research on it to see if we can improve some of our tracking/tooling.
Apps:
For shady-but-not-stalkerware things like https://play.google.com/store/apps/details?id=com.mspy.lite
hosts_full.txt and a hosts.txt file.