Add support for check APK certificate hash IOCs (#557)

* Fix bug loading indicators which I introduced in 81b647b * Add support for matching on APK certificate hash IOCs
2026-02-12 16:42:45 +00:00 · 2024-10-18 16:35:50 +02:00
parent 665806db98
commit 3afe218c7c
5 changed files with 74 additions and 4 deletions
--- a/tests/android_androidqf/test_packages.py
+++ b/tests/android_androidqf/test_packages.py
@@ -86,3 +86,19 @@ class TestAndroidqfPackages:
            module.detected[0]["matched_indicator"]["value"]
            == "31037a27af59d4914906c01ad14a318eee2f3e31d48da8954dca62a99174e3fa"
        )
+
+    def test_packages_certificate_hash_ioc(self, module, indicators_factory):
+        module.indicators = indicators_factory(
+            app_cert_hashes=[
+                "c7e56178748be1441370416d4c10e34817ea0c961eb636c8e9d98e0fd79bf730"
+            ]
+        )
+
+        run_module(module)
+
+        assert len(module.detected) == 1
+        assert module.detected[0]["name"] == "com.malware.muahaha"
+        assert (
+            module.detected[0]["matched_indicator"]["value"]
+            == "c7e56178748be1441370416d4c10e34817ea0c961eb636c8e9d98e0fd79bf730"
+        )
--- a/tests/artifacts/androidqf/packages.json
+++ b/tests/artifacts/androidqf/packages.json
@@ -212,7 +212,7 @@
                "certificate": {
                    "Md5": "54d5b5aca1e7e76bb1a26c61a9381b93",
                    "Sha1": "4ba9d1f82adb7be841bcf53b03ddae857747199a",
-                    "Sha256": "31037a27af59d4914906c01ad14a318eee2f3e31d48da8954dca62a99174e3fa",
+                    "Sha256": "c7e56178748be1441370416d4c10e34817ea0c961eb636c8e9d98e0fd79bf730",
                    "ValidFrom": "2021-01-15T22:03:53Z",
                    "ValidTo": "2051-01-15T22:03:53Z",
                    "Issuer": "C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Android",
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -37,6 +37,7 @@ def indicators_factory(indicator_file):
        file_names=[],
        processes=[],
        app_ids=[],
+        app_cert_hashes=[],
        android_property_names=[],
        files_sha256=[],
    ):
@@ -50,6 +51,7 @@ def indicators_factory(indicator_file):
        ind.ioc_collections[0]["app_ids"].extend(app_ids)
        ind.ioc_collections[0]["android_property_names"].extend(android_property_names)
        ind.ioc_collections[0]["files_sha256"].extend(files_sha256)
+        ind.ioc_collections[0]["app_cert_hashes"].extend(app_cert_hashes)

        return ind