Adversaries may repackage malicious APK samples with the backdoor-apk shell script to evade detection and distribute payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential supply-chain attacks and early-stage malware distribution.
YARA Rule

import "androguard"   // needed when the rule runs outside Koodous; the module exposes manifest data such as receivers

rule koodous : official
{
    meta:
        description = "Detects samples repackaged by backdoor-apk shell script"
        Reference = "https://github.com/dana-at-cp/backdoor-apk"
    strings:
        $str_1 = "cnlybnq.qrk" // ROT13-encoded "payload.dex"
    condition:
        $str_1 and
        androguard.receiver(/\.AppBoot$/)
}
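To make the rule's logic concrete, the following Python is an added example (not code from the page or from the backdoor-apk project): it decodes the obfuscated indicator, emulates the rule's condition over a constructed APK-like zip, and shows why a plain string scan of the container can miss the indicator when classes.dex is deflated. The receiver list is assumed to be supplied by an external manifest parser (for example androguard's get_receivers()); manifest parsing is not implemented here, and the sample zips are constructed and are not installable APKs.

```python
import codecs
import io
import re
import zipfile

# Indicators taken from the YARA rule on this page.
ENCODED_NAME = b"cnlybnq.qrk"            # $str_1
RECEIVER_RE = re.compile(r"\.AppBoot$")  # androguard.receiver(/\.AppBoot$/)


def decode_indicator() -> str:
    """Reveal what $str_1 hides: it is ROT13 of 'payload.dex'."""
    return codecs.decode(ENCODED_NAME.decode("ascii"), "rot_13")


def raw_scan(apk_bytes: bytes) -> bool:
    """What a plain file-level string scan sees: the zip container as stored on disk.
    Deflated members do not expose their contents at this level."""
    return ENCODED_NAME in apk_bytes


def member_hits(apk_bytes: bytes) -> list[str]:
    """Inflate every zip member and report which ones contain $str_1."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if ENCODED_NAME in zf.read(info.filename):
                hits.append(info.filename)
    return hits


def matches_rule(apk_bytes: bytes, receivers: list[str]) -> bool:
    """Emulate the rule's condition: $str_1 present AND a receiver named *.AppBoot.
    `receivers` is assumed to be the receiver class names from the manifest, as a
    manifest parser such as androguard would return them (not implemented here)."""
    has_string = bool(member_hits(apk_bytes))
    has_receiver = any(RECEIVER_RE.search(name) for name in receivers)
    return has_string and has_receiver


def build_sample_apk(dex_body: bytes) -> bytes:
    """Constructed, in-memory zip with an APK-like layout (not an installable APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<!-- binary AXML in a real APK -->")
        zf.writestr("classes.dex", dex_body)
    return buf.getvalue()


# Constructed samples: a dex-like blob with and without the encoded payload name.
DEX_HEADER = b"dex\n035\x00" + b"\x00" * 64
REPACKAGED_APK = build_sample_apk(DEX_HEADER + ENCODED_NAME + b"\x00" * 64)
CLEAN_APK = build_sample_apk(DEX_HEADER + b"\x00" * 64)

# Constructed receiver lists standing in for parsed manifest data.
REPACKAGED_RECEIVERS = ["com.example.app.MainReceiver", "com.example.app.AppBoot"]
CLEAN_RECEIVERS = ["com.example.app.BootCompletedReceiver"]

if __name__ == "__main__":
    print("decoded $str_1:", decode_indicator())
    print("raw container scan sees string:", raw_scan(REPACKAGED_APK))
    print("members containing string:", member_hits(REPACKAGED_APK))
    print("repackaged sample matches:", matches_rule(REPACKAGED_APK, REPACKAGED_RECEIVERS))
    print("clean sample matches:", matches_rule(CLEAN_APK, CLEAN_RECEIVERS))
```

The point of raw_scan versus member_hits is a tuning caveat: whether a string like $str_1 matches an APK depends on whether the scanner inspects the container bytes or the inflated members, so a rule that fires in a sandbox that unpacks APKs may stay silent when the same file is scanned as-is on disk. Both halves of the condition must hold, which is why a sample carrying the string but no *.AppBoot receiver does not match.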
This rule contains one string pattern in its detection logic, combined with a manifest check for a broadcast receiver whose class name ends in .AppBoot; both must match for the rule to fire.

The following legitimate scenarios can produce APK repackaging activity that resembles this behavior. Consider the listed filters or exclusions when tuning the hunt:

Scenario: System update or patching process using adb to push and install a legitimate APK
Filter/Exclusion: Check for adb push or adb install commands in the same log entry, or filter by adb usage during known maintenance windows.

Scenario: Automated build and deployment using gradle or maven to package an application
Filter/Exclusion: Include gradle build or maven package in the exclusion list, or filter by build server IP addresses or known CI/CD tools.

Scenario: Scheduled job for APK signing or repackaging using apksigner or jarsigner
Filter/Exclusion: Exclude processes involving apksigner or jarsigner, or filter by user accounts with signing privileges (e.g., build-user or signing-service).

Scenario: Admin task to repackage an internal app for distribution using a custom shell script
Filter/Exclusion: Exclude scripts named repackage.sh or build_apk.sh, or filter by user accounts with administrative privileges (e.g., admin-user or sysadmin).

Scenario: Security tool or EDR agent performing integrity checks and repackaging APKs for analysis
Filter/Exclusion: Exclude processes associated with known security tools (e.g., CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint), or filter by tool-specific process names.