feat(forensic): add get_certificate() to extract APK signing certificate#935
Open
pulorsok wants to merge 6 commits into
Conversation
Added new Quark rules for Antidot malware detection, detailing behaviors and identified threats. Included summary report and tested APKs.
Updated images and descriptions in the malware report to reflect new findings and behaviors detected by Quark.
Added new Quark rule for detecting Arsink malware, detailing its behaviors and testing results.
The Forensic module exposes APK metadata (strings, URLs, IPs, content/file URIs, base64, Android APIs) but had no way to surface the signing certificate. Certificate subject/issuer and fingerprints are useful IOCs for provenance and family clustering (e.g. AOSP test-key self-signing). Add Forensic.get_certificate(), which reuses the certificate parsing already available from the Androguard backend and returns a list of dicts (subject, issuer, serial number, sha1/sha256 fingerprint, validity period, signature algorithm). Returns an empty list for unsigned input, bare DEX, or the rizin backend. Add a matching test in tests/forensic/test_forensic.py asserting the signing certificate of the existing sample.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Codecov Report: ❌ Patch coverage is

Coverage Diff (master vs. #935):

             master    #935     +/-
  Coverage   81.32%   78.89%   -2.44%
  Files          80       81      +1
  Lines        6952     7131    +179
  Hits         5654     5626     -28
  Misses       1298     1505    +207
View full report in Codecov.
What

Add Forensic.get_certificate() to surface the APK's signing certificate.

Why

The Forensic module already extracts APK metadata (strings, URLs, IPs, content/file URIs, base64, Android APIs) but had no way to get the signing certificate. Certificate subject/issuer and fingerprints are useful IOCs for provenance and family clustering — e.g. flagging AOSP test-key self-signing, which is common in repackaged malware.

How

get_certificate() reuses the certificate parsing already available from the Androguard backend (no new dependency) and returns a list of dicts with the keys subject, issuer, serial_number, sha1, sha256, not_before, not_after, signature_algorithm. Returns an empty list for unsigned input, a bare DEX, or the rizin backend.

Test

Adds test_get_certificate in tests/forensic/test_forensic.py, asserting the signing cert (subject/issuer/sha256/sig-algo) of the existing test sample 14d9f1a92dd984d6040cc41ed06e273e.apk.

Notes

Backend support: implemented for the Androguard backend; the rizin backend returns [] (can be added in a follow-up).

🤖 Generated with Claude Code