
Xamarin.Android (Build fully native Android apps using C#)

Open mike-hunhoff opened this issue 2 years ago • 1 comments

Consider writing capa rules for Xamarin.Android applications:

Xamarin.Android exposes the complete Android SDK for .NET developers. Build fully native Android apps using C# or F# in Visual Studio.

(credit)

Developers can write cross-platform and platform-specific C# (Android, iOS). Here, we should aim to target Android-specific C# implemented via Mono.Android:

Screen Shot 2023-02-22 at 10 42 23 AM

(credit)

The Xamarin.Android framework has been leveraged by malware authors:

  • https://blog.cyble.com/2021/10/22/fake-voicemail-app-built-through-xamarin-platform-spreads-spyware/
  • https://maldr0id.blogspot.com/2015/03/android-malware-goes-mono-net-and-lua.html

Quick hunt on VT finds:

We already have some coverage on this sample:

Screen Shot 2023-02-22 at 11 33 12 AM

Deliverables:

  • understand Mono.Android SDK and its uses by malware authors
  • develop capa rules based on this understanding

mike-hunhoff avatar Feb 22 '23 18:02 mike-hunhoff

Hello,

I'm not sure if this will be helpful in any way, but maybe identifying that the file is actually a Xamarin application could be quite useful, since now it seems that it only identifies that the file is a dotnet one.

We can do this by targeting the magic "XALZ"; for reference, see https://github.com/xamarin/xamarin-android/pull/4686

komen205 avatar Mar 20 '23 22:03 komen205
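
The check suggested in the comment above, sketched as an added example that is not part of the original thread and is not capa code: it scans the entries of an APK for the "XALZ" magic to flag compressed Xamarin assemblies during triage. The two little-endian uint32 fields read after the magic (descriptor index, uncompressed size) are an assumed header layout, and the function names and sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

XALZ_MAGIC = b"XALZ"  # magic named in the comment above
HEADER_LEN = 12       # assumption: 4-byte magic + two little-endian uint32 fields


def find_xalz_assemblies(apk_bytes):
    """Return [(entry name, descriptor index, uncompressed size)] for XALZ entries."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            # Skip directories and entries too short to hold the header.
            if info.is_dir() or info.file_size < HEADER_LEN:
                continue
            with apk.open(info) as fh:
                header = fh.read(HEADER_LEN)
            if header[:4] != XALZ_MAGIC:
                continue  # e.g. an uncompressed assembly starting with "MZ"
            # Assumed layout: index into the assembly descriptor table,
            # then the size of the assembly once decompressed.
            index, size = struct.unpack("<II", header[4:HEADER_LEN])
            hits.append((info.filename, index, size))
    return hits


def build_sample_apk():
    """Constructed sample: a ZIP with one XALZ-wrapped entry and two other files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assemblies/App.dll",
                   XALZ_MAGIC + struct.pack("<II", 3, 4096) + b"\x00" * 16)
        z.writestr("assemblies/Plain.dll", b"MZ" + b"\x00" * 62)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, index, size in find_xalz_assemblies(build_sample_apk()):
        print(f"{name}: XALZ magic, index={index}, uncompressed size={size}")
```
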