rule android_meterpreter { meta: author="73mp74710n" comment="Metasploit Android Meterpreter Payload" strings: $checkPK = "META-INF/PK" $checkHp = "[Hp^" $checkSdeEncode = /;.Sk/ $stopEval = "eval" $stopBase64 = "base64_decode" condition: any of ($check*) or any of ($stop*) }