rule android_tempting_cedar_spyware { meta: Author = "@X0RC1SM" Date = "2018-03-06" Reference = "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware" strings: $PK_HEADER = {50 4B 03 04} $MANIFEST = "META-INF/MANIFEST.MF" $DEX_FILE = "classes.dex" $string = "rsdroid.crt" condition: $PK_HEADER in (0..4) and $MANIFEST and $DEX_FILE and any of ($string*) }