Sneed-Reactivity/yara-mikesxrs/Mikesxrs/android_tempting_cedar_spyware.yar

rule android_tempting_cedar_spyware
{
	meta:
    	Author = "@X0RC1SM"
      Date = "2018-03-06"
      Reference = "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware"
	strings:
		  $PK_HEADER = {50 4B 03 04}
	   	$MANIFEST = "META-INF/MANIFEST.MF"
	  	$DEX_FILE = "classes.dex"
		  $string = "rsdroid.crt"
	
	condition:
    	$PK_HEADER in (0..4) and $MANIFEST and $DEX_FILE and any of ($string*)
}