From 6425b29845d29364f160b32edf15115ff1e84824 Mon Sep 17 00:00:00 2001
From: mmorenog <mmorenog@users.noreply.github.com>
Date: Wed, 8 Jul 2015 12:33:24 +0200
Subject: [PATCH] Update and rename Android_banker.yar to Android_malware_banker.yar

---
 Malware_Mobile/Android_banker.yar         |  1 -
 Malware_Mobile/Android_malware_banker.yar | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
 delete mode 100644 Malware_Mobile/Android_banker.yar
 create mode 100644 Malware_Mobile/Android_malware_banker.yar

diff --git a/Malware_Mobile/Android_banker.yar b/Malware_Mobile/Android_banker.yar
deleted file mode 100644
index 8b13789..0000000
--- a/Malware_Mobile/Android_banker.yar
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/Malware_Mobile/Android_malware_banker.yar b/Malware_Mobile/Android_malware_banker.yar
new file mode 100644
index 0000000..e1fed78
--- /dev/null
+++ b/Malware_Mobile/Android_malware_banker.yar
@@ -0,0 +1,37 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule Android_Malware : iBanking
+{
+	meta:
+		author = "Xylitol xylitol@malwareint.com"
+		date = "2014-02-14"
+		description = "Match first two bytes, files and string present in iBanking"
+		reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"
+		
+	strings:
+		// Generic android
+		$pk = {50 4B}
+		$file1 = "AndroidManifest.xml"
+		// iBanking related
+		$file2 = "res/drawable-xxhdpi/ok_btn.jpg"
+		$string1 = "bot_id"
+		$string2 = "type_password2"
+	condition:
+		($pk at 0 and 2 of ($file*) and ($string1 or $string2))
+}
+
+import "androguard"
+
+rule Installer: banker
+{
+	meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+		description = "Applications with Installer as an application name"
+
+	condition:
+		androguard.package_name("Jk7H.PwcD")
+}
+
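Review bot: The `import "androguard"` line in the middle of the new file makes the whole file depend on the androguard module, which as far as I know is not part of a stock YARA build, so a scanner without it would fail to compile the file and lose the string-based `Android_Malware` rule along with `Installer`. Consider keeping `Installer` in its own file, or at least moving the import to the top with a comment such as `// requires a YARA build with the androguard module`. In `Installer`, the description says the rule matches on the application name, but the condition tests `androguard.package_name("Jk7H.PwcD")`; the description should say what is checked, e.g. `description = "Applications with package name Jk7H.PwcD"`. In `Android_Malware`, `$pk = {50 4B}` is a two-byte string that is only ever tested at offset 0, so `uint16(0) == 0x4B50` in the condition would make the same check without defining a very short search string.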
--
libgit2 0.26.0