## Background

The `third-party/android-sigma-rules` rule repo is a public-facing detection-rule catalog that is intended to byte-mirror what AndroDR ships in `app/src/main/res/raw/sigma_*.yml`. Today there is significant drift.

PR rules#16 catches up `device_auditor/` (rules 040–052 + manifests). This issue tracks the remaining work.

## Out-of-scope from rules#16 — what still needs to land

Missing entirely from the submodule (17 rules; 16 listed below):

- `androdr_atom_app_launch.yml`
- `androdr_atom_device_admin_grant.yml`
- `androdr_atom_dns_lookup.yml`
- `androdr_atom_package_install.yml`
- `androdr_atom_permission_use.yml`
- `androdr_corr_001_install_then_admin.yml`
- `androdr_corr_002_install_then_permission.yml`
- `androdr_corr_003_permission_then_c2.yml`
- `androdr_corr_004_surveillance_burst.yml`
- `androdr_067_notification_listener.yml`
- `androdr_071_crash_loop_anti_forensics.yml`
- `androdr_072_persistent_wakelock.yml`
- `androdr_073_battery_daily_pattern.yml`
- `androdr_074_package_install_history_pattern.yml`
- `androdr_075_platform_compat_override.yml`
- `androdr_076_database_path_access.yml`

These need to be added under their matching `<service>/` directory.

Content drift to reconcile (substantive, not cosmetic):

- `androdr-015` — bundled was downgraded to `level: low` "Unrecognized system app" in PR #147 ("Three alarming false positives on Samsung Galaxy Z Fold 2 (SM-F916B)"); the submodule still has the old `level: high` "Firmware Implant" form with the `attack.t1398` tag.
- `androdr-011` (surveillance_permissions) — bundled has a `from_trusted_store: true` filter that the submodule lacks.
- `androdr-002` (cert_hash_ioc) — submodule has a "Tripwire" comment that the bundled copy doesn't.
- `androdr-016` (system_name_disguise) — submodule has a `guidance:` field that the bundled copy lacks.

Cosmetic em-dash vs `--` drift across the descriptions of rules 001, 015, 017, 020, 061, 062. Decide on a canonical separator (the bundled side mostly uses `--`) and sweep.

One submodule-only rule (`process_monitor/androdr_030_spyware_process.yml`) is not bundled in AndroDR. Decide: keep it as an aspirational catalog entry, or remove it because AndroDR doesn't ship process monitoring?

## Acceptance criteria

- All bundled `app/src/main/res/raw/sigma_androdr_*.yml` files have a byte-equal counterpart in the submodule (after stripping the `sigma_` prefix).
- `rules.txt` + `rules.sha256` regenerated to cover the new set.
- A decision recorded for `androdr-030` (keep or drop).
- Single submodule PR + paired AndroDR pointer-bump PR.
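A drift check for the acceptance criteria above, added here as an example; it is not code from AndroDR or the android-sigma-rules repo. It assumes (the issue does not say) that `rules.txt` is a sorted list of rule paths relative to the submodule root and that `rules.sha256` is `sha256sum` output over those paths, both kept at the submodule root. The fixture rule files it builds are constructed: a bundled `androdr-011` with the `from_trusted_store` filter and a submodule copy without it, a bundled-only `androdr-067`, and a submodule-only `androdr-030`.

```shell
#!/bin/sh
# Added example: bundled-vs-submodule byte-mirror check. Not part of AndroDR
# or android-sigma-rules. Assumptions (not stated in the issue): rules.txt is a
# sorted list of rule paths relative to the submodule root, rules.sha256 is
# `sha256sum` output over those paths, both at the submodule root. The fixture
# rule contents in make_fixture are constructed.

# check_drift BUNDLED_DIR SUBMODULE_DIR
# For every bundled sigma_androdr_*.yml, strip the sigma_ prefix, locate the
# counterpart anywhere under the submodule (any <service>/ dir) and compare
# bytes. Prints "MISSING <name>" or "DRIFT <name> (<path>)" per problem and
# returns the problem count, so 0 means the mirror is in sync.
check_drift() {
    bundled=$1 sub=$2 problems=0
    for f in "$bundled"/sigma_androdr_*.yml; do
        [ -e "$f" ] || continue
        name=${f##*/}; name=${name#sigma_}
        match=$(find "$sub" -type f -name "$name" | head -n 1)
        if [ -z "$match" ]; then
            echo "MISSING $name"; problems=$((problems + 1))
        elif ! cmp -s "$f" "$match"; then
            echo "DRIFT $name ($match)"; problems=$((problems + 1))
        fi
    done
    return $problems
}

# submodule_only BUNDLED_DIR SUBMODULE_DIR
# Reverse direction: submodule rules with no bundled sigma_ counterpart (the
# androdr-030 situation). Prints paths relative to the submodule root.
submodule_only() {
    bundled=$1 sub=$2
    (cd "$sub" && find . -type f -name 'androdr_*.yml' | sed 's|^\./||' | LC_ALL=C sort) |
    while IFS= read -r rel; do
        [ -e "$bundled/sigma_${rel##*/}" ] || echo "$rel"
    done
}

# regen_manifests SUBMODULE_DIR
# Rewrite rules.txt and rules.sha256 from the rule files actually present.
regen_manifests() {
    (cd "$1" \
        && find . -type f -name 'androdr_*.yml' | sed 's|^\./||' | LC_ALL=C sort > rules.txt \
        && xargs sha256sum < rules.txt > rules.sha256)
}

# make_fixture ROOT: constructed sample tree (bundled/ and rules/ submodule).
make_fixture() {
    root=$1
    mkdir -p "$root/bundled" "$root/rules/device_auditor" "$root/rules/process_monitor"
    # Bundled androdr-011 carries the from_trusted_store filter; the submodule
    # copy is the same file with that line removed (the drift from the issue).
    cat > "$root/bundled/sigma_androdr_011_surveillance_permissions.yml" <<'EOF'
title: Surveillance permissions (constructed sample)
id: androdr-011
detection:
  selection:
    permission|contains: RECORD_AUDIO
  filter:
    from_trusted_store: true
  condition: selection and not filter
EOF
    sed '/from_trusted_store/d' "$root/bundled/sigma_androdr_011_surveillance_permissions.yml" \
        > "$root/rules/device_auditor/androdr_011_surveillance_permissions.yml"
    # Bundled only: missing from the submodule.
    printf 'title: Notification listener (constructed sample)\nid: androdr-067\n' \
        > "$root/bundled/sigma_androdr_067_notification_listener.yml"
    # Submodule only: no bundled counterpart.
    printf 'title: Spyware process (constructed sample)\nid: androdr-030\n' \
        > "$root/rules/process_monitor/androdr_030_spyware_process.yml"
}

# Stand-alone demo over the constructed fixture.
demo() {
    t=$(mktemp -d)
    make_fixture "$t"
    check_drift "$t/bundled" "$t/rules" || echo "problems: $?"
    echo "submodule-only:"; submodule_only "$t/bundled" "$t/rules"
    regen_manifests "$t/rules"
    (cd "$t/rules" && sha256sum -c rules.sha256)
    rm -rf "$t"
}
demo
```

Run `check_drift app/src/main/res/raw third-party/android-sigma-rules` from the AndroDR checkout; a zero return is the byte-equality criterion above, and `submodule_only` surfaces anything in the `androdr-030` category that a keep-or-drop decision still has to cover. Matching is by basename only, so a rule filed under the wrong `<service>/` directory would still pass; if that matters, compare against an explicit service map instead.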