feat(rules): androdr-084 actively-exploited-CVE rule + 52 threat-intel IOCs#212
Merged
…-rules submodule Bundles new device_posture rule androdr-084 (res/raw + engine registration) and bumps the android-sigma-rules submodule to e9ce9e3, which adds the rule mirror and 52 threat-intel IOC entries (BTMOB, TrickMo, Astrinox, Massiv, SaferRat, RecruitRat, PixRevolution, AndroRAT, Antidot, Asin). androdr-084 fires when the device's unpatched actively-exploited CVE set contains CVE-2025-48595 (June 2026 ASB, no-interaction Framework EoP under limited targeted exploitation). level: medium (device_posture severity cap), report_safe_state: true — same unpatched_cve_id|contains mechanism as the 048-052 campaign rules; CVE arrives via the live CISA-KEV/OSV refresh. The 52 IOCs reach devices via IocUpdateWorker pulling rules-repo main (res/raw is cold-start only); they are additive vs on-device mirror-feed coverage (0 overlaps) and validate clean. Verified: full testDebugUnitTest (550 tests, 0 failures), validate-rule.py, validate-ioc-data.py x3, strict complementarity, and on a physical Galaxy Z Fold2 (Android 13, patch 2024-08-01) where 084 fires correctly in Device Flags. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary

Output of the update-rules-e2e pipeline (HitL-approved). Adds one bundled SIGMA rule and bumps the `android-sigma-rules` submodule (→ e9ce9e3, rules#30), which carries the rule mirror + 52 threat-intel IOC entries.

Rule

- androdr-084 — Device vulnerable to an actively exploited CVE
- `res/raw/sigma_androdr_084_actively_exploited_cve.yml` + registration in `SigmaRuleEngine.kt`.
- `device_auditor` / `level: medium` (the `device_posture` severity cap — `high` is silently clamped by `SeverityCapPolicy` and rejected by `AllRulesHaveCategoryTest`) / `report_safe_state: true`.
- `unpatched_cve_id|contains` mechanism as campaign rules 048–052; the CVE arrives via the live CISA-KEV/OSV refresh (not the cold-start snapshot — consistent with siblings).

IOCs (in the submodule bump, +52, all additive)

40 apk_hash + 8 c2_domain + 4 package_name across BTMOB, TrickMo, Astrinox, Massiv, SaferRat, RecruitRat, PixRevolution, AndroRAT, Antidot (MALWARE) and 3 Asin (SPYWARE). They reach devices via `IocUpdateWorker` pulling rules-repo `main`; `res/raw` is cold-start only.

Validation

- `./gradlew testDebugUnitTest` → 550 tests, 0 failures (incl. `GateFourFixtureTest`, `BundledRulesManifestCompletenessTest`, `BundledRules/IocDataSchemaCrossCheckTest`, `AllRulesHaveCategoryTest`).
- `validate-rule.py`, `validate-ioc-data.py` (×3), strict complementarity → PASS.

Real-device verification

Installed on a physical Galaxy Z Fold2 (Android 13, patch 2024-08-01). Loads 57 bundled rules incl. 084 (zero parse errors); after a scan, androdr-084 fires correctly in Device Flags with the right title, evidence count ("19 CVEs"), and remediation.
🤖 Generated with Claude Code
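A constructed illustration of the `unpatched_cve_id|contains` mechanism, the `device_posture` severity cap and `report_safe_state` behaviour described in the PR body. This is example code added here, not the project's `SigmaRuleEngine`; the cap policy, helper names, device snapshots and the `CVE-0000-*` placeholder IDs are assumptions.

```python
# Toy evaluator for a device_posture rule of the androdr-084 shape. Constructed
# example, not the project's SigmaRuleEngine; cap policy, names, snapshots are assumptions.
from dataclasses import dataclass

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
SEVERITY_CAP = {"device_posture": "medium"}  # hypothetical cap, per the PR note

# Rule reconstructed from the fields the PR body names.
RULE_084 = {
    "id": "androdr-084",
    "category": "device_posture",
    "level": "medium",
    "report_safe_state": True,
    "detection": {"selection": {"unpatched_cve_id|contains": "CVE-2025-48595"}},
}

# Constructed device snapshots; CVE-0000-* are placeholders, not real CVEs.
VULNERABLE_DEVICE = {"unpatched_cve_id": ["CVE-0000-0001", "CVE-2025-48595", "CVE-0000-0002"]}
PATCHED_DEVICE = {"unpatched_cve_id": ["CVE-0000-0001"]}

@dataclass
class Finding:
    rule_id: str
    fired: bool          # False means a safe-state report
    level: str
    evidence_count: int  # unpatched CVE count, like the "19 CVEs" in Device Flags

def clamp_level(level, category):
    """Silently lower a rule's level to its category cap."""
    cap = SEVERITY_CAP.get(category)
    if cap and SEVERITY_ORDER.index(level) > SEVERITY_ORDER.index(cap):
        return cap
    return level

def field_matches(posture, key, wanted):
    """Evaluate one Sigma-style 'field|modifier' selection entry."""
    field, _, modifier = key.partition("|")
    values = posture.get(field, [])
    values = [values] if isinstance(values, str) else list(values)
    if modifier == "contains":  # substring match against any value
        return any(wanted in v for v in values)
    return wanted in values     # plain equality otherwise

def evaluate(rule, posture):
    """Return a Finding, or None if nothing fired and safe states are not reported."""
    selection = rule["detection"]["selection"]
    fired = all(field_matches(posture, k, v) for k, v in selection.items())
    if not fired and not rule.get("report_safe_state", False):
        return None
    level = clamp_level(rule["level"], rule["category"])
    return Finding(rule["id"], fired, level, len(posture.get("unpatched_cve_id", [])))
```

Because `report_safe_state` is true, the patched device still yields a Finding with `fired=False`, which is what lets a UI show a green state rather than silence.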