Xamarin.Android (Build fully native Android apps using C#)

[mike-hunhoff]

Consider writing capa rules for Xamarin.Android applications:

Xamarin.Android exposes the complete Android SDK for .NET developers. Build fully native Android apps using C# or F# in Visual Studio.

(credit)

Developers can write cross-platform and platform-specific C# (Android, iOS) . Here, we should aim to target Android-specific C# implemented via Mono.Android:

(credit)

Xamarin.Android framework has been leveraged by malware authors:

• https://blog.cyble.com/2021/10/22/fake-voicemail-app-built-through-xamarin-platform-spreads-spyware/
• https://maldr0id.blogspot.com/2015/03/android-malware-goes-mono-net-and-lua.html

Quick hunt on VT finds:

• f22974d0d7736ed5cf04102d42d9db5f1592463c137921c02595f382411fb595

We already have some coverage on this sample:

Deliverables:

• understand Mono.Android SDK and its uses by malware authors
• develop capa rules based on this understanding

[komen205]

Hello,

I'm not sure if this will be helpful in any way, but maybe identifying that the file is actually a Xamarin application could be quite useful. Since now it seems that it only identifies that the file is a dotnet one.

We can do this by targeting the magic "XALZ", for reference, dotnet/android#4686