https://bit.ly/3o8A7TF

Permhash: A New Approach to Analyzing Permissions

Permhash is an extensible framework designed to hash the declared permissions of Chromium-based browser extensions and Android Packages (APKs) for clustering, hunting, and pivoting. This research aims to demonstrate permhash's potential for wide use across the security industry.

Chromium Extensions & APKs Permissions

Both Chromium Extensions and APKs require permissions to function, specifying their level of access. Unfortunately, adversaries can abuse these permissions in malicious extensions and APKs for unauthorized actions.

Adversaries Exploiting Permissions

Mandiant has observed various adversaries using malicious extensions and APKs, including UNC3873, BRAINSTORM, BRAINFOG, BRAINLINK, and Nation State Actors like ARCHIPELAGO (subset of APT43) and APT42.

Permhash Hypothesis & Execution

Permhash aims to calculate a hash of a joined string of permissions from an extension or APK, serving as a data-point for hunting, clustering, and pivoting between like file types.

Permhash at Scale

Permhash analysis of 11,575 extension manifest samples and 13,372 APK samples revealed interesting patterns that can be used to identify malicious extensions and APKs effectively.

Permhash in the Wild

Permhash has successfully identified samples of VENOMSOFT, CERBERUS Android Trojan, and LEMONJUICE Android backdoor, proving its potential in identifying and pivoting between malicious samples.

Cautionary Tale

APT43 samples demonstrate that as extension versions change, permissions may change, modifying the permhash. This is expected behavior since permhash is adversary-defined.

Using Permhash

Mandiant and VirusTotal have made permhash available within the VirusTotal Platform, and Mandiant has released a permhash Python library to calculate permhash values for CRX, APK, CRX manifests, or APK manifests.

Protection & Mitigation

Google, Mandiant, and other security teams are committed to countering advanced threats through Enhanced Safe Browsing, Advanced Protection Program, and Google's Security Checkup.

Conclusion

Permhash can help researchers, analysts, and threat hunters identify connections between large datasets and discover previously unknown related samples, making it a valuable tool in cybersecurity.
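An added example, not code from this post or from Mandiant's permhash library: a sketch of the hypothesis above (hash the joined permission string, then cluster on it) that also shows the cautionary tale, where a new version with one extra permission lands in a different cluster. The use of SHA-256, the manifest keys that are read, and the sample manifests are assumptions constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict

# Assumption: the manifest keys treated as "declared permissions".
PERMISSION_KEYS = ("permissions", "optional_permissions", "host_permissions")

def declared_permissions(manifest_text):
    """Collect permissions key by key (PERMISSION_KEYS order), keeping list order."""
    manifest = json.loads(manifest_text)
    perms = []
    for key in PERMISSION_KEYS:
        value = manifest.get(key)
        if not isinstance(value, list):
            continue  # key absent or malformed: nothing to collect
        for entry in value:
            # Non-string entries are serialised stably so equal objects hash equally.
            perms.append(entry if isinstance(entry, str) else json.dumps(entry, sort_keys=True))
    return perms

def permission_hash(manifest_text):
    """SHA-256 (assumed) over the joined permission string; None if none declared."""
    perms = declared_permissions(manifest_text)
    if not perms:
        return None  # otherwise every permission-less sample would share one hash
    return hashlib.sha256("".join(perms).encode("utf-8")).hexdigest()

def cluster(samples):
    """Group sample names by permission hash, the pivot point for hunting."""
    groups = defaultdict(list)
    for name, text in samples.items():
        groups[permission_hash(text)].append(name)
    return dict(groups)

# Constructed manifests, not real samples.
SAMPLES = {
    "ext_a_v1": '{"name": "Notes", "version": "1.0", "permissions": ["tabs", "cookies", "<all_urls>"]}',
    "ext_b_v1": '{"name": "Weather", "version": "3.2", "permissions": ["tabs", "cookies", "<all_urls>"]}',
    "ext_a_v2": '{"name": "Notes", "version": "1.1", "permissions": ["tabs", "cookies", "webRequest", "<all_urls>"]}',
    "ext_c": '{"name": "Theme", "version": "1.0"}',
}

if __name__ == "__main__":
    for digest, names in cluster(SAMPLES).items():
        print(digest, names)
```

Two unrelated names with identical permission lists share a cluster, while `ext_a_v2` no longer matches `ext_a_v1`, so a hunt built on this value should be paired with other pivots.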








