
1use serde::{Deserialize, Serialize};
2use std::net::IpAddr;
3
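/// One rule from the indicator set: the indicators of compromise (IoCs)
/// attributed to a single stalkerware strain.
///
/// Rules are loaded through serde. Only `name` and `r#type` are required;
/// every list field carries `#[serde(default)]`, so a rule that omits them
/// deserializes with empty lists. Consumers must therefore not assume that
/// a rule carries at least one indicator.
///
/// NOTE(review): the struct does not set `#[serde(deny_unknown_fields)]`,
/// so a misspelled key in a rule file (e.g. `package:` instead of
/// `packages:`) is silently dropped and its indicators are lost instead of
/// failing the load. Enabling it is a data-format change (it would reject
/// rule files that carry keys this struct does not model) — confirm against
/// the rule files before turning it on.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct Rule {
    /// Canonical name of the strain (required: no default is applied).
    pub name: String,
    /// Aliases the same strain is known under.
    #[serde(default)]
    pub names: Vec<String>,
    /// Kind of app, documented as either `stalkerware` or `watchware`
    /// (required). Stored as a plain string: nothing here validates it, so
    /// any other value is accepted at load time and must be handled by the
    /// consumer. (An enum would enforce this, but changing the field type
    /// is an API change for existing callers.)
    pub r#type: String,
    /// App identifiers (package names) this strain ships under.
    #[serde(default)]
    pub packages: Vec<String>,
    /// Domains involved in distributing the app itself (e.g. hosting the
    /// .apk), as opposed to marketing sites or C2 endpoints.
    #[serde(default)]
    pub distribution: Vec<String>,
    /// Certificates in use with this strain. Stored as opaque strings; the
    /// encoding (presumably signing-certificate fingerprints) is not
    /// enforced here — TODO confirm against the rule files.
    #[serde(default)]
    pub certificates: Vec<String>,
    /// Websites related to the strain (e.g. marketing pages or control
    /// panels). These are not necessarily C2 endpoints; see `c2` for those.
    #[serde(default)]
    pub websites: Vec<String>,
    /// Domains and IP addresses of the command-and-control infrastructure.
    /// A rule without a `c2` key gets an empty [`C2Rule`].
    #[serde(default)]
    pub c2: C2Rule,
}

/// Command-and-control indicators attached to a [`Rule`].
///
/// Both lists default to empty when absent from the rule file, which is
/// also what [`C2Rule::default`] yields.
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
pub struct C2Rule {
    /// Known C2 IP addresses. Parsed into [`IpAddr`] at deserialization
    /// time, so a malformed entry fails the rule load rather than being
    /// kept as text that would never match.
    #[serde(default)]
    pub ips: Vec<IpAddr>,
    /// Known C2 domains. Kept exactly as written in the rule file — no
    /// normalization (case, trailing dot) happens here, so matching code
    /// should normalize both sides before comparing. TODO confirm where the
    /// matching is performed.
    #[serde(default)]
    pub domains: Vec<String>,
}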