Feed¶
Koodous offers the possibility to get the Feed of detected applications, scans and malware.
Note
The feed is only available to analysts who have the Corporate API. For any further information, please contact us at info@koodous.com.
How the feed works¶
The feed is the most efficient way to receive the flow of applications, analyses and detections generated by the system.
There are two types of feed packages: those generated every 5 minutes and those generated every hour. Package names use the following formats:
%Y%m%dT%H%M (Feed every 5 minutes).
%Y%m%dT%H (Feed every hour).
Examples of package names: 20210521T05, 20210521T1015.
Apk feeds¶
The apk feed consists of a zip file composed of json files with the apk information and their download link (valid for 7 days from the date of feed creation).
The meaning of each field is as follows:
{
"sha256": "",
"md5": "",
"sha1": "",
"app": "",
"package_name": "",
"company": "",
"version": "",
"size": 0,
"tags": "",
"is_trusted": false,
"is_installed": false,
"is_corrupted": false,
"is_detected": false,
"rating": 0,
"download_link": ""
}
The tags field is a string with the tags separated by commas; the rest of the fields are a simple string of what the field name itself describes. If more information is required, please refer to the documentation of the apk endpoint fields.
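As an added example (not Koodous code), a consumer of the apk feed could parse package names and read the zip in memory as follows. The size cap, the https check, the hex-hash check, the one-JSON-object-per-member layout, the use of the package timestamp as the feed creation date, and the sample data are assumptions of this example.

```python
import io, json, re, zipfile
from datetime import datetime, timedelta

MAX_JSON_BYTES = 1 << 20  # assumed per-record cap; guards against zip bombs
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

def parse_package(name):
    """Return (package_type, timestamp) for a feed package name."""
    # Check the exact shape first: strptime alone reads "T05" under %H%M as 00:05.
    if re.fullmatch(r"[0-9]{8}T[0-9]{4}", name):
        return "5-minutes", datetime.strptime(name, "%Y%m%dT%H%M")
    if re.fullmatch(r"[0-9]{8}T[0-9]{2}", name):
        return "1-hour", datetime.strptime(name, "%Y%m%dT%H")
    raise ValueError(f"not a feed package name: {name!r}")

def read_apk_feed(zip_bytes, package, now):
    """Yield validated records from an apk feed zip without extracting to disk."""
    created = parse_package(package)[1]
    # Assumption: the package timestamp approximates the feed creation date.
    link_live = now < created + timedelta(days=7)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(".json"):
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_JSON_BYTES + 1)  # bounded read
            if len(data) > MAX_JSON_BYTES:
                continue
            rec = json.loads(data)
            if not (isinstance(rec, dict) and SHA256_RE.fullmatch(str(rec.get("sha256")))):
                continue  # a record without a usable hash cannot be verified
            rec["tags"] = [t.strip() for t in str(rec.get("tags", "")).split(",") if t.strip()]
            rec["link_usable"] = link_live and str(rec.get("download_link")).startswith("https://")
            yield rec

def sample_feed():
    """Constructed apk feed zip: one valid record, one with a bad hash."""
    good = {"sha256": "ab" * 32, "package_name": "com.example.app",
            "tags": "banker, dropper", "is_detected": True,
            "download_link": "https://files.example.invalid/ab.apk"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.json", json.dumps(good))
        zf.writestr("bad.json", json.dumps({"sha256": "not-a-hash"}))
    return buf.getvalue()

if __name__ == "__main__":
    for r in read_apk_feed(sample_feed(), "20210521T1015", datetime(2021, 5, 22)):
        print(r["sha256"][:12], r["tags"], r["link_usable"])
```

After downloading an apk through download_link, hashing the file and comparing it with the record's sha256 confirms that the sample matches the feed entry.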
Analysis Feeds¶
The analysis feed is composed of a json file for each apk report, compressed in zip format. The name of each report is the sha256 hash of the apk.
Each file has the name {sha256}.json, which includes a list of each of the detections that have been created or updated in the specified time range.
Detected apk analysis feeds¶
The detections feed is a zip with the format detected_{package}.zip composed of the detections json files.
Accumulated negative votes¶
When a sample is negatively voted by the community and a negative score is accumulated, it is marked as malware.
The source field will have the fixed value community.
The information field will have the format:
{
"community_rating": <rating of the Apk>
}
Antivirus¶
Antivirus creates detections with additional information about each antivirus.
The source field will have the value of the antivirus name.
The information field will have the format:
{
"signature": <signature of the antivirus for the sample>,
"score": <antivirus score>,
"tags": [<tag1>, ..., <tagN>],
"first_detection_at": "<date of first detection>", // In ISO-8601 format.
"additional_information": <additional information provided by each antivirus (no fixed format)>
}
Endpoints¶
- GET /feed/¶
List of available feed packages.
- Query Parameters
feed_type – filters by feed type; accepted values are apks, analyses or detected.
package_type – filters by package type; accepted values are 5-minutes or 1-hour.
package_datetime – search for a particular package in ISO 8601 format.
- GET /feed/(str: hashid)/¶
Details of a feed package.
Example server response:
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
"id": "3q2BolejXejNmGQB",
"url": "https://developer.koodous.com/feed/4q2VolejRejNmGQB/",
"package": "20210521T05",
"feed_type": "apks",
"package_type": "1-hour",
"package_datetime": "2022-03-19T22:00:00+01:00",
"download_url": "https://storage.gra.cloud.ovh.net/v1/AUTH_/feed-apk/apk_20220319T22.zip"
}
- GET /feed/apks/¶
Apk feed package for the last 5 minutes.
Example server response:
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
"id": "ZXpL9BO6BeOQa8ev",
"url": "https://developer.koodous.com/feed/ZXpL9BO6BeOQa8ev/",
"package": "20220320T0900",
"feed_type": "apks",
"package_type": "5-minutes",
"package_datetime": "2022-03-20T09:00:00+01:00",
"download_url": "https://storage.gra.cloud.ovh.net/v1/AUTH_/feed-apk/apk_20220320T0900.zip"
}
- GET /feed/analyses/¶
Analyses feed package for the last 5 minutes.
Example server response:
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
"id": "QoVqKZ1P3qdv3y0B",
"url": "https://developer.koodous.com/feed/QoVqKZ1P3qdv3y0B/",
"package": "20220320T0905",
"feed_type": "analyses",
"package_type": "5-minutes",
"package_datetime": "2022-03-20T09:05:00+01:00",
"download_url": "https://storage.gra.cloud.ovh.net/v1/AUTH_/feed-analysis/analysis_20220320T0905.zip"
}
- GET /feed/detected/¶
Feed package with the analyses of the detected apks for the last 5 minutes.
Example server response:
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
"id": "Ro9EPbGXkJ1kW4rg",
"url": "https://developer.koodous.com/feed/Ro9EPbGXkJ1kW4rg/",
"package": "20220320T0905",
"feed_type": "detected",
"package_type": "5-minutes",
"package_datetime": "2022-03-20T09:05:00+01:00",
"download_url": "https://storage.gra.cloud.ovh.net/v1/AUTH_/feed-detected/detected_20220320T0905.zip"
}