/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule smsfraud1 : android
{
    // Flags an Android SMSFraud trojan variant by three artefacts that must all be
    // present in the scanned file: an unusual literal, a generic ARM ELF symbol
    // (it only confirms a native library is bundled; on its own it is not
    // family-specific), and a resource path as it appears in the APK's zip
    // directory. The conjunction below is what keeps the generic symbol from
    // causing false positives.
    meta:
        author = "Antonio Sánchez https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        description = "This rule detects a kind of SMSFraud trojan"
        sample = "265890c3765d9698091e347f5fcdcf1aba24c605613916820cc62011a5423df2"
        sample2 = "112b61c778d014088b89ace5e561eb75631a35b21c64254e32d506379afc344c"

    strings:
        $marker = "E!QQAZXS"                                 // odd literal; the most specific of the three
        $elf_symbol = "__exidx_end"                          // ARM exception-index end symbol, common to armeabi .so files
        $layout_entry = "res/layout/notify_apkinstall.xmlPK" // zip entry name immediately followed by the next "PK" signature

    condition:
        // equivalent to "all of them": every string is required
        $marker and $elf_symbol and $layout_entry
}
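rule smsfraud2 : android
{
    // Flags a second Android SMSFraud trojan variant, this one carrying a native
    // helper library: the exported pluginSMS_* symbols, a zip entry for
    // lib/armeabi/libmylib.so, a generic ELF symbol (confirms native code, not
    // family-specific on its own) and a short opaque literal. All five strings
    // are required, so the generic symbol cannot fire the rule alone.
    // Fix: added the `description` meta field so this rule is documented the
    // same way as smsfraud1 (matching behaviour is unchanged).
    meta:
        author = "Antonio Sánchez https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        description = "This rule detects a kind of SMSFraud trojan (variant bundling a native pluginSMS library)"
        sample = "0200a454f0de2574db0b58421ea83f0f340bc6e0b0a051fe943fdfc55fea305b"
        sample2 = "bff3881a8096398b2ded8717b6ce1b86a823e307c919916ab792a13f2f5333b6"

    strings:
        $a = "pluginSMS_decrypt"          // exported symbol of the bundled native library
        $b = "pluginSMS_encrypt"          // exported symbol of the bundled native library
        $c = "__dso_handle"               // standard symbol present in most shared objects; weak indicator by itself
        $d = "lib/armeabi/libmylib.soUT"  // zip entry name followed by its "UT" (extended timestamp) extra field header
        $e = "]Diok\"3|"                  // opaque literal taken from the samples; embedded quote is escaped

    condition:
        all of them
}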