Merge pull request #87 from plutec/master

Added rule to detect a type of SMSFraud

Merge pull request #87 from plutec/master
Added rule to detect a type of SMSFraud
2bf7930b · mmorenog · 368746c4 · b2132b23 · 2bf7930b
Commit 2bf7930b authored Feb 08, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 35 additions and 0 deletions

Android_SMSFraud.yar Mobile_Malware/Android_SMSFraud.yar +35 -0

No files found.
--- a/Mobile_Malware/Android_SMSFraud.yar
+++ b/Mobile_Malware/Android_SMSFraud.yar
+rule smsfraud
+{
+    meta:
+        author = "Antonio Sánchez https://twitter.com/plutec_net"
+        reference = "https://koodous.com/"
+        description = "This rule detects a kind of SMSFraud trojan"
+        sample = "265890c3765d9698091e347f5fcdcf1aba24c605613916820cc62011a5423df2"
+        sample2 = "112b61c778d014088b89ace5e561eb75631a35b21c64254e32d506379afc344c"
+
+    strings:
+        $a = "E!QQAZXS"
+        $b = "__exidx_end"
+        $c = "res/layout/notify_apkinstall.xmlPK"
+
+    condition:
+    all of them
+        
+}
+
+rule smsfraud2 {
+    meta:
+        author = "Antonio Sánchez https://twitter.com/plutec_net"
+        reference = "https://koodous.com/"
+        sample = "0200a454f0de2574db0b58421ea83f0f340bc6e0b0a051fe943fdfc55fea305b"
+        sample2 = "bff3881a8096398b2ded8717b6ce1b86a823e307c919916ab792a13f2f5333b6"
+
+    strings:
+        $a = "pluginSMS_decrypt"
+        $b = "pluginSMS_encrypt"
+        $c = "__dso_handle"
+        $d = "lib/armeabi/libmylib.soUT"
+        $e = "]Diok\"3|"
+    condition:
+        all of them
+}