Create Android_AVITOMMS.yar

47a7f172 · mmorenog · GitHub · 1cd187f6 · 47a7f172
Commit 47a7f172 authored Jul 06, 2016 by mmorenog Committed by GitHub Jul 06, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 0 deletions

Android_AVITOMMS.yar Mobile_Malware/Android_AVITOMMS.yar +33 -0

No files found.
--- a/Mobile_Malware/Android_AVITOMMS.yar
+++ b/Mobile_Malware/Android_AVITOMMS.yar
+import "androguard"
+
+rule Android_AVITOMMS_Variant
+{
+	meta:
+		author = "Jacob Soo Lead Re"
+		date = "28-May-2016"
+		description = "This rule try to detects Spy.Banker AVITO-MMS Variant"
+		source = "https://blog.avast.com/android-banker-trojan-preys-on-credit-card-information"
+
+	condition:
+		(androguard.receiver(/AlarmReceiverKnock/) and 
+		 androguard.receiver(/BootReciv/) and 
+		 androguard.receiver(/AlarmReceiverAdm/))
+		
+}
+
+rule Android_AVITOMMS_Rule2
+{
+	meta:
+		author = "Jacob Soo Lead Re"
+		date = "01-July-2016"
+		description = "This rule try to detects Spy.Banker AVITO-MMS Variant"
+		source = "https://blog.avast.com/android-banker-trojan-preys-on-credit-card-information"
+
+	condition:
+		androguard.service(/IMService/) and 
+		androguard.receiver(/BootReciv/) and 
+		androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/i) and 
+		androguard.permission(/android.permission.KILL_BACKGROUND_PROCESSES/i) and 
+		androguard.permission(/android.permission.SEND_SMS/i) and
+		androguard.permission(/android.permission.INTERNET/i)
+}