Update Android_RuMMS.yar

ee87baa6 · mmorenog · GitHub · ae7349a0 · ee87baa6
Commit ee87baa6 authored Jul 06, 2016 by mmorenog Committed by GitHub Jul 06, 2016
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 0 deletions

Android_RuMMS.yar Mobile_Malware/Android_RuMMS.yar +18 -0

No files found.
--- a/Mobile_Malware/Android_RuMMS.yar
+++ b/Mobile_Malware/Android_RuMMS.yar
@@ -21,3 +21,21 @@ rule Android_RuMMS
 		androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/)
 }
+rule Android_RuMMS_0
+{
+	meta:
+		author = "Jacob Soo Lead Re"
+		date = "19-May-2016"
+		description = "This rule try to detects Android.Banking.RuMMS"
+		source = "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
+	condition:
+		(androguard.service(/\.Tb/) and 
+		 androguard.service(/\.Ad/) and 
+		 androguard.receiver(/\.Ac/) and 
+		 androguard.receiver(/\.Ma/)) or
+        (androguard.url(/http\:\/\/37\.1\.207/) and 
+		 androguard.url(/\/api\/\?id\=7/))
+}