Hypothesis: the YARA rule below detects the Fake AliPay SMS stealer, an Android app that poses as a security app for Alipay customers and intercepts incoming SMS messages (the one-time codes banks and payment apps send) so they can be forwarded to the attacker. The rule is a static check over APK files; the corresponding Azure Sentinel hunt is for the indicators the rule carries (the sample SHA-256 in meta.sample and the signing-certificate SHA-1 in the condition) in whatever mobile-threat-defense or MDM telemetry the workspace ingests, so that stolen verification codes are caught before they are used for account takeover.
YARA Rule
// The androguard module (certificate and permission lookups) is preloaded on
// Koodous; a standalone YARA build needs the module compiled in and an
// import "androguard" line at the top of the file.
rule Android_AliPay_smsStealer : android
{
    meta:
        description = "Yara rule for detection of Fake AliPay Sms Stealer"
        sample = "f4794dd02d35d4ea95c51d23ba182675cc3528f42f4fa9f50e2d245c08ecf06b"
        source = "http://research.zscaler.com/2016/02/fake-security-app-for-alipay-customers.html"
        ref = "https://analyst.koodous.com/rulesets/1192"
        author = "https://twitter.com/5h1vang"
    strings:
        // Generic Android SMS-interception artefacts: a service start marker, the
        // intent extra carrying the SMS, the SMS_RECEIVED broadcast action and a
        // phone-number field. None of them is unique to this family.
        $str_1 = "START_SERVICE"
        $str_2 = "extra_key_sms"
        $str_3 = "android.provider.Telephony.SMS_RECEIVED"
        $str_4 = "mPhoneNumber"
    condition:
        // YARA binds `and` tighter than `or`, so the condition reads:
        // (signing certificate matches) OR (all three permissions AND all four strings).
        // The parentheses only make that precedence explicit; behaviour is unchanged.
        androguard.certificate.sha1("0CDFC700D0BDDC3EA50D71B54594BF3711D0F5B2") or
        (
            androguard.permission(/android.permission.RECEIVE_SMS/) and
            androguard.permission(/android.permission.INTERNET/) and
            androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/) and
            all of ($str_*)
        )
}
Deployment context: the condition uses the androguard module (androguard.certificate.sha1 and androguard.permission), so the rule runs against APK files in Koodous or in a YARA build with that module compiled in, not against live endpoint processes; the four string patterns are then searched in the APK contents. Because all four strings and all three permissions are common to any app that reads incoming SMS, the certificate clause is the only high-confidence part of the rule; a match on the permission-and-strings clause alone is a lead to be triaged against the false-positive scenarios below.
Scenario: Legitimate SMS Verification App
Description: An app that reads incoming SMS to autofill one-time passcodes, or a messaging client, legitimately declares RECEIVE_SMS, INTERNET and RECEIVE_BOOT_COMPLETED and references android.provider.Telephony.SMS_RECEIVED, so it can satisfy the permission-and-strings clause.
Filter/Exclusion: Suppress only when the match is on that clause rather than on the certificate, and only when the APK is signed with a known publisher certificate (androguard.certificate.sha1) or carries a vetted package name (androguard.package_name). Never suppress a match on the certificate in the rule.
Scenario: Enterprise Device-Management or Carrier Agent
Description: An MDM or carrier-provisioning agent installed by an administrator on managed devices receives SMS commands, starts at boot and talks to a server, so it carries the same permissions and boot-receiver strings.
Filter/Exclusion: Allowlist the agent's signing-certificate SHA-1 and package name as supplied by the vendor, and confirm the APK hash against the vendor's published release before excluding it.
Scenario: Security Tool or Rule Test
Description: An analyst validates the rule by scanning the referenced sample (the SHA-256 in meta.sample) or a repackaged copy in a sandbox or analysis pipeline.
Filter/Exclusion: Route alerts from designated analysis hosts or sandbox submission queues to a test tag so the expected hit is recorded as a test rather than an incident; do not exclude the sample hash globally.
Scenario: Legitimate Merchant App with Alipay Payment Integration
Description: A shopping or point-of-sale app that integrates Alipay payments may also request SMS permissions for verification codes and contain the generic service and SMS strings in its code.
Filter/Exclusion: Check the publisher certificate and package name against the app-store listing; a legitimate integration is signed by the merchant, not by the certificate in the rule.
Scenario: Developer Debug or Simulation Build
Description: A developer's test build that simulates the SMS verification flow (fake SMS content, a hard-coded phone-number field such as mPhoneNumber) can reproduce all four strings alongside the permissions.
Filter/Exclusion: Exclude builds signed with the team's internal or debug certificate (by SHA-1) that originate from the internal CI pipeline, and confirm the package is not published on a public app store.
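The following is an added example, not part of the original page or of the Koodous ruleset: a Python emulation of the rule's condition and of the triage described in the scenarios above. It stands in for the androguard module with a small ApkInfo record (signing-certificate SHA-1, declared permissions, strings found in the APK) and approximates androguard.permission(/regex/) as an unanchored regex search, which is an assumption. The package names, certificate hashes other than the one in the rule, and the allowlists are all constructed for the example. It shows two things the rule text alone does not: that the certificate clause fires on its own because `and` binds tighter than `or`, and that a legitimate OTP app with the same permissions and strings hits the second clause and must be handled by allowlisting rather than by editing the rule.

```python
import re
from dataclasses import dataclass

# Only RULE_CERT_SHA1, RULE_PERMISSIONS and RULE_STRINGS come from the rule;
# everything else in this file is constructed for the example.
RULE_CERT_SHA1 = "0CDFC700D0BDDC3EA50D71B54594BF3711D0F5B2"
RULE_PERMISSIONS = [
    re.compile(r"android.permission.RECEIVE_SMS"),
    re.compile(r"android.permission.INTERNET"),
    re.compile(r"android.permission.RECEIVE_BOOT_COMPLETED"),
]
RULE_STRINGS = frozenset({
    "START_SERVICE",
    "extra_key_sms",
    "android.provider.Telephony.SMS_RECEIVED",
    "mPhoneNumber",
})


@dataclass(frozen=True)
class ApkInfo:
    """Stand-in for the APK metadata the androguard module exposes to YARA."""
    package_name: str
    cert_sha1: str
    permissions: frozenset
    dex_strings: frozenset


def has_permission(apk, pattern):
    # Assumption: androguard.permission(/regex/) is an unanchored regex search
    # over the permissions declared in AndroidManifest.xml.
    return any(pattern.search(p) for p in apk.permissions)


def match_reason(apk):
    """Return why the rule fires, or None.

    YARA binds `and` tighter than `or`, so the condition is
    cert_match OR (all three permissions AND all four strings): the
    certificate clause fires alone, the other two only together."""
    if apk.cert_sha1.upper() == RULE_CERT_SHA1:
        return "certificate"
    perms_ok = all(has_permission(apk, p) for p in RULE_PERMISSIONS)
    strings_ok = RULE_STRINGS <= apk.dex_strings
    if perms_ok and strings_ok:
        return "permissions_and_strings"
    return None


def rule_matches(apk):
    return match_reason(apk) is not None


def triage(apk, known_good_certs=frozenset(), known_good_packages=frozenset()):
    """False-positive handling from the scenarios: a certificate match is
    always an alert; a permissions-and-strings match is suppressed only for
    an APK signed by an allowlisted certificate or with an allowlisted package."""
    reason = match_reason(apk)
    if reason is None:
        return "no_match"
    if reason == "certificate":
        return "alert"
    if apk.cert_sha1.upper() in known_good_certs or apk.package_name in known_good_packages:
        return "suppressed"
    return "review"


SMS_PERMS = frozenset({
    "android.permission.RECEIVE_SMS",
    "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED",
})

# Constructed corpus: hypothetical package names and certificate hashes.
SAMPLES = {
    # Signed with the certificate from the rule: fires regardless of contents.
    "stealer_cert": ApkInfo("com.example.fakesecurity", RULE_CERT_SHA1,
                            frozenset({"android.permission.INTERNET"}), frozenset()),
    # Legitimate OTP-autofill app: same permissions and strings, known publisher.
    "otp_app": ApkInfo("com.example.otpfill", "AA" * 20, SMS_PERMS, RULE_STRINGS),
    # Messenger with the permissions but missing one of the four strings.
    "messenger": ApkInfo("com.example.chat", "BB" * 20, SMS_PERMS,
                         RULE_STRINGS - {"extra_key_sms"}),
    # Unknown app with the full permission-and-strings profile: needs a human.
    "unknown_sms": ApkInfo("com.example.unknown", "CC" * 20, SMS_PERMS, RULE_STRINGS),
}
KNOWN_GOOD_CERTS = frozenset({"AA" * 20})            # hypothetical publisher cert
KNOWN_GOOD_PACKAGES = frozenset({"com.vendor.mdmagent"})  # hypothetical MDM agent

if __name__ == "__main__":
    for name, apk in SAMPLES.items():
        print(f"{name:13s} reason={match_reason(apk)!s:24s} "
              f"triage={triage(apk, KNOWN_GOOD_CERTS, KNOWN_GOOD_PACKAGES)}")
```

Running the script prints one line per constructed APK: the certificate-signed sample is an alert even though it declares no SMS permission, the OTP app is suppressed by its allowlisted certificate, the messenger does not match at all, and the unknown app lands in review. Swap the constructed records for output of an APK parser such as androguard to apply the same triage to real files.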