The hypothesis is that the detected behavior indicates the Android malware BadMirror establishing communication with its command-and-control (C2) server to exfiltrate device information and execute remote commands. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate compromised Android devices in its environment.
YARA Rule

rule Android_BadMirror
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "06-June-2016"
        description = "BadMirror is Android malware. The malware sends information to its remote CnC (phone number, MAC address, list of installed applications...) but it also has the capability to execute a few commands such as \"app\" (download an APK) or \"page\" (display a given URL)."
        source = "https://blog.fortinet.com/post/badmirror-new-android-malware-family-spotted-by-sherlockdroid"
    condition:
        androguard.service(/SimInsService/i) and
        androguard.permission(/android.permission.READ_PHONE_STATE/i)
}
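The condition above fires only when an APK declares a service whose name contains "SimInsService" and requests READ_PHONE_STATE; either alone is not enough, which matters because READ_PHONE_STATE is common in benign apps. The following Python script is an added example, not part of the original page or of the Fortinet research: it re-implements that two-part check over a decoded AndroidManifest.xml and applies a package-name allow-list in the spirit of the management-agent exclusions discussed below. The three manifests and the allow-list entry (com.example.mdm.agent) are constructed for illustration, and the BadMirror-like manifest is a minimal stand-in, not a real sample.

```python
"""Re-implementation of the Android_BadMirror YARA condition over a decoded
AndroidManifest.xml, with an allow-list for known management agents.

Added example; it mirrors the rule's logic (androguard.service and
androguard.permission regexes) but is not the rule itself.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree form of android:name

# Same regexes as the YARA condition, case-insensitive like the /i flag.
SERVICE_RE = re.compile(r"SimInsService", re.IGNORECASE)
PERMISSION_RE = re.compile(r"android\.permission\.READ_PHONE_STATE", re.IGNORECASE)

# Hypothetical allow-list of management-agent package names. Replace with the
# package names your MDM vendor documents; do not guess them.
KNOWN_MANAGEMENT_AGENTS = {"com.example.mdm.agent"}

# Constructed sample manifests (not real APK contents).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sample.badmirror.like">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SimInsService"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sample.dialer">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".CallSyncService"/>
  </application>
</manifest>"""

AGENT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mdm.agent">
  <uses-permission android:name="android.permission.read_phone_state"/>
  <application>
    <service android:name="com.example.mdm.agent.SimInsService"/>
  </application>
</manifest>"""


def manifest_matches(manifest_xml: str) -> dict:
    """Evaluate the rule's two checks and the allow-list for one manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    services = [s.get(NAME_ATTR, "") for s in root.iter("service")]
    permissions = [p.get(NAME_ATTR, "") for p in root.iter("uses-permission")]
    has_service = any(SERVICE_RE.search(name) for name in services)
    has_permission = any(PERMISSION_RE.search(name) for name in permissions)
    return {
        "package": package,
        "service": has_service,
        "permission": has_permission,
        "rule_match": has_service and has_permission,  # the YARA 'and'
        "allowlisted": package in KNOWN_MANAGEMENT_AGENTS,
    }


def triage(manifest_xml: str) -> str:
    """Return 'alert', 'suppressed' (matched but allow-listed) or 'no_match'."""
    result = manifest_matches(manifest_xml)
    if not result["rule_match"]:
        return "no_match"
    if result["allowlisted"]:
        return "suppressed"
    return "alert"


if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST),
                       ("benign", BENIGN_MANIFEST),
                       ("agent", AGENT_MANIFEST)):
        print(label, triage(xml), manifest_matches(xml))
```

The benign dialer manifest shows why the conjunction matters: it requests READ_PHONE_STATE but has no matching service, so it does not match. Suppressed matches should still be logged rather than discarded, since an attacker can name a package to look like an agent; the allow-list is a noise filter, not a trust decision.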
Two caveats before deploying this rule. First, its condition uses the androguard module, so it evaluates APK metadata (declared services and permissions) on platforms that provide that module, such as Koodous; stock YARA without the module will not compile it. Second, legitimate device-management activity can resemble the hunted behavior. The benign scenarios below describe such activity together with suggested filters; exclusions should key on known package names or known admin tooling, and the example identifiers given should be verified against the vendor's documentation before being used.
Scenario: System Update or Patching Process
Description: A legitimate system update or patching process may collect device information (e.g., MAC address) as part of inventory or compliance checks.
Filter/Exclusion: Exclude events whose source is a known system update component (e.g., Google Play Services, Android System Update) or adb commands run by IT administrators.
Scenario: Mobile Device Management (MDM) Inventory Scan
Description: MDM tools such as Microsoft Intune, Jamf, or MobileIron routinely gather device information (e.g., MAC address, installed apps) for asset management and compliance, and their agents commonly request READ_PHONE_STATE.
Filter/Exclusion: Exclude events whose source is a known MDM agent package (e.g., com.microsoft.intune.mdm, com.jamfsoftware.jamf, or com.mobileiron.agent, to be confirmed against the vendor's documentation).
Scenario: Scheduled Job for Device Inventory
Description: A scheduled job on an administrator's workstation (e.g., using cron or Task Scheduler) that drives adb to collect device information for reporting or auditing purposes.
Filter/Exclusion: Exclude events associated with a known admin task (e.g., adb shell, fastboot, or logcat commands executed by a user with elevated privileges).
Scenario: Android Debug Bridge (ADB) Usage by Admin
Description: IT administrators may use ADB to push files, pull logs, or execute commands on Android devices during troubleshooting or deployment.
Filter/Exclusion: Exclude events initiated via ADB by a known administrator (e.g., adb present in the command line and the user a member of the admin group).
Scenario: Network Discovery or Monitoring Tool
Description: Network discovery tools like Nmap, Wireshark