Clicker.G is an Android click-fraud (ad clicker) family; the McAfee Labs post referenced in the rule covers Clicker.DGen samples found on Google Play. The rule flags APKs that both declare a broadcast receiver whose class name matches MyBroadCastReceiver (case-insensitive) and contain the URL fragment upd.php?text=. Because the condition uses the androguard module, it only runs in an androguard-enabled YARA build and only against APK files, so it belongs in an APK triage or app-store scanning pipeline, not in a SIEM hunt over endpoint process or event telemetry.
YARA Rule
// The androguard module is not part of stock YARA; it is provided by
// androguard-enabled builds (for example the one used by Koodous). Any rule
// that references androguard.* must import it, or compilation fails.
import "androguard"

rule Android_Clicker_G
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "01-July-2016"
        description = "This rule tries to detect Clicker.G samples"
        reference = "https://blogs.mcafee.com/mcafee-labs/android-malware-clicker-dgen-found-google-play/"
    strings:
        // URL fragment used as the string indicator
        $a = "upd.php?text="
    condition:
        // The manifest must declare a <receiver> whose android:name contains
        // "MyBroadCastReceiver" (case-insensitive) AND $a must be present
        androguard.receiver(/MyBroadCastReceiver/i) and $a
}
The rule has one string pattern ($a, "upd.php?text=") and one module condition (androguard.receiver); both must hold for a match. It is meant for androguard-enabled YARA scanning of APK files, where the module exposes the decoded AndroidManifest.xml; stock yara without the module will not compile it.
Scenario: A legitimate app declares a receiver with a generic, tutorial-style class name such as MyBroadcastReceiver. The receiver regex is case-insensitive and unanchored, so it matches. On its own this is not a hit, because the condition also requires $a, but it halves the rule's specificity.
Filter/Exclusion: Drop the /i flag and anchor the pattern to the end of the class name (e.g. /(^|\.)MyBroadCastReceiver$/), or require the package-qualified receiver name observed in confirmed samples.
Scenario: An app's backend uses a generic PHP endpoint path that ends in upd.php?text= (an update check or logging URL), so $a fires in classes.dex or in a resource file and, combined with a generically named receiver, produces a full match.
Filter/Exclusion: Triage by locating where $a occurs (a hard-coded URL in classes.dex versus a string in resources) and by reviewing the receiver's intent filters in the manifest; after review, exclude the app by its signing certificate rather than by weakening the rule.
Scenario: The rule is run with a stock yara binary against the packed APK.
Filter/Exclusion: This is a failure to run, not a false positive: the androguard condition does not compile, and even a string-only variant would miss $a inside DEFLATE-compressed zip entries. Use an androguard-enabled build, or unpack the APK and scan the decoded manifest and classes.dex separately.
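The following Python re-implements the rule's condition and the receiver-tightening suggested in the false-positive scenarios above. It is an added example, not the page's rule or androguard code: the "APK" is a constructed zip with a plaintext manifest standing in for the binary AXML that the androguard module would decode, the classes.dex bodies are made-up blobs, and RECEIVER_RE_STRICT is a proposed tuning, not part of the published rule.

```python
import io
import re
import zipfile

# The rule's two indicators. androguard.receiver(/MyBroadCastReceiver/i) in the
# YARA rule matches the android:name of every <receiver> in the manifest.
RECEIVER_RE = re.compile(r"MyBroadCastReceiver", re.IGNORECASE)
STRING_A = b"upd.php?text="

# Proposed tightening (assumption, not in the published rule): case-sensitive
# and anchored to the end of the class name, so tutorial-style
# "MyBroadcastReceiver" no longer qualifies.
RECEIVER_RE_STRICT = re.compile(r"(^|\.)MyBroadCastReceiver$")


def build_apk(receivers, dex_payload):
    """Build a constructed zip standing in for an APK.

    Real APKs carry a binary (AXML) manifest that the androguard module
    decodes; this stand-in uses a plaintext manifest so the example runs
    offline.
    """
    manifest = "<manifest>\n" + "".join(
        f'  <receiver android:name="{name}"/>\n' for name in receivers
    ) + "</manifest>\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


def declared_receivers(manifest_text):
    """Return the android:name values of all <receiver> elements."""
    return re.findall(r'<receiver\s+android:name="([^"]+)"', manifest_text)


def matches_rule(apk_bytes, receiver_re=RECEIVER_RE):
    """Mirror the rule's condition: receiver regex AND $a must both hold."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml").decode()
        has_receiver = any(receiver_re.search(n) for n in declared_receivers(manifest))
        # Look for $a in every entry *after* decompression: the members are
        # DEFLATE-compressed, so a byte scan of the outer APK would miss it.
        has_string = any(STRING_A in zf.read(info) for info in zf.infolist())
    return has_receiver and has_string


# Constructed samples: the "dex" bodies are made-up blobs, not real bytecode.
MALICIOUS = build_apk([".MyBroadCastReceiver"],
                      b"dex\n035\x00...GET /upd.php?text=...")
TUTORIAL_APP = build_apk([".MyBroadcastReceiver"],        # common tutorial name
                         b"dex\n035\x00...upd.php?text=...")
BENIGN = build_apk([".MyBroadcastReceiver"],
                   b"dex\n035\x00...status.php?v=...")


def verdicts():
    """(rule as written, strict receiver variant) for each sample."""
    return {
        name: (matches_rule(apk), matches_rule(apk, RECEIVER_RE_STRICT))
        for name, apk in (("malicious", MALICIOUS),
                          ("tutorial", TUTORIAL_APP),
                          ("benign", BENIGN))
    }


if __name__ == "__main__":
    for name, (loose, strict) in verdicts().items():
        print(f"{name:10s} rule-as-written={loose}  strict-receiver={strict}")
```

The tutorial-style app matches the rule as written because the case-insensitive receiver regex accepts MyBroadcastReceiver and the generic endpoint path supplies $a; the strict variant clears it while still flagging the sample with the exact class name. The benign sample shows the AND in the condition doing its job: a matching receiver name without $a is not a hit.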