The hypothesis is that this rule detects the FakeBank_Fanta Android banking trojan by matching APK files whose manifest declares a service named like SocketService together with broadcast receivers named like MyAdmin, Receiver and NetworkChangeReceiver, the component set associated with the family Trend Micro documented as phishing banking credentials and locking users out of their devices. The rule is written for the androguard YARA module (as used on Koodous), so it inspects static app metadata rather than device behaviour: run it over wherever APKs can be collected, such as a Koodous ruleset, a malware sample feed, or packages pulled from managed devices. Azure Sentinel does not evaluate YARA over APK content itself, so SOC teams that hunt there should ingest the match results (package name, signing certificate hash, device) as custom events and pivot from them to identify and contain credential theft and device-lockout activity early.
YARA Rule
import "androguard"

rule Android_FakeBank_Fanta
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "14-July-2016"
        description = "This rule tries to detect Android FakeBank_Fanta"
        source = "https://blog.trendmicro.com/trendlabs-security-intelligence/fake-bank-app-phishes-credentials-locks-users-out/"
    condition:
        // androguard.service()/receiver() test the android:name of the components declared in
        // AndroidManifest.xml; the regexes are unanchored and case-insensitive, so they match substrings
        androguard.service(/SocketService/i) and
        androguard.receiver(/MyAdmin/i) and
        // /Receiver/i is implied by the NetworkChangeReceiver clause below and adds no selectivity
        androguard.receiver(/Receiver/i) and
        androguard.receiver(/NetworkChangeReceiver/i)
}
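To see exactly what the condition tests, here is an added Python example, not the page's rule and not the Koodous androguard module, that re-implements the four clauses over a decoded AndroidManifest.xml. It assumes the binary manifest has already been decoded to text (for example with apktool); the two manifests inside it are constructed for illustration, not taken from a sample, and package names such as com.example.suspect are placeholders. It also shows why the /Receiver/i clause is redundant: any manifest that satisfies the NetworkChangeReceiver clause satisfies it too, and a benign connectivity-aware app trips both.

```python
"""Re-implementation of the Android_FakeBank_Fanta condition over a decoded AndroidManifest.xml.

Added example, not the page's rule or the Koodous androguard module. Assumes the binary
manifest was already decoded to text (e.g. with apktool). Both manifests below are
constructed for illustration; the package names are placeholders, not real samples.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # how ElementTree keys the android:name attribute

# The rule's patterns as Python equivalents of YARA's /.../i (unanchored, case-insensitive).
SERVICE_RES = {"service:/SocketService/i": re.compile(r"SocketService", re.I)}
RECEIVER_RES = {
    "receiver:/MyAdmin/i": re.compile(r"MyAdmin", re.I),
    "receiver:/Receiver/i": re.compile(r"Receiver", re.I),
    "receiver:/NetworkChangeReceiver/i": re.compile(r"NetworkChangeReceiver", re.I),
}


def declared_components(manifest_xml: str):
    """Return the android:name of every <service> and <receiver> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    services = [e.get(NAME_ATTR, "") for e in root.iter("service")]
    receivers = [e.get(NAME_ATTR, "") for e in root.iter("receiver")]
    return services, receivers


def clause_hits(manifest_xml: str) -> dict:
    """Evaluate each clause the way androguard.service()/receiver() do:
    true if ANY declared component name matches the regex."""
    services, receivers = declared_components(manifest_xml)
    hits = {k: any(rx.search(s) for s in services) for k, rx in SERVICE_RES.items()}
    hits.update({k: any(rx.search(r) for r in receivers) for k, rx in RECEIVER_RES.items()})
    return hits


def rule_matches(manifest_xml: str) -> bool:
    """The rule's condition is the AND of all four clauses."""
    return all(clause_hits(manifest_xml).values())


# Constructed manifest with the component set the rule describes (names chosen to match the
# regexes, not copied from a sample). The BIND_DEVICE_ADMIN permission is what a device-admin
# receiver like "MyAdmin" would need to lock the user out.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.suspect">
  <application>
    <service android:name="com.example.suspect.SocketService"/>
    <receiver android:name="com.example.suspect.MyAdmin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name="com.example.suspect.NetworkChangeReceiver"/>
  </application>
</manifest>"""

# Constructed manifest of a benign connectivity-aware app: generic receiver names only,
# no SocketService and no MyAdmin.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <application>
    <service android:name=".SyncService"/>
    <receiver android:name=".NetworkChangeReceiver"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, rule_matches(manifest), clause_hits(manifest))
```

Running it shows the suspect manifest matching and the benign one failing only on the SocketService and MyAdmin clauses: those two are what carry the rule, and the two Receiver clauses are satisfied by almost any app that reacts to connectivity changes.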
This YARA rule depends on the androguard module, so it can only be deployed where that module is available and where the input is APK files: a Koodous ruleset, a sample feed scanned with an androguard-enabled YARA build, or APKs collected from managed devices. The condition is evaluated against the component names declared in AndroidManifest.xml, never against running processes or shell command lines, so host-side tooling such as adb backup, adb install, adb push or logcat collection does not produce input the rule sees and cannot trigger it. The false positives to tune for come instead from benign apps whose manifests declare similarly named components:
Scenario: Generic component names in legitimate apps
Description: The regexes are unanchored and case-insensitive. receiver(/Receiver/i) matches any app that declares a broadcast receiver, and NetworkChangeReceiver is a common class name in connectivity-aware apps, so those two clauses contribute almost no selectivity; the match is carried by the co-occurrence of a SocketService service and a MyAdmin receiver, both of which are also plausible names in ordinary apps.
Filter/Exclusion: Anchor the patterns to the class name (for example /\.SocketService$/ and /\.MyAdmin$/) or tighten them to the exact names observed in the family, and consider requiring a further indicator before alerting, such as androguard.permission(/BIND_DEVICE_ADMIN/) if the samples you have request device-admin rights, which the MyAdmin receiver name suggests.
Scenario: Enterprise or MDM-managed apps
Description: In-house or enterprise-distributed apps may legitimately declare a device-admin receiver and a long-running socket service under names close enough to match the rule.
Filter/Exclusion: Exclude known packages by androguard.package_name or by signing certificate with androguard.certificate.sha1, and raise alerts only for sideloaded APKs or unknown publishers.