The hypothesis is that the detection identifies Android banker trojans that use overlay techniques: the malware draws a fake login window over a legitimate banking or social app to capture credentials, typically combined with device-admin abuse (ADD_DEVICE_ADMIN, lockNow) and SMS access to intercept one-time passcodes. Because the rule depends on the androguard YARA module, it applies to APK scanning pipelines that expose that module (Koodous, or an internal mobile-app analysis pipeline) rather than to host or SIEM telemetry. Mobile threat-hunting and SOC teams should run it over incoming APKs to catch early-stage compromises before credentials and intercepted SMS are exfiltrated.
YARA Rule
import "androguard"

rule android_overlayer
{
    meta:
        description = "This rule detects the banker trojan with overlaying functionality"
        source = "https://www.zscaler.com/blogs/research/android-banker-malware-goes-social"
        author = "https://twitter.com/5h1vang"
    strings:
        $str_1 = "tel:"                                  // dialer URI scheme (case-sensitive)
        $str_2 = "lockNow" nocase                        // DevicePolicyManager.lockNow(): device-admin abuse
        $str_3 = "android.app.action.ADD_DEVICE_ADMIN"   // intent action that requests device-admin rights
        $str_4 = "Cmd_conf" nocase                       // family-specific configuration name
        $str_5 = "Sms_conf" nocase                       // family-specific configuration name
        $str_6 = "filter2"
    condition:
        // Branch 1: APK signed with the certificate of the analysed sample, regardless of content
        androguard.certificate.sha1("6994ED892E7F0019BCA74B5847C6D5113391D127") or
        // Branch 2: permissions needed for SMS/OTP theft plus every string above
        (androguard.permission(/android.permission.INTERNET/) and
         androguard.permission(/android.permission.READ_SMS/) and
         androguard.permission(/android.permission.READ_PHONE_STATE/) and
         all of ($str_*))
}
This YARA rule depends on the androguard module, which is not part of upstream YARA: it can be deployed only in engines that provide that module (Koodous, or a self-hosted scanner built on the Koodous YARA fork), where it is evaluated per APK rather than per file on an endpoint.
This rule contains 6 string patterns in its detection logic, three of them case-insensitive (nocase); the remaining three, including "tel:", are matched case-sensitively.
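The condition above has two independent branches (signing certificate, or permission trio plus all six strings), and the nocase flags change what the string branch accepts. The following added example, which is not part of the original page or the rule author's work, mirrors that logic in plain Python over constructed APK facts so the branches can be exercised without a Koodous instance. The ApkFacts type, the sample names and the sample contents are assumptions made here; the real androguard module parses the APK itself, and the hex case normalisation on the certificate branch is this evaluator's choice, not verified module behaviour.

```python
import re
from dataclasses import dataclass

# Certificate SHA-1 from the rule's first branch (hex, as written in the rule).
KNOWN_BAD_CERT_SHA1 = "6994ED892E7F0019BCA74B5847C6D5113391D127"

# The six string patterns and their nocase flags, copied from the rule.
STRINGS = {
    "$str_1": (b"tel:", False),
    "$str_2": (b"lockNow", True),
    "$str_3": (b"android.app.action.ADD_DEVICE_ADMIN", False),
    "$str_4": (b"Cmd_conf", True),
    "$str_5": (b"Sms_conf", True),
    "$str_6": (b"filter2", False),
}

# androguard.permission(/.../) takes a regex; the rule's patterns are unanchored
# and leave the dots as regex wildcards, so they are reproduced that way here.
REQUIRED_PERMISSIONS = (
    r"android.permission.INTERNET",
    r"android.permission.READ_SMS",
    r"android.permission.READ_PHONE_STATE",
)


@dataclass(frozen=True)
class ApkFacts:
    """Stand-in (assumption) for what the androguard module exposes to YARA."""
    name: str
    permissions: frozenset
    cert_sha1: str
    data: bytes  # bytes YARA would scan, e.g. the classes.dex string table


def string_hits(data: bytes) -> dict:
    """Evaluate each $str_N against the scanned bytes, honouring nocase."""
    hits = {}
    for ident, (pattern, nocase) in STRINGS.items():
        flags = re.IGNORECASE if nocase else 0
        hits[ident] = re.search(re.escape(pattern), data, flags) is not None
    return hits


def has_permission(apk: ApkFacts, perm_regex: str) -> bool:
    rx = re.compile(perm_regex)
    return any(rx.search(p) for p in apk.permissions)


def matches(apk: ApkFacts) -> bool:
    """Mirror of the rule's condition: cert branch OR (permissions AND all strings)."""
    if apk.cert_sha1.upper() == KNOWN_BAD_CERT_SHA1:
        return True  # fires on signer alone, whatever the APK contains
    perms_ok = all(has_permission(apk, p) for p in REQUIRED_PERMISSIONS)
    return perms_ok and all(string_hits(apk.data).values())


BANKER_PERMS = frozenset({
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_SMS",
})
UNRELATED_CERT = "0" * 40  # constructed placeholder, not a real signer hash

# Constructed samples (not real APK content).
SAMPLES = {
    # Overlay banker: every indicator present, mixed case on the nocase strings.
    "overlayer": ApkFacts(
        "overlayer", BANKER_PERMS, UNRELATED_CERT,
        b"tel:*#06# LOCKNOW android.app.action.ADD_DEVICE_ADMIN cmd_conf SMS_CONF filter2"),
    # Same signing key reused, strings and permissions stripped: caught by the cert branch alone.
    "same_signer_stub": ApkFacts(
        "same_signer_stub", frozenset({"android.permission.INTERNET"}),
        KNOWN_BAD_CERT_SHA1.lower(), b"nothing of interest"),
    # Legitimate device-admin (MDM) agent: lockNow/ADD_DEVICE_ADMIN and the
    # permission trio, but none of the family-specific configuration names.
    "mdm_agent": ApkFacts(
        "mdm_agent", BANKER_PERMS, UNRELATED_CERT,
        b"tel: lockNow android.app.action.ADD_DEVICE_ADMIN filter2 policy_conf"),
    # Variant that uppercased the case-sensitive "tel:": $str_1 misses, rule misses.
    "uppercased_tel": ApkFacts(
        "uppercased_tel", BANKER_PERMS, UNRELATED_CERT,
        b"TEL: lockNow android.app.action.ADD_DEVICE_ADMIN Cmd_conf Sms_conf filter2"),
}


def evaluate_all() -> dict:
    """Rule verdict per constructed sample."""
    return {name: matches(apk) for name, apk in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:18s} {'MATCH' if hit else 'no match'}")
```

Two things the run makes visible: the certificate branch matches an APK that carries none of the strings or permissions, so a certificate hit is a signer attribution rather than a behavioural one, and the case-sensitive "tel:" is the string branch's weakest link, since a trivial case change defeats it while the nocase strings survive. A practitioner tuning the rule would also anchor the permission regexes (for example `/^android\.permission\.READ_SMS$/`), because the unanchored patterns with unescaped dots would also match any longer permission name that happens to contain that substring.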
Scenario: Enterprise MDM or Anti-Theft Agent
Description: Legitimate device-administration apps (MDM agents, anti-theft and parental-control tools) request android.app.action.ADD_DEVICE_ADMIN, call DevicePolicyManager.lockNow(), and often hold READ_SMS and READ_PHONE_STATE for remote-lock-by-SMS or device-identification features, so they satisfy the permission trio and $str_2/$str_3. The rule still requires $str_4 and $str_5 (Cmd_conf, Sms_conf), which such agents normally lack.
Filter/Exclusion: Allow-list the signing certificate SHA-1 of the organisation's MDM vendor and the package names distributed through the enterprise app store; review manually any agent that also contains the family-specific configuration names.
Scenario: Dialer, Messaging or Contact-Manager Apps
Description: The "tel:" URI scheme and the INTERNET/READ_SMS/READ_PHONE_STATE permission set are ordinary for dialer, SMS and contact apps, so $str_1 and the permission branch will be satisfied by many benign apps.
Filter/Exclusion: Do not tune on $str_1 or the permissions alone; a hit requires all six strings. Exclude packages with a long publishing history under a known signer, and treat the presence of Cmd_conf/Sms_conf in an app of this category as a reason for manual review rather than automatic exclusion.
Scenario: Third-Party SDK Bundled in a Benign Host App
Description: A remote-support, security or parental-control SDK may bring device-admin and SMS-reading code, and its string table, into an otherwise unrelated app, so the host app may carry most of the indicators without being the banker itself.
Filter/Exclusion: After confirming the SDK from the package namespace in the decompiled code, exclude by the host app's signer certificate rather than by string, so a repackaged copy of the same app signed by someone else is still flagged.
Scenario: APK Signed with the Known Certificate
Description: The certificate branch fires on any APK signed with the key behind SHA-1 6994ED892E7F0019BCA74B5847C6D5113391D127, including builds that contain none of the strings or permissions; conversely, a re-signed variant of the malware is not caught by that branch and relies entirely on the permission-plus-strings branch.
Filter/Exclusion: None. A certificate hit is signer attribution and should be treated as high confidence; do not exclude it because the permissions or strings are absent.
**Scenario: Antivirus or Endpoint