The hypothesis is that the detection rule identifies Android samples belonging to the "Virus de la Policía" campaign, the police-themed lock-screen ransomware that blocks the device and demands a fine. The rule is static: it matches strings embedded in an APK and the app name reported by the androguard module, so it is applied to APK files (on Koodous, or with a local YARA build that includes the androguard module) rather than running as an Azure Sentinel analytic. SOC teams should proactively hunt by scanning APKs collected from managed devices and app inventories and ingesting the matches into Azure Sentinel, so that early-stage infections are contained before devices are locked or the infection spreads.
YARA Rule
import "androguard"

rule BaDoink : official android
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "Virus de la Policia - android"
        sample = "9bc0fb0f05bbf25507104a4eb74e8066b194a8e6a57670957c0ad1af92189921"

    strings:
        // disabled in the original rule
        //$url_string_1 = "http://police-mobile-stop.com"
        //$url_string_2 = "http://mobile-policeblock.com"
        $type_a_1 = "6589y459gj4058rt"
        $type_b_1 = "Q,hu4P#hT;U!XO7T,uD"
        $type_b_2 = "+Gkwg#M!lf>Laq&+J{lg"
        // Android framework constant names; disabled in the original rule
        // $type_c_1 = "ANIM_STYLE_CLOSE_ENTER"
        // $type_c_2 = "TYPE_VIEW_ACCESSIBILITY_FOCUSED"
        // $type_c_3 = "TYPE_VIEW_TEXT_SELECTION_CHANGED"
        // $type_c_4 = "FLAG_REQUEST_ENHANCED_WEB_ACCESSIBILITY"

    condition:
        androguard.app_name("BaDoink") or
        //all of ($url_string_*) or
        $type_a_1 or
        all of ($type_b*)
        // all of ($type_c_*)
}
This YARA rule can be deployed in the following contexts: on Koodous (the reference platform, whose scanner provides the androguard module); with a local YARA build that includes Koodous's androguard module, for scanning an APK corpus; and with stock YARA, which compiles the rule only once the androguard import and the androguard.app_name() clause are removed, leaving the string conditions. Because classes.dex and resources are normally DEFLATE-compressed inside the APK, a stock scan must run over the unpacked members rather than the raw archive, or the strings will not be seen. Note also that the androguard.app_name("BaDoink") clause fires on any app whose label is BaDoink, so a hit from that clause alone should be confirmed against the signing certificate and the other strings.
This rule contains 9 string patterns in its detection logic, of which 3 are active ($type_a_1, $type_b_1, $type_b_2); the two $url_string_* and four $type_c_* patterns are commented out in both the strings and condition sections. $type_a_1 on its own is sufficient to fire, so a match on that single 16-byte token should be corroborated by the $type_b strings or the sample hash before escalation.
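The scan-context caveat above, as an added example that is not part of the original rule, of Koodous, or of the rule author's tooling: the rule's three active strings are re-implemented in Python and applied to a constructed APK, once against the raw archive bytes (what a scanner that does not unzip sees) and once against each extracted member. The fake classes.dex content and member names are assumptions for the demonstration; the androguard.app_name() clause is not reproduced because it needs the parsed manifest.

```python
"""Added example (not from the original rule or Koodous): demonstrates why
scanning a packed APK byte-for-byte misses the rule's strings. classes.dex
is DEFLATE-compressed inside the APK, so only a scan of the unpacked
members sees the plain-text tokens. The sample APK is constructed here and
is not the referenced sample."""
import io
import zipfile

# Active strings, copied verbatim from the rule. $url_string_* and
# $type_c_* are commented out in the rule and therefore not checked.
STRINGS = {
    "$type_a_1": b"6589y459gj4058rt",
    "$type_b_1": b"Q,hu4P#hT;U!XO7T,uD",
    "$type_b_2": b"+Gkwg#M!lf>Laq&+J{lg",
}


def matched_strings(data: bytes) -> set:
    """Names of the rule's active strings found in data. These strings have
    no modifiers, so YARA's match is a plain case-sensitive substring search."""
    return {name for name, pat in STRINGS.items() if pat in data}


def rule_condition(data: bytes) -> bool:
    """String part of the condition: $type_a_1 or all of ($type_b*).
    The androguard.app_name("BaDoink") clause is left to an androguard-aware
    scanner because it needs the decoded AndroidManifest.xml."""
    hits = matched_strings(data)
    return "$type_a_1" in hits or {"$type_b_1", "$type_b_2"} <= hits


def scan_apk_raw(apk_bytes: bytes) -> bool:
    """What a stock `yara rule.yar sample.apk` effectively does: match
    against the archive bytes, compressed members included."""
    return rule_condition(apk_bytes)


def scan_apk_unpacked(apk_bytes: bytes) -> dict:
    """Apply the condition to every extracted member and map each matching
    member to the strings that hit, so an analyst can see why it fired."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            member = zf.read(info)
            if rule_condition(member):
                hits[info.filename] = sorted(matched_strings(member))
    return hits


def build_sample_apk() -> bytes:
    """Constructed stand-in for an infected APK (assumption, not the real
    sample): a fake classes.dex carrying both $type_b strings, written
    DEFLATE-compressed the way a real build tool stores it."""
    dex = (b"dex\n035\0" + b"\0" * 64
           + STRINGS["$type_b_1"] + b"\0" + STRINGS["$type_b_2"] + b"\0" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("raw archive scan matches:", scan_apk_raw(apk))        # False
    print("unpacked scan matches:", scan_apk_unpacked(apk))      # {'classes.dex': ['$type_b_1', '$type_b_2']}
```

The raw scan misses because the DEFLATE stream does not contain the literal bytes; the unpacked scan reports which member and which strings matched, which is the information needed to decide whether a $type_a_1-only hit deserves escalation.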
Triage notes: the rule matches static content of an APK (embedded strings and the declared app name), not runtime behaviour on the device, so none of the scenarios below can trigger it by themselves. They matter when APKs harvested from these sources are fed to the scanner; in that case exclude on the harvested app's package name and signing certificate rather than on a process name, and confirm any new exclusion against the sample hash above.
Scenario: Android device management tool (e.g., MobileIron, Microsoft Intune) performing a scheduled device wipe or reset while its agent APK is collected for scanning.
Filter/Exclusion: Verify the collected APK's package name and signing certificate against the MDM vendor's published agent before excluding it; a process name such as mobileiron does not identify an APK.
Scenario: System administrator using Android Debug Bridge (ADB) to push or pull files during routine maintenance.
Filter/Exclusion: Files moved with adb are scanned like any other file; exclude known-good builds by hash rather than by the presence of adb on the command line.
Scenario: Scheduled backup job using Google Drive Backup or Samsung Cloud Backup that temporarily writes to system directories.
Filter/Exclusion: Exclude APKs whose package name and signature belong to the backup service itself (e.g., com.google.android.apps.docs for Google Drive), not every file the service wrote, since a backup can faithfully copy an infected APK.
Scenario: Security software (e.g., Kaspersky, Bitdefender) performing a full system scan; security products and threat-intelligence feeds may carry the campaign's strings in their own rule or signature files.
Filter/Exclusion: Exclude AV vendor packages and signature files by signing certificate; a hit inside a detection database is expected and is not evidence of infection.
Scenario: Android system update or OTA (Over-The-Air) update applied by the device's system updater, or firmware pushed from a desktop tool such as Samsung Smart Switch (the successor of Samsung Kies).
Filter/Exclusion: Exclude system-partition packages by the platform signing certificate; a downloader package such as com.android.providers.downloads is not itself evidence of the campaign.