Adversaries may distribute a fake BatteryBotPro Android app that runs click-fraud campaigns, generating fraudulent ad clicks and earning revenue through ad fraud. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ad fraud activity that could compromise revenue and system integrity.
YARA Rule
rule batterybotpro : ClickFraud AdFraud SMS Downloader_Trojan android
{
    meta:
        description = "http://research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html"
        sample = "cc4e024db858d7fa9b03d7422e760996de6a4674161efbba22d05f8b826e69d5"
        author = "https://twitter.com/fdrg21"
    condition:
        androguard.activity(/com\.polaris\.BatteryIndicatorPro\.BatteryInfoActivity/i) and
        androguard.permission(/android\.permission\.SEND_SMS/)
}
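The rule's condition combines two manifest checks: an activity whose class name matches the BatteryIndicatorPro pattern (case-insensitive) and a declared SEND_SMS permission. As an added illustration, not code from the original page or the rule author, the following Python applies the same two checks to a decoded AndroidManifest.xml using only the standard library instead of the YARA androguard module; the manifest text is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace (android:name -> {ns}name)
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Same patterns as the YARA rule's condition (activity match is case-insensitive)
ACTIVITY_RE = re.compile(r"com\.polaris\.BatteryIndicatorPro\.BatteryInfoActivity", re.I)
PERMISSION_RE = re.compile(r"android\.permission\.SEND_SMS")

# Constructed sample manifest resembling what the rule targets (not a real sample)
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.polaris.BatteryIndicatorPro">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".BatteryInfoActivity"/>
  </application>
</manifest>"""

# Constructed benign manifest: same activity name but no SMS permission
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.polaris.BatteryIndicatorPro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name="com.polaris.BatteryIndicatorPro.BatteryInfoActivity"/>
  </application>
</manifest>"""

def parse_manifest(xml_text):
    """Return (permissions, activities) with relative activity names expanded."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = [p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")]
    activities = []
    for act in root.iter("activity"):
        name = act.get(ANDROID_NS + "name", "")
        if name.startswith("."):       # ".Foo" is shorthand for "<package>.Foo"
            name = package + name
        activities.append(name)
    return permissions, activities

def matches_rule(xml_text):
    """Mirror the YARA condition: matching activity AND SEND_SMS permission."""
    permissions, activities = parse_manifest(xml_text)
    has_activity = any(ACTIVITY_RE.search(a) for a in activities)
    has_sms = any(PERMISSION_RE.search(p) for p in permissions)
    return has_activity and has_sms

if __name__ == "__main__":
    print("suspicious:", matches_rule(SUSPICIOUS_MANIFEST))  # True
    print("benign:", matches_rule(BENIGN_MANIFEST))          # False
```

Both checks must hold, so an app that merely reuses the activity name without requesting SEND_SMS does not match, which is what keeps the rule from firing on the legitimate BatteryBot Pro package.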
When this YARA rule is deployed, the following scenarios and their corresponding filters/exclusions apply:
Scenario: Legitimate system update or patch deployment using WSUS (Windows Server Update Services)
Filter/Exclusion: Exclude traffic originating from the WSUS server or IP addresses associated with internal update distribution systems.
Scenario: Scheduled job running PowerShell scripts for system maintenance or configuration management
Filter/Exclusion: Exclude PowerShell scripts executed from known system management tools like Ansible, Chef, or Puppet, or from scheduled tasks with known legitimate command-line arguments.
Scenario: Internal CI/CD pipeline executing automated tests or deployments using Jenkins or GitHub Actions
Filter/Exclusion: Exclude traffic from CI/CD agents or IP ranges associated with internal development and deployment infrastructure.
Scenario: Log management tool (e.g., Splunk, ELK Stack) performing data ingestion or indexing tasks
Filter/Exclusion: Exclude traffic from known log management servers or internal IP ranges used by log collection agents.
Scenario: Remote desktop or administration tool (e.g., Microsoft Remote Desktop, TeamViewer) used by administrators for system management
Filter/Exclusion: Exclude connections from known admin workstations or IP ranges used for remote administration.