The droidian rule flags Android samples whose code carries a URL on the host z0.tkurd.net, infrastructure attributed to the droidian family; the amtrckr tag marks the rule as coming from the Android Malware Tracker (amtrckr) collection. Its condition relies on the androguard YARA module, so it runs where that module is available (an APK analysis pipeline such as Koodous), not against log data. SOC teams can feed its hits (sample hashes, the matched URL) into Azure Sentinel and hunt DNS, proxy and mobile device management logs for contacts with z0.tkurd.net to catch early-stage infections that signature-based endpoint controls may miss.
YARA Rule
// The androguard module is not part of stock YARA; the rule only compiles where
// the module is provided (for example Koodous), and it must be imported explicitly.
import "androguard"

rule droidian : amtrckr
{
    meta:
        family = "droidian"
    condition:
        // True when any URL extracted from the APK matches the regex.
        // The regex is unanchored, so hosts such as abz0.tkurd.net also match.
        androguard.url(/z0\.tkurd\.net/)
}
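To see what the condition actually tests, the following added example (not code from the page, the amtrckr collection or the androguard project) evaluates the same regex over URL-looking strings pulled from every entry of a constructed APK. The URL scan is a byte-level stand-in for androguard's DEX string extraction, and the three APKs (suspect, benign, subdomain) are built in memory for the demonstration.

```python
import io
import re
import zipfile

# The rule's condition, transcribed from the YARA rule above:
#   androguard.url(/z0\.tkurd\.net/)
# androguard.url(regex) is true when any URL found in the APK matches the regex.
RULE_NAME = "droidian"
URL_PATTERN = re.compile(rb"z0\.tkurd\.net")

# Generic URL finder over raw bytes. This is an approximation of the androguard
# module's URL extraction (which parses DEX string tables), not androguard itself.
URL_FINDER = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_urls(apk_bytes):
    """Return URL-looking byte strings from every entry of an APK (a zip archive)."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            urls.extend(URL_FINDER.findall(zf.read(name)))
    return urls


def rule_matches(apk_bytes):
    """Emulate the rule: any extracted URL that the (unanchored) regex matches."""
    return any(URL_PATTERN.search(url) for url in extract_urls(apk_bytes))


def build_apk(strings):
    """Construct a minimal APK-like zip whose classes.dex entry carries the given
    strings. Constructed test input: the entry is not a valid DEX file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0".join(strings) + b"\0")
    return buf.getvalue()


# Constructed samples (hypothetical paths and query strings).
SUSPECT_APK = build_apk([b"Lcom/example/Main;", b"http://z0.tkurd.net/gate.php?id="])
BENIGN_APK = build_apk([b"Lcom/example/Main;", b"https://developer.android.com/"])
# The regex has no anchors, so a longer host that contains the pattern also hits.
SUBDOMAIN_APK = build_apk([b"https://abz0.tkurd.net/x"])


def main():
    for label, apk in (("suspect", SUSPECT_APK), ("benign", BENIGN_APK),
                       ("subdomain", SUBDOMAIN_APK)):
        verdict = "matched" if rule_matches(apk) else "no match"
        print(f"{label}: {RULE_NAME} {verdict}; urls={extract_urls(apk)}")


if __name__ == "__main__":
    main()
```

The subdomain case is the practical caveat: because the regex is unanchored, any URL whose host merely contains z0.tkurd.net satisfies the condition. If that is too loose for triage, anchor the host with a leading `//` or `\.` in the pattern.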
The rule itself evaluates only APK contents. The scenarios below are written against process telemetry fields (process.exe.name, process.args, user.name) and apply when the rule's hits are correlated with endpoint events from hosts that legitimately handle APKs, such as build servers and analyst workstations. Each one gives the benign activity, the rationale for excluding it, and an example filter:
Scenario: Legitimate Android app signing using jarsigner
Filter/Exclusion: Exclude jarsigner invocations that use a known signing key (keystore alias or certificate fingerprint); a -signedjar run under an unexpected account or with an unknown key is not legitimate signing and should stay in scope.
Example Filter: process.exe.name: jarsigner and process.args: -signedjar
Scenario: Scheduled backup job using adb backup
Filter/Exclusion: Exclude adb backup runs that fall inside the known backup window and execute as root or system; the same command outside that window or under another account is still worth a look.
Example Filter: process.exe.name: adb and process.args: backup and user.name: root
Scenario: Android Debug Bridge (ADB) usage by developers during testing
Filter/Exclusion: Exclude adb activity from developer accounts, or adb commands that belong to CI/CD pipelines.
Example Filter: process.exe.name: adb and (user.name: developer or process.args: shell). The parentheses matter: without them the filter reads as (process.exe.name: adb and user.name: developer) or process.args: shell and drops every event carrying a shell argument, whatever the binary. Even grouped, the process.args: shell branch excludes any adb shell regardless of who runs it; tie it to the CI service account rather than leaving it unqualified.
Scenario: System integrity check using apkanalyzer or aapt
Filter/Exclusion: Exclude runs of known analysis tools (apkanalyzer, aapt) on analyst or build hosts; these tools inspect APKs and are expected alongside samples that match the rule.
Example Filter: process.exe.name: apkanalyzer or process.exe.name: aapt
Scenario: Android package installation via pm install by system services
Filter/Exclusion: Exclude pm install runs made by the system user or by the app deployment pipeline's service account; an install from a temporary path under another account is not covered.
Example Filter: process.exe.name: pm and process.args: install and user.name: system
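To check that these exclusions do what they say before deploying them, the following added example (not from the page or any SIEM vendor) transcribes the five filters into Python predicates and runs them over constructed ECS-style process events. It shows both the ungrouped and the grouped form of the ADB developer filter from scenario 3, so the effect of operator precedence is visible on concrete events. The events, user names and paths are all made up for the demonstration.

```python
# Constructed ECS-style process events (not real telemetry). Field names follow
# the filters on this page: process.exe.name, process.args, user.name.
EVENTS = [
    {"id": 1, "process.exe.name": "jarsigner",
     "process.args": ["-keystore", "release.jks", "-signedjar", "app-signed.apk", "app.apk", "release"],
     "user.name": "ci"},
    {"id": 2, "process.exe.name": "adb",
     "process.args": ["backup", "-all", "-f", "nightly.ab"], "user.name": "root"},
    {"id": 3, "process.exe.name": "adb",
     "process.args": ["shell", "pm", "install", "/sdcard/update.apk"], "user.name": "developer"},
    {"id": 4, "process.exe.name": "adb",
     "process.args": ["shell", "pm", "install", "/data/local/tmp/x.apk"], "user.name": "www-data"},
    {"id": 5, "process.exe.name": "aapt",
     "process.args": ["dump", "badging", "sample.apk"], "user.name": "analyst"},
    {"id": 6, "process.exe.name": "pm",
     "process.args": ["install", "-r", "/data/app/update.apk"], "user.name": "system"},
    {"id": 7, "process.exe.name": "pm",
     "process.args": ["install", "/data/local/tmp/x.apk"], "user.name": "shell"},
    # Not adb at all, but carries the token "shell" in its arguments (constructed).
    {"id": 8, "process.exe.name": "python3",
     "process.args": ["c2.py", "shell", "z0.tkurd.net"], "user.name": "www-data"},
]


def has_arg(ev, arg):
    """Term match against the process.args array, as a SIEM would evaluate process.args: <term>."""
    return arg in ev["process.args"]


# Scenario 1: process.exe.name: jarsigner and process.args: -signedjar
def excl_jarsigner(ev):
    return ev["process.exe.name"] == "jarsigner" and has_arg(ev, "-signedjar")


# Scenario 2: process.exe.name: adb and process.args: backup and user.name: root
def excl_adb_backup(ev):
    return (ev["process.exe.name"] == "adb" and has_arg(ev, "backup")
            and ev["user.name"] == "root")


# Scenario 3, ungrouped: 'a and b or c' binds as '(a and b) or c'.
def excl_adb_dev_ungrouped(ev):
    return ((ev["process.exe.name"] == "adb" and ev["user.name"] == "developer")
            or has_arg(ev, "shell"))


# Scenario 3, grouped: process.exe.name: adb and (user.name: developer or process.args: shell)
def excl_adb_dev_grouped(ev):
    return (ev["process.exe.name"] == "adb"
            and (ev["user.name"] == "developer" or has_arg(ev, "shell")))


# Scenario 4: process.exe.name: apkanalyzer or process.exe.name: aapt
def excl_analysis_tools(ev):
    return ev["process.exe.name"] in ("apkanalyzer", "aapt")


# Scenario 5: process.exe.name: pm and process.args: install and user.name: system
def excl_pm_install_system(ev):
    return (ev["process.exe.name"] == "pm" and has_arg(ev, "install")
            and ev["user.name"] == "system")


EXCLUSIONS_UNGROUPED = [excl_jarsigner, excl_adb_backup, excl_adb_dev_ungrouped,
                        excl_analysis_tools, excl_pm_install_system]
EXCLUSIONS_GROUPED = [excl_jarsigner, excl_adb_backup, excl_adb_dev_grouped,
                      excl_analysis_tools, excl_pm_install_system]


def matched_exclusions(ev, exclusions):
    """Names of the exclusions that suppress this event."""
    return [f.__name__ for f in exclusions if f(ev)]


def surviving_ids(exclusions):
    """Event ids that pass every exclusion and therefore remain for triage."""
    return [ev["id"] for ev in EVENTS if not matched_exclusions(ev, exclusions)]


def main():
    for label, exclusions in (("ungrouped", EXCLUSIONS_UNGROUPED),
                              ("grouped", EXCLUSIONS_GROUPED)):
        print(f"--- scenario 3 {label} ---")
        for ev in EVENTS:
            why = matched_exclusions(ev, exclusions) or ["KEPT"]
            print(f"event {ev['id']} {ev['process.exe.name']:>10} {ev['user.name']:>10}: {', '.join(why)}")
        print("surviving:", surviving_ids(exclusions))


if __name__ == "__main__":
    main()
```

With the ungrouped filter, event 8 (a non-adb process whose arguments happen to contain the token shell) is silently dropped; the grouped filter keeps it. Event 4 (adb shell run by an unexpected account) is excluded by both forms, which is the residual breadth of the process.args: shell branch noted in scenario 3.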