Fake Facebook applications may be used by adversaries to distribute malware or steal user credentials, making proactive hunting in Azure Sentinel critical to identify and mitigate potential compromise vectors. SOC teams should actively investigate such applications to detect early-stage adversarial activity and prevent lateral movement or data exfiltration.
YARA Rule
import "androguard"

rule fake_facebook_2 : fake android
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        description = "Detects fake facebook applications"
        hash_0 = "7be33c2d27121968d2f7081ae2b04965238a3c15c7aae62d006f629d64e0b58e"
        hash_1 = "c1264c689393880361409eb02570fd49bec91c88569d39062e13c0c8ae0e1806"
        hash_2 = "70d5cc909d5718674474a54b44f83bd194cbdd2d99354d52cd868b334fb5f3de"
        hash_3 = "38e757abd5e015e3c3690ea0fdc2ff1e04b716651645a8c4ca6a63185856fe29"
        hash_4 = "ba0b8fe37b4874656ad129dd4d96fdec181e2c3488985309241b0449bb4ab84f"
        hash_5 = "7be33c2d27121968d2f7081ae2b04965238a3c15c7aae62d006f629d64e0b58e"
        hash_6 = "c1264c689393880361409eb02570fd49bec91c88569d39062e13c0c8ae0e1806"
        hash_7 = "7345c3124891b34607a07e93c8ab6dcbbf513e24e936c3710434b085981b815a"
    condition:
        // APK branded "Facebook" that carries neither the official package
        // name nor a signing certificate issued by Facebook Mobile
        androguard.app_name("Facebook") and
        not androguard.package_name(/com.facebook.katana/) and
        not androguard.certificate.issuer(/O=Facebook Mobile/)
}
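The rule's three checks, re-expressed in Python over constructed APK metadata so they can be exercised without Koodous; this is an added example, not the rule author's code, and it assumes the androguard module matches a plain string app name exactly and applies regexes as unanchored searches. It also shows why the unanchored, unescaped package regex misses look-alike package names, and a tightened variant.

```python
import re
from dataclasses import dataclass


@dataclass
class ApkMeta:
    """Subset of what the Koodous androguard module exposes (constructed)."""
    app_name: str
    package_name: str
    cert_issuer: str


# Constructed metadata, not real APKs. "genuine" mimics the official app;
# the others mimic repackaged or look-alike builds signed with a debug key.
SAMPLES = {
    "genuine": ApkMeta("Facebook", "com.facebook.katana",
                       "C=US, O=Facebook Mobile, CN=Facebook Corporation"),
    "repack": ApkMeta("Facebook", "com.fbk.update",
                      "C=US, O=Android, CN=Android Debug"),
    "lookalike_pkg": ApkMeta("Facebook", "com.facebook.katana.ads",
                             "C=US, O=Android, CN=Android Debug"),
    "renamed": ApkMeta("Facebook Lite", "com.fb.lite.free",
                       "C=US, O=Android, CN=Android Debug"),
}


def fake_facebook_as_written(m: ApkMeta) -> bool:
    """Mirrors the page's rule: exact app name, unanchored regex searches."""
    return (m.app_name == "Facebook"
            and not re.search(r"com.facebook.katana", m.package_name)
            and not re.search(r"O=Facebook Mobile", m.cert_issuer))


def fake_facebook_tightened(m: ApkMeta) -> bool:
    """Same intent, but the package check is anchored and escaped, so
    'com.facebook.katana.ads' no longer counts as the official package.
    Issuer text is attacker-chosen in a self-signed cert, so a real
    deployment should compare the signer fingerprint instead."""
    return (m.app_name.casefold() == "facebook"
            and re.fullmatch(r"com\.facebook\.katana", m.package_name) is None
            and not re.search(r"O=Facebook Mobile", m.cert_issuer))


def evaluate(rule) -> dict:
    """Run one rule over every sample; returns {sample_name: matched}."""
    return {name: rule(meta) for name, meta in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("as written", fake_facebook_as_written),
                        ("tightened", fake_facebook_tightened)):
        print(label, evaluate(rule))
```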
This YARA rule can be deployed in the following contexts:
Scenario: Legitimate Facebook App Deployment via CI/CD Pipeline
Description: A DevOps team uses a CI/CD tool like Jenkins or GitHub Actions to deploy a legitimate Facebook app as part of an application release.
Filter/Exclusion: Check for known CI/CD tool names (e.g., jenkins, github-actions, gitlab-ci) in the process name or command line arguments.
Scenario: Scheduled Facebook App Maintenance Task
Description: A system administrator schedules a maintenance task using a tool like cron or Task Scheduler to update or monitor a valid Facebook app.
Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., cron, task scheduler, at), or filter by known admin tools like ansible or puppet.
Scenario: Facebook App Debugging with Postman or curl
Description: A developer uses Postman or curl to test API endpoints of a legitimate Facebook app during debugging or integration testing.
Filter/Exclusion: Exclude requests made from known development tools (e.g., postman, curl, httpie) or filter by specific API endpoints used during testing.
Scenario: Facebook App Integration with Third-Party Tools
Description: A company uses a third-party tool like Zapier or Integromat to integrate with a Facebook app for automation (e.g., social media posting).
Filter/Exclusion: Exclude traffic from known integration platforms (e.g., zapier, integromat, make.com) or filter by known API endpoints used by these platforms.
Scenario: Facebook App Monitoring via Log Management Tools
Description: A security team uses a log management tool like Splunk or ELK Stack to monitor activity related to a legitimate Facebook app.
*Filter/Ex