This detection identifies HackingTeam's Android implant by matching the Dalvik bytecode of its string-decryption routine together with two of its DEX string-table entries; the rule's author notes it covers implant versions v4 through v7 (the "version" in the rule's description refers to the implant versions the rule detects, not to a version check the implant performs). Because the rule works on file content, it belongs in an APK/DEX scanning workflow (endpoint, MDM, mail or sandbox pipelines) rather than in a log query; forward its hits to the SIEM (Azure Sentinel or similar) so SOC teams can correlate a matched device with user and network context and treat it as a likely early-stage compromise by an actor using this known malicious Android payload.
YARA Rule
rule HackingTeam_Android : Android Implant
{
meta:
description = "HackingTeam Android implant, known to detect version v4 - v7"
author = "Tim 'diff' Strazzere <strazz@gmail.com>"
reference = "http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/"
date = "2016-11-14"
version = "1.0"
strings:
$decryptor = { 12 01 // const/4 v1, 0x0
D8 00 ?? ?? // add-int/lit8 v0, ??, ?? (initial key)
6E 10 ?? ?? ?? 00 // invoke-virtual {??} -> String.toCharArray()
0C 04 // move-result-object v4
21 45 // array-length v5, v4
01 02 // move v2, v0
01 10 // move v0, v1
32 50 11 00 // if-eq v0, v5, 0x1b (loop exit)
49 03 04 00 // aget-char v3, v4, v0
DD 06 02 5F // and-int/lit8 v6, v2, 0x5f <- potentially change the hardcoded xor bit to ??
B7 36 // xor-int/2addr v6, v3
D8 03 02 ?? // add-int/lit8 v3, v2, ?? (key step)
D8 02 00 01 // add-int/lit8 v2, v0, 0x1
8E 66 // int-to-char v6, v6
50 06 04 00 // aput-char v6, v4, v0
01 20 // move v0, v2
01 32 // move v2, v3
28 F0 // goto 0xa
71 30 ?? ?? 14 05 // invoke-static {v4, v1, v5}, ?? -> String.valueOf()
0C 00 // move-result-object v0
6E 10 ?? ?? 00 00 // invoke-virtual {v0} ?? -> String.intern()
0C 00 // move-result-object v0
11 00 // return-object v0
}
// The string below as it appears in the DEX string table (uleb128 length prefix, bytes, NUL terminator; the leading 00 is the previous entry's terminator)
// Lcom/google/android/global/Settings;
$settings = {
00 24 4C 63 6F 6D 2F 67 6F 6F 67 6C 65 2F 61 6E
64 72 6F 69 64 2F 67 6C 6F 62 61 6C 2F 53 65 74
74 69 6E 67 73 3B 00
}
// getSmsInputNumbers (encoded the same way as above)
$getSmsInputNumbers = {
00 12 67 65 74 53 6D 73 49 6E 70 75 74 4E 75 6D
62 65 72 73 00
}
condition:
$decryptor and ($settings and $getSmsInputNumbers)
}
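To make the matched bytecode concrete, here is an added Python emulation of the loop the $decryptor pattern describes. It is not part of the rule or of RedNaga's write-up; the initial key and the per-character step are ?? wildcards in the rule, so the values passed to the functions below are assumptions chosen for the demonstration, and `ht_keystream`, `ht_decrypt` and `ht_encrypt` are names introduced here.

```python
# Added example (not part of the rule or of RedNaga's write-up): a Python
# emulation of the string-decryption loop that the $decryptor byte pattern
# describes. Reading the matched Dalvik instructions in order:
#
#   v1 = 0                             const/4 v1, 0x0
#   v0 = v? + lit8                     add-int/lit8 (initial key; lit8 is ??)
#   v4 = s.toCharArray(); v5 = len     invoke-virtual / move-result-object / array-length
#   v2 = v0 (key); v0 = v1 (index)     move v2, v0 / move v0, v1
#   while v0 != v5:                    if-eq v0, v5, exit
#       v3 = v4[v0]                    aget-char
#       v6 = (v2 & 0x5f) ^ v3          and-int/lit8 0x5f; xor-int/2addr
#       v3 = v2 + step                 add-int/lit8 (step is ??, a signed byte)
#       v2 = v0 + 1                    add-int/lit8 0x1
#       v4[v0] = (char) v6             int-to-char; aput-char
#       v0 = v2; v2 = v3               move / move
#   return String.valueOf(v4, v1, v5).intern()
#
# The initial key and the per-character step are wildcards in the rule, so the
# values used below are assumptions for the demonstration only.

def ht_keystream(key: int, step: int, n: int):
    """Yield the n mask values the loop XORs in: (key & 0x5f), with key
    advanced by `step` per character under 32-bit Java int wraparound."""
    for _ in range(n):
        yield key & 0x5F
        key = (key + step) & 0xFFFFFFFF


def ht_decrypt(encoded: str, key: int, step: int) -> str:
    """Emulate the routine on a Java string: XOR each UTF-16 code unit with the
    current mask. The mask never exceeds 0x5f, so the int-to-char truncation
    is a no-op, and because XOR is its own inverse the same call encrypts."""
    out = []
    for ch, mask in zip(encoded, ht_keystream(key, step, len(encoded))):
        unit = ord(ch)
        if unit > 0xFFFF:
            raise ValueError("supplementary characters span two Java chars; not modelled")
        out.append(chr(unit ^ mask))
    return "".join(out)


def ht_encrypt(plain: str, key: int, step: int) -> str:
    """Produce a string the implant's routine would decrypt back to `plain`."""
    return ht_decrypt(plain, key, step)


if __name__ == "__main__":
    key, step = 0x37, 0x03  # assumed values; read the real ones from the matched bytes
    secret = "Lcom/google/android/global/Settings;"
    blob = ht_encrypt(secret, key, step)
    print(repr(blob))
    print(ht_decrypt(blob, key, step) == secret)
```

Once a sample matches, the two wildcarded literals (the `add-int/lit8` that seeds v0 and the one that advances v2) can be read straight out of the matched bytes and passed as `key` and `step` to recover the implant's obfuscated strings; the `step` literal is a signed 8-bit value, which the 32-bit wraparound in `ht_keystream` handles for negative steps.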
This rule evaluates three string patterns: the Dalvik bytecode of the decryptor routine ($decryptor, with wildcards for the register, method-index and key-step bytes that vary between builds) and two DEX string-table entries for the implant's class and method names ($settings and $getSmsInputNumbers); all three must be present for the condition to fire. Every pattern is file content, so the rule is meant to run over APK files and the classes.dex inside them. YARA does not unpack ZIP archives on its own, and the DEX inside an APK is normally compressed, so scan the extracted classes.dex (or use a scanner that extracts APKs) rather than the APK as stored; it is not a rule for event logs.
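The following added example, not part of the rule or of RedNaga's write-up, shows how the two string-table literals are derived from the plain class and method names and then evaluates all three patterns, wildcards included, against a constructed byte blob shaped like the parts of a classes.dex the rule inspects. The blob, the bytes filling the ?? positions and the helper names (`uleb128`, `dex_string_data`, `yara_hex_to_regex`, `build_sample`, `evaluate`, `rule_matches`) are all constructed here for the demonstration; the translator handles only fixed bytes and ?? wildcards, which is all this rule uses.

```python
import re

# Added example (not part of the rule or of RedNaga's write-up): reproduce the
# rule's two string-table literals from the plain names and evaluate all three
# patterns against a constructed classes.dex-like blob. The blob and the bytes
# filling the ?? positions are made up for the demo, not taken from a sample.

def uleb128(n: int) -> bytes:
    """Unsigned LEB128, the encoding of utf16_size in a DEX string_data_item."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n == 0:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def dex_string_data(s: str) -> bytes:
    """string_data_item: uleb128 utf16_size, MUTF-8 bytes, NUL terminator.
    Assumes ASCII input, where MUTF-8 equals UTF-8 and utf16_size == len(s)."""
    if not s.isascii():
        raise ValueError("non-ASCII names need MUTF-8 and UTF-16 length handling")
    return uleb128(len(s)) + s.encode("ascii") + b"\x00"


def yara_hex_to_regex(hex_body: str) -> "re.Pattern":
    """Minimal YARA hex-string translator: fixed bytes and ?? wildcards only
    (no jumps or nibble wildcards), compiled to a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_body.split()]
    return re.compile(b"".join(parts), re.DOTALL)


# The rule's three hex strings with the inline comments removed.
DECRYPTOR_HEX = (
    "12 01 D8 00 ?? ?? 6E 10 ?? ?? ?? 00 0C 04 21 45 01 02 01 10 "
    "32 50 11 00 49 03 04 00 DD 06 02 5F B7 36 D8 03 02 ?? D8 02 00 01 "
    "8E 66 50 06 04 00 01 20 01 32 28 F0 71 30 ?? ?? 14 05 0C 00 "
    "6E 10 ?? ?? 00 00 0C 00 11 00"
)
SETTINGS_HEX = ("00 24 4C 63 6F 6D 2F 67 6F 6F 67 6C 65 2F 61 6E 64 72 6F 69 64 "
                "2F 67 6C 6F 62 61 6C 2F 53 65 74 74 69 6E 67 73 3B 00")
GETSMS_HEX = "00 12 67 65 74 53 6D 73 49 6E 70 75 74 4E 75 6D 62 65 72 73 00"
PATTERNS = {"$decryptor": DECRYPTOR_HEX, "$settings": SETTINGS_HEX,
            "$getSmsInputNumbers": GETSMS_HEX}


def build_sample(xor_mask: int = 0x5F, step: int = 0x03) -> bytes:
    """Constructed stand-in for a classes.dex fragment: consecutive
    string_data_items (the leading NUL stands in for the previous item's
    terminator, which the rule's 00 prefix anchors on) followed by the
    decryptor body with arbitrary register/method-index bytes in the ?? slots."""
    strings = b"\x00" + b"".join(dex_string_data(s) for s in (
        "Lcom/google/android/global/Settings;", "getSmsInputNumbers", "toCharArray"))
    body = (
        "12 01 D8 00 07 10 6E 10 34 12 07 00 0C 04 21 45 01 02 01 10 "
        "32 50 11 00 49 03 04 00 "
        f"DD 06 02 {xor_mask & 0xFF:02X} B7 36 D8 03 02 {step & 0xFF:02X} D8 02 00 01 "
        "8E 66 50 06 04 00 01 20 01 32 28 F0 71 30 78 56 14 05 0C 00 "
        "6E 10 9A BC 00 00 0C 00 11 00"
    )
    return strings + bytes.fromhex(body)


def evaluate(blob: bytes) -> dict:
    """Per-string match results, as YARA would report them."""
    return {name: yara_hex_to_regex(hx).search(blob) is not None
            for name, hx in PATTERNS.items()}


def rule_matches(blob: bytes) -> bool:
    """The rule's condition: $decryptor and ($settings and $getSmsInputNumbers)."""
    hits = evaluate(blob)
    return hits["$decryptor"] and (hits["$settings"] and hits["$getSmsInputNumbers"])


if __name__ == "__main__":
    print("reference build:", rule_matches(build_sample()))
    # A rebuilt implant with a different AND mask keeps both names but slips
    # past the bytecode pattern, the weakness the author's comment on 0x5f
    # points at.
    print("mask changed   :", evaluate(build_sample(xor_mask=0x3F)))
```

Running `evaluate` on the variant built with a different mask byte shows both name strings still matching while $decryptor does not, so the overall condition fails; wildcarding that byte, as the rule's own comment suggests, trades a small amount of precision for resilience against rebuilt samples.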
Exclusion guidance: every pattern in this rule is file content (Dalvik bytecode and DEX string-table entries), so the tooling that happens to read, install or flash an APK does not by itself produce a match, and the process-based exclusions that suit endpoint telemetry rules do not apply here. A hit means the scanned file contains the implant's decryptor and class names whichever tool touched it, so the file, not the process, is what to triage. The scenarios below are the common legitimate activities that bring APK and DEX content into view of a scanner.
Scenario: A system administrator is using ADB (Android Debug Bridge) to debug a legitimate Android application during routine maintenance.
Scenario: A scheduled job runs a script that uses Fastboot to flash a legitimate firmware update to an Android device in the enterprise environment.
Scenario: A mobile device management (MDM) tool like Microsoft Intune or MobileIron is performing a remote wipe or configuration push to an Android device.
Scenario: A security tool like Kaspersky or Bitdefender is performing a full system scan on an Android device, which may include unpacking or analyzing APK files.
Scenario: A developer is using Android Studio to build and deploy an application to a test device, which may involve unpacking or modifying APK files.
Filter/Exclusion (all scenarios): do not suppress on the tool (adb, fastboot, gradle, MDM or AV binaries), on the parent process or on the user. Identify the file that matched, extract its classes.dex and confirm that the Lcom/google/android/global/Settings; class and the getSmsInputNumbers method are present together with the decryptor bytecode; a confirmed match inside a developer or administrator workflow is still a compromised or trojanized APK. The only places where a genuine match is expected and benign are malware sample stores and AV quarantine directories, which can be excluded by path.