Adversaries may use APK files to establish persistence or exfiltrate data. The rule below hunts for APKs related to a known sample, either by its signing-certificate SHA1 fingerprint or by a characteristic combination of activity name and requested permissions. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware or covert communication channels embedded in mobile applications.
YARA Rule
```yara
rule towelhacking_behaviour
{
    meta:
        author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "Search probably apks relationships"

    condition:
        androguard.certificate.sha1("180ADFC5DE49C0D7F643BD896E9AAC4B8941E44E") or
        ( androguard.activity(/net.prospectus.*/i) and
          androguard.permission(/android.permission.WRITE_CONTACT/) and
          androguard.permission(/android.permission.ACCESS_COARSE_UPDATES/) )
}
```
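The rule's condition re-expressed as a Python check over metadata already extracted from an APK, for triage pipelines that have activity, permission and certificate data but no androguard-enabled YARA. This is an added example, not part of the original rule or Koodous; the sample metadata dicts are constructed and the function names are assumptions.

```python
import re
from typing import Iterable, Mapping, Optional

# Indicators taken from the towelhacking_behaviour rule above.
KNOWN_CERT_SHA1 = "180ADFC5DE49C0D7F643BD896E9AAC4B8941E44E"
ACTIVITY_RE = re.compile(r"net.prospectus.*", re.IGNORECASE)   # /net.prospectus.*/i
PERMISSION_RES = [
    re.compile(r"android.permission.WRITE_CONTACT"),            # unanchored: also hits WRITE_CONTACTS
    re.compile(r"android.permission.ACCESS_COARSE_UPDATES"),
]


def _any_match(pattern: "re.Pattern[str]", values: Iterable[str]) -> bool:
    # androguard's YARA helpers fire when the regex is found in any entry
    # (search semantics, not a full match), which is mirrored here.
    return any(pattern.search(v) for v in values)


def matches_towelhacking(meta: Mapping[str, Iterable[str]]) -> Optional[str]:
    """Return the branch of the rule that fired ('cert' or 'activity+permissions'), else None."""
    certs = {c.upper() for c in meta.get("cert_sha1", [])}   # hex case varies between tools
    if KNOWN_CERT_SHA1 in certs:
        return "cert"
    activities = list(meta.get("activities", []))
    permissions = list(meta.get("permissions", []))
    if _any_match(ACTIVITY_RE, activities) and all(
        _any_match(p, permissions) for p in PERMISSION_RES
    ):
        return "activity+permissions"
    return None


# Constructed sample metadata (not real APKs) covering both branches and a near miss.
SAMPLE_BY_CERT = {
    "cert_sha1": ["180adfc5de49c0d7f643bd896e9aac4b8941e44e"],
    "activities": ["com.example.MainActivity"],
    "permissions": ["android.permission.INTERNET"],
}
SAMPLE_BY_BEHAVIOUR = {
    "cert_sha1": ["0000000000000000000000000000000000000000"],
    "activities": ["net.prospectus.ui.LoginActivity"],
    "permissions": ["android.permission.WRITE_CONTACTS",
                    "android.permission.ACCESS_COARSE_UPDATES"],
}
SAMPLE_NEAR_MISS = {   # right activity, but only one of the two required permissions
    "cert_sha1": ["0000000000000000000000000000000000000000"],
    "activities": ["NET.PROSPECTUS.Main"],
    "permissions": ["android.permission.WRITE_CONTACTS"],
}
```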
When this YARA rule is put into operation, the following benign activities are likely sources of false positives and should be filtered out:
Scenario: A system administrator is using apktool to decompile a legitimate APK file for analysis or debugging purposes.
Filter/Exclusion: Check for presence of apktool in the command line or process name, and exclude processes initiated by admin accounts with known decompilation tasks.

Scenario: A scheduled job runs adb commands to push and pull files between a development device and a build server.
Filter/Exclusion: Exclude processes involving adb that are initiated by a known CI/CD job or service account, and filter based on command-line arguments like adb push or adb pull.

Scenario: A developer is using Android Studio to build and debug an APK, which temporarily creates and unpacks APK files in the project directory.
Filter/Exclusion: Exclude processes related to Android Studio or its associated tools, and filter based on file paths within the project directory structure.

Scenario: A system update or OTA package is being deployed, which includes unpacking APK files as part of the update process.
Filter/Exclusion: Exclude processes associated with update services or OTA deployment tools, and filter based on known update directories or file names.

Scenario: A security tool like MobSF (Mobile Security Framework) is analyzing APK files for vulnerabilities, which involves unpacking and inspecting the files.
Filter/Exclusion: Exclude processes initiated by known security tools or analysis platforms, and filter based on process names or command-line arguments related to analysis workflows.