The hypothesis is that the detected behavior represents an Android Pornclicker Trojan attempting to exfiltrate data: it connects to a remote host and downloads malicious JavaScript and URL lists that are then used to redirect users to adult content. A SOC team should proactively hunt for this behavior in Azure Sentinel so that potential data exfiltration and user-exploitation attempts are identified and mitigated early in the attack lifecycle.
YARA Rule
// The androguard module (Koodous) must be imported for androguard.url() in the condition.
import "androguard"

rule trojan: pornClicker
{
    meta:
        description = "Ruleset to detect android pornclicker trojan, connects to a remote host and obtains javascript and a list from urls generated, leading to porn in the end."
        sample = "5a863fe4b141e14ba3d9d0de3a9864c1339b2358386e10ba3b4caec73b5d06ca"
        reference = "https://blog.malwarebytes.org/cybercrime/2016/06/trojan-clickers-gaze-cast-upon-google-play-store/?utm_source=facebook&utm_medium=social"
        author = "Koodous Project"

    strings:
        $a = "SELEN3333"
        $b = "SELEN33"
        $c = "SELEN333"
        $api = "http://mayis24.4tubetv.xyz/dmr/ya"

    condition:
        // Either all four literal strings are present in the APK, or androguard
        // extracted a URL pointing at the C2 domain.
        ($a and $b and $c and $api) or androguard.url(/mayis24\.4tubetv\.xyz/)
}
This YARA rule can be deployed in the following contexts:
This rule declares four string patterns ($a, $b, $c and $api) in its detection logic.
Scenario: Legitimate Android App Update Server Communication
Description: A legitimate app update server is being accessed by an Android app to fetch JavaScript files as part of a dynamic update process.
Filter/Exclusion: http.host != "update.example.com" or http.url contains "update.js"
Scenario: Scheduled Job Fetching JavaScript for Web Content Generation
Description: A scheduled job on an Android device is retrieving JavaScript files from a remote server to dynamically generate web content (e.g., for a company intranet).
Filter/Exclusion: process.name contains "scheduled_job" or http.url contains "/content_generator.js"
Scenario: Admin Task to Retrieve Configuration Scripts from a Central Server
Description: An admin task is pulling JavaScript configuration files from a central server to manage device settings or policies.
Filter/Exclusion: process.name contains "admin_config_pull" or http.url contains "/config.js"
Scenario: Mobile Device Management (MDM) Tool Syncing Policies
Description: An MDM tool is syncing JavaScript-based policies from a remote server to enforce security settings on managed Android devices.
Filter/Exclusion: process.name contains "MDM_sync" or http.host contains "mdm.example.com"
Scenario: Legitimate Use of Webpack or Babel for JavaScript Bundling
Description: A development environment is using Webpack or Babel to fetch JavaScript files from a remote server as part of a build process.
Filter/Exclusion: http.url contains "webpack.config.js" or http.url contains "babel.min.js"
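The following Python is an added example, not code from the page or from the Koodous project. It re-implements the rule's condition over constructed APK-like bytes and evaluates the five scenario exclusions above over constructed HTTP events, so the hunt logic (IoC hit minus benign-scenario filters) can be checked offline. The record fields `host`, `url` and `process` are assumed stand-ins for `http.host`, `http.url` and `process.name`; the hunt predicate (IoC host, or any `.js` fetch) and the tightened form of the first filter are assumptions of this example. Two things the code makes visible: `SELEN33` is a substring of `SELEN333` and `SELEN3333`, so the string branch of the rule effectively requires only `$a` and `$api`; and the first scenario's exclusion uses `!=`, so as written it suppresses every event not bound for `update.example.com`, including the C2 host, which is why the example also carries an `==`/`and` variant.

```python
"""
Added example (not from the page or the Koodous project): rule condition and
scenario exclusions re-implemented over constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Strings taken from the YARA rule on the page.
RULE_STRINGS = {
    "$a": b"SELEN3333",
    "$b": b"SELEN33",
    "$c": b"SELEN333",
    "$api": b"http://mayis24.4tubetv.xyz/dmr/ya",
}
# Stand-in for androguard.url(/mayis24\.4tubetv\.xyz/): applied to whatever
# URL strings the caller extracted from the APK.
IOC_HOST_RE = re.compile(r"mayis24\.4tubetv\.xyz")


def rule_matches(blob: bytes, extracted_urls: Iterable[str] = ()) -> bool:
    """Mirror of the rule condition: ($a and $b and $c and $api) or androguard.url(...).

    "SELEN33" is a substring of "SELEN333" and "SELEN3333", so $a present implies
    $b and $c present; the first branch reduces to $a and $api in practice.
    """
    all_strings = all(s in blob for s in RULE_STRINGS.values())
    url_hit = any(IOC_HOST_RE.search(u) for u in extracted_urls)
    return all_strings or url_hit


@dataclass(frozen=True)
class HttpEvent:
    """Minimal stand-in for a Sentinel HTTP/process record (field names are assumptions)."""
    host: str
    url: str
    process: str


# The five scenario exclusions from the page, transcribed as written.
EXCLUSIONS: dict[str, Callable[[HttpEvent], bool]] = {
    "update_server": lambda e: e.host != "update.example.com" or "update.js" in e.url,
    "scheduled_job": lambda e: "scheduled_job" in e.process or "/content_generator.js" in e.url,
    "admin_config": lambda e: "admin_config_pull" in e.process or "/config.js" in e.url,
    "mdm_sync": lambda e: "MDM_sync" in e.process or "mdm.example.com" in e.host,
    "bundler": lambda e: "webpack.config.js" in e.url or "babel.min.js" in e.url,
}


def is_suspicious(e: HttpEvent) -> bool:
    """Assumed hunt predicate: the rule's IoC host, or a JavaScript fetch from any host."""
    return bool(IOC_HOST_RE.search(e.host)) or e.url.endswith(".js")


def hunt(events: Iterable[HttpEvent],
         exclusions: dict[str, Callable[[HttpEvent], bool]]) -> list[HttpEvent]:
    """Return suspicious events that no exclusion filters out."""
    return [e for e in events
            if is_suspicious(e) and not any(f(e) for f in exclusions.values())]


# Constructed sample data (not real telemetry or real samples).
SAMPLE_APK = b"\x00classes.dex\x00SELEN3333\x00http://mayis24.4tubetv.xyz/dmr/ya\x00"
BENIGN_APK = b"\x00classes.dex\x00SELEN3333\x00https://update.example.com/update.js\x00"
SAMPLE_EVENTS = [
    HttpEvent("mayis24.4tubetv.xyz", "/dmr/ya", "com.example.clicker"),
    HttpEvent("update.example.com", "/update.js", "com.example.app"),
    HttpEvent("cdn.example.net", "/assets/babel.min.js", "com.example.browser"),
    HttpEvent("intranet.example.com", "/pages/content_generator.js", "scheduled_job_runner"),
    HttpEvent("evil-cdn.example.org", "/loader.js", "com.example.game"),
]


def hunt_as_written() -> list[str]:
    """Hosts left after applying the exclusions exactly as the page states them."""
    return [e.host for e in hunt(SAMPLE_EVENTS, EXCLUSIONS)]


def hunt_with_tightened_update_filter() -> list[str]:
    """Assumed tightening of the first filter: require the update host AND the update path."""
    tightened = dict(EXCLUSIONS)
    tightened["update_server"] = lambda e: e.host == "update.example.com" and "update.js" in e.url
    return [e.host for e in hunt(SAMPLE_EVENTS, tightened)]


if __name__ == "__main__":
    print("rule on sample APK:", rule_matches(SAMPLE_APK))
    print("rule on benign APK:", rule_matches(BENIGN_APK))
    print("hits, exclusions as written:", hunt_as_written())
    print("hits, tightened update filter:", hunt_with_tightened_update_filter())
```

With the exclusions applied as written the hunt returns nothing, because the `!=` clause of the first scenario matches every event whose host is not `update.example.com`. With the tightened first filter, the C2 host and the unexplained `/loader.js` fetch survive while the four benign scenarios are filtered out, which is the behaviour a practitioner would expect from this list of exclusions.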