Sneed-Reactivity/yara-mikesxrs/pombredanne/Android_RuMMS.yar

20 lines
510 B
Text
Raw Normal View History

import "androguard"
rule Android_RuMMS
{
meta:
author = "Jacob Soo Lead Re"
date = "19-May-2016"
description = "This rule try to detects Android.Banking.RuMMS"
source = "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
condition:
(androguard.service(/\.Tb/) and
androguard.service(/\.Ad/) and
androguard.receiver(/\.Ac/) and
androguard.receiver(/\.Ma/)) or
(androguard.url(/http\:\/\/37\.1\.207/) and
androguard.url(/\/api\/\?id\=7/))
}