19 lines
510 B
Text
19 lines
510 B
Text
import "androguard"
|
|
|
|
rule Android_RuMMS
|
|
{
|
|
meta:
|
|
author = "Jacob Soo Lead Re"
|
|
date = "19-May-2016"
|
|
description = "This rule try to detects Android.Banking.RuMMS"
|
|
source = "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
|
|
|
|
condition:
|
|
(androguard.service(/\.Tb/) and
|
|
androguard.service(/\.Ad/) and
|
|
androguard.receiver(/\.Ac/) and
|
|
androguard.receiver(/\.Ma/)) or
|
|
(androguard.url(/http\:\/\/37\.1\.207/) and
|
|
androguard.url(/\/api\/\?id\=7/))
|
|
|
|
}
|