DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countri

Hunt Hypothesis

DeathRing is a pre-installed Chinese Trojan on popular smartphones in Asian and African countries, indicating potential covert surveillance and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate persistent, low-severity threats that could compromise user data.

YARA Rule

rule Android_DeathRing
{
	meta:
		author = "Jacob Soo Lead Re"
		date = "06-June-2016"
		description = "DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countries. Detection volumes are moderate, though we consider this a concerning threat given its pre-loaded nature and the fact that we are actively seeing detections of it around the world."
		source = "https://blog.lookout.com/blog/2014/12/04/deathring/"

	condition:
		androguard.service(/MainOsService/i) and
        androguard.receiver(/ApkUninstallReceiver/i)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints
• Source Rule

False Positive Guidance

• Scenario: System Maintenance Task Using adb
  Description: A system administrator is performing routine maintenance using Android Debug Bridge (adb) to push updates or debug devices.
  Filter/Exclusion: Exclude processes initiated by known admin accounts (e.g., root, admin, system) or those involving adb commands.
  Example Filter: process.name = adb AND user.name = root

• Scenario: Scheduled Job for Backup Using adb
  Description: A scheduled job is configured to back up user data using adb commands on enterprise Android devices.
  Filter/Exclusion: Exclude processes associated with backup services or scheduled tasks (e.g., backup-service, backup-job).
  Example Filter: process.name = adb AND process.args LIKE '%backup%'

• Scenario: Android Debug Bridge (ADB) Debugging Session
  Description: A developer is using ADB to debug an application on a company-issued Android device.
  Filter/Exclusion: Exclude processes initiated from development environments or with known debugging flags (e.g., adb shell, adb logcat).
  Example Filter: process.name = adb AND process.args LIKE '%shell%'

• Scenario: Mobile Device Management (MDM) Tool Interaction
  Description: An MDM tool (e.g., Microsoft Intune, VMware Workspace ONE) is interacting with Android devices to enforce policies or push configurations.
  Filter/Exclusion: Exclude processes associated with known MDM vendors or system management tools.
  Example Filter: process.name = com.android.management OR process.name = com.microsoft.intune

• Scenario: Android System Update via ADB
  Description: An IT team is using ADB to push system updates or patches to Android devices in a controlled environment.
  Filter/Exclusion: