Yara detection for Android Locker app named Pink Club

Hunt Hypothesis

The detection identifies potential Android Locker malware named Pink Club, which may restrict device access and display malicious content. SOC teams should proactively hunt for this behavior to mitigate ransomware-like tactics and protect user data in their Azure Sentinel environment.

YARA Rule

rule Android_pinkLocker : android
{
	meta:
		description = "Yara detection for Android Locker app named Pink Club"
		author = "@5h1vang"
		ref1 = "https://www.virustotal.com/es/file/388799cbbe2c8ddc0768c4b994379508e602f68503888a001635c3be2c8c350d/analysis/"
		ref2 = "https://analyst.koodous.com/rulesets/1186"
		sample = "388799cbbe2c8ddc0768c4b994379508e602f68503888a001635c3be2c8c350d"
		
	strings:
		$str_1 = "arnrsiec sisani"
		$str_2 = "rhguecisoijng ts"
		$str_3 = "assets/data.db"
		$str_4 = "res/xml/device_admin_sample.xmlPK" 

	condition:
		androguard.url(/lineout\.pw/) or 
		androguard.certificate.sha1("D88B53449F6CAC93E65CA5E224A5EAD3E990921E") or
		androguard.permission(/android.permission.INTERNET/) and
		androguard.permission(/android.permission.DISABLE_KEYGUARD/) and
		all of ($str_*)
		
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled backup job using Android Debug Bridge (ADB)

  • Description: A scheduled job using ADB might execute scripts that resemble the behavior of the Pink Club Locker app, such as modifying system settings or files.
  • Suggestion: Filter by process name adb or check for adb in the command line arguments.

• Scenario: System update or patching via Mobile Device Management (MDM) tool

  • Description: An MDM tool like Microsoft Intune or VMware Workspace ONE might deploy updates that temporarily modify system files or settings, triggering the detection rule.
  • Suggestion: Exclude processes related to MDM tools (e.g., IntuneAgent, WorkspaceOne) or filter by known update scripts.

• Scenario: Admin task to reset device settings using ADB

  • Description: An admin might use ADB to reset device settings, which could include actions similar to those performed by the Pink Club Locker app.
  • Suggestion: Filter by user context (e.g., root, admin) or check for adb shell in the command line.

• Scenario: Legitimate Android app with similar file structure

  • Description: A legitimate app with a similar file structure or naming convention (e.g., PinkClub) could trigger the rule due to false positive matching.
  • Suggestion: Exclude apps with known legitimate names or filter by package name (e.g., com.example.pinkclub).

• Scenario: Automated security scan using tools like Tripwire or OSSEC

  • Description: Security tools might scan for known malicious patterns, and if the detection rule is too broad, it could flag legitimate files during a scan.
  • Suggestion: Exclude processes associated with security tools (e.g., tripwire, ossec) or apply a whitelist for known scan directories.