The hypothesis is that the rule detects potential Android.Banking.RuMMS malware by matching static APK metadata associated with known samples: one of three known RuMMS package names combined with the RECEIVE_SMS and RECEIVE_BOOT_COMPLETED permissions. SOC teams should proactively hunt for this pattern in Azure Sentinel to identify and mitigate early-stage compromises that may evade traditional detection methods.
YARA Rule
import "androguard"

rule Android_RuMMS
{
    meta:
        author = "reverseShell - https://twitter.com/JReyCastro"
        date = "2016/04/02"
        description = "This rule try to detects Android.Banking.RuMMS"
        sample = "13569bc8343e2355048a4bccbe92a362dde3f534c89acff306c800003d1d10c6"
        source = "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
    condition:
        // The known RuMMS package names are grouped explicitly: in YARA "and" binds
        // tighter than "or", so without parentheses the permission checks would
        // apply only to the last package name.
        (
            androguard.package_name("org.starsizew") or
            androguard.package_name("com.tvone.untoenynh") or
            androguard.package_name("org.zxformat")
        ) and
        androguard.permission(/android.permission.RECEIVE_SMS/) and
        androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/)
}
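The following Python script is an added example, not part of the original rule or of the androguard module. It extracts the package name and requested permissions from a constructed, already-decoded AndroidManifest.xml and evaluates the RuMMS condition both with and without explicit grouping, to show how YARA's precedence (and before or) changes what the rule matches.

```python
# Added example: manifest parsing plus two evaluations of the RuMMS condition.
# SAMPLE_MANIFEST is constructed for illustration (not a real RuMMS sample).
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: a RuMMS-style package name that requests no SMS or boot permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.starsizew">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

RUMMS_PACKAGES = {"org.starsizew", "com.tvone.untoenynh", "org.zxformat"}
RUMMS_PERMS = [re.compile(r"android\.permission\.RECEIVE_SMS"),
               re.compile(r"android\.permission\.RECEIVE_BOOT_COMPLETED")]


def parse_manifest(xml_text):
    """Return (package_name, set_of_permissions), the inputs the YARA rule inspects."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    return pkg, perms


def has_perm(perms, pattern):
    # androguard.permission(/regex/) matches the pattern against each declared permission.
    return any(pattern.search(p) for p in perms)


def condition_grouped(pkg, perms):
    """(pkg1 or pkg2 or pkg3) and perm1 and perm2: the intended logic."""
    return pkg in RUMMS_PACKAGES and all(has_perm(perms, p) for p in RUMMS_PERMS)


def condition_ungrouped(pkg, perms):
    """pkg1 or pkg2 or (pkg3 and perm1 and perm2): how YARA parses it without parentheses."""
    return (pkg == "org.starsizew" or pkg == "com.tvone.untoenynh"
            or (pkg == "org.zxformat" and all(has_perm(perms, p) for p in RUMMS_PERMS)))


def evaluate(xml_text):
    """Evaluate both forms; a difference means the rule fires on package name alone."""
    pkg, perms = parse_manifest(xml_text)
    return {"grouped": condition_grouped(pkg, perms),
            "ungrouped": condition_ungrouped(pkg, perms)}


if __name__ == "__main__":
    print(evaluate(SAMPLE_MANIFEST))  # {'grouped': False, 'ungrouped': True}
```

Only the grouped form requires the SMS and boot permissions for every listed package; the ungrouped form matches the first two package names unconditionally.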
When this rule is deployed, the following legitimate activities may produce false positives; the suggested filters or exclusions can reduce them:
Scenario: Legitimate system backup process using rsync or tar
Filter/Exclusion: Check for known backup directories (e.g., /backup, /var/backups) or process names containing backup, rsync, or tar.
Scenario: Scheduled job for log rotation using logrotate
Filter/Exclusion: Filter processes with logrotate in the command line or check for log directories (e.g., /var/log/, /tmp/).
Scenario: Administrative task using adb (Android Debug Bridge) for device management
Filter/Exclusion: Exclude processes with adb in the command line or filter by user (e.g., root, admin).
Scenario: Mobile device management (MDM) tool like Microsoft Intune or MobileIron performing remote configuration
Filter/Exclusion: Filter by known MDM tools or check for specific command-line arguments related to configuration pushes.
Scenario: Legitimate Android app update process using APK expansion or Google Play Services
Filter/Exclusion: Check for known app update directories (e.g., /data/app/) or filter by known app packages (e.g., com.google.android.gms).