Android Spywaller samples can be identified on the device side with the YARA rule below, and on the host and network side through unusual outbound connections or file execution patterns indicative of command-and-control communication and data exfiltration. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) so that potential espionage activity is identified and contained before it causes significant damage.
YARA Rule
import "androguard"

rule android_spywaller : android
{
    meta:
        description = "Rule for detection of Android Spywaller samples"
        sample = "7b31656b9722f288339cb2416557241cfdf69298a749e49f07f912aeb1e5931b"
        source = "http://blog.fortinet.com/post/android-spywaller-firewall-style-antivirus-blocking"

    strings:
        $str_1 = "droid.png"
        $str_2 = "getSrvAddr"
        $str_3 = "getSrvPort"
        $str_4 = "android.intent.action.START_GOOGLE_SERVICE"

    condition:
        // 'and' binds tighter than 'or': the known signer certificate alone
        // is a hit, otherwise both permissions plus all four strings are needed.
        androguard.certificate.sha1("165F84B05BD33DA1BA0A8E027CEF6026B7005978") or
        (
            androguard.permission(/android.permission.INTERNET/) and
            androguard.permission(/android.permission.READ_PHONE_STATE/) and
            all of ($str_*)
        )
}
Deployment note: the rule uses the androguard module, so it has to be run by a YARA scanner that provides that module (such as Koodous) against APK files; it will not compile in stock yara-python and does not apply to network or process telemetry. The rule contains 4 string patterns in its detection logic, and the certificate match fires on its own even if none of the strings are present.
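To make the rule's logic concrete, here is an added Python example (not code from the original page or from Fortinet's write-up) that reproduces the three predicates of the condition over a minimal APK-like zip built in memory. Assumptions that are not on the page: the manifest is stored as plain-text XML (a real APK uses binary XML, which androguard decodes for you), the strings are searched in classes.dex, and the signer certificate is the raw DER blob in META-INF/CERT.RSA. The optional cert_sha1 parameter exists only so the certificate branch can be exercised with a constructed certificate.

```python
"""Reproduce the android_spywaller YARA condition in plain Python.

Added example, not from the original page. Stock yara-python has no
androguard module, so the rule's predicates (certificate SHA-1, permission
regexes, string set) are evaluated here over a constructed APK-like zip.
Assumptions: plain-text manifest XML, strings live in classes.dex, and
the signer certificate is the raw DER bytes in META-INF/CERT.RSA.
"""
import hashlib
import io
import re
import zipfile

# Indicators copied from the rule above.
RULE_CERT_SHA1 = "165f84b05bd33da1ba0a8e027cef6026b7005978"
RULE_STRINGS = [
    b"droid.png",
    b"getSrvAddr",
    b"getSrvPort",
    b"android.intent.action.START_GOOGLE_SERVICE",
]
RULE_PERMISSIONS = [r"android.permission.INTERNET",
                    r"android.permission.READ_PHONE_STATE"]


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of a byte string (what androguard.certificate.sha1 compares)."""
    return hashlib.sha1(data).hexdigest()


def build_apk(permissions, dex_strings, cert_der):
    """Assemble a constructed APK-like zip for exercising the rule logic."""
    manifest = "<manifest>" + "".join(
        f'<uses-permission android:name="{p}"/>' for p in permissions
    ) + "</manifest>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"\x00".join(dex_strings))
        z.writestr("META-INF/CERT.RSA", cert_der)
    return buf.getvalue()


def spywaller_match(apk_bytes, cert_sha1=RULE_CERT_SHA1):
    """Return True when the APK satisfies the rule's condition.

    YARA's 'and' binds tighter than 'or', so the condition reads as
    cert_match OR (has INTERNET AND has READ_PHONE_STATE AND all strings).
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = z.read("AndroidManifest.xml").decode()
        dex = z.read("classes.dex")
        cert = z.read("META-INF/CERT.RSA")

    cert_match = sha1_hex(cert) == cert_sha1.lower()
    declared = re.findall(r'uses-permission android:name="([^"]+)"', manifest)
    # androguard.permission(/regex/) is true if any declared permission matches.
    perm_match = all(any(re.search(p, d) for d in declared) for p in RULE_PERMISSIONS)
    strings_match = all(s in dex for s in RULE_STRINGS)
    return cert_match or (perm_match and strings_match)
```

Running spywaller_match against an APK that declares both permissions and carries all four strings returns True, dropping any one string or the READ_PHONE_STATE permission returns False, and a file whose signer certificate hashes to the rule's SHA-1 matches regardless of its strings, which is the precedence point the parenthesised condition above makes explicit.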
Scenario: Legitimate Android Debug Bridge (ADB) usage during device provisioning
Description: A system administrator uses ADB to push diagnostic tools or configuration files to a device during setup.
Filter/Exclusion: Exclude adb push commands whose device-side destination path (the last argument) is under /system/bin/ or /data/local/tmp/, but only when run from a designated provisioning host or account: /data/local/tmp/ is also the usual staging directory for sideloaded payloads, so an unscoped path exclusion would hide exactly the activity being hunted.
Scenario: Scheduled backup job using Android Debug Bridge (ADB)
Description: A backup script runs nightly to copy application data via ADB to a remote server.
Filter/Exclusion: Exclude adb backup commands whose -f destination is a known backup location (e.g., under /backup/) or whose onward copy targets a server on the allowed IP list, and restrict the exclusion to the scheduled backup host and service account.
Scenario: Android Studio build process using ADB for device testing
Description: A developer uses Android Studio to deploy an app to a test device using ADB.
Filter/Exclusion: Exclude adb install and adb logcat commands that target a device whose serial (the -s argument, or the serial listed by adb devices) is on the registered list of development test devices.
Scenario: System update via ADB by enterprise management tools
Description: An enterprise management tool like Mobile Device Management (MDM) uses ADB to push system updates or patches to devices.
Filter/Exclusion: Exclude adb push and adb reboot commands initiated from a known MDM server or internal update repository, matching on the originating host rather than on the command text alone.
Scenario: Security tool deployment using ADB for Android endpoint protection
Description: A security tool like Microsoft Intune or Cisco AMP deploys an agent to an Android device using ADB.
Filter/Exclusion: Exclude processes where the command includes adb push and the file being pushed is a known security agent (e.g., `agent.apk
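The five exclusion scenarios above, applied to process-creation events as an added Python example (not code from the original page, and written in Python rather than Sentinel KQL so it can be run offline). The hosts, device serials, file hashes and sample events are constructed for illustration. The exclusions key on who ran adb (host) and on the hash of the pushed file rather than on the command text alone, because a filename such as agent.apk or a destination such as /data/local/tmp/ is trivially chosen by an attacker.

```python
"""Apply the ADB allow-list scenarios to constructed process-creation events.

Added example, not from the original page. All allow-lists and events
below are constructed; replace them with your own inventory data.
"""
import os
import shlex
from dataclasses import dataclass

# Constructed allow-lists (assumptions for this example).
PROVISIONING_HOSTS = {"prov-ws01"}
BACKUP_HOSTS = {"backup01"}
BACKUP_DESTS = ("/backup/",)
DEV_SERIALS = {"emulator-5554", "R58M12ABCDE"}
MDM_HOSTS = {"mdm01"}
KNOWN_AGENT_SHA256 = {"a" * 64}   # placeholder digest of the approved agent.apk


@dataclass
class ProcEvent:
    host: str
    cmdline: str
    file_sha256: str = ""     # hash of the pushed file, if the sensor records it


def parse_adb(cmdline):
    """Return (serial, subcommand, args) for an adb invocation, else None."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "adb":
        return None
    serial, i = None, 1
    while i < len(argv) and argv[i].startswith("-"):   # global options
        if argv[i] == "-s" and i + 1 < len(argv):
            serial, i = argv[i + 1], i + 2
        else:
            i += 1
    if i >= len(argv):
        return None
    return serial, argv[i], argv[i + 1:]


def is_excluded(ev):
    """True when the event matches one of the five benign scenarios."""
    parsed = parse_adb(ev.cmdline)
    if parsed is None:
        return False
    serial, sub, args = parsed
    # 1. Provisioning push: device destination is the last argument, and the
    #    exclusion is scoped to provisioning hosts so payload staging in
    #    /data/local/tmp/ from anywhere else is still surfaced.
    if (sub == "push" and ev.host in PROVISIONING_HOSTS and args
            and args[-1].startswith(("/system/bin/", "/data/local/tmp/"))):
        return True
    # 2. Scheduled backup to a known location from the backup host.
    if sub == "backup" and ev.host in BACKUP_HOSTS and "-f" in args:
        idx = args.index("-f")
        if idx + 1 < len(args) and args[idx + 1].startswith(BACKUP_DESTS):
            return True
    # 3. Developer install/logcat against a registered test device.
    if sub in ("install", "logcat") and serial in DEV_SERIALS:
        return True
    # 4. MDM push/reboot from a known MDM server.
    if sub in ("push", "reboot") and ev.host in MDM_HOSTS:
        return True
    # 5. Agent deployment: match the file hash, never the filename.
    if sub == "push" and ev.file_sha256 in KNOWN_AGENT_SHA256:
        return True
    return False


def triage(events):
    """Return the events that survive the exclusions and need analyst review."""
    return [ev for ev in events if not is_excluded(ev)]


SAMPLE_EVENTS = [  # constructed sample telemetry
    ProcEvent("prov-ws01", "adb push tools/diag /data/local/tmp/diag"),
    ProcEvent("backup01", "adb backup -f /backup/nightly.ab -all"),
    ProcEvent("dev-laptop", "adb -s emulator-5554 install app-debug.apk"),
    ProcEvent("mdm01", "adb reboot"),
    ProcEvent("dev-laptop", "adb push agent.apk /sdcard/agent.apk", "a" * 64),
    # Suspicious: unknown host staging a file in the classic drop location.
    ProcEvent("hr-laptop", "adb push update.apk /data/local/tmp/update.apk", "b" * 64),
    # Suspicious: spoofed agent filename whose hash is not the approved build.
    ProcEvent("hr-laptop", "adb push agent.apk /sdcard/agent.apk", "c" * 64),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("REVIEW", ev.host, ev.cmdline)
```

Of the seven constructed events, the first five are excluded and the two from hr-laptop are left for review: one because the push to /data/local/tmp/ did not come from a provisioning or MDM host, the other because a file called agent.apk does not hash to the approved agent. Whatever hunting query these scenarios end up in, keep the same shape: the benign cases are defined by host, account, device serial and file hash, and the command text is only a first-pass filter.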