The hypothesis is that Android application packages (APKs) carrying the file artifacts associated with the Tempting Cedar spyware, as documented by Avast, indicate a device or app collection that has been compromised by that adversary. The rule below is a file-content (YARA) signature, so it is applied to APK samples, mobile-device backups, MDM-collected packages and mail or download attachments rather than to process events; SOC teams should proactively scan those sources with it and surface hits in their SIEM (for example Azure Sentinel) so that covert surveillance activity is identified and mitigated early.
YARA Rule
rule android_tempting_cedar_spyware
{
    meta:
        Author = "@X0RC1SM"
        Date = "2018-03-06"
        Reference = "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware"
    strings:
        $PK_HEADER = {50 4B 03 04}           // ZIP local file header: every APK is a ZIP archive
        $MANIFEST = "META-INF/MANIFEST.MF"   // JAR manifest present in every signed APK
        $DEX_FILE = "classes.dex"            // Dalvik bytecode present in every APK
        $string = "rsdroid.crt"              // the artifact specific to the Tempting Cedar samples
    condition:
        // header must start within the first five bytes; the other strings may occur anywhere.
        // "any of ($string*)" expands to the single $string, i.e. rsdroid.crt must be present.
        $PK_HEADER in (0..4) and $MANIFEST and $DEX_FILE and any of ($string*)
}
This rule contains 4 string patterns in its detection logic. Three of them (the PK header, META-INF/MANIFEST.MF and classes.dex) only establish that the file is an APK and will match every Android package; the detection therefore rests entirely on the fourth string, rsdroid.crt. The rule can be deployed wherever APK files are available for content scanning (sample repositories, mobile backups, MDM or mail-gateway file stores, endpoint file scans), and the false-positive scenarios below should be handled with file-level exclusions rather than process-level ones.
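To show what the condition actually keys on, here is an added example that re-implements the rule's condition in plain Python over constructed, minimal APK-shaped ZIP files; it is not the rule author's or Avast's code, does not need yara-python, and the sample archives (including the dummy rsdroid.crt contents) are constructed for this illustration only.

```python
"""Pure-Python re-implementation of the android_tempting_cedar_spyware condition.

Added example, not the rule author's or Avast's code. The sample APKs built here
are constructed stand-ins: a ZIP with a manifest and a classes.dex entry, with or
without a file named rsdroid.crt (dummy contents).
"""
import io
import zipfile

# The four patterns from the YARA rule, as bytes.
PK_HEADER = b"PK\x03\x04"          # {50 4B 03 04}
MANIFEST = b"META-INF/MANIFEST.MF"
DEX_FILE = b"classes.dex"
CEDAR_STRING = b"rsdroid.crt"      # the only string that is specific to the malware


def build_sample_apk(include_cert: bool) -> bytes:
    """Constructed minimal APK-shaped ZIP (not a real app).

    ZIP stores each entry name in its local header and central directory, so the
    MANIFEST and DEX_FILE strings appear in the bytes exactly as they would in a
    real package. With include_cert=True an rsdroid.crt entry is added.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)   # DEX magic + padding
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        if include_cert:
            zf.writestr("rsdroid.crt", b"-----BEGIN CERTIFICATE-----\nDUMMY\n")
    return buf.getvalue()


def triage(data: bytes) -> dict:
    """Report which of the rule's strings hit.

    `$PK_HEADER in (0..4)` means the header may start at any offset 0..4
    inclusive; the remaining strings may occur anywhere in the file.
    `any of ($string*)` expands to just $string, so it is a plain presence check.
    """
    return {
        "PK_HEADER": any(data.startswith(PK_HEADER, off) for off in range(5)),
        "MANIFEST": MANIFEST in data,
        "DEX_FILE": DEX_FILE in data,
        "string": CEDAR_STRING in data,
    }


def matches_tempting_cedar(data: bytes) -> bool:
    """The rule's condition: all three generic APK markers plus rsdroid.crt."""
    h = triage(data)
    return h["PK_HEADER"] and h["MANIFEST"] and h["DEX_FILE"] and h["string"]


def scan(samples: dict) -> dict:
    """Apply the rule to a {name: bytes} mapping; returns {name: matched}."""
    return {name: matches_tempting_cedar(data) for name, data in samples.items()}


if __name__ == "__main__":
    samples = {
        "benign.apk": build_sample_apk(include_cert=False),
        "cedar_like.apk": build_sample_apk(include_cert=True),
        "not_an_apk.bin": b"MZ" + b"\0" * 100,
    }
    for name, data in samples.items():
        verdict = "MATCH" if matches_tempting_cedar(data) else "clean"
        print(f"{name:16} {triage(data)} -> {verdict}")
```

Running it shows the benign package lighting up all three generic strings and still being clean, which is the point: any tuning of this rule should be about rsdroid.crt, not the APK markers. The `in (0..4)` range also means a package with up to four bytes of leading junk still matches, whereas five or more bytes of prefix defeat the header check even if the rest of the archive is intact.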
Scenario: A system administrator is using Android Debug Bridge (ADB) to debug a legitimate application.
Filter/Exclusion: Exclude APKs stored under the administrator's SDK tooling directories (paths containing adb or android-sdk), after confirming none of them actually contains an rsdroid.crt entry.
Scenario: A scheduled job runs Android Studio to build and package an internal app for deployment.
Filter/Exclusion: Exclude APKs written to Android Studio or Gradle build output directories (paths containing android-studio, studio.sh or build/outputs/apk).
Scenario: An IT team uses Fastlane to automate Android app builds and deployments.
Filter/Exclusion: Exclude APKs produced in the Fastlane or Gradle pipeline's output directories (paths containing fastlane or gradle), or better, exclude packages signed with the organisation's own release certificate.
Scenario: A user is installing a legitimate app using Google Play Console or APK installation tools (adb install, pm install).
Filter/Exclusion: Exclude packages whose signing certificate matches a known publisher; do not exclude on the installer alone, because a malicious APK can be sideloaded with exactly the same commands.
Scenario: A developer is using Android Studio to run a test suite or emulator for testing.
Filter/Exclusion: Exclude APKs belonging to emulator images and instrumentation test outputs (paths containing emulator, run-tests or androidTest).
In every scenario the exclusion should be scoped to the file's path or signer, not to a process command line: the rule inspects file contents, and any APK that genuinely contains rsdroid.crt deserves a look regardless of which tool placed or installed it.