The hypothesis is that the detection rule identifies potential Android.Triada.Malware activity through suspicious process execution or file access patterns commonly associated with this malware family. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may evade traditional detection methods.
YARA Rule
    // The androguard module is implicit on Koodous; a standalone YARA build
    // that ships the module needs the explicit import.
    import "androguard"

    rule Android_Triada : android
    {
        meta:
            author = "reverseShell - https://twitter.com/JReyCastro"
            date = "2016/03/04"
            description = "This rule tries to detect Android.Triada.Malware"
            sample = "4656aa68ad30a5cf9bcd2b63f21fba7cfa0b70533840e771bd7d6680ef44794b"
            source = "https://securelist.com/analysis/publications/74032/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/"

        strings:
            $string_1 = "android/system/PopReceiver"

        condition:
            // Every $string_* must be present AND all three permissions must be
            // declared in the manifest; the permission arguments are regexes.
            all of ($string_*) and
            androguard.permission(/android.permission.KILL_BACKGROUND_PROCESSES/) and
            androguard.permission(/android.permission.SYSTEM_ALERT_WINDOW/) and
            androguard.permission(/android.permission.GET_TASKS/)
    }
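The rule's condition combines a dex string match with three manifest permission checks, and the androguard.permission() arguments are regular expressions, not literal strings. The following Python is an added example (not part of the original rule or the Koodous module) that reproduces that condition over a constructed manifest and a constructed list of dex strings, so the AND semantics and the regex behaviour can be inspected without an APK; all sample values are made up for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest (not taken from any real Triada sample); the rule's
# permission checks are evaluated against its <uses-permission> entries.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
# Constructed strings standing in for what would be extracted from classes.dex.
SAMPLE_DEX_STRINGS = ["Landroid/system/PopReceiver;", "Ljava/lang/Object;"]

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Mirrors the rule's $string_* section (plain substring match, as YARA does).
RULE_STRINGS = ["android/system/PopReceiver"]
# Mirrors the rule's androguard.permission(/.../) calls. These are regexes, so each
# unescaped dot is a wildcard, exactly as written in the rule.
RULE_PERMISSION_PATTERNS = [
    r"android.permission.KILL_BACKGROUND_PROCESSES",
    r"android.permission.SYSTEM_ALERT_WINDOW",
    r"android.permission.GET_TASKS",
]

def manifest_permissions(manifest_xml):
    """Return the set of android:name values declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission") if el.get(ANDROID_NAME)}

def has_permission(perms, pattern):
    """Approximates androguard.permission(/regex/): true if any declared permission matches."""
    return any(re.search(pattern, p) for p in perms)

def rule_matches(dex_strings, perms):
    """Evaluate the rule's condition: every string present AND all three permissions declared."""
    strings_ok = all(any(s in d for d in dex_strings) for s in RULE_STRINGS)
    perms_ok = all(has_permission(perms, pat) for pat in RULE_PERMISSION_PATTERNS)
    return strings_ok and perms_ok

def evaluate(manifest_xml, dex_strings):
    """Convenience wrapper: parse the manifest, then apply the rule logic."""
    return rule_matches(dex_strings, manifest_permissions(manifest_xml))

if __name__ == "__main__":
    print(evaluate(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS))  # True for the constructed sample
```

Dropping any one permission or the PopReceiver string makes the condition fail, which is why a single loosely-named receiver or a common permission set alone does not fire this rule.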
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
Scenario: A system administrator is using ADB (Android Debug Bridge) to push a legitimate app to a test device for development purposes.
Filter/Exclusion: Exclude processes where the command line includes adb push or adb install and the destination path is a known development directory (e.g., /data/local/tmp/).
Scenario: A scheduled job runs Fastboot to flash a custom recovery image to a device during a routine maintenance window.
Filter/Exclusion: Exclude processes where the command line includes fastboot flash and the device is in a known maintenance or testing environment.
Scenario: An enterprise IT team uses Android Enterprise to deploy a company-wide policy update via Google Enterprise Mobility Management (EMM).
Filter/Exclusion: Exclude processes where the command line includes dm-verity or ota and the source is a known EMM server IP or domain.
Scenario: A developer is using Android Studio to debug an app, which triggers system calls that resemble malicious behavior.
Filter/Exclusion: Exclude processes where the parent process is studio or idea and the command line includes adb shell or logcat.
Scenario: A backup job runs rsync to copy user data to a remote server, which may include system files that trigger the rule.
Filter/Exclusion: Exclude processes where the command line includes rsync and the source or destination path matches known backup directories (e.g., /backup/, /data/backup/).