APKs signed by the ASSD developer's certificate may indicate the presence of malicious or unauthorized applications that could be used for lateral movement or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of mobile devices or sensitive data access.
YARA Rule
import "androguard"

rule assd_developer : official android
{
    meta:
        author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "This rule detects apks from ASSD developer"
        sample = "cb9721c524f155478e9402d213e240b9f99eaba86fcbce0571cd7da4e258a79e"

    condition:
        // SHA-1 of the APK signing certificate used by the ASSD developer
        androguard.certificate.sha1("ED9A1CE1F18A1097DCCC5C0CB005E3861DA9C34A")
}
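The rule above keys on a single value: the SHA-1 of the certificate that signed the APK. The following Python is an added example (not from the page, Koodous or the rule author) showing how a defender can compute that value from an APK with only the standard library and compare it against the rule's hash, for example when triaging a sample outside of Koodous. It parses the PKCS#7 SignedData in META-INF/*.RSA (the JAR v1 signature) with a minimal DER walker; the sample APK it builds is constructed in the block and is not a real ASSD application.

```python
"""Added example: reproduce the androguard.certificate.sha1 check offline.

Reads the JAR (v1) signature block of an APK, extracts each signer
certificate from the PKCS#7 SignedData and hashes its DER encoding.
"""
import hashlib
import io
import zipfile

# Certificate hash taken from the YARA rule on the page.
ASSD_CERT_SHA1 = "ED9A1CE1F18A1097DCCC5C0CB005E3861DA9C34A"


def _der(tag, payload):
    """Encode one DER TLV (single-byte tag, definite length); used for the sample."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + payload


def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, tlv_end) for every TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag = buf[pos]
        length = buf[pos + 1]
        hdr = 2
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr += n
        value_start = pos + hdr
        tlv_end = value_start + length
        yield tag, pos, value_start, tlv_end
        pos = tlv_end


def _find_child(buf, start, end, wanted_tag):
    """Value span (start, end) of the first TLV with wanted_tag in buf[start:end], or None."""
    for tag, _, vs, ve in _children(buf, start, end):
        if tag == wanted_tag:
            return vs, ve
    return None


def pkcs7_cert_sha1s(pkcs7):
    """Upper-case hex SHA-1 of every certificate in a PKCS#7 SignedData blob.

    Path: ContentInfo SEQUENCE -> content [0] EXPLICIT -> SignedData SEQUENCE
    -> certificates [0] IMPLICIT (tag 0xA0). Each Certificate's full DER
    encoding is hashed, which is the value androguard reports as certificate.sha1.
    """
    span = _find_child(pkcs7, 0, len(pkcs7), 0x30)
    span = span and _find_child(pkcs7, *span, 0xA0)
    span = span and _find_child(pkcs7, *span, 0x30)
    span = span and _find_child(pkcs7, *span, 0xA0)
    if span is None:
        return []
    return [hashlib.sha1(pkcs7[ts:te]).hexdigest().upper()
            for _, ts, _, te in _children(pkcs7, *span)]


def apk_cert_sha1s(apk_bytes):
    """Signer certificate hashes from META-INF/*.RSA|DSA|EC inside the APK.

    Caveat: only the JAR (v1) signature is examined. An APK signed solely with
    APK Signature Scheme v2/v3 has no such file and yields an empty list.
    """
    hashes = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                hashes.extend(pkcs7_cert_sha1s(zf.read(name)))
    return hashes


def matches_rule(apk_bytes, wanted=frozenset({ASSD_CERT_SHA1})):
    """Mirror of the rule's condition: True if any signer cert SHA-1 is in `wanted`."""
    wanted = {h.upper() for h in wanted}
    return any(h in wanted for h in apk_cert_sha1s(apk_bytes))


# --- constructed sample (NOT a real ASSD APK): a zip holding a synthetic PKCS#7 ---
SAMPLE_CERT = _der(0x30, b"constructed fake certificate body")


def build_sample_apk():
    """Build an in-memory APK-like zip whose CERT.RSA carries SAMPLE_CERT."""
    signed_data = _der(0x30,
        _der(0x02, b"\x01")                                                 # version
        + _der(0x31, b"")                                                   # digestAlgorithms
        + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))  # contentInfo: id-data
        + _der(0xA0, SAMPLE_CERT)                                           # certificates [0]
        + _der(0x31, b""))                                                  # signerInfos
    content_info = _der(0x30,
        _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")                # id-signedData
        + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue()


def sample_cert_sha1():
    """Expected hash of the constructed certificate, for checking the walker."""
    return hashlib.sha1(SAMPLE_CERT).hexdigest().upper()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("signer cert SHA-1:", apk_cert_sha1s(apk))
    print("matches ASSD rule:", matches_rule(apk))
    print("matches own cert :", matches_rule(apk, {sample_cert_sha1()}))
```

Replace `build_sample_apk()` with the bytes of a real APK to triage it; `matches_rule` accepts any set of certificate hashes, so the same function serves a whole watchlist of signer certificates rather than the single one in the rule.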
When this YARA rule is deployed, the following legitimate scenarios may also match it; each lists a suggested exclusion so that the alert only fires outside that context.

Scenario: Android Debug Bridge (ADB) package installation
Description: A system administrator uses ADB to install a debug APK from the ASSD developer for testing purposes.
Filter/Exclusion: process.name != "adb" and process.parent.name != "adb"

Scenario: Scheduled job for app updates
Description: A scheduled job runs nightly to update apps, including one from the ASSD developer, using a CI/CD pipeline.
Filter/Exclusion: process.name != "gradle" and process.name != "maven"

Scenario: Internal tool for device management
Description: An internal Mobile Device Management (MDM) tool deploys a legitimate APK from the ASSD developer to company devices.
Filter/Exclusion: process.name != "MDM_Client" and process.parent.name != "MDM_Service"

Scenario: Developer testing on a staging environment
Description: A developer tests an APK from the ASSD developer on a staging environment using Android Studio.
Filter/Exclusion: process.name != "studio" and process.parent.name != "studio"

Scenario: Automated build and signing process
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) signs and packages an APK from the ASSD developer as part of a release build.
Filter/Exclusion: process.name != "gradle" and process.name != "jfrog"