FinSpy for Android, the mobile component of the Gamma Group/FinFisher "GovWare" spyware suite, covertly collects and exfiltrates data from an infected device and persists on it. Its APK can be spotted with the YARA rule below, which keys on a structural anomaly in the APK's ZIP container rather than on strings that change between builds. SOC teams can run the rule over APKs collected from managed devices, mail or web gateways and bring the matches into Azure Sentinel for hunting, so that potential government-sponsored espionage activity is caught early.
YARA Rule
rule finspy : cdshide android
{
    meta:
        description = "Detect Gamma/FinFisher FinSpy for Android #GovWare"
        date = "2020/01/07"
        author = "Thorsten Schröder - ths @ ccc.de (https://twitter.com/__ths__)"
        reference1 = "https://github.com/devio/FinSpy-Tools"
        reference2 = "https://github.com/Linuzifer/FinSpy-Dokumentation"
        reference3 = "https://www.ccc.de/de/updates/2019/finspy"
        sample = "c2ce202e6e08c41e8f7a0b15e7d0781704e17f8ed52d1b2ad7212ac29926436e"
    strings:
        $re = /\x50\x4B\x01\x02[\x00-\xff]{32}[A-Za-z0-9+\/]{6}/
    condition:
        $re and (#re > 50)
}
Deployment notes
The rule contains a single string pattern ($re) and fires only when that pattern matches more than 50 times in one file. It is a file-content rule: run it against APK files (samples pulled from devices with adb, exported from an MDM/EMM console, or extracted from mail and web gateway quarantines), not against process or command-line telemetry.
What the pattern matches: \x50\x4B\x01\x02 is the signature of a ZIP central directory file header. The next 32 bytes of the record are skipped, and the following six bytes must all be characters of the base64 alphabet. In the ZIP central directory layout those six bytes (record offsets 36 to 41) are the 2-byte internal file attributes and the 4-byte external file attributes. Ordinary archivers store small flag values or Unix mode bits there, which always include null bytes, so a normal APK, JAR or Office document yields zero matches. A ZIP whose central directory entries carry printable base64 text in those fields, more than 50 of them, is the anomaly the rule (tag: cdshide) keys on.
Scenario: APK collection by developers or admins (ADB, MDM exports)
Description: APKs pulled with adb or exported from a device-management console are exactly the files the rule should inspect. The rule never looks at the adb or logcat process, so exclusions on process names, command lines or user accounts have no effect on it.
Filter/Exclusion: Do not exclude by process or user. Allowlist known-good internally built apps by file hash or APK signing certificate, and verify any hit with the reference tooling (FinSpy-Tools, reference1 above).
Scenario: Non-APK ZIP containers (JAR, DOCX/XLSX, log archives from SIEM collectors, backup sets)
Description: All of these share the PK\x01\x02 central directory header, so the first part of the pattern is present in every entry. A false positive still requires more than 50 entries whose attribute fields consist only of base64 characters, which standard tooling does not write.
Filter/Exclusion: If scan volume is a concern, scope the rule to APKs (an archive containing AndroidManifest.xml and classes.dex). Treat a hit in any other container type as worth a manual look rather than as something to exclude automatically.
Scenario: Security scanners and integrity checks covering the same file set
Description: A second scanner or integrity tool that walks the same files produces the same hits; these are duplicates, not false positives.
Filter/Exclusion: Deduplicate alerts by file hash across tools rather than excluding either tool.
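The script below is an added example and is not code from the page, from the rule's author or from FinSpy-Tools. It shows what the rule's regex lands on by applying the same byte pattern in Python and, independently, by walking the ZIP central directory structurally and reading the 2-byte internal plus 4-byte external attribute fields at record offset 36 to 41. The benign archive is constructed with Python's zipfile module; the "planted" sample is the same archive with a base64 blob spread over those attribute fields, six characters per record, which is a constructed illustration of the cdshide technique and not real FinSpy data. Recovering the blob with plain base64 only undoes this example's own encoding; real samples are decoded with the reference tooling.

```python
# Added example (not from the page or FinSpy-Tools): what the finspy YARA
# regex matches inside a ZIP/APK. All samples are constructed in this file.
import base64
import io
import re
import struct
import zipfile

CD_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature
THRESHOLD = 50            # the rule's condition is #re > 50
# Byte-for-byte equivalent of the rule's $re.
FINSPY_RE = re.compile(rb"\x50\x4B\x01\x02[\x00-\xff]{32}[A-Za-z0-9+/]{6}")
B64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def count_regex_hits(data):
    """What YARA's #re would report for this file."""
    return len(FINSPY_RE.findall(data))


def matches_rule(data):
    return count_regex_hits(data) > THRESHOLD


def cd_record_offsets(data):
    """Offsets of the central directory records, located via the EOCD record
    (entry count at EOCD+10, size at +12, start offset at +16)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return []
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    offsets = []
    for _ in range(count):
        if data[pos:pos + 4] != CD_SIG:
            break
        offsets.append(pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        pos += 46 + name_len + extra_len + comment_len
    return offsets


def attribute_fields(data):
    """(file name, 6 bytes) per record. Offsets 36..41 of a record hold the
    2-byte internal and 4-byte external file attributes: signature (4) plus
    32 skipped bytes puts the regex's [A-Za-z0-9+/]{6} exactly there."""
    out = []
    for pos in cd_record_offsets(data):
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        name = bytes(data[pos + 46:pos + 46 + name_len]).decode("utf-8", "replace")
        out.append((name, bytes(data[pos + 36:pos + 42])))
    return out


def cdshide_entries(data):
    """Records whose attribute bytes are entirely base64 text (the anomaly)."""
    return [(n, a) for n, a in attribute_fields(data)
            if all(b in B64_ALPHABET for b in a)]


def recover_hidden(data):
    """Join the anomalous fields in central directory order and base64-decode
    them. This undoes only the constructed sample's encoding (see lead-in)."""
    return base64.b64decode(b"".join(a for _, a in cdshide_entries(data)))


def build_apk_like_zip(n_entries):
    """Constructed benign archive. zipfile writes 00 00 | 00 00 80 01 into the
    attribute fields, and those null bytes keep the regex from matching."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        for i in range(n_entries):
            zf.writestr("res/raw/blob%d.dat" % i, b"x" * 16)
    return buf.getvalue()


def plant_cdshide(data, blob):
    """Constructed cdshide sample: spread a base64 blob over the attribute
    fields of successive central directory records, six characters each."""
    assert len(blob) % 6 == 0 and all(b in B64_ALPHABET for b in blob)
    out = bytearray(data)
    chunks = [blob[i:i + 6] for i in range(0, len(blob), 6)]
    offsets = cd_record_offsets(out)
    assert len(chunks) <= len(offsets), "not enough records to carry the blob"
    for pos, chunk in zip(offsets, chunks):
        out[pos + 36:pos + 42] = chunk
    return bytes(out)


# Constructed inputs: 270 payload bytes -> 360 base64 chars (no '=' padding)
# -> 60 records, enough to clear the > 50 threshold; 65 records are available.
HIDDEN_PAYLOAD = (b"constructed-hidden-config;" * 11)[:270]
BENIGN = build_apk_like_zip(64)
PLANTED = plant_cdshide(BENIGN, base64.b64encode(HIDDEN_PAYLOAD))

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("planted", PLANTED)):
        print("%s: #re=%d fires=%s anomalous_records=%d" % (
            label, count_regex_hits(sample), matches_rule(sample),
            len(cdshide_entries(sample))))
    print("recovered:", recover_hidden(PLANTED)[:40])
```

The structural walk is the part worth keeping for triage: when the rule fires on a real APK, dumping the anomalous records with their file names shows immediately which entries carry the hidden data and in what order, which is what the decoding tooling needs; the regex count alone only tells you that the threshold was crossed.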