Adversaries may be using custom development tools or techniques to evade detection, indicating potential advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate sophisticated, long-term threats that may not trigger traditional detection rules.
YARA Rule

    rule moscow_fake : banker androoid
    {
        meta:
            author = "Fernando Denis"
            reference = "https://koodous.com/ https://twitter.com/fdrg21"
            description = "Moskow Droid Development"
            thread_level = 3
            in_the_wild = true
        strings:
            $string_a = "%ioperator%"
            $string_b = "%imodel%"
            $string_c = "%ideviceid%"
            $string_d = "%ipackname%"
            $string_e = "VILLLLLL"
        condition:
            all of ($string_*)
    }
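To make the matching semantics of the rule above concrete, here is an added Python re-implementation of its string logic (example code written for this page, not the rule author's or Koodous's code). It hard-codes the five $string_* patterns and the `all of ($string_*)` condition, then runs them against two constructed byte buffers: one carrying all five markers and one missing VILLLLLL. The near-miss case shows why a sample that carries four of the five strings produces no match, and the `missing_strings` helper (an assumed name, not part of YARA) reports which pattern a near-miss lacks, which is the question an analyst asks when tuning the rule.

```python
"""Plain-Python re-implementation of the moscow_fake string logic.

Added example, not the rule author's code. It mirrors the five
$string_* patterns and the `all of ($string_*)` condition so the
matching semantics can be studied without a YARA binary. The sample
buffers below are constructed for this example only.
"""
from __future__ import annotations

# The five patterns exactly as declared in the rule (ASCII, case-sensitive).
MOSCOW_FAKE_STRINGS: dict[str, bytes] = {
    "$string_a": b"%ioperator%",
    "$string_b": b"%imodel%",
    "$string_c": b"%ideviceid%",
    "$string_d": b"%ipackname%",
    "$string_e": b"VILLLLLL",
}


def find_strings(data: bytes, patterns=MOSCOW_FAKE_STRINGS) -> dict[str, list[int]]:
    """Return every offset at which each pattern occurs (empty list = absent)."""
    hits: dict[str, list[int]] = {}
    for name, needle in patterns.items():
        offsets: list[int] = []
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            offsets.append(idx)
            start = idx + 1  # overlapping occurrences are reported, as YARA does
        hits[name] = offsets
    return hits


def matches_moscow_fake(data: bytes) -> bool:
    """YARA `all of ($string_*)`: every pattern must appear at least once."""
    # Each value is a non-empty list when the pattern is present.
    return all(find_strings(data).values())


def missing_strings(data: bytes) -> list[str]:
    """Triage helper (assumed name): which of the five strings a sample lacks."""
    return [name for name, offs in find_strings(data).items() if not offs]


# Constructed sample 1: a blob carrying all five markers, as the rule expects.
SAMPLE_ALL = (
    b"\x00\x01hdr"
    b"op=%ioperator%;model=%imodel%;dev=%ideviceid%;pkg=%ipackname%;VILLLLLL"
    b"\x00"
)

# Constructed sample 2: the four template placeholders but no VILLLLLL marker.
SAMPLE_NEAR_MISS = SAMPLE_ALL.replace(b"VILLLLLL", b"")


if __name__ == "__main__":
    for label, blob in (("all-five", SAMPLE_ALL), ("near-miss", SAMPLE_NEAR_MISS)):
        verdict = "match" if matches_moscow_fake(blob) else "no match"
        print(f"{label}: {verdict}; missing {missing_strings(blob)}")
```

Because the condition is `all of`, dropping any one marker (here the VILLLLLL tag) is enough to silence the rule; that is the trade-off between the low false-positive rate of a five-string conjunction and its brittleness against trivially modified samples.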
This rule contains 5 string patterns in its detection logic, and its condition requires all of them to be present for a match. The rule can be tuned for the following deployment contexts:
Scenario: Scheduled Build Job Using Android Studio
Description: A legitimate CI/CD pipeline uses Android Studio to build an application, triggering the rule due to the presence of Android development tools.
Filter/Exclusion: Check for process.name containing "gradle" or "android_gradle_plugin" and filter out processes initiated by a known CI/CD tool like Jenkins or GitLab CI.

Scenario: Admin Task to Update Android SDK Components
Description: A system administrator updates Android SDK components using the SDK Manager, which may trigger the rule due to the presence of Android-related processes.
Filter/Exclusion: Filter processes where user.name is a known admin account and process.name includes "sdkmanager" or "android-sdk".

Scenario: Mobile App Development with Android Studio
Description: A developer is actively working on a mobile application using Android Studio, which may trigger the rule due to the presence of Android development tools.
Filter/Exclusion: Filter processes where process.name includes "studio" and the user is a known developer account, or check for the presence of a development environment flag in the process command line.

Scenario: Automated Testing with Espresso Framework
Description: An automated test suite using the Espresso framework runs on a development machine, triggering the rule due to Android testing tools.
Filter/Exclusion: Filter processes where process.name includes "espresso" or "Instrumentation" and check for the presence of a test framework identifier in the command line.

Scenario: Android Emulator Usage for Testing
Description: A developer uses an Android emulator for testing, which may trigger the rule due to the presence of Android-related processes.
Filter/Exclusion: Filter processes where process.name includes "emulator" or "avd" and check for the presence of