The SMSFraud Chinese rule detects potential malicious activity involving SMS-based fraud originating from Chinese IP addresses, which may indicate phishing or credential theft attempts. SOC teams should proactively hunt for this behavior in Azure Sentinel so that early-stage threats are identified and mitigated before they escalate into data breaches or financial loss.
YARA Rule
import "androguard"

rule smsfraud : ganga android
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "smsfraud chinese"
        sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"

    strings:
        $string_a_1 = "HHHEEEEEEBBBBBB??????;;;;;;888888444444000000,,,,,,''''''''''''######OOO###"
        $string_a_2 = "2e6081a2-a063-45c7-ab90-5db596e42c7c"

    condition:
        // Any one of the three clauses is enough for a match.
        androguard.package_name("com.yr.sx") or
        all of ($string_a_*) or
        androguard.activity(/com.snowfish.cn.ganga.offline.helper.SFGameSplashActivity/)
}
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns ($string_a_1 and $string_a_2) in its detection logic; the condition fires when both strings are present, or when the androguard package-name or activity check matches.
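To make the rule's three-way OR condition concrete, the following is an added Python example (not part of the page or of the rule author's tooling) that mirrors the condition over a constructed in-memory archive standing in for an APK. The package name and activity list are assumed to be supplied by a manifest parser such as androguard, which is what the rule itself relies on; the archive contents here are constructed test data, not the sample referenced in the rule's meta block.

```python
import io
import re
import zipfile

# Constants copied verbatim from the YARA rule above.
STRING_A_1 = b"HHHEEEEEEBBBBBB??????;;;;;;888888444444000000,,,,,,''''''''''''######OOO###"
STRING_A_2 = b"2e6081a2-a063-45c7-ab90-5db596e42c7c"
PACKAGE_NAME = "com.yr.sx"
# Same unescaped regex the rule passes to androguard.activity(); the dots
# match any character here exactly as they do in the rule.
ACTIVITY_RE = re.compile(r"com.snowfish.cn.ganga.offline.helper.SFGameSplashActivity")


def build_sample_apk(members):
    """Build a constructed in-memory zip that stands in for an APK.

    `members` maps archive entry names to bytes. This is test scaffolding,
    not a real sample.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_strings(apk_bytes):
    """Report which of the rule's two strings occur in any archive member.

    Caveat: YARA scans the raw bytes of the file it is handed, so a string
    that only exists inside a deflated zip entry would not match in YARA
    itself. This helper inflates the entries on purpose so the check also
    covers that case.
    """
    found = {"$string_a_1": False, "$string_a_2": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            found["$string_a_1"] |= STRING_A_1 in data
            found["$string_a_2"] |= STRING_A_2 in data
    return found


def evaluate_rule(apk_bytes, package_name, activities):
    """Mirror the rule's condition and return the clause that fired, or None.

    `package_name` and `activities` are assumed to come from a manifest
    parser such as androguard; the rule obtains them via the androguard module.
    """
    if package_name == PACKAGE_NAME:
        return "androguard.package_name"
    # "all of ($string_a_*)": both strings must be present, one is not enough.
    if all(find_strings(apk_bytes).values()):
        return "all of ($string_a_*)"
    if any(ACTIVITY_RE.search(a) for a in activities):
        return "androguard.activity"
    return None


if __name__ == "__main__":
    sample = build_sample_apk({"classes.dex": b"\x00" + STRING_A_1 + b"\x00" + STRING_A_2})
    print(evaluate_rule(sample, "com.example.game", ["com.example.MainActivity"]))
```

Because the clauses are joined with `or`, a match on the package name or the splash activity is reported on its own even when neither string is present; conversely, a sample that carries only one of the two strings and neither identifier does not match.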
Scenario: System Maintenance Task Sending SMS via API
Description: A legitimate system maintenance task, such as a scheduled job using Twilio or Nexmo, sends SMS for notifications or alerts.
Filter/Exclusion: Exclude traffic from known maintenance IP ranges or filter by destination_number matching internal or whitelisted numbers.
Scenario: Admin User Sending SMS for User Verification
Description: An admin user sends SMS for user verification via Google Cloud Messaging (GCM) or Firebase Cloud Messaging (FCM) as part of a legitimate authentication flow.
Filter/Exclusion: Exclude messages sent from admin accounts or filter by sender_id matching known admin credentials.
Scenario: Automated Backup Tool Sending SMS Alerts
Description: A backup tool like Veeam or Commvault sends SMS alerts via an integrated SMS gateway when backups complete or fail.
Filter/Exclusion: Exclude messages with specific alert keywords like “Backup Completed” or “Backup Failed” or filter by source_ip associated with the backup tool.
Scenario: Scheduled Job for SMS Marketing Campaign
Description: A marketing team uses HubSpot or Salesforce Marketing Cloud to send SMS campaigns to customers as part of a scheduled job.
Filter/Exclusion: Exclude messages with known marketing campaign IDs or filter by campaign_name matching approved marketing initiatives.
Scenario: Internal SMS Gateway for Internal Communications
Description: An internal SMS gateway, such as Sinch or Plivo, is used for internal communications between employees or departments.
Filter/Exclusion: Exclude messages with internal domain headers or filter by sender_number matching internal phone numbers or SIP addresses.
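The five scenarios above each describe an exclusion keyed on a different field of an SMS gateway event. As an added example (not part of the page), the following Python applies all five exclusions to constructed JSON-lines gateway events and leaves only the unexplained messages for review. Every allow-list value, field name and log line is an assumption standing in for what an organisation would maintain; note also that these exclusions apply to gateway event logs, not to the APK bytes that the YARA rule itself scans.

```python
import ipaddress
import json

# Constructed allow-list mirroring the five scenarios; all values are assumptions.
ALLOWLIST = {
    "maintenance_networks": [ipaddress.ip_network("10.20.0.0/24")],
    "admin_sender_ids": {"admin-verify"},
    "alert_keywords": ("Backup Completed", "Backup Failed"),
    "backup_source_ips": {"10.30.0.5"},
    "campaign_names": {"spring_promo"},
    "internal_numbers": {"+15550100", "+15550101"},
}


def exclusion_reason(event):
    """Return which scenario explains the SMS event, or None if it needs review."""
    src = event.get("source_ip")
    src_addr = ipaddress.ip_address(src) if src else None
    # Scenario 1: maintenance task from a known maintenance range.
    if src_addr and any(src_addr in net for net in ALLOWLIST["maintenance_networks"]):
        return "maintenance task"
    # Scenario 2: admin verification flow identified by sender_id.
    if event.get("sender_id") in ALLOWLIST["admin_sender_ids"]:
        return "admin verification"
    # Scenario 3: backup tool alert, by source_ip or alert keyword in the body.
    body = event.get("body", "")
    if src in ALLOWLIST["backup_source_ips"] or any(k in body for k in ALLOWLIST["alert_keywords"]):
        return "backup alert"
    # Scenario 4: approved marketing campaign.
    if event.get("campaign_name") in ALLOWLIST["campaign_names"]:
        return "marketing campaign"
    # Scenario 5: internal gateway traffic between internal numbers.
    if (event.get("sender_number") in ALLOWLIST["internal_numbers"]
            and event.get("destination_number") in ALLOWLIST["internal_numbers"]):
        return "internal gateway"
    return None


def triage(log_lines):
    """Parse JSON-lines SMS gateway events into (expected, suspicious) lists."""
    expected, suspicious = [], []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reason = exclusion_reason(event)
        if reason:
            expected.append((event, reason))
        else:
            suspicious.append(event)
    return expected, suspicious


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """
{"source_ip": "10.20.0.7", "sender_id": "cron", "destination_number": "+15550100", "body": "Disk at 91%"}
{"source_ip": "203.0.113.9", "sender_id": "admin-verify", "destination_number": "+15550199", "body": "Your code is 123456"}
{"source_ip": "10.30.0.5", "sender_id": "veeam", "destination_number": "+15550100", "body": "Backup Completed: job nightly"}
{"source_ip": "203.0.113.10", "sender_id": "hubspot", "campaign_name": "spring_promo", "destination_number": "+15550250", "body": "20% off this week"}
{"source_ip": "10.40.0.2", "sender_number": "+15550100", "destination_number": "+15550101", "body": "Lunch at 12?"}
{"source_ip": "198.51.100.77", "sender_id": "unknown", "destination_number": "+15550300", "body": "Your account is locked, confirm at http://example.invalid"}
"""

if __name__ == "__main__":
    expected, suspicious = triage(SAMPLE_LOG.splitlines())
    for event, reason in expected:
        print("expected", reason, "->", event["body"])
    for event in suspicious:
        print("REVIEW  ", event["source_ip"], "->", event["body"])
```

Keep the exclusions narrow: matching on an alert keyword alone (scenario 3) would let any message containing "Backup Completed" through, so pairing the keyword with the backup tool's source_ip, as the page suggests, is the safer choice.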