Attackers may be using malicious APKs to execute SMS fraud by intercepting or spoofing SMS messages, allowing them to steal user credentials or initiate fraudulent transactions. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential SMS fraud campaigns early.
YARA Rule
import "androguard"

rule smsfraud_apk : android
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        description = "This rule detects apks related with sms fraud"
        sample = "79b35a99f16de6912d6193f06361ac8bb75ea3a067f3dbc1df055418824f813c"
    condition:
        // Matches on the SHA-1 fingerprint of the APK signing certificate, so
        // only APKs signed with this exact certificate hit, whatever package
        // name or functionality they carry
        androguard.certificate.sha1("9E1B8719D80656E9EADAAB4251B2CFB4C8188835")
}
When this YARA rule is deployed, the following benign scenarios may produce matches; each is paired with a filter or exclusion to reduce false positives:
Scenario: A legitimate system management tool (e.g., Microsoft Intune or Jamf Pro) is distributing an APK that includes SMS-related functionality for device enrollment or policy enforcement.
Filter/Exclusion: Exclude APKs signed by known enterprise management tools or check the package name against a whitelist of approved management apps.

Scenario: A scheduled job (e.g., cron job or Windows Task Scheduler) is using an APK to send automated SMS notifications for system alerts or user notifications.
Filter/Exclusion: Exclude APKs associated with scheduled tasks by checking the com.android.intent.action.SCHEDULED_JOB intent or using a custom field that identifies task-based usage.

Scenario: An admin is using Android Debug Bridge (ADB) to push an APK to a test device for development or testing purposes, which includes SMS-related code for testing.
Filter/Exclusion: Exclude APKs pushed via ADB by checking the presence of ADB-specific metadata or by filtering based on the device's debuggable flag.

Scenario: A legitimate enterprise app (e.g., Cisco AnyConnect or Microsoft Teams) includes SMS capabilities for two-factor authentication (2FA) or user verification.
Filter/Exclusion: Exclude APKs that are part of known enterprise apps by checking the package name against a predefined list of trusted applications.

Scenario: A mobile device management (MDM) solution (e.g., Microsoft Endpoint Manager or SailPoint) is deploying an APK that includes SMS functionality for user authentication or device configuration.
Filter/Exclusion: Exclude APKs associated with MDM solutions by checking the package name or using a custom field that identifies MDM-related deployments.
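The exclusions above all key on package names, install source or a debuggable flag. The following Python script is an added example (not code from the original page or from the rule author) that applies those exclusions to YARA match records, with one refinement a defender would want: a package name is attacker-controlled, so an allowlisted name is only excluded when the APK is also signed by that package's expected certificate. It assumes an upstream step (a YARA scan with the androguard module, or androguard itself) has already produced one record per APK; the package names, certificate fingerprints and the rule name "sms_capability" are constructed placeholders, and only the sample hash and certificate SHA-1 come from the page.

```python
"""Triage YARA matches on Android APKs against a signer-aware allowlist.

Added example, not code from the original page. Assumes an upstream scan has
produced one record per APK with its package name, signing-certificate SHA-1
and the list of YARA rules that matched.
"""
import hashlib
from dataclasses import dataclass, field

# Signing-certificate SHA-1 used in the page's smsfraud_apk rule.
SMSFRAUD_CERT_SHA1 = "9E1B8719D80656E9EADAAB4251B2CFB4C8188835"

# Hypothetical allowlist: package name -> trusted signing-certificate SHA-1s.
# Package names and fingerprints are constructed placeholders; a real
# deployment populates this from each vendor's published signing certificate.
TRUSTED_SIGNERS = {
    "com.example.mdm.agent": {"0000000000000000000000000000000000000001"},
    "com.example.enterprise.vpn": {"0000000000000000000000000000000000000002"},
}


@dataclass
class ApkObservation:
    sha256: str
    package_name: str
    cert_sha1: str
    matched_rules: list = field(default_factory=list)
    debuggable: bool = False
    install_source: str = "unknown"  # e.g. "adb", "mdm", "store", "sideload"


def cert_sha1(der_cert: bytes) -> str:
    """Fingerprint a DER-encoded X.509 signing certificate as upper-case hex,
    the form androguard.certificate.sha1() compares against."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def triage(obs: ApkObservation) -> tuple:
    """Return (verdict, reason) for one APK record.

    Verdicts: "no_match", "excluded", "review", "alert".
    """
    if not obs.matched_rules:
        return ("no_match", "no YARA rule matched")
    fp = obs.cert_sha1.upper()
    # The page's rule keys on one specific certificate; nothing signed with it
    # is ever allowlisted, whatever package name it carries.
    if fp == SMSFRAUD_CERT_SHA1:
        return ("alert", "signed with the smsfraud_apk certificate")
    trusted = TRUSTED_SIGNERS.get(obs.package_name)
    if trusted is not None:
        if fp in trusted:
            return ("excluded", "allowlisted package signed by its expected certificate")
        # A repackaged APK can reuse a trusted package name, so a signer
        # mismatch is escalated rather than excluded.
        return ("alert", "allowlisted package name with an unexpected signing certificate")
    if obs.install_source == "adb" and obs.debuggable:
        return ("review", "debuggable build pushed over ADB; confirm with the developer")
    return ("alert", "unrecognised APK matched " + ", ".join(obs.matched_rules))


def alerts_for(observations) -> list:
    """Return the sha256 digests of records that need SOC attention."""
    return [o.sha256 for o in observations if triage(o)[0] == "alert"]


# Constructed sample records; the first sha256 is the page's reference sample,
# "sms_capability" is a hypothetical rule name for a broader SMS-related rule.
SAMPLE_OBSERVATIONS = [
    ApkObservation("79b35a99f16de6912d6193f06361ac8bb75ea3a067f3dbc1df055418824f813c",
                   "com.example.smsapp", SMSFRAUD_CERT_SHA1,
                   ["smsfraud_apk"], install_source="sideload"),
    ApkObservation("a1" * 32, "com.example.mdm.agent",
                   "0000000000000000000000000000000000000001",
                   ["sms_capability"], install_source="mdm"),
    ApkObservation("b2" * 32, "com.example.mdm.agent",
                   "0000000000000000000000000000000000000003",
                   ["sms_capability"], install_source="sideload"),
    ApkObservation("c3" * 32, "com.example.qa.build",
                   "0000000000000000000000000000000000000004",
                   ["sms_capability"], debuggable=True, install_source="adb"),
    ApkObservation("d4" * 32, "com.example.clean",
                   "0000000000000000000000000000000000000005", []),
]

if __name__ == "__main__":
    for obs in SAMPLE_OBSERVATIONS:
        verdict, reason = triage(obs)
        print(f"{obs.sha256[:12]}  {obs.package_name:28} {verdict:9} {reason}")
```

Run stand-alone it prints one line per record: the page's sample and the impersonating APK (trusted package name, unknown signer) are alerts, the genuine MDM agent is excluded, the debuggable ADB build is queued for review, and the record with no matching rule is dropped. The same verdict function can back a Sentinel analytics rule once the APK records are ingested into a custom table.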