This rule detects a kind of SMSFraud trojan

Hunt Hypothesis

The hypothesis is that the detected behavior indicates an adversary is attempting to exploit SMS-based fraud by leveraging compromised credentials to send malicious messages. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential SMSFraud trojan activity before it leads to data exfiltration or financial loss.

YARA Rule

rule smsfraud1 : android
{
    meta:
        author = "Antonio Sánchez https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        description = "This rule detects a kind of SMSFraud trojan"
        sample = "265890c3765d9698091e347f5fcdcf1aba24c605613916820cc62011a5423df2"
        sample2 = "112b61c778d014088b89ace5e561eb75631a35b21c64254e32d506379afc344c"

    strings:
        $a = "E!QQAZXS"
        $b = "__exidx_end"
        $c = "res/layout/notify_apkinstall.xmlPK"

    condition:
    all of them
        
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• https://koodous.com/
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate system maintenance task, such as a backup or log rotation, may trigger the rule due to process creation or file access patterns similar to malware behavior.
  Filter/Exclusion: Exclude processes associated with known system maintenance tools like vssvc.exe (Volume Shadow Copy Service) or schtasks.exe when running scheduled jobs.

• Scenario: Admin Task Using PowerShell for Configuration Changes
  Description: An administrator may use PowerShell scripts to configure network settings or update policies, which could resemble the behavior of a trojan.
  Filter/Exclusion: Exclude processes initiated by powershell.exe when executed by users with administrative privileges and when the command line includes known administrative tasks (e.g., netsh, ipconfig, Set-ItemProperty).

• Scenario: Antivirus or Endpoint Protection Scan
  Description: Antivirus or endpoint protection tools may perform deep scans that involve file access and process creation, which could be mistaken for malicious activity.
  Filter/Exclusion: Exclude processes associated with known security tools like mpsvc.exe (Microsoft Defender), avgnt.exe, or bitdefender.exe during scheduled or on-demand scans.

• Scenario: User-Initiated File Transfer via SMB
  Description: A user may transfer files via SMB (e.g., using smbclient or net use), which could trigger the rule due to network activity or file access patterns.
  Filter/Exclusion: Exclude network traffic originating from user-initiated file transfers using tools like smbclient, net use, or robocopy during normal business hours.

• Scenario: Log Collection or Monitoring Tool Activity
  Description: Tools like logparser.exe, splunkforwarder, or syslog-ng may perform file access