The smsfraud2 rule flags Android APKs that carry a native library lib/armeabi/libmylib.so whose contents include the strings pluginSMS_decrypt and pluginSMS_encrypt, the names of an SMS encrypt/decrypt plugin seen in the two referenced SMS-fraud samples. YARA matches file bytes, so this is a file-content rule: run it over APK samples in a sandbox, malware repository, or mobile app-vetting pipeline to catch this family before a smishing or premium-SMS campaign escalates. It does not detect SMS traffic patterns and is not a SIEM analytic; it cannot be expressed as an Azure Sentinel query over SMS telemetry.
YARA Rule
rule smsfraud2 : android {
    meta:
        author = "Antonio Sánchez https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        sample = "0200a454f0de2574db0b58421ea83f0f340bc6e0b0a051fe943fdfc55fea305b"
        sample2 = "bff3881a8096398b2ded8717b6ce1b86a823e307c919916ab792a13f2f5333b6"
    strings:
        $a = "pluginSMS_decrypt"
        $b = "pluginSMS_encrypt"
        $c = "__dso_handle"
        $d = "lib/armeabi/libmylib.soUT"
        $e = "]Diok\"3|"
    condition:
        all of them
}
Detection logic and deployment: the rule has five plain strings and the condition all of them, so every one of them must occur in a single scanned file. $a, $b and $c are content of the native library; $c, __dso_handle, is a toolchain (crtbegin) symbol present in any unstripped shared object and adds no selectivity on its own. $d is not a plain path: it is the ZIP entry name lib/armeabi/libmylib.so immediately followed by the two-byte header ID 0x5455, which is the bytes "UT" on disk, of the Info-ZIP extended-timestamp extra field. It therefore matches the APK's ZIP local-header and central-directory layout, not the library itself. $e is an opaque byte sequence taken from the samples.
Three consequences follow. First, scan the raw APK, not an unpacked directory: an extracted libmylib.so on its own never matches because $d is absent. Second, YARA does not inflate compressed ZIP entries, so the rule only fires when the entries holding $a to $c and $e are stored uncompressed in the APK; a repackaged sample whose ZIP writer deflates the library or does not emit the UT extra field is missed. Third, because YARA sees file bytes only, exclusions have to be expressed on file properties (SHA-256, path, APK signing certificate, package name) or in the scanning pipeline, never on source IP address or hostname.
Typical deployment points are a malware repository or sandbox submission queue, a mobile app-vetting or MDM app-catalog scan, attachment scanning that sees .apk files, and retro-hunting over collected APKs with yara-python or on the Koodous platform.
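The points above about what the rule can and cannot see are easiest to confirm by running its string logic over files whose packaging you control. The following is an added example, not code from the rule author or the Koodous project: it emulates the five plain strings and the all of them condition in pure Python (with an optional cross-check through yara-python when that module is installed), builds small APK-like zips in memory with the standard library, and scans four variants: the library stored with the Info-ZIP UT extra field, stored without it, deflate-compressed, and the library extracted on its own. The library bytes, the JNI-style symbol names and the manifest placeholder are constructed stand-ins, not the referenced samples.

```python
"""Added example: emulate smsfraud2 string matching over constructed APK-like zips.
Standard library only; the files are built here and are not the referenced samples."""
import io
import struct
import zipfile

# The rule's five plain strings as bytes. In the YARA source, \" is a literal quote.
SMSFRAUD2_STRINGS = {
    "$a": b"pluginSMS_decrypt",
    "$b": b"pluginSMS_encrypt",
    "$c": b"__dso_handle",
    "$d": b"lib/armeabi/libmylib.soUT",
    "$e": b']Diok"3|',
}

# The rule as on the page (meta block omitted), for an optional yara-python cross-check.
SMSFRAUD2_RULE = r'''
rule smsfraud2 : android {
    strings:
        $a = "pluginSMS_decrypt"
        $b = "pluginSMS_encrypt"
        $c = "__dso_handle"
        $d = "lib/armeabi/libmylib.soUT"
        $e = "]Diok\"3|"
    condition:
        all of them
}
'''


def smsfraud2_hits(buf: bytes) -> dict:
    """Which of the rule's strings occur anywhere in buf (plain strings, no modifiers)."""
    return {name: pat in buf for name, pat in SMSFRAUD2_STRINGS.items()}


def smsfraud2_matches(buf: bytes) -> bool:
    """The rule's condition: all of them."""
    return all(smsfraud2_hits(buf).values())


def ut_extra_field(mtime: int) -> bytes:
    """Info-ZIP extended-timestamp extra field: header ID 0x5455 (the bytes "UT" on
    disk, little-endian), data size 5 = flags byte (bit 0: mtime present) + mtime."""
    return struct.pack("<HHBI", 0x5455, 5, 0x01, mtime)


# Constructed stand-in for libmylib.so. Not a valid ELF: it only carries the rule's
# content indicators, padded with zeros so deflate re-encodes the bytes instead of
# emitting a stored block. The JNI-style export names are hypothetical.
FAKE_LIB = (
    b"\x7fELF" + b"\x00" * 1024
    + b"Java_com_example_pluginSMS_decrypt\x00"
    + b"Java_com_example_pluginSMS_encrypt\x00"
    + b"__dso_handle\x00"
    + b"\x00" * 1024
    + b']Diok"3|'
    + b"\x00" * 1024
)


def build_apk(stored: bool = True, with_ut_extra: bool = True) -> bytes:
    """In-memory zip with one native-library entry. `stored` selects ZIP_STORED vs
    ZIP_DEFLATED; `with_ut_extra` controls whether a UT field follows the entry name."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zi = zipfile.ZipInfo("lib/armeabi/libmylib.so", date_time=(2015, 1, 1, 0, 0, 0))
        zi.compress_type = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
        if with_ut_extra:
            zi.extra = ut_extra_field(1420070400)  # 2015-01-01T00:00:00Z
        zf.writestr(zi, FAKE_LIB)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder entry
    return out.getvalue()


def extract_lib(apk: bytes) -> bytes:
    """What an analyst has after unzipping: library bytes with no zip headers around them."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read("lib/armeabi/libmylib.so")


def yara_cross_check(buf: bytes):
    """Run the real rule with yara-python if installed; returns None when it is not."""
    try:
        import yara  # pip install yara-python
    except ImportError:
        return None
    return bool(yara.compile(source=SMSFRAUD2_RULE).match(data=buf))


if __name__ == "__main__":
    cases = [
        ("stored + UT", build_apk()),
        ("stored, no UT", build_apk(with_ut_extra=False)),
        ("deflated + UT", build_apk(stored=False)),
        ("extracted .so", extract_lib(build_apk())),
    ]
    for label, buf in cases:
        hits = {k: int(v) for k, v in smsfraud2_hits(buf).items()}
        print(f"{label:14s} {hits} match={smsfraud2_matches(buf)} yara={yara_cross_check(buf)}")
```

Running it prints one line per case, and only the stored-with-UT APK satisfies all of them: the extracted library lacks $d, the deflated APK has $d but none of the content strings, and the APK written without the UT field has everything except $d. That is the operational takeaway: feed the rule whole APKs, and expect misses on repackaged samples whose zip writer deflates the library or does not emit UT.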
Scenario: An analyst or administrator downloads the two reference samples (the SHA-256 hashes in the rule's meta) or a rebuilt test APK onto a scanned host or file share to validate the rule.
Filter/Exclusion: Suppress or tag hits whose SHA-256 equals a known reference or test sample, or whose path is the designated malware-zoo or quarantine directory; keep the raw hit in the scan log so the validation remains auditable.
Scenario: A scheduled job (e.g., cron or Task Scheduler) periodically re-scans a sample repository or sandbox output store with the full ruleset and re-raises hits on files that were already triaged.
Filter/Exclusion: Deduplicate on file hash against previous scan results, suppress alerts for hashes already tagged as triaged, and route scheduled-scan hits to a hunting queue rather than the real-time SOC alert channel.
Scenario: A mobile device management (MDM) tool (e.g., Microsoft Intune, Jamf, or AirWatch) or an enterprise app catalog stores and distributes APKs that are scanned during app vetting, and a vendor or line-of-business app bundles a native library with a similar name and layout.
Filter/Exclusion: Keep the condition at all of them (a benign library that shares only lib/armeabi/libmylib.so and __dso_handle does not satisfy it); after manual review, allow-list by APK signing-certificate fingerprint and package name, never by filename or library name alone.
Scenario: A security team is running a penetration test or red team exercise with a smishing component and stages a real or rebuilt SMS-fraud APK in the environment.
Filter/Exclusion: Agree the sample hashes and the engagement window in advance, exclude those hashes for that window only, and tag rather than drop the hits so the exercise stays visible in post-engagement review.
Scenario: A legitimate third-party SMS or one-time-password SDK compiled into several internal apps ships a native library whose strings partly overlap with the rule's (for example __dso_handle, which every unstripped shared object contains).
Filter/Exclusion: Do not weaken the condition to any of them or 2 of them to chase partial overlaps; a vendor library confirmed benign is excluded by its file hash or the vendor's signing certificate, with the justification recorded alongside the exclusion.