emerging-mobile_malware.rules

# Emerging Threats 
#
# This distribution may contain rules under two different licenses. 
#
#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
#  as follows:
#
#*************************************************************
#  Copyright (c) 2003-2019, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
#
#
#

# This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced.

alert http $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; content:".log"; http_uri; nocase; content:"id="; http_uri; nocase; content:"softid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2020_04_19;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"request"; http_uri; nocase; content:".php"; http_uri; nocase; content:"<imei>"; content:"<smscenter>"; content:"<installtime>"; metadata: former_category MOBILE_MALWARE; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; content:"req.php"; nocase; http_uri; content:"pid="; http_uri; nocase; content:"ver="; http_uri; nocase; content:"area="; http_uri; nocase; content:"insttime="; http_uri; nocase; content:"first="; http_uri; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2020_04_19;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_01_05, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; content:"/push/androidxml/"; http_uri; nocase; content:"sim="; http_uri; nocase; content:"tel="; http_uri; nocase; content:"imsi="; http_uri; content:"pid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2029932; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2020_04_19;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; http_uri; content:"StartUpdata.ini"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; http_uri; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; http_uri; nocase; content:"active.txt"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012844; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012845; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012846; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012847; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012853; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012851; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012852; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; content:"/talktome.asmx"; nocase; http_uri; content:"cell"; http_client_body; nocase; content:"opname"; nocase; distance:0; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:trojan-activity; sid:2012924; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_02, updated_at 2020_04_20;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/search/sayhi.php"; http_uri; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; content:"/ProtocolGW/"; fast_pattern; http_uri; nocase; content:"filename="; http_uri; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; content:"|0d 0a|url=http|3A|//"; nocase; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

#alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/search/getty.php"; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; content:"/ss/attachments/files/URLshorter.apk"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; nocase; distance:0; http_client_body; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:2; metadata:created_at 2011_06_30, updated_at 2020_04_20;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType=";  http_uri; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013142; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013143; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013140; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; content:"<connect>http|3A|//"; nocase; content:"<send number="; nocase; distance:0; content:"<insms>http|3A|//"; nocase; distance:0; content:"<delete number="; nocase; distance:0; content:"<clean app="; nocase; distance:0; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013194; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; content:"/wat.php"; nocase; http_uri; content:"incorporateapps.com"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*incorporateapps\x2Ecom/Hi"; metadata: former_category MOBILE_MALWARE; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:trojan-activity; sid:2013209; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; content:"/alotWorkTask.aspx?no="; http_uri; content:"&uid="; http_uri; content:"&ti="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2020_04_20;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013265; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:"<smslist>"; content:"<sms id="; distance:0; content:"upnumber="; distance:0; content:"<|2F|smslist>"; distance:0; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013266; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"?id="; http_uri; content:"&time="; http_uri; content:"&imei="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:3; metadata:created_at 2011_05_25, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; content:"/Submit.aspx?ver="; http_uri; content:"&sys="; http_uri; content:"&imei="; http_uri; content:"&ua="; http_uri; content:"&pro="; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013316; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:"<cmdsystem>"; content:"<mobile>"; content:"<|2F|mobile>"; within:50; content:"<killprocess>"; distance:0; content:"<killinstall>"; distance:0; content:"<killuninst>"; distance:0; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013317; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; content:"/android_notifier/notifier.php?app="; http_uri; content:"&deviceId="; http_uri; content:"&mobile="; http_uri; content:"&country="; http_uri; content:"&carrier="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; content:"/ProtocolGW/protocol/commands"; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:trojan-activity; sid:2014215; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_02_07, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; content:"/clientRequest.htm?method="; http_uri; nocase; content:"&os="; http_uri; content:"&brand="; nocase; http_uri; content:"&sdkVersion="; nocase; http_uri; pcre:"/method\x3D(update|startcharge)/Ui"; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:trojan-activity; sid:2013299; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_23, updated_at 2016_07_01;)

#alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; content:"/phone_getinfokou_android.php"; http_uri; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_27, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; content:"POST"; http_method; content:"/geturl.aspx?email="; http_uri; content:"&lat="; http_uri; content:"&lon="; http_uri; content:"&mobile="; http_uri; content:"&group="; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:trojan-activity; sid:2016209; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_01_15, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; content:"/controls.php"; http_uri; content:"Dalvik/"; http_user_agent; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET"; http_method; content:"/search/"; http_uri; content:".php?i="; http_uri; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2016345; rev:5; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/Android_SMS/receiving.php"; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016513; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report"; flow:established,to_server; content:"/Android_SMS/installing.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016512; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; file_data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/srev.asp"; http_uri; content:"action="; http_client_body; depth:7; content:"&b_name="; http_client_body; distance:0; content:"&b_conter="; http_client_body; distance:0; metadata: former_category MOBILE_MALWARE; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:trojan-activity; sid:2017466; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_09_16, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/reportMessage"; depth:14; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/H"; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018004; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/register"; depth:9; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018000; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/login"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018001; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/report"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018002; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:8; content:"/getTask"; depth:8; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018003; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 1"; flow:to_server,established; content:"POST"; http_method; content:"androidbugreport.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&token="; depth:7; http_client_body; content:"&target="; depth:8; http_client_body; content:"&rd="; depth:4; http_client_body; content:"&fo="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018138; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 2"; flow:to_server,established; content:"POST"; http_method; content:"filter.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018139; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 3"; flow:to_server,established; content:"POST"; http_method; content:"history.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&ds="; depth:4; http_client_body; content:"&sg="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018140; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/webviewAdReq"; nocase; depth:13; http_uri; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/path/DeviceManager.php"; nocase; depth:23; http_uri; content:"func="; depth:5; http_client_body; content:"&deviceid="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header;  reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetConnect.aspx"; http_uri; content:"&tIMEI="; http_uri; content:"&tIMSI="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending GPS info"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetUploadGps.aspx"; http_uri; content:"tmac="; http_uri; content:"&JZ="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019332; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending files"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/TargetUploadFile.aspx"; http_uri; content:"tmac="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019333; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; content:"GET"; http_method; nocase; urilen:18; content:"/CheckLibrary.aspx"; http_uri; content:!"Referer|3a|"; http_header; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/SGCommand.aspx?sgcommand="; fast_pattern:6,20; http_uri; content:"&uid="; http_uri; distance:0; content:"&sid="; http_uri; distance:0; content:"&value="; http_uri; distance:0; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"|20|Android|20|"; http_user_agent; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_11_25, updated_at 2016_07_01;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_30, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"name=|22|softwareVersion|22|"; nocase; http_client_body; content:"name=|22|isEnc|22|"; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019959; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper User-Agent"; flow:established,to_server; content:"UAC/"; depth:4; http_user_agent; fast_pattern; content:"|28|Android|20|"; distance:0; http_user_agent; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019960; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established;  content:"POST"; http_method; nocase; content:"/contacts"; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:"contact|25|26="; depth:11; fast_pattern; http_client_body; pcre:"/\/contacts$/U";  reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_02, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; content:"/input_data_get_contact.asp?user="; http_uri; content:"&pwd="; http_uri; content:"&addr="; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:trojan-activity; sid:2020353; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_03, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin"; flow:to_server,established; content:"XAgent/1."; depth:9; http_user_agent; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:(?:sear|wat)ch|results|close|find|open)\/\?[a-zA-Z]{2,8}=/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020363; rev:3; metadata:created_at 2015_02_04, updated_at 2015_02_04;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE IOS_XAGENT UA"; flow:to_server,established; content:"XAgent/1."; http_user_agent; depth:9; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020364; rev:3; metadata:created_at 2015_02_04, updated_at 2015_02_04;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SMSSend.Y"; flow:established,to_server; content:"/api/log.html|3f|"; http_uri; fast_pattern; content:"c="; http_uri; content:"&o="; http_uri; content:"&n="; http_uri; content:"Apache-HttpClient"; depth:18; http_user_agent; reference:md5,ef79985c90675e7abfb6b9a6bc5a6c65; classtype:trojan-activity; sid:2020729; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_03_23, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"User-Agent|3a 20|"; http_header; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http_client_body; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_04, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/v1.jsp?e="; http_uri; fast_pattern; depth:10; content:"&s="; http_uri; distance:0; content:"&g="; http_uri; distance:0; content:"&versionCode="; http_uri; distance:0; content:"&osVersion="; http_uri; distance:0; content:"&countryCode="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021929; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host"; flow:to_server,established; content:"Host|3a| download.cloudsota.com"; http_header; reference:url,www.cmcm.com/blog/en/security/2015-11-09/842.html; classtype:trojan-activity; sid:2022081; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_12, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EP HTTP Host"; flow:to_server,established; content:"Host|3a 20|jackdojacksgot.ru"; http_header; nocase; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; classtype:trojan-activity; sid:2022144; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Sending Credit Card Info"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cards_json.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"bot_id="; depth:7; fast_pattern; http_client_body; content:"&info="; http_client_body; content:"cardNum"; http_client_body; pcre:"/^bot_id=[a-f0-9]{32}&/P"; pcre:"/\.php$/U"; reference:md5,78c2444fe15a8e58c629076781d9442a; reference:url,blog.fortinet.com/2016/11/01/android-banking-malware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps; classtype:trojan-activity; sid:2023483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_03, performance_impact Low, updated_at 2016_11_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/RequestActionsToExecute"; fast_pattern; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|CommandLine|22 3a|"; depth:15; http_client_body; content:",|22|CurrentDirectory|22 3a|"; http_client_body; pcre:"/\/RequestActionsToExecute$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)

#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; metadata: former_category MOBILE_MALWARE; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:trojan-activity; sid:2023509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)

#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023708; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/n/"; http_uri; content:!"Referer|3a 20|"; http_header; content:"content=eyJ"; http_client_body; depth:11; fast_pattern; content:!"Accept|3a|"; http_header; pcre:"/\/n\/\d{15}$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:trojan-activity; sid:2018630; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_03, updated_at 2017_03_09;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/ad-"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"RgQ7"; depth:4; fast_pattern; http_client_body; pcre:"/\/ad-(?:strat|devi)\/$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android_07012016, signature_severity Major, created_at 2017_06_19, updated_at 2017_06_19;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Mobile Device Posting Phone Number"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&Phone"; fast_pattern; nocase; http_uri; content:"Number="; nocase; http_uri; pcre:"/\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D)/Ui"; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2013208; rev:3; metadata:created_at 2011_07_06, updated_at 2017_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2"; flow:to_server,established; dsize:22; content:"@!hi|3a|"; depth:5; fast_pattern; pcre:"/^\d{15}\r\n$/R"; metadata: former_category MOBILE_MALWARE; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:trojan-activity; sid:2024896; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_10_23, malware_family Android_JadeRAT, updated_at 2017_10_23;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Raiffeisen Bank Targeting (set)"; flow:to_server,established; content:"GET"; http_method; content:"banking.raiffeisen.at."; http_host; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/WR"; flowbits:set,ET.marcherphish; flowbits:noalert; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2024950; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Minor, created_at 2017_11_03, updated_at 2017_11_03;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Sparkasse Bank Targeting (set)"; flow:to_server,established; content:"GET"; http_method; content:"netbanking.sparkasse.at."; http_host; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/WR"; flowbits:set,ET.marcherphish; flowbits:noalert; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2024951; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Minor, created_at 2017_11_03, updated_at 2017_11_03;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - BankAustria Targeting (set)"; flow:to_server,established; content:"GET"; http_method; content:"online.bankaustria.at."; http_host; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/WR"; flowbits:set,ET.marcherphish; flowbits:noalert; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2024952; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Minor, created_at 2017_11_03, updated_at 2017_11_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Austrian Bank Targeting"; flow:to_client,established; flowbits:isset,ET.marcherphish; content:"200"; http_stat_code; content:"application/vnd.android.package-archive"; http_header; fast_pattern; content:"Content-Description|3a 20|File Transfer"; http_header; file_data; content:"PK"; depth:2; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2024953; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_11_03, updated_at 2017_11_03;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 1"; dns_query; content:"loaderclientarea24.ru"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025014; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 2"; dns_query; content:"loaderclientarea22.ru"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025015; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 3"; dns_query; content:"loaderclientarea20.ru"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025016; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 4"; dns_query; content:"loaderclientarea15.ru"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025017; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMEI>"; http_client_body; nocase; content:"<|2F|IMEI>"; fast_pattern; nocase; http_client_body; distance:0; content:!".blackberry.com"; http_host; content:!".nokia.com"; http_host; content:!".sonyericsson.com"; http_host; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:9; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Adware.Adwo.A"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; content:!"&ComPut="; http_uri; http_header_names; content:!"User-Agent"; reference:md5,bbb0aa6c9f84963dacec55345fe4c47e; classtype:trojan-activity; sid:2023475; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Marcher.U DNS Lookup"; dns_query; content:"sagdzusghcsh.top"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,ccefe18d7b9bc31a8673b9bf82104f48; classtype:trojan-activity; sid:2025273; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2018_01_30, malware_family Android_Marcher, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 1"; dns_query; content:"goldncup.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025639; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_05, malware_family Android_Glancelove, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 2"; dns_query; content:"glancelove.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025640; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_05, malware_family Android_Glancelove, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 3"; dns_query; content:"autoandroidup.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025641; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_05, malware_family Android_Glancelove, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 4"; dns_query; content:"mobilestoreupdat.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025642; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_05, malware_family Android_Glancelove, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 5"; dns_query; content:"updatemobapp.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025643; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_05, malware_family Android_Glancelove, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup"; dns_query; content:"ios-certificate-update.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025727; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, tag iOS, signature_severity Critical, created_at 2018_07_17, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 2"; dns_query; content:"al-enayah.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025728; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, tag iOS, signature_severity Critical, created_at 2018_07_17, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 3"; dns_query; content:"voguextra.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025729; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_17, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 4"; dns_query; content:"techwach.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025730; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, tag iOS, signature_severity Critical, created_at 2018_07_17, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 5"; dns_query; content:"wpitcher.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025731; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, tag iOS, signature_severity Critical, created_at 2018_07_17, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Golden Rat Checkin"; flow:to_server,established; content:"<HmzaPacket>|3e 0a 20 20|<Command>"; depth:25; fast_pattern; content:"<MSG>"; within:40; content:"</MSG>|3e 0a 20 20|"; distance:0; content:"</HmzaPacket></HAMZA_DELIMITER_STOP>"; distance:0; metadata: former_category MOBILE_MALWARE; reference:url,csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf; reference:md5,6296586cf9a59b25d1b8ab3eeb0c2a33; classtype:trojan-activity; sid:2025895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_25, malware_family Android_GoldenRat, updated_at 2018_07_25;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 6"; dns_query; content:"ios-certificate-whatsapp.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025896; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 7"; dns_query; content:"hytechmart.com"; nocase; isdataat:!1,relative; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025897; rev:2; metadata:created_at 2018_07_25, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 8"; dns_query; content:"appswonder.info"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025898; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 9"; dns_query; content:"referfile.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025899; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 10"; dns_query; content:"hiltrox.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025900; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 11"; dns_query; content:"scrollayer.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025901; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 12"; dns_query; content:"twitck.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025902; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 14"; dns_query; content:"nfinx.info"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025904; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 15"; dns_query; content:"metclix.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025905; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 16"; dns_query; content:"capsnit.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025906; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 1"; dns_query; content:"banca-movil.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025933; rev:2; metadata:affected_product Android, affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 2"; dns_query; content:"pine-sales.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025934; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 3"; dns_query; content:"ecommerce-ads.org"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025935; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 4"; dns_query; content:"bytlo.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025936; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 5"; dns_query; content:"ticket-selections.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025937; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 6"; dns_query; content:"onlineshopzm.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025938; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 7"; dns_query; content:"zednewszm.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025939; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 8"; dns_query; content:"zm-banks.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025940; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 9"; dns_query; content:"zm-weather.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025941; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 10"; dns_query; content:"znothernkivu.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025942; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 11"; dns_query; content:"afriquenouvelle.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025943; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 12"; dns_query; content:"allafricaninfo.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025944; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 13"; dns_query; content:"centrasia-news.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025945; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 14"; dns_query; content:"mystulchik.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025946; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 15"; dns_query; content:"odnoklass-profile.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025947; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 16"; dns_query; content:"sputnik-news.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025948; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 17"; dns_query; content:"tengrinews.co"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025949; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 18"; dns_query; content:"sergek.info"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025950; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 19"; dns_query; content:"egov-sergek.info"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025951; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 20"; dns_query; content:"egov-segek.info"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025952; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 21"; dns_query; content:"mykaspi.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025953; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 22"; dns_query; content:"kaspi-payment.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025954; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 24"; dns_query; content:"e-sveiciens.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025955; rev:2; metadata:created_at 2018_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 25"; dns_query; content:"klientuserviss.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025956; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 26"; dns_query; content:"kurjerserviss.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025957; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 27"; dns_query; content:"reklamas.info"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025958; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 28"; dns_query; content:"legyelvodas.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025959; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 29"; dns_query; content:"theastafrican.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025960; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 30"; dns_query; content:"ajelnews.net"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025961; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 31"; dns_query; content:"akhbara-aalawsat.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025962; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 32"; dns_query; content:"akhbar-arabia.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025963; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 33"; dns_query; content:"gulf-news.info"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025964; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 34"; dns_query; content:"eltiempo-news.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025965; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 35"; dns_query; content:"arabnews365.com"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025966; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 36"; dns_query; content:"arabworldnews.info"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025967; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 37"; dns_query; content:"breaking-extranews.online"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025968; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 38"; dns_query; content:"breaking-news.co"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025969; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 39"; dns_query; content:"breakingnewsasia.com"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025970; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 40"; dns_query; content:"breakthenews.net"; nocase; isdataat:!1,relative; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025971; rev:2; metadata:created_at 2018_08_03, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/admin/data/collectdata-new.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"okhttp/"; depth:7; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|a|22 3a|"; depth:5; http_client_body; content:"|22|b|22 3a|[{|22|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025987; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2018_08_13, malware_family ANdroid_CrazyMango, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/admin/newuser.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"okhttp/"; depth:7; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|imei|22 3a|"; depth:8; http_client_body; content:"|22|tag|22 3a|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025988; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_08_13, malware_family ANdroid_CrazyMango, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/admin/data/fcollectdata.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"okhttp/"; depth:7; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|category|22 3a|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:md5,b603017bbcee17a76f5b0ee478d2d935; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025989; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_08_13, malware_family ANdroid_CrazyMango, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (1jve .com in DNS Lookup)"; dns_query; content:"1jve.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026115; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (1jve .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"1jve.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026116; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in DNS Lookup)"; dns_query; content:"clarke-taylor.life"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026117; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in TLS SNI)"; flow:established,to_server; tls_sni; content:"clarke-taylor.life"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026118; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in DNS Lookup)"; dns_query; content:"hcttmail.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026119; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"hcttmail.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026120; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in DNS Lookup)"; dns_query; content:"mail-presidency.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026121; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"mail-presidency.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026122; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in DNS Lookup)"; dns_query; content:"aamir-khan.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026123; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"aamir-khan.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026124; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in DNS Lookup)"; dns_query; content:"daario-naharis.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026125; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"daario-naharis.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026126; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-live .club in DNS Lookup)"; dns_query; content:"help-live.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026127; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-live .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"help-live.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026128; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in DNS Lookup)"; dns_query; content:"margaery-tyrell.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026129; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"margaery-tyrell.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026130; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in DNS Lookup)"; dns_query; content:"accaunts-googlc.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026131; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"accaunts-googlc.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026132; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in DNS Lookup)"; dns_query; content:"dachfunny.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026133; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"dachfunny.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026134; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in DNS Lookup)"; dns_query; content:"help-sec.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026135; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"help-sec.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026136; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in DNS Lookup)"; dns_query; content:"maria-bouchard.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026137; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"maria-bouchard.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026138; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in DNS Lookup)"; dns_query; content:"account-gocgle.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026139; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"account-gocgle.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026140; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in DNS Lookup)"; dns_query; content:"dachfunny.us"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026141; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in TLS SNI)"; flow:established,to_server; tls_sni; content:"dachfunny.us"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026142; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in DNS Lookup)"; dns_query; content:"heyapp.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026143; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"heyapp.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026144; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in DNS Lookup)"; dns_query; content:"marklavi.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026145; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"marklavi.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026146; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in DNS Lookup)"; dns_query; content:"account-googlc.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026147; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"account-googlc.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026148; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .club in DNS Lookup)"; dns_query; content:"dardash.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026149; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"dardash.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026150; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in DNS Lookup)"; dns_query; content:"hitmesanjjoy.pro"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026151; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in TLS SNI)"; flow:established,to_server; tls_sni; content:"hitmesanjjoy.pro"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026152; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in DNS Lookup)"; dns_query; content:"mary-crawley.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026153; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"mary-crawley.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026154; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in DNS Lookup)"; dns_query; content:"accountforuser.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026155; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"accountforuser.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026156; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in DNS Lookup)"; dns_query; content:"dardash.fun"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026157; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in TLS SNI)"; flow:established,to_server; tls_sni; content:"dardash.fun"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026158; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in DNS Lookup)"; dns_query; content:"hoopoechat.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026159; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"hoopoechat.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026160; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (masuka .club in DNS Lookup)"; dns_query; content:"masuka.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026161; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (masuka .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"masuka.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026162; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in DNS Lookup)"; dns_query; content:"accountforusers.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026163; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"accountforusers.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026164; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .info in DNS Lookup)"; dns_query; content:"dardash.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026165; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"dardash.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026166; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in DNS Lookup)"; dns_query; content:"hotimael.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026167; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"hotimael.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026168; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in DNS Lookup)"; dns_query; content:"matthew-stevens.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026169; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"matthew-stevens.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026170; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in DNS Lookup)"; dns_query; content:"accounts-gocgle.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026171; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"accounts-gocgle.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026172; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .live in DNS Lookup)"; dns_query; content:"dardash.live"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026173; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .live in TLS SNI)"; flow:established,to_server; tls_sni; content:"dardash.live"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026174; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in DNS Lookup)"; dns_query; content:"hotmailme.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026175; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"hotmailme.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026176; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in DNS Lookup)"; dns_query; content:"mauricefischer.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026177; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"mauricefischer.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026178; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in DNS Lookup)"; dns_query; content:"accounts-googlc.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026179; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"accounts-googlc.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026180; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in DNS Lookup)"; dns_query; content:"david-mclean.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026181; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"david-mclean.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026182; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in DNS Lookup)"; dns_query; content:"italk-chat.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026183; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"italk-chat.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026184; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in DNS Lookup)"; dns_query; content:"max-eleanor.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026185; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"max-eleanor.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026186; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in DNS Lookup)"; dns_query; content:"accountusers.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026187; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"accountusers.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026188; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in DNS Lookup)"; dns_query; content:"david-moris.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026189; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"david-moris.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026190; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in DNS Lookup)"; dns_query; content:"italk-chat.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026191; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"italk-chat.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026192; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in DNS Lookup)"; dns_query; content:"max-mayfield.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026193; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"max-mayfield.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026194; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in DNS Lookup)"; dns_query; content:"accuant-googlc.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026195; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"accuant-googlc.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026196; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in DNS Lookup)"; dns_query; content:"davina-claire.xyz"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026197; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in TLS SNI)"; flow:established,to_server; tls_sni; content:"davina-claire.xyz"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026198; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in DNS Lookup)"; dns_query; content:"jack-wagner.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026199; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"jack-wagner.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026200; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in DNS Lookup)"; dns_query; content:"maxlight.us"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026201; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in TLS SNI)"; flow:established,to_server; tls_sni; content:"maxlight.us"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026202; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in DNS Lookup)"; dns_query; content:"activedardash.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026203; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"activedardash.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026204; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in DNS Lookup)"; dns_query; content:"davos-seaworth.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026205; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"davos-seaworth.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026206; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in DNS Lookup)"; dns_query; content:"james-charles.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026207; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"james-charles.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026208; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in DNS Lookup)"; dns_query; content:"mediauploader.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026209; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"mediauploader.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026210; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alain .ps in DNS Lookup)"; dns_query; content:"alain.ps"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026211; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alain .ps in TLS SNI)"; flow:established,to_server; tls_sni; content:"alain.ps"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026212; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in DNS Lookup)"; dns_query; content:"debra-morgan.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026213; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"debra-morgan.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026214; rev:2; metadata:created_at 2018_09_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in DNS Lookup)"; dns_query; content:"jimmykudo.online"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026217; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in TLS SNI)"; flow:established,to_server; tls_sni; content:"jimmykudo.online"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026218; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in DNS Lookup)"; dns_query; content:"meet-me.chat"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026219; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in TLS SNI)"; flow:established,to_server; tls_sni; content:"meet-me.chat"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026220; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in DNS Lookup)"; dns_query; content:"alisonparker.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026221; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"alisonparker.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026222; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in DNS Lookup)"; dns_query; content:"donna-paulsen.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026223; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"donna-paulsen.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026224; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"android-settings.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026225; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in DNS Lookup)"; dns_query; content:"android-settings.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026226; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in DNS Lookup)"; dns_query; content:"easyshow.fun"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026227; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in TLS SNI)"; flow:established,to_server; tls_sni; content:"easyshow.fun"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026228; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in DNS Lookup)"; dns_query; content:"jon-snow.pro"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026229; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in TLS SNI)"; flow:established,to_server; tls_sni; content:"jon-snow.pro"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026230; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in DNS Lookup)"; dns_query; content:"men-ana.fun"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026231; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in TLS SNI)"; flow:established,to_server; tls_sni; content:"men-ana.fun"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026232; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in DNS Lookup)"; dns_query; content:"apkapps.pro"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026233; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in TLS SNI)"; flow:established,to_server; tls_sni; content:"apkapps.pro"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026234; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in DNS Lookup)"; dns_query; content:"eleanor-guthrie.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026235; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"eleanor-guthrie.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026236; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in DNS Lookup)"; dns_query; content:"jorah-mormont.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026237; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"jorah-mormont.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026238; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in DNS Lookup)"; dns_query; content:"michael-keaton.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026239; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"michael-keaton.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026240; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in DNS Lookup)"; dns_query; content:"apkapps.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026241; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"apkapps.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026242; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in DNS Lookup)"; dns_query; content:"eleanorguthrie.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026243; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"eleanorguthrie.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026244; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in DNS Lookup)"; dns_query; content:"joycebyers.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026245; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"joycebyers.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026246; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in DNS Lookup)"; dns_query; content:"miranda-barlow.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026247; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"miranda-barlow.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026248; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in DNS Lookup)"; dns_query; content:"appchecker.us"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026249; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in TLS SNI)"; flow:established,to_server; tls_sni; content:"appchecker.us"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026250; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in DNS Lookup)"; dns_query; content:"engin-altan.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026251; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"engin-altan.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026252; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (juana .fun in DNS Lookup)"; dns_query; content:"juana.fun"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026253; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (juana .fun in TLS SNI)"; flow:established,to_server; tls_sni; content:"juana.fun"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026254; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in DNS Lookup)"; dns_query; content:"miwakosato.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026255; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"miwakosato.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026256; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appuree .info in DNS Lookup)"; dns_query; content:"appuree.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026257; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appuree .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"appuree.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026258; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in DNS Lookup)"; dns_query; content:"esofiezo.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026259; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"esofiezo.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026260; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in DNS Lookup)"; dns_query; content:"kaniel-outis.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026261; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"kaniel-outis.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026262; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in DNS Lookup)"; dns_query; content:"mofa-help.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026263; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"mofa-help.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026264; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in DNS Lookup)"; dns_query; content:"arthursaito.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026265; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"arthursaito.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026266; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in DNS Lookup)"; dns_query; content:"everyservices.space"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026267; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in TLS SNI)"; flow:established,to_server; tls_sni; content:"everyservices.space"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026268; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in DNS Lookup)"; dns_query; content:"karenwheeler.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026269; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"karenwheeler.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026270; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in DNS Lookup)"; dns_query; content:"moneymotion.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026271; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"moneymotion.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026272; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in DNS Lookup)"; dns_query; content:"aryastark.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026273; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"aryastark.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026274; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in DNS Lookup)"; dns_query; content:"exvsnomy.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026275; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"exvsnomy.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026276; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in DNS Lookup)"; dns_query; content:"kate-austen.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026277; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"kate-austen.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026278; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (myboon .website in DNS Lookup)"; dns_query; content:"myboon.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026279; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (myboon .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"myboon.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026280; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in DNS Lookup)"; dns_query; content:"aslaug-sigurd.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026281; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"aslaug-sigurd.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026282; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in DNS Lookup)"; dns_query; content:"ezofiezo.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026283; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"ezofiezo.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026284; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in DNS Lookup)"; dns_query; content:"katesacker.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026285; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"katesacker.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026286; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .site in DNS Lookup)"; dns_query; content:"mygift.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026287; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"mygift.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026288; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in DNS Lookup)"; dns_query; content:"assets-acc.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026289; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"assets-acc.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026290; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in DNS Lookup)"; dns_query; content:"face-book-support.email"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026291; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in TLS SNI)"; flow:established,to_server; tls_sni; content:"face-book-support.email"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026292; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katie .party in DNS Lookup)"; dns_query; content:"katie.party"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026293; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katie .party in TLS SNI)"; flow:established,to_server; tls_sni; content:"katie.party"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026294; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .website in DNS Lookup)"; dns_query; content:"mygift.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026295; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"mygift.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026296; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in DNS Lookup)"; dns_query; content:"bbc-learning.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026297; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"bbc-learning.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026298; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in DNS Lookup)"; dns_query; content:"fasebcck.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026299; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"fasebcck.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026300; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in DNS Lookup)"; dns_query; content:"kik-com.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026301; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"kik-com.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026302; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in DNS Lookup)"; dns_query; content:"namybotter.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026303; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"namybotter.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026304; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in DNS Lookup)"; dns_query; content:"bellamy-bob.life"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026305; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in TLS SNI)"; flow:established,to_server; tls_sni; content:"bellamy-bob.life"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026306; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in DNS Lookup)"; dns_query; content:"fasebock.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026307; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"fasebock.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026308; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in DNS Lookup)"; dns_query; content:"kristy-milligan.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026309; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"kristy-milligan.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026310; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in DNS Lookup)"; dns_query; content:"namyyeatop.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026311; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"namyyeatop.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026312; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in DNS Lookup)"; dns_query; content:"bestbitloly.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026313; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"bestbitloly.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026314; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in DNS Lookup)"; dns_query; content:"fasebook.cam"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026315; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in TLS SNI)"; flow:established,to_server; tls_sni; content:"fasebook.cam"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026316; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in DNS Lookup)"; dns_query; content:"lagertha-lothbrok.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026317; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"lagertha-lothbrok.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026318; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in DNS Lookup)"; dns_query; content:"natemunson.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026319; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"natemunson.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026320; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in DNS Lookup)"; dns_query; content:"billy-bones.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026321; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"billy-bones.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026322; rev:2; metadata:created_at 2018_09_20, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in DNS Lookup)"; dns_query; content:"fasebookvideo.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026339; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"fasebookvideo.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026340; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in DNS Lookup)"; dns_query; content:"leonard-kim.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026341; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"leonard-kim.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026342; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in DNS Lookup)"; dns_query; content:"new.filetea.me"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026343; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in TLS SNI)"; flow:established,to_server; tls_sni; content:"new.filetea.me"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026344; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in DNS Lookup)"; dns_query; content:"bitgames.world"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026345; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in TLS SNI)"; flow:established,to_server; tls_sni; content:"bitgames.world"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026346; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in DNS Lookup)"; dns_query; content:"fatehmedia.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026347; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"fatehmedia.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026348; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in DNS Lookup)"; dns_query; content:"leslie-barnes.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026349; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"leslie-barnes.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026350; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in DNS Lookup)"; dns_query; content:"nightchat.fun"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026351; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in TLS SNI)"; flow:established,to_server; tls_sni; content:"nightchat.fun"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026352; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in DNS Lookup)"; dns_query; content:"black-honey.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026353; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"black-honey.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026354; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (firesky .site in DNS Lookup)"; dns_query; content:"firesky.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026355; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (firesky .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"firesky.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026356; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in DNS Lookup)"; dns_query; content:"lets-see.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026357; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"lets-see.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026358; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in DNS Lookup)"; dns_query; content:"nightchat.live"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026359; rev:2; metadata:created_at 2018_09_21, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in TLS SNI)"; flow:established,to_server; tls_sni; content:"nightchat.live"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026364; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in DNS Lookup)"; dns_query; content:"bob-turco.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026365; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"bob-turco.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026366; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in DNS Lookup)"; dns_query; content:"flirtymania.fun"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026367; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in TLS SNI)"; flow:established,to_server; tls_sni; content:"flirtymania.fun"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026368; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in DNS Lookup)"; dns_query; content:"lexi-branson.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026369; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"lexi-branson.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026370; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in DNS Lookup)"; dns_query; content:"nissour-beton.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026371; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"nissour-beton.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026372; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in DNS Lookup)"; dns_query; content:"buymicrosft.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026373; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"buymicrosft.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026374; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in DNS Lookup)"; dns_query; content:"freya.miranda-barlow.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026375; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"freya.miranda-barlow.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026376; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in DNS Lookup)"; dns_query; content:"lincoln-blake.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026377; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"lincoln-blake.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026378; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in DNS Lookup)"; dns_query; content:"octavia-blake.world"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026379; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in TLS SNI)"; flow:established,to_server; tls_sni; content:"octavia-blake.world"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026380; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in DNS Lookup)"; dns_query; content:"camilleoconnell.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026381; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"camilleoconnell.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026382; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in DNS Lookup)"; dns_query; content:"geny-wise.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026383; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"geny-wise.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026384; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in DNS Lookup)"; dns_query; content:"lindamullins.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026385; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"lindamullins.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026386; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in DNS Lookup)"; dns_query; content:"olivia-hartman.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026387; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"olivia-hartman.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026388; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in DNS Lookup)"; dns_query; content:"caroline-nina.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026389; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"caroline-nina.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026390; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in DNS Lookup)"; dns_query; content:"gmailservice.us"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026391; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in TLS SNI)"; flow:established,to_server; tls_sni; content:"gmailservice.us"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026392; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in DNS Lookup)"; dns_query; content:"liz-keen.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026393; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"liz-keen.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026394; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (oriential .website in DNS Lookup)"; dns_query; content:"oriential.website"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026395; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (oriential .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"oriential.website"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026396; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in DNS Lookup)"; dns_query; content:"cassy-gray.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026397; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"cassy-gray.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026398; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in DNS Lookup)"; dns_query; content:"graceygretchen.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026399; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"graceygretchen.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026400; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in DNS Lookup)"; dns_query; content:"login-yohoo.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026401; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"login-yohoo.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026402; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in DNS Lookup)"; dns_query; content:"ososezo.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026403; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"ososezo.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026404; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in DNS Lookup)"; dns_query; content:"cecilia-dobrev.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026405; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"cecilia-dobrev.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026406; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in DNS Lookup)"; dns_query; content:"hareyupnow.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026407; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"hareyupnow.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026408; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in DNS Lookup)"; dns_query; content:"lord-varys.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026409; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"lord-varys.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026410; rev:2; metadata:created_at 2018_09_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in DNS Lookup)"; dns_query; content:"ososezo.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026442; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"ososezo.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026443; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in DNS Lookup)"; dns_query; content:"cecilia-gilbert.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026444; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"cecilia-gilbert.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026445; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in DNS Lookup)"; dns_query; content:"harper-monty.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026446; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"harper-monty.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026447; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in DNS Lookup)"; dns_query; content:"lyanna-stark.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026448; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"lyanna-stark.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026449; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in DNS Lookup)"; dns_query; content:"parrotchat.co"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026450; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in TLS SNI)"; flow:established,to_server; tls_sni; content:"parrotchat.co"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026451; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in DNS Lookup)"; dns_query; content:"cerseilannister.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026452; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"cerseilannister.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026453; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in DNS Lookup)"; dns_query; content:"harrykane.online"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026454; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in TLS SNI)"; flow:established,to_server; tls_sni; content:"harrykane.online"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026455; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in DNS Lookup)"; dns_query; content:"mail-accout.club"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026456; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"mail-accout.club"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026457; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in DNS Lookup)"; dns_query; content:"pmi-pna.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026458; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"pmi-pna.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026459; rev:2; metadata:created_at 2018_10_08, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in DNS Lookup)"; dns_query; content:"chat-often.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026476; rev:2; metadata:created_at 2018_10_15, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"chat-often.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026477; rev:2; metadata:created_at 2018_10_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in DNS Lookup)"; dns_query; content:"harvey-ross.info"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026478; rev:2; metadata:created_at 2018_10_15, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"harvey-ross.info"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026479; rev:2; metadata:created_at 2018_10_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in DNS Lookup)"; dns_query; content:"mail-goog1e.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026480; rev:2; metadata:created_at 2018_10_15, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"mail-goog1e.com"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026481; rev:2; metadata:created_at 2018_10_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in DNS Lookup)"; dns_query; content:"pml-help.site"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026482; rev:2; metadata:created_at 2018_10_15, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"pml-help.site"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026483; rev:2; metadata:created_at 2018_10_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in DNS Lookup)"; dns_query; content:"christopher.fun"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026484; rev:2; metadata:created_at 2018_10_15, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in TLS SNI)"; flow:established,to_server; tls_sni; content:"christopher.fun"; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:trojan-activity; sid:2026485; rev:2; metadata:created_at 2018_10_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/GPlayed (sub1 .tdsworker .ru in DNS Lookup)"; dns_query; content:"sub1.tdsworker.ru"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/10/gplayerbanker.html; classtype:trojan-activity; sid:2026566; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_11_01, malware_family Android_GPlayed, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (areadozemode .space in DNS Lookup)"; dns_query; content:"areadozemode.space"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026828; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_01_22, malware_family Android_Anubis, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (selectnew25mode .space in DNS Lookup)"; dns_query; content:"selectnew25mode.space"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026829; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (twethujsnu .cc in DNS Lookup)"; dns_query; content:"twethujsnu.cc"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026830; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (project2anub .xyz in DNS Lookup)"; dns_query; content:"project2anub.xyz"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026831; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (taiprotectsq .xyz in DNS Lookup)"; dns_query; content:"taiprotectsq.xyz"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026832; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (uwannaplaygame .space in DNS Lookup)"; dns_query; content:"uwannaplaygame.space"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026833; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (projectpredator .space in DNS Lookup)"; dns_query; content:"projectpredator.space"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026834; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (nihaobrazzzahit .top in DNS Lookup)"; dns_query; content:"nihaobrazzzahit.top"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026835; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (aserogeege .space in DNS Lookup)"; dns_query; content:"aserogeege.space"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026836; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (hdfuckedin18 .top in DNS Lookup)"; dns_query; content:"hdfuckedin18.top"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026837; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dingpsounda .space in DNS Lookup)"; dns_query; content:"dingpsounda.space"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026838; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wantddantiprot .space in DNS Lookup)"; dns_query; content:"wantddantiprot.space"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026839; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (privateanbshouse .space in DNS Lookup)"; dns_query; content:"privateanbshouse.space"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026840; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (seconddoxed .space in DNS Lookup)"; dns_query; content:"seconddoxed.space"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026841; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (firstdoxed .space in DNS Lookup)"; dns_query; content:"firstdoxed.space"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026842; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (oauth3 .html5100 .com in DNS Lookup)"; dns_query; content:"oauth3.html5100.com"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026843; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dosandiq .space in DNS Lookup)"; dns_query; content:"dosandiq.space"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026844; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (protect4juls .space in DNS Lookup)"; dns_query; content:"protect4juls.space"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026845; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wijariief .space in DNS Lookup)"; dns_query; content:"wijariief.space"; isdataat:!1,relative; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026846; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (scradm .in in DNS Lookup)"; dns_query; content:"scradm.in"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026847; rev:2; metadata:created_at 2019_01_22, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Xnore Fake Facebook Login Credentials Collected"; flow:established,to_server; content:"POST"; http_method; content:"xnore.com"; http_header; content:"|20|Android|20|"; http_user_agent; content:"app_id="; http_client_body; depth:7; fast_pattern; content:"&cemail="; http_client_body; distance:0; content:"&cpass="; http_client_body; distance:0; http_header_names; content:"Origin"; content:"Referer"; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2026907; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Spyware, signature_severity Major, created_at 2019_02_13, malware_family Xnore, performance_impact Low, updated_at 2019_02_13;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 13"; dns_query; content:"32player.com"; depth:12; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025903; rev:3; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/BasBanke CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"data=NewClient"; http_client_body; depth:14; fast_pattern; http_content_type; content:"application|2f|x-www-form-urlencoded"; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; metadata: former_category MOBILE_MALWARE; reference:md5,79cf391a3ae2477cd804c68850dba80d; reference:url,securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/; classtype:trojan-activity; sid:2027154; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Banker, signature_severity Major, created_at 2019_04_04, malware_family BasBanke, performance_impact Low, updated_at 2019_04_04;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (DonotGroup Android CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=justin.drinkeatgood.space"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2027195; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag APT, tag DonotGroup, signature_severity Major, created_at 2019_04_12, performance_impact Low, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Windows Phone PUA.Redpher (myservicessapps .com in DNS Lookup)"; dns_query; content:"myservicessapps.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/threat-intelligence/pua-microsoft-store-porn-gambling; classtype:trojan-activity; sid:2027220; rev:2; metadata:attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2019_04_18, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidsmedia .com in DNS Lookup)"; dns_query; content:"androidsmedia.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027490; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_06_19, malware_family Android_SpyAgent, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidssystem .com in DNS Lookup)"; dns_query; content:"androidssystem.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027491; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_06_19, malware_family Android_SpyAgent, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (secandroid .com in DNS Lookup)"; dns_query; content:"secandroid.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027492; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_06_19, malware_family Android_SpyAgent, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediadownload .space in DNS Lookup)"; dns_query; content:"mediadownload.space"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027493; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_06_19, malware_family Android_SpyAgent, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediamobilereg .com in DNS Lookup)"; dns_query; content:"mediamobilereg.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027494; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_06_19, malware_family Android_SpyAgent, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (sharpion .org in DNS Lookup)"; dns_query; content:"sharpion.org"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027495; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_06_19, malware_family Android_SpyAgent, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (shileyfetwell .com in DNS Lookup)"; dns_query; content:"shileyfetwell.com"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027496; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_06_19, malware_family Android_SpyAgent, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor Module Download Request"; flow:to_server,established; content:"/?uuid="; http_uri; content:"&ptype="; http_uri; content:"&cacheFrom="; http_uri; fast_pattern; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; metadata: former_category MOBILE_MALWARE; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027803; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_08_06, malware_family Android_TimpDoor, updated_at 2019_08_06;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .itraffic .click in DNS Lookup)"; dns_query; content:"purple.itraffic.click"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027804; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_08_06, malware_family Android_TimpDoor, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .m-ads .net in DNS Lookup)"; dns_query; content:"purple.m-ads.net"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027805; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2019_08_06, malware_family Android_TimpDoor, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (drproxy .pro in DNS Lookup)"; dns_query; content:"drproxy.pro"; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027806; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2019_08_06, malware_family Android_TimpDoor, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access takeCameraPicture"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:".takeCameraPicture"; nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017777; rev:3; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendSMS"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendSMS"; nocase; metadata: former_category CURRENT_EVENTS; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017782; rev:3; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access registerMicListener"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"registerMicListener"; nocase; metadata: former_category CURRENT_EVENTS; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017783; rev:3; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendMail"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendMail"; nocase; metadata: former_category CURRENT_EVENTS; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017781; rev:3; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access postToSocial"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"postToSocial"; nocase; metadata: former_category CURRENT_EVENTS; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017780; rev:3; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access getGalleryImage"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"getGalleryImage"; nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017778; rev:4; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u001"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; metadata: former_category CURRENT_EVENTS; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020397; rev:4; metadata:created_at 2015_02_11, updated_at 2015_02_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u000"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; metadata: former_category CURRENT_EVENTS; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:trojan-activity; sid:2019181; rev:9; metadata:created_at 2014_09_16, updated_at 2014_09_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/Coop/request"; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:trojan-activity; sid:2013210; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2019_08_22;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AOX Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/ReadAllTracks.php"; http_uri; fast_pattern; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|contacts|22 3a|"; depth:12; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/; classtype:trojan-activity; sid:2027920; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_08_27, updated_at 2019_08_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Apple iPhone Implant - Boundary Observed"; flow:established,to_server; content:"multipart/form-data|3b 20|charset=utf-8|3b|boundary=9ff7172192b7"; nocase; http_header; fast_pattern:36,20; metadata: former_category MOBILE_MALWARE; reference:url,googleprojectzero.blogspot.com/2019/08/implant-teardown.html; classtype:trojan-activity; sid:2027931; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2019_08_30, updated_at 2019_08_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Apple iPhone Implant - Upload Files"; flow:established,to_server; content:"POST"; http_method; content:"/upload/info"; nocase; http_uri; depth:12; content:"Content-disposition|3a 20|form-data|3b 20|name="; http_client_body; content:"--9ff7172192b7--"; http_client_body; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,googleprojectzero.blogspot.com/2019/08/implant-teardown.html; classtype:trojan-activity; sid:2027932; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2019_08_30, updated_at 2019_08_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Apple iPhone Implant - Command Executed"; flow:established,to_server; content:"GET"; http_method; content:"/list/suc?name="; http_uri; nocase; depth:15; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,googleprojectzero.blogspot.com/2019/08/implant-teardown.html; classtype:trojan-activity; sid:2027933; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2019_08_30, updated_at 2019_08_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Evil Eye Android Malware Beacon"; flow:established,to_server; content:"POST"; http_method; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:65.0) Gecko/20100101 Firefox/65.0"; depth:78; http_user_agent; content:"{|22|device_id|22 3a 22|"; depth:14; http_client_body; fast_pattern; http_accept_lang; content:"zh-CN"; depth:5; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/; classtype:trojan-activity; sid:2027940; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_09_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; dns_query; content:"gongfu-android.com"; depth:18; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013023; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_13, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; dns_query; content:"tinduongpho.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_14, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; dns_query; content:"aps.kemoge.net"; depth:14; fast_pattern; nocase; isdataat:!1,relative; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; dns_query; content:"pc35hiptpcwqezgs"; depth:16; nocase; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_12, updated_at 2019_09_03;)

#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; dns_query; content:"yuwurw46taaep6ip"; depth:16; nocase; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2019_09_03;)

#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; dns_query; content:"voooxrrw2wxnoyew"; depth:16; nocase; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2019_09_03;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; dns_query; content:"tmdxiawceahpbhmb.com"; depth:20; nocase; isdataat:!1,relative; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_07_18, performance_impact Low, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)"; dns_query; content:"info2t.com"; depth:10; nocase; isdataat:!1,relative; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:2023398; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_10_24, malware_family AndroRAT, performance_impact Low, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns_query; content:"rockybalboa.at"; depth:14; nocase; isdataat:!1,relative; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns_query; content:"storegoogle.at"; depth:14; nocase; isdataat:!1,relative; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"androidbak.com"; depth:14; nocase; isdataat:!1,relative; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023935; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"droidback.com"; depth:13; nocase; isdataat:!1,relative; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023936; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"endpointup.com"; depth:14; nocase; isdataat:!1,relative; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023937; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"siteanalysto.com"; depth:16; nocase; isdataat:!1,relative; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"goodydaddy.com"; depth:14; nocase; isdataat:!1,relative; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023939; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup"; dns_query; content:"updatmaster.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/; classtype:trojan-activity; sid:2024509; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_02, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; dns_query; content:"axclick.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:4; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_28, malware_family Android_WireX, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup"; dns_query; content:"b1k51.gdn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024735; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2"; dns_query; content:"b1j3aas.life"; depth:12; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024736; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3"; dns_query; content:"wechaatt.gdn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024737; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4"; dns_query; content:"10as05.gdn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024738; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5"; dns_query; content:"ch0ck4.life"; depth:11; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024739; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6"; dns_query; content:"fatur1s.life"; depth:12; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024740; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7"; dns_query; content:"b5k31.gdn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024741; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8"; dns_query; content:"erd0.gdn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024742; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9"; dns_query; content:"b1v2a5.gdn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024743; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10"; dns_query; content:"b1502b.gdn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024744; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11"; dns_query; content:"elsssee.gdn"; depth:11; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024745; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12"; dns_query; content:"kvp41.life"; depth:10; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024746; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13"; dns_query; content:"servertestapi.ltd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024747; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14"; dns_query; content:"taxii.gdn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024748; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; dns_query; content:"p0w3r.gdn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16"; dns_query; content:"4r3a.gdn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024750; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query Targeted Tibetan Android Malware C2 Domain"; dns_query; content:"android.uyghur.dnsd.me"; depth:22; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:trojan-activity; sid:2016711; rev:5; metadata:created_at 2013_04_03, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"method=counter&app_key="; depth:23; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2019_09_03;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Joker Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/api/report"; http_uri; fast_pattern; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"eyJ"; depth:3; http_client_body; metadata: former_category MOBILE_MALWARE; reference:md5,058865332bfae541e82b55e4a7e63aaf; reference:url,medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451; classtype:trojan-activity; sid:2027965; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_09_09, malware_family Android_Joker, updated_at 2019_09_09;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE MOONSHINE payload C2 activity"; flow:established,to_server; content:"/ws?whisky_id|3d|"; http_uri; fast_pattern; content:"hots|20|scot"; depth:9; http_user_agent; content:"Upgrade|3a 20|websocket"; http_header; metadata: former_category MOBILE_MALWARE; reference:url,citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits; classtype:trojan-activity; sid:2028622; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2019_09_25, malware_family Android_Moonshine, updated_at 2019_09_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access makeCall"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"makeCall"; nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017779; rev:4; metadata:created_at 2013_11_27, updated_at 2019_09_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; content:"/upload/UploadFiles.aspx?askId="; http_uri; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; content:"/kspp/do?imei="; fast_pattern; http_uri; content:"&wid="; http_uri; content:"&type="; http_uri; content:"&step="; http_uri;  reference:md5,e6d9776113b29680aec73ac2d1445946; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; classtype:trojan-activity; sid:2016318; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_12, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; content:"/send.php?a_id="; http_uri; content:"&telno="; fast_pattern; http_uri; content:"&m_addr="; http_uri; content:"Android"; http_user_agent; metadata: former_category MOBILE_MALWARE; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:trojan-activity; sid:2014161; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; content:"/RegistUid.asp"; fast_pattern; http_uri; nocase; content:"?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; content:"&imsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; content:"GET"; http_method; content:"/bookmark/getServiceCode?price="; http_uri; fast_pattern; content:"Dalvik"; depth:6; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:4; metadata:created_at 2014_03_24, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; content: "device_id="; http_uri; pcre:"/^\d{10,20}&imsi=\d{10,15}&device_name=/URi"; content:"&app_id="; http_uri; pcre:"/^[a-f0-9]{30,35}&app_package_name=/URi"; content: "screen_density="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_04, updated_at 2019_10_07;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; metadata: former_category MOBILE_MALWARE; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_05, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/netsend/nmsm_json.jsp"; fast_pattern; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:trojan-activity; sid:2013694; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_09_23, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; content:"POST"; http_method; content:"/youxi_up.php"; fast_pattern; http_uri; content:"--*****|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|npki|22|"; depth:52; http_client_body; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:4; metadata:created_at 2014_06_19, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; content:"POST"; http_method; content:"/flash/api.php?id="; http_uri; fast_pattern; pcre:"/^\/flash\/api\.php\?id=\d/U"; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:14; content:"/api33/api.php"; http_uri; fast_pattern; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:"/1/?1"; http_uri; fast_pattern; content:"{|22|n|22 3a 22|"; depth:6; http_client_body; content:"|22 2c 22|d|22 3a 22|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_25, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/message.php"; http_uri; fast_pattern; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_28, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:15; content:"/report/install"; http_uri; fast_pattern; content:"data="; http_client_body; depth:5; content:"os="; http_client_body; distance:0; content:"mac="; http_client_body; distance:0; content:"sign="; http_client_body; distance:0; metadata: former_category MOBILE_MALWARE; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:trojan-activity; sid:2019125; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_05, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; content:"/updatesrv.aspx?f=1"; http_uri; fast_pattern; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:3; metadata:created_at 2014_09_15, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; content:"/updatesrv.aspx?f=2&uuid="; http_uri; fast_pattern; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:3; metadata:created_at 2014_09_15, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 1"; flow:established,to_server; content:"/dmp/api/"; http_uri; fast_pattern; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"dmp."; http_header; pcre:"/\/dmp\/api\/[a-z]+$/U"; pcre:"/^Host\x3a[^\r\n]+?dmp\.[^\r\n]+?\r?$/Hmi"; metadata: former_category MOBILE_MALWARE; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019958; rev:5; metadata:created_at 2014_12_17, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin"; flow:to_server,established; content:"/pha?android_version="; fast_pattern; http_uri; content:"&id="; http_uri; content:"&phone_number="; http_uri; content:"&client_version="; http_uri; content:"&imei="; http_uri; content:"&name="; http_uri; reference:url,securityblog.s21sec.com/2015/05/new-ransomware-in-mobile-environment.html; classtype:trojan-activity; sid:2021174; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_01, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 5.2|29 20|"; http_header; content:"appid="; depth:6; http_client_body; content:"&model="; http_client_body; content:"&imei="; fast_pattern; http_client_body; content:"&connect="; http_client_body; content:"&dpi="; http_client_body; content:"&width="; http_client_body; content:"&cpu="; http_client_body; content:"&phoneno="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; content:"/landing?c="; fast_pattern; http_uri; content:"&g="; http_uri; content:"&a="; http_uri; content:"&s1="; http_uri; content:"&s2="; http_uri; content:"&s3="; http_uri; content:"&s4="; http_uri; content:"&s5="; http_uri; content:"&s6="; http_uri; content:"&s7="; http_uri; content:"&s8="; http_uri; content:"&s9="; http_uri; content:"&s10="; http_uri; content:"&s11="; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_07, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"uuid="; http_client_body; content:"language="; http_client_body; content:"appkey"; http_client_body; content:"model="; http_client_body; content:"operatorsname="; fast_pattern; http_client_body; content:"networkname="; http_client_body; content:"networktype="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/gac/"; fast_pattern; http_uri; content:"|20|Android|20|"; http_user_agent; content:"|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Accept-Encoding|3a 20|gzip|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^\/gac\/[a-f0-9]{15}$/U"; reference:url,blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises; classtype:trojan-activity; sid:2021617; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_08_12, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin"; flow:to_server,established; content:"/data.php?table="; fast_pattern; http_uri; content:"&game="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&game=[a-f0-9]{40}$/U"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021737; rev:3; metadata:created_at 2015_08_31, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cert.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; depth:3; http_client_body; content:"&cert="; http_client_body; content:"&priv="; fast_pattern; http_client_body; content:"&flag="; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:3; metadata:created_at 2015_08_31, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; content:".php?v="; http_uri; content:"&brok="; fast_pattern; http_uri; content:"&u="; http_uri; content:"&id="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&id=\d{15}$/U"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_10_27, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M2"; flow:established,to_server; content:"GET"; http_method; content:"/itms-services|3a|"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021901; rev:4; metadata:created_at 2015_10_05, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; content:"GET"; http_method; content:".plist"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern; pcre:"/\.plist$/U"; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:4; metadata:created_at 2015_10_05, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:25; content:"/getInstalledPackages.jsp"; http_uri; fast_pattern; content:"sdCardFree="; http_client_body; depth:11; content:"&imei="; http_client_body; distance:0; content:"&hasSd="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c  Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:"{|22|type|22 3a|"; depth:8; http_client_body; content:",|22|text|22 3a|"; http_client_body; content:",|22|code|22 3a|"; fast_pattern; http_client_body; content:",|22|from|22 3a|"; http_client_body; content:"|22|}"; http_client_body; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; content:"/flash/test.xml"; http_uri; fast_pattern; flowbits:set,ET.And.CruseWin; flowbits:noalert; metadata: former_category MOBILE_MALWARE; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013193; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:",|22|model|22 3a|"; http_client_body; content:",|22|apps|22 3a 5b 22|"; http_client_body; content:",|22|imei|22 3a|"; fast_pattern; http_client_body; pcre:"/^\{\x22(?:os|type)\x22\x3a/P";   reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"co"; http_uri; content:"untry="; http_uri; content:"phone="; http_uri; content:"&op="; http_uri; content:"imei="; fast_pattern; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; metadata: former_category MOBILE_MALWARE; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017588; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/NotifyLog"; fast_pattern; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|ClientId|22 3a|"; depth:12; http_client_body; content:",|22|Date|22 3a|"; http_client_body; pcre:"/\/NotifyLog$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; content:"lm="; http_uri; content:"/watch/?"; fast_pattern; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; content:"lm="; http_uri; content:"/find/?"; fast_pattern; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; content:"lm="; http_uri; content:"/results/?"; fast_pattern; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; content:"lm="; http_uri; content:"/open/?"; fast_pattern; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; content:"lm="; http_uri; content:"/close/?"; fast_pattern; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http_header; content:!"Referer|3a 20|"; http_header; content:"&method="; fast_pattern; http_client_body; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/P"; pcre:"/\.php$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023933; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/functions.php"; fast_pattern; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"apslst="; depth:7; http_client_body; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS DualToy Checkin"; flow:to_server,established; content:"/i_info_proxy.php?cmd="; fast_pattern; http_uri; content:"&data="; http_uri; content:"|3b 20|iPhone|20|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/&data=(?:([A-Za-z0-9]|%2[FB]){4})*(?:([A-Za-z0-9]|%2[FB]){2}==|([A-Za-z0-9]|%2[FB]){3}=|([A-Za-z0-9]|%2[FB]){4})$/I"; metadata: former_category MOBILE_MALWARE; reference:url,researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/; classtype:trojan-activity; sid:2023240; rev:3; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_15, performance_impact Low, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; content:"/getTask.php?"; fast_pattern; nocase; http_uri; content:"imei="; http_uri; content:"balance="; http_uri; content:!"Referer|3a 20|"; http_header; metadata: former_category MOBILE_MALWARE; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017587; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/adinfo?gi="; fast_pattern; http_uri; content:"&bf="; http_uri; pcre:"/^Host\x3a[^\n\r]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\r\n]+$/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024172; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/sdk_api.php?id="; fast_pattern; http_uri; content:"&type="; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/U"; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; content:"/inj/injek-1.php?id="; fast_pattern; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:trojan-activity; sid:2024426; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_06_26, malware_family Android_Marcher, updated_at 2019_10_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon"; flow:to_server,established; dsize:<500; content:"@!MyID|3a|"; depth:7; content:"IMEI|3a|"; distance:0; content:"Mobile|20|ID|3a|"; content:"SIM|3a|"; content:"IMSI|3a|"; content:"Android|20|version|3a|"; content:"Model|3a|"; content:"All|20|SD|20|Size|3a|"; fast_pattern; content:"Free|20|SD|20|Size|3a|"; content:"Network|20|type|3a|"; metadata: former_category MOBILE_MALWARE; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:trojan-activity; sid:2024895; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_10_23, malware_family Android_JadeRAT, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; content:"POST"; http_method; content:"lm="; http_uri; content:"/search/?"; fast_pattern; http_uri; content:!"&clid="; http_uri; content:!"&banerid="; http_uri; content:!"&win="; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; metadata: former_category MOBILE_MALWARE; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:4; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u0020javascript|3a|"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020398; rev:5; metadata:created_at 2015_02_11, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"method=devicestatus"; http_client_body; fast_pattern; content:"&app_key="; offset:19; http_client_body; content:"&imei="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Geost CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/geost.php?bid="; http_uri; fast_pattern; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2028661; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2019_10_08, malware_family Geost, performance_impact Low, updated_at 2019_10_08;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&online="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"Dalvik/"; http_user_agent; depth:7; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/GMServer/GMServlet"; nocase; http_uri; fast_pattern; content:"Dalvik"; depth:6; http_user_agent; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?im="; http_uri; content:"J2ME/UCWEB"; http_user_agent; depth:10; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"adlib/"; http_user_agent; depth:6; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request"; flow:established,to_server; content:"/iconfig.txt"; fast_pattern; http_uri; content:"Mozilla/4.0 (compatible)"; http_user_agent; depth:24; isdataat:!1,relative; reference:url,nakedsecurity.sophos.com/2014/01/31/android-banking-malware-with-a-twist-in-the-delivery/; classtype:trojan-activity; sid:2018071; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_05, updated_at 2019_10_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SlemBunk.Banker Phished Credentials Upload"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"/"; http_uri; depth:1; content:"Apache-HttpClient/UNAVAILABLE"; http_user_agent; depth:29; content:"{|22|data|22 3A|"; http_client_body; depth:8; content:"|22|password old|22 3A|"; fast_pattern; http_client_body; distance:0; content:"|22|login|22 3A|"; http_client_body; content:"|22|type|22 3A|"; http_client_body; distance:0; content:"|22|login old|22 3A|"; http_client_body; distance:0; content:"|22|password|22 3A|"; http_client_body; distance:0; content:"|22|name|22 3A|"; http_client_body; distance:0; content:"|22|code|22 3A|"; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022289; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2019_10_23;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE [PTsecurity] Spyware.BondPath (PathCall/Dingwe) Check-in"; flow:established,to_server; content:"POST"; http_method; content:"backup.php"; http_uri; content:"Content-Length|3a 20|"; http_header; depth:20; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; distance:0; content:"Apache-HttpClient"; http_user_agent; depth:17; content:"type="; http_client_body; depth:5; fast_pattern; content:"data="; http_client_body; content:"hash="; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,www.fortinet.com/blog/threat-research/android-bondpath--a-mature-spyware.html; classtype:trojan-activity; sid:2026039; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_28, malware_family BondPath, updated_at 2019_10_24;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; fast_pattern; http_uri; content:"f0="; http_client_body; depth:3; content:"&b0="; distance:0; http_client_body; content:"&pid="; distance:0; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:2013327; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_27, updated_at 2020_02_05;)

alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:15; content:"/getLastVersion"; depth:15; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2017999; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2020_02_06;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/send_sim_no.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"_no="; http_client_body; depth:16; http_header_names; content:!"Referer|0d 0a|"; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017787; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2020_02_10;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; content:"info"; http_client_body; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/P"; http_request_line; content:"/get.php|20|HTTP/1."; fast_pattern; http_header_names; content:!"Referer|0d 0a|"; metadata: former_category MOBILE_MALWARE; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:9; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_04_17, malware_family Android_Hqwar, updated_at 2020_02_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:"type="; http_client_body; depth:5; content:"&version="; http_client_body; content:"&lid="; http_client_body; content:"&c="; http_client_body; content:"&i="; http_client_body; http_request_line; content:"/stat/locker|20|HTTP/1."; fast_pattern; http_header_names; content:!"Referer|0d 0a|"; metadata: former_category MOBILE_MALWARE; reference:url,www.zscaler.com/blogs/research/new-android-ransomware-bypasses-all-antivirus-programs; classtype:trojan-activity; sid:2024123; rev:4; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_03_31, updated_at 2020_03_04;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon"; flow:to_server,established; content:"POST"; http_method; content:"|3b 20|Android|20|"; http_user_agent; http_request_line; content:"/gt|20|HTTP/1."; fast_pattern; http_header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Connection|0d 0a|Content-Type|0d 0a|"; http_connection; content:"keep-alive"; depth:10; isdataat:!1,relative; http_content_type; content:"application/json"; depth:16; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,b66010a9c91b17f4d26dc973a97419ac; reference:url,info.phishlabs.com/blog/redalert2-mobile-banking-trojan-actively-updating-its-techniques; classtype:trojan-activity; sid:2024765; rev:4; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_25, malware_family Android_RedAlert, updated_at 2020_03_04;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/support.aspx"; http_uri; isdataat:!1,relative; content:"SessionId1|3a 20|"; http_header; content:"SessionId2|3a 20|"; fast_pattern; http_header; content:"|3b 20|Android|20|"; http_user_agent; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|header|22 3b 20|filename=|22|header|22 0d 0a|"; http_client_body; http_header_names; content:!"Referer|0d 0a|"; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024171; rev:4; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2020_03_05;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected SandCat Related CnC"; flow:established,to_server; content:"POST"; http_method; content:"/socket.io/?EIO="; depth:16; http_uri; content:"&transport=polling"; distance:0; isdataat:!1,relative; http_uri; content:"|5b 22|add|20|user|22|,|22|ID_"; fast_pattern; offset:5; http_client_body; http_header_names; content:!"Referer|0d 0a|"; metadata: former_category MOBILE_MALWARE; reference:md5,eeecfa2999aea400deb8029d27db125e; classtype:trojan-activity; sid:2029619; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_03_12, performance_impact Low, updated_at 2020_03_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected Android Youzicheng Proxy Activity"; flow:established,to_server; urilen:17; content:"POST"; http_method; content:"/api/socksLog/add"; http_uri; content:"|20|Android|20|"; http_user_agent; content:"|7b 22|channelid|22 3a 22|"; depth:14; nocase; fast_pattern; http_client_body; content:"|2c 22|content|22 3a 22|"; distance:0; http_client_body; content:"|2c 22|deviceid|22 3a 22|"; distance:0; nocase; http_client_body; http_header_names; content:!"Referer|0d 0a|"; metadata: former_category MOBILE_MALWARE; reference:md5,c907d74ace51cec7cb53b0c8720063e1; classtype:trojan-activity; sid:2029635; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_03_13, performance_impact Low, updated_at 2020_03_13;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Lightspy Implant CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|udid="; fast_pattern;content:"POST"; http_method; content:"/update_device"; isdataat:!1,relative; http_uri; content:"|20|Android|20|"; http_user_agent; content:"udid="; depth:5; http_client_body; content:"&brand="; distance:0; http_client_body; content:"&model="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&osversion="; nocase; distance:0; http_client_body; content:"&x="; distance:0; http_client_body; content:"&y="; distance:0; http_client_body; content:"&sdcard="; distance:0; http_client_body; content:"&cid="; distance:0; http_client_body; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,fadff5b601f6fca588007660934129eb; reference:url,https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/; classtype:trojan-activity; sid:2029765; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_03_30, performance_impact Low, updated_at 2020_03_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EQO Variant CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"/_ping.php"; http_uri; isdataat:!1,relative; content:"|7b 22|DATA|22 3a 7b 22|DEVICE_ID|22 3a 22|"; http_client_body; depth:22; fast_pattern; content:"|22 2c 22|TAG|22 3a 22|"; http_client_body; within:25; content:"|22|CC_GRABBER|22 3a|"; distance:0; metadata: former_category MOBILE_MALWARE; reference:md5,849796248bfe2560039f6986c83f43d6; reference:md5,a8dd3cd7860f3fd2d34a33b0c87bd615; reference:url,twitter.com/PAsinovsky/status/1245790690946285569; classtype:trojan-activity; sid:2029811; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2020_04_03, performance_impact Low, updated_at 2020_04_03;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android PHONEMONITOR RAT CnC (getsettings)"; flow:established,to_server; content:"POST"; http_method; content:"PhoneMonitor"; http_user_agent; depth:12; isdataat:!1,relative; fast_pattern; content:"/webpanel/getsettings.php"; http_uri; depth:25; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,09aa3bb05a55b0df864d1e1709c29960; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:trojan-activity; sid:2029979; rev:2; metadata:attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2020_04_20, performance_impact Low, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected PROJECTSPY CnC (video)"; flow:established,to_server; content:"POST"; http_method; content:"/api/index.php?p=showMyAllVideos"; http_uri; fast_pattern; depth:32; isdataat:!1,relative; content:"Dalvik"; http_user_agent; metadata: former_category MOBILE_MALWARE; reference:md5,30a2f5b9c9cf01b16aaa4d3f40323faf; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:trojan-activity; sid:2029981; rev:2; metadata:attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2020_04_20, performance_impact Low, updated_at 2020_04_20;)