Concrete signature match: Trojan Spy - Monitors and reports user activity for AndroidOS platform, family Cambot
TrojanSpy:AndroidOS/Cambot.A is a critical Android spyware designed to infiltrate mobile devices. It functions as a trojan, likely collecting sensitive information, maintaining persistence on the device, and potentially exfiltrating collected data to attacker-controlled servers.
No specific strings found for this threat
rule TrojanSpy_AndroidOS_Cambot_A_2147783395_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "TrojanSpy:AndroidOS/Cambot.A"
        threat_id = "2147783395"
        type = "TrojanSpy"
        platform = "AndroidOS: Android operating system"
        family = "Cambot"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_DEXHSTR_EXT"
        threshold = "4"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {3a 00 1c 00 6e 20 ?? ?? 14 00 0a 00 d8 03 01 ff df 00 00 0d 8e 00 50 00 02 01 3a 03 0f 00 d8 00 03 ff 6e 20 ?? ?? 34 00 0a 01 df 01 01 66 8e 11 50 01 02 03 01 01 28 e5} //weight: 2, accuracy: Low
        $x_1_2 = "/private/add_log.php" ascii //weight: 1
        $x_1_3 = "/resiverboot" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

bd9e2e06b9816ca1e432f89dab95dde143d27e07d79c959aad13c2415809fbe1

Immediately isolate the affected Android device from all networks. Identify and uninstall the malicious application; if identification is difficult or removal is incomplete, perform a factory reset of the device. Change passwords for all accounts accessed from the compromised device and ensure the operating system and all applications are fully updated.