TrojanSpy:AndroidOS/Cambot.A - Windows Defender Threat Analysis

TrojanSpy:AndroidOS/Cambot.A is a critical Android spyware designed to infiltrate mobile devices. It functions as a trojan, likely collecting sensitive information, maintaining persistence on the device, and potentially exfiltrating collected data to attacker-controlled servers.

No specific strings found for this threat

rule TrojanSpy_AndroidOS_Cambot_A_2147783395_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "TrojanSpy:AndroidOS/Cambot.A"
        threat_id = "2147783395"
        type = "TrojanSpy"
        platform = "AndroidOS: Android operating system"
        family = "Cambot"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_DEXHSTR_EXT"
        threshold = "4"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {3a 00 1c 00 6e 20 ?? ?? 14 00 0a 00 d8 03 01 ff df 00 00 0d 8e 00 50 00 02 01 3a 03 0f 00 d8 00 03 ff 6e 20 ?? ?? 34 00 0a 01 df 01 01 66 8e 11 50 01 02 03 01 01 28 e5}  //weight: 2, accuracy: Low
        $x_1_2 = "/private/add_log.php" ascii //weight: 1
        $x_1_3 = "/resiverboot" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the affected Android device from all networks. Identify and uninstall the malicious application; if identification is difficult or removal is incomplete, perform a factory reset of the device. Change passwords for all accounts accessed from the compromised device and ensure the operating system and all applications are fully updated.