Frogblight Malware Detection Rules
YARA Rules
Rule 1: Frogblight Core Detection
yara
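rule Frogblight_Android_Malware_Core
{
    meta:
        description = "Detects Frogblight Android banking trojan core components"
        author = "SOC Threat Intelligence"
        date = "2024-12-23"
        severity = "critical"
        malware_family = "Frogblight"
        target_platform = "Android"

    // Scope note: APK entries are normally DEFLATE-compressed inside the ZIP container, so when
    // the rule runs on the raw .apk only stored (uncompressed) entries and the ZIP entry names are
    // visible to the string matches below. Run it over the unpacked entries as well
    // (classes*.dex, AndroidManifest.xml); the magic check in the condition accepts both the
    // ZIP container and a bare DEX file.
    strings:
        // Package names used by the lure apps; a hit is sufficient on its own.
        $pkg1 = "com.davalarim.mobile" ascii wide
        $pkg2 = "com.turkey.court" ascii wide
        $pkg3 = "com.gov.tr.yardim" ascii wide
        $pkg4 = "com.sosyal.yardim" ascii wide

        // Permissions are declared in AndroidManifest.xml (compiled binary XML once packaged).
        $perm1 = "android.permission.BIND_ACCESSIBILITY_SERVICE" ascii
        $perm2 = "android.permission.SYSTEM_ALERT_WINDOW" ascii
        $perm3 = "android.permission.READ_SMS" ascii
        $perm4 = "android.permission.SEND_SMS" ascii
        $perm5 = "android.permission.RECEIVE_SMS" ascii

        // TYPE_APPLICATION_OVERLAY is a compile-time int constant that javac inlines, so the name
        // is usually absent from classes.dex unless used as a string literal.
        // "WindowManager.LayoutParams" is the source form; DEX references the type by its
        // descriptor (Landroid/view/WindowManager$LayoutParams;), so $overlay2 mostly hits
        // decompiled/smali text. "addView" is ubiquitous and only counts in combination.
        $overlay1 = "TYPE_APPLICATION_OVERLAY" ascii
        $overlay2 = "WindowManager.LayoutParams" ascii
        $overlay3 = "addView" ascii

        $accessibility1 = "AccessibilityService" ascii
        $accessibility2 = "onAccessibilityEvent" ascii
        $accessibility3 = "TYPE_VIEW_TEXT_CHANGED" ascii   // also an inlined int constant, see above

        // Turkish lure text. YARA stores text strings as raw bytes and 'wide' inserts a NUL after
        // each *byte*, so "Davaları" wide would encode the dotless i (UTF-8 C4 B1) as C4 00 B1 00
        // rather than its UTF-16LE code unit 31 01 and could never match. Non-ASCII text is
        // therefore spelled out as hex per encoding.
        $turkish1 = { 44 00 61 00 76 00 61 00 6C 00 61 00 72 00 31 01 }   // "Davaları" UTF-16LE
        $turkish2 = "mahkeme" ascii wide
        $turkish3 = { 79 61 72 64 C4 B1 6D }                             // "yardım" UTF-8
        $turkish4 = { 79 00 61 00 72 00 64 00 31 01 6D 00 }              // "yardım" UTF-16LE

    condition:
        // ZIP local file header (APK container) or DEX header "dex\n" (extracted classes.dex).
        (uint32(0) == 0x04034b50 or uint32(0) == 0x0A786564) and
        (
            // Known package name: sufficient on its own.
            (any of ($pkg*)) or
            // Otherwise a permission set plus overlay, accessibility or lure-text evidence. Each
            // pair still occurs in some legitimate accessibility/SMS apps, so triage hits that do
            // not also match $pkg*.
            (3 of ($perm*) and 2 of ($overlay*)) or
            (2 of ($accessibility*) and 2 of ($perm*)) or
            (any of ($turkish*) and 3 of ($perm*))
        )
}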
Rule 2: Frogblight SMS Interception Module
yara
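rule Frogblight_SMS_Interception
{
    meta:
        description = "Detects SMS interception functionality in Frogblight"
        author = "SOC Threat Intelligence"
        severity = "high"

    // Intended input: the APK and its unpacked entries (classes*.dex). APK entries are normally
    // DEFLATE-compressed, so on the raw archive only stored entries and entry names are visible.
    strings:
        // SMS receive/parse API surface. "SmsMessage.createFromPdu" is the source-form name; in
        // classes.dex the class (Landroid/telephony/SmsMessage;) and the method name are separate
        // entries, so $sms2 only hits decompiled text and $sms2_dex carries the DEX form.
        $sms1 = "android.provider.Telephony.SMS_RECEIVED" ascii
        $sms2 = "SmsMessage.createFromPdu" ascii
        $sms2_dex = "createFromPdu" ascii
        $sms3 = "getMessageBody" ascii
        $sms4 = "getOriginatingAddress" ascii

        // OTP harvesting hints. $banking1 is the *source text* of a regex (the backslashes are
        // escaped), i.e. it matches an app that embeds the literal pattern \b\d{4,8}\b; it is not
        // evaluated as a regex. "OTP" is three bytes and fires on plenty of benign code.
        $banking1 = "\\b\\d{4,8}\\b" ascii
        $banking2 = "verification code" nocase ascii
        // "doğrulama kodu": YARA keeps text strings as raw bytes and 'wide' pads each *byte* with
        // NUL, so the original "... kodu" wide would turn ğ (UTF-8 C4 9F) into C4 00 9F 00 instead
        // of UTF-16LE 1F 01 and never match. Both encodings are given as hex.
        $banking3 = { 64 00 6F 00 1F 01 72 00 75 00 6C 00 61 00 6D 00 61 00 20 00 6B 00 6F 00 64 00 75 00 }   // UTF-16LE
        $banking3_utf8 = { 64 6F C4 9F 72 75 6C 61 6D 61 20 6B 6F 64 75 }                                     // UTF-8
        $banking4 = "OTP" ascii

        // Forwarding channel: SMS relay or an HTTP POST.
        $exfil1 = "sendTextMessage" ascii
        $exfil2 = "HttpURLConnection" ascii
        $exfil3 = "POST" ascii

    condition:
        // ZIP local file header (APK) or DEX header "dex\n" (extracted classes.dex).
        (uint32(0) == 0x04034b50 or uint32(0) == 0x0A786564) and
        3 of ($sms*) and
        2 of ($banking*) and
        2 of ($exfil*)
}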
Rule 3: Frogblight Overlay Attack Detection
yara
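rule Frogblight_Overlay_Attack
{
    meta:
        description = "Detects overlay attack components used by Frogblight"
        author = "SOC Threat Intelligence"
        severity = "critical"

    // Intended input: the APK and its unpacked entries (classes*.dex). APK entries are normally
    // DEFLATE-compressed, so on the raw archive only stored entries and entry names are visible.
    strings:
        // Overlay window plumbing. TYPE_SYSTEM_ALERT / TYPE_PHONE are compile-time int constants
        // that javac inlines, so the names usually survive only in decompiled output or when used
        // as string literals. "LayoutInflater.inflate" is the source form (DEX stores the class
        // descriptor and the method name separately), so this group mainly fires on decompiled text.
        $overlay1 = "TYPE_SYSTEM_ALERT" ascii
        $overlay2 = "TYPE_PHONE" ascii
        $overlay3 = "LayoutInflater.inflate" ascii

        // Foreground-app discovery used to time the overlay. getRunningTasks is deprecated but
        // still referenced by older code; getPackageName and ActivityManager are near-universal,
        // so "2 of ($target*)" is satisfied by most apps and adds little weight on its own.
        $target1 = "getRunningTasks" ascii
        $target2 = "getPackageName" ascii
        $target3 = "ActivityManager" ascii

        // Package-name fragments of the targeted Turkish banks: the discriminating part of the rule.
        $banking_app1 = "com.akbank" ascii
        $banking_app2 = "com.garanti" ascii
        $banking_app3 = "com.ziraat" ascii
        $banking_app4 = "com.yapikredi" ascii
        $banking_app5 = "com.isbank" ascii
        $banking_app6 = "finansbank" ascii

        // Credential-form UI strings; present in any login screen, meaningful only in combination.
        $ui1 = "EditText" ascii
        $ui2 = "password" nocase ascii
        $ui3 = "username" nocase ascii

    condition:
        // ZIP local file header (APK) or DEX header "dex\n" (extracted classes.dex).
        (uint32(0) == 0x04034b50 or uint32(0) == 0x0A786564) and
        2 of ($overlay*) and
        2 of ($target*) and
        2 of ($banking_app*) and
        2 of ($ui*)
}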
Rule 4: Frogblight C2 Communication
yara
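rule Frogblight_C2_Communication
{
    meta:
        description = "Detects command and control communication patterns"
        author = "SOC Threat Intelligence"
        severity = "high"

    // Intended input: the APK and its unpacked entries (classes*.dex). APK entries are normally
    // DEFLATE-compressed, so on the raw archive only stored entries and entry names are visible.
    strings:
        // HTTPS client API: present in most networked apps; the weight comes from $json*/$domain*.
        $http1 = "HttpsURLConnection" ascii
        $http2 = "setRequestMethod" ascii
        $http3 = "setRequestProperty" ascii

        // Payload encryption. "Cipher.getInstance" is the source form (DEX keeps
        // Ljavax/crypto/Cipher; and getInstance as separate entries); "AES/CBC" is a literal
        // transformation string and does survive into the DEX string table.
        $crypto1 = "Cipher.getInstance" ascii
        $crypto2 = "AES/CBC" ascii
        $crypto3 = "SecretKeySpec" ascii

        // Field names of the beacon/exfiltration JSON document.
        $json1 = "JSONObject" ascii
        $json2 = "device_id" ascii
        $json3 = "credentials" ascii
        $json4 = "sms_data" ascii

        // C2 naming themes (court / lawsuit / government-aid lures). Unanchored, so they also
        // match inside longer host names and URLs.
        $domain1 = /[a-z]+-court-[a-z]+\.com/ ascii
        $domain2 = /davalar-tr\.[a-z]{2,4}/ ascii
        $domain3 = /gov-[a-z]+-tr\.[a-z]{2,6}/ ascii

    condition:
        // ZIP local file header (APK) or DEX header "dex\n" (extracted classes.dex).
        (uint32(0) == 0x04034b50 or uint32(0) == 0x0A786564) and
        2 of ($http*) and
        2 of ($crypto*) and
        2 of ($json*) and
        // A themed domain is required: the other groups alone describe any app that encrypts
        // and posts JSON.
        any of ($domain*)
}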
Rule 5: Frogblight Anti-Analysis
yara
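rule Frogblight_Anti_Analysis
{
    meta:
        description = "Detects anti-analysis and evasion techniques"
        author = "SOC Threat Intelligence"
        severity = "medium"

    // Intended input: the APK and its unpacked entries (classes*.dex). APK entries are normally
    // DEFLATE-compressed, so on the raw archive only stored entries and entry names are visible.
    strings:
        // Emulator fingerprinting. "generic" (nocase) occurs in almost every DEX (e.g. generic
        // type signatures), so it must not be enough by itself. "android.os.Build.PRODUCT" is the
        // source form; DEX stores the field as Landroid/os/Build; plus PRODUCT, so $emulator4
        // mostly hits decompiled text.
        $emulator1 = "generic" nocase ascii
        $emulator2 = "goldfish" ascii
        $emulator3 = "emulator" ascii
        $emulator4 = "android.os.Build.PRODUCT" ascii

        // Debugger checks. $debug1 is a substring of $debug2, so "any of ($debug*)" is one test,
        // and Debug.isDebuggerConnected is common in benign SDKs.
        $debug1 = "isDebuggerConnected" ascii
        $debug2 = "Debug.isDebuggerConnected" ascii

        // Root checks: specific paths/packages, but legitimate banking apps ship root detection too.
        $root1 = "/system/app/Superuser.apk" ascii
        $root2 = "/system/xbin/su" ascii
        $root3 = "eu.chainfire.supersu" ascii

        // Dynamic code loading / reflection. "loadClass" and "invoke" appear in practically every
        // app; DexClassLoader is the only string here with real signal.
        $obfuscation1 = "DexClassLoader" ascii
        $obfuscation2 = "loadClass" ascii
        $obfuscation3 = "invoke" ascii

    condition:
        // ZIP local file header (APK) or DEX header "dex\n" (extracted classes.dex).
        (uint32(0) == 0x04034b50 or uint32(0) == 0x0A786564) and
        (
            // The original "2 of ($obfuscation*)" / "any of ($debug*)" / "generic"+"emulator"
            // clauses matched most ordinary apps; each group now needs its specific atom.
            (($emulator2 or $emulator3) and 2 of ($emulator*)) or
            (2 of ($root*)) or
            (any of ($debug*) and $obfuscation1) or
            ($obfuscation1 and 2 of ($obfuscation*))
        )
}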
Sigma Rules
Sigma Rule 1: Frogblight Network Communication Detection
yaml
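title: Frogblight Malware Network Communication
id: a8f4c2e1-9b7d-4f3a-8c5e-2d6b9a1f8e4c
status: experimental
description: Detects network connections associated with Frogblight Android malware C2 infrastructure
author: SOC Threat Intelligence Team
date: 2024-12-23      # ISO date (YYYY-MM-DD) as required by the Sigma v2 specification
modified: 2024-12-23
tags:
  - attack.command_and_control
  - attack.t1071.001
  - attack.exfiltration
  - attack.t1041
logsource:
  category: firewall   # 'product: any' is not a recognised value; omitting product means any product
detection:
  # Known lure/C2 name fragments: a hit is sufficient on its own.
  selection_domain:
    destination.domain|contains:
      - 'turkish-court-service'
      - 'davalar-tr'
      - 'gov-yardim-tr'
      - 'sosyal-destek'
      - '-court-service'
      - 'mahkeme-'
      - 'yardim-basvuru'
  # Generic "-court-" naming theme: only meaningful together with a young registration.
  selection_pattern:
    destination.domain|re: '.*-court-.*\.(com|net|online|xyz)$'
  selection_new_domain:
    # A quoted '<180' is compared as a literal string; a numeric comparison needs the |lt modifier.
    # destination.domain_age is an enrichment field (presumably days since registration) — confirm
    # the firewall/proxy source populates it, otherwise selection_pattern can never match.
    destination.domain_age|lt: 180
    destination.port: 443
  condition: selection_domain or (selection_pattern and selection_new_domain)
fields:
  - source.ip
  - destination.ip
  - destination.domain
  - destination.port
  - timestamp
falsepositives:
  - Legitimate Turkish government services (verify domain registration and SSL certificates)
level: high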
Sigma Rule 2: Mobile Device Excessive Permissions
yaml
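title: Frogblight-Style Dangerous Permission Granted
id: REPLACE-WITH-NEW-UUID   # placeholder: generate a fresh UUID before deployment
name: frogblight_dangerous_permission_grant   # referenced by the correlation rule below
status: experimental
description: Single grant of one of the permissions Frogblight relies on; building block for the correlation rule that counts them per package
author: SOC Threat Intelligence Team
date: 2024-12-23   # ISO date (YYYY-MM-DD) as required by the Sigma v2 specification
tags:
  - attack.privilege_escalation
  - attack.t1548
  - attack.credential_access
  - attack.t1556
logsource:
  product: mobile_device_management
  service: android
detection:
  # One event per granted permission is assumed. Accessibility, SMS, overlay and device-admin
  # permissions are all collected here; the combination is evaluated by the correlation rule.
  selection:
    permission:
      - 'android.permission.BIND_ACCESSIBILITY_SERVICE'
      - 'android.permission.READ_SMS'
      - 'android.permission.SEND_SMS'
      - 'android.permission.RECEIVE_SMS'
      - 'android.permission.SYSTEM_ALERT_WINDOW'
      # NOTE(review): 'android.permission.DRAW_OVER_APPS' is not a permission name I can find in
      # the Android framework (the "draw over other apps" capability is SYSTEM_ALERT_WINDOW);
      # keep it only if this MDM vendor emits that string.
      - 'android.permission.DRAW_OVER_APPS'
      - 'android.permission.BIND_DEVICE_ADMIN'
  condition: selection
fields:
  - app.package_name
  - app.name
  - device.id
  - user.name
  - timestamp
falsepositives:
  - Legitimate accessibility applications
  - Parental control software
  - Enterprise mobile management tools
level: low
---
title: Android Application Requesting Excessive Permissions Consistent with Frogblight
id: c3d7b9e2-4a8f-11ef-b3d4-0800200c9a66
status: experimental
description: >
  Three or more distinct Frogblight-style dangerous permissions granted to the same package on the
  same device within five minutes. A plain Sigma detection matches one event at a time, so the
  original "selection_accessibility and (2 of selection_sms) and selection_overlay" condition
  (with an unused selection_admin and a legacy timeframe) could never be evaluated; the multi-event
  intent is expressed as a value_count correlation instead. Requiring specifically accessibility +
  overlay + SMS is not expressible in one correlation; a count of three mirrors the accompanying
  Splunk query (unique_permissions >= 3).
author: SOC Threat Intelligence Team
date: 2024-12-23
correlation:
  type: value_count
  rules:
    - frogblight_dangerous_permission_grant
  group-by:
    - app.package_name
    - device.id
  timespan: 5m
  condition:
    field: permission
    gte: 3
level: high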
Sigma Rule 3: Suspicious SMS Pattern Exfiltration
yaml
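title: Frogblight Bulk SMS Access by Unverified App
id: REPLACE-WITH-NEW-UUID-1   # placeholder: generate a fresh UUID before deployment
name: frogblight_sms_bulk_access
status: experimental
description: More than ten SMS accesses by an unverified app posing as a government, finance or productivity app (first half of the SMS interception + exfiltration pattern)
author: SOC Threat Intelligence Team
date: 2024-12-23   # ISO date (YYYY-MM-DD) as required by the Sigma v2 specification
tags:
  - attack.collection
  - attack.t1417
logsource:
  product: mobile_threat_defense
  service: android
detection:
  selection_sms_read:
    event_type: 'sms_accessed'
    # '>10' in quotes is a literal string, not a comparison; |gt makes it numeric.
    access_count|gt: 10
  # presumably the app.* attributes are carried on the sms_accessed event — confirm the schema
  selection_app_suspicious:
    app.category:
      - 'government'
      - 'finance'
      - 'productivity'
    app.verified: false
  condition: selection_sms_read and selection_app_suspicious
fields:
  - app.package_name
  - device.id
  - sms.count
falsepositives:
  - Legitimate SMS backup applications
level: medium
---
title: Frogblight HTTPS Upload From Mobile Device
id: REPLACE-WITH-NEW-UUID-2   # placeholder: generate a fresh UUID before deployment
name: frogblight_https_upload
status: experimental
description: HTTPS connection sending more than 1 KiB from a mobile device (second half of the SMS interception + exfiltration pattern; too generic to alert on alone)
author: SOC Threat Intelligence Team
date: 2024-12-23
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  product: mobile_threat_defense
  service: android
detection:
  selection_network:
    event_type: 'network_connection'
    protocol: 'https'
    # '>1024' in quotes is a literal string, not a comparison; |gt makes it numeric.
    data_sent|gt: 1024
  condition: selection_network
fields:
  - device.id
  - destination.ip
  - bytes.sent
falsepositives:
  - Cloud synchronization services
level: low
---
title: Frogblight SMS Interception and Exfiltration Pattern
id: f7a3b1c8-6e2d-4f9a-a1b5-8c3d7e9f2a4b
status: experimental
description: >
  Bulk SMS access followed by an HTTPS upload from the same device within 60 seconds. One event
  cannot carry both event_type 'sms_accessed' and 'network_connection', so the original
  three-selection AND condition was unsatisfiable; the temporal correlation carries the 60 s
  window that the legacy timeframe field was meant to express.
author: SOC Threat Intelligence Team
date: 2024-12-23
correlation:
  type: temporal
  rules:
    - frogblight_sms_bulk_access
    - frogblight_https_upload
  group-by:
    - device.id
  timespan: 60s
level: critical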
Sigma Rule 4: Frogblight Overlay Attack Detection
yaml
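title: Android Overlay Window Created Over Banking App
id: REPLACE-WITH-NEW-UUID-1   # placeholder: generate a fresh UUID before deployment
name: frogblight_overlay_over_banking_app
status: experimental
description: Overlay window created while a banking or wallet app is in the foreground (first step of the Frogblight overlay pattern)
author: SOC Threat Intelligence Team
date: 2024-12-23   # ISO date (YYYY-MM-DD) as required by the Sigma v2 specification
tags:
  - attack.credential_access
  - attack.t1056.002
  # Mobile ATT&CK equivalent (Input Capture: GUI Input Capture). The original attack.t1112
  # (Modify Registry) is a Windows enterprise technique and does not apply to Android.
  - attack.t1417.002
logsource:
  product: mobile_threat_defense
  service: android_runtime
detection:
  selection_overlay_created:
    event_type: 'overlay_window_created'
    window_type:
      - 'TYPE_APPLICATION_OVERLAY'
      - 'TYPE_SYSTEM_ALERT'
  # presumably the foreground app is reported on the overlay event itself — confirm the schema
  selection_target_app:
    foreground_app|contains:
      - 'bank'
      - 'wallet'
      - 'crypto'
      - 'akbank'
      - 'garanti'
      - 'ziraat'
      - 'isbank'
      - 'yapikredi'
  condition: selection_overlay_created and selection_target_app
fields:
  - overlay.app_name
  - target.app_name
  - device.id
  - user.id
falsepositives:
  - Screen recording applications
  - Legitimate overlay applications like chat heads
level: medium
---
title: Android Password Input Detected
id: REPLACE-WITH-NEW-UUID-2   # placeholder: generate a fresh UUID before deployment
name: frogblight_password_input
status: experimental
description: Password field input observed by the runtime monitor (second step of the Frogblight overlay pattern; not alert-worthy alone)
author: SOC Threat Intelligence Team
date: 2024-12-23
logsource:
  product: mobile_threat_defense
  service: android_runtime
detection:
  selection_input_capture:
    event_type: 'text_input_detected'
    input_type: 'password'
  condition: selection_input_capture
fields:
  - device.id
  - user.id
level: low
---
title: Android Overlay Attack Pattern Detection
id: e9b4c7d2-5f3a-4b8e-9c1d-6a7f8b2e4d3c
status: experimental
description: >
  Overlay creation over a banking app followed within 10 seconds by a password entry on the same
  device. A single Sigma detection cannot match an 'overlay_window_created' and a
  'text_input_detected' event at once, so the original AND of three selections was
  unsatisfiable; an ordered temporal correlation expresses the sequence.
author: SOC Threat Intelligence Team
date: 2024-12-23
correlation:
  type: temporal_ordered
  rules:
    - frogblight_overlay_over_banking_app
    - frogblight_password_input
  group-by:
    - device.id
  timespan: 10s
level: critical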
Sigma Rule 5: Device Administrator Abuse
yaml
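title: Suspicious Device Administrator Activation
id: b6d8e4f9-3c7a-4e2b-9f1d-5a8c7b9e3f2a
status: experimental
description: Detects suspicious activation of device administrator privileges by applications mimicking government services
author: SOC Threat Intelligence Team
date: 2024-12-23   # ISO date (YYYY-MM-DD) as required by the Sigma v2 specification
tags:
  - attack.persistence
  - attack.t1098
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  product: mobile_device_management
  service: android_admin
detection:
  selection_admin_activated:
    event_type: 'device_admin_enabled'
  # Lure naming (court / lawsuit / social-aid themes). Non-ASCII values are kept verbatim; the
  # backend must compare them case-insensitively as UTF-8.
  selection_suspicious_name:
    app.name|contains:
      - 'Davaları'
      - 'mahkeme'
      - 'court'
      - 'yardım'
      - 'sosyal'
      - 'destek'
  # presumably the admin event is enriched with the app's store/developer verification flags and
  # install age — confirm against the MDM schema
  selection_unverified:
    app.playstore_verified: false
    app.developer_verified: false
  selection_recent_install:
    # '<24h' in quotes was a literal string, not a comparison. Numeric modifiers need a bare
    # number; the unit is assumed to be hours — confirm the unit app.install_age is reported in.
    app.install_age|lt: 24
  condition: selection_admin_activated and selection_suspicious_name and selection_unverified and selection_recent_install
fields:
  - app.package_name
  - app.name
  - device.id
  - user.name
  - installation_source
falsepositives:
  - Legitimate government applications (verify through official channels)
  - Enterprise MDM enrollment
level: high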
```
## Snort/Suricata Rules
### Rule 1: Frogblight C2 Traffic Detection
```
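# Frogblight beacon: POST carrying device_id + credentials from a Dalvik (Android) HTTP client.
# The original bound HTTP buffers to tcp/443: on an undecrypted TLS session those buffers are
# empty, so the rule could only ever fire behind a TLS-terminating proxy. 'alert http' lets the
# app-layer parser pick the transaction up on whatever port decrypted/cleartext HTTP appears on;
# narrow the destination port again if the sensor only sees decrypted traffic on one port.
# Options are continued with a trailing backslash; a rule split over bare lines is a syntax error.
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"MALWARE Frogblight Android Malware C2 Communication Outbound"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"User-Agent|3a| Dalvik"; http_header; \
    content:"device_id"; http_client_body; \
    content:"credentials"; http_client_body; fast_pattern; \
    threshold:type limit, track by_src, count 1, seconds 300; \
    classtype:trojan-activity; \
    sid:5000001; rev:2; \
    metadata:malware_family frogblight, target android, severity critical; \
)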
```
### Rule 2: Suspicious Turkish Domain C2 Pattern
```
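# Frogblight lure-themed DNS lookups. The pattern is applied to the parsed query name (dns.query)
# instead of the raw packet, so it is independent of label encoding and also covers DNS over TCP.
# The former raw match on |01 00 00 01| (flags + qdcount) was redundant with the parsed query and
# has been dropped. Options are continued with a trailing backslash.
alert dns $HOME_NET any -> any 53 ( \
    msg:"MALWARE Frogblight Suspicious Turkish-themed Domain Query"; \
    dns.query; \
    pcre:"/(davalar-tr|turkish-court|gov-yardim-tr|sosyal-destek)/i"; \
    threshold:type both, track by_src, count 3, seconds 60; \
    classtype:trojan-activity; \
    sid:5000002; rev:2; \
    metadata:malware_family frogblight, attack_target turkish_users; \
)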
```
### Rule 3: Encrypted Data Exfiltration Pattern
```
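# Heuristic: sustained client-side uploads over TLS to non-Google hosts. The original option set
# could not fire: byte_extract used 'relative' with no preceding match (invalid) and its result
# was never used, http_header buffers are empty on an undecrypted TLS stream, and a ClientHello
# (ssl_state:client_hello) is usually smaller than the 2048-byte dsize it was paired with. The
# rewrite keys on the TLS SNI and the cumulative client byte count of the stream instead. It
# remains a noisy policy heuristic (any sizeable upload to a non-Google host) and should feed
# correlation with the other Frogblight signals rather than page on its own.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 ( \
    msg:"MALWARE Frogblight Encrypted Data Exfiltration Pattern"; \
    flow:established,to_server; \
    tls.sni; content:!"play.google.com"; \
    tls.sni; content:!"android.googleapis.com"; \
    stream_size:client,>,2048; \
    threshold:type threshold, track by_src, count 5, seconds 60; \
    classtype:policy-violation; \
    sid:5000003; rev:2; \
)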
```
### Rule 4: SMS OTP Exfiltration
```
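# Frogblight SMS/OTP upload over cleartext HTTP ($HTTP_PORTS); HTTPS uploads are only visible
# behind a TLS-terminating proxy. The original pcre "/\d{4,8}/" ran against the whole packet, so
# any four digits (a Content-Length header is enough) satisfied it; it is now bound to the client
# body (/P) and anchored to the message_body field. The regex is a constructed approximation of
# the observed JSON layout — adjust the gap if real samples differ.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE Frogblight SMS OTP Data Exfiltration Attempt"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"sms_data"; http_client_body; fast_pattern; \
    content:"sender"; http_client_body; \
    content:"message_body"; http_client_body; \
    pcre:"/message_body[^0-9]{0,64}\d{4,8}/P"; \
    classtype:credential-theft; \
    sid:5000004; rev:2; \
    metadata:malware_family frogblight, attack_vector sms_interception; \
)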
```
### Rule 5: APK Download from Suspicious Source
```
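# APK served from a lure-named location over cleartext HTTP (HTTPS downloads need TLS inspection).
# The Content-Disposition check is a response-header match (/H); in the original it followed
# file_data and was therefore evaluated against the file body, where the header never appears.
# ZIP entry names are stored uncompressed, so "AndroidManifest.xml" is visible in the body even
# though the entry's contents are deflated. "PK|03 04|" is the ZIP local-file-header magic.
# NOTE(review): Host is a request header; in a to_client rule http_header inspects the response
# headers, so the retained play.google.com negation is a no-op on Snort 2 and likewise with the
# legacy http_header modifier on Suricata. Replace it with a request-side host match if the
# deployed engine allows one in the to_client direction — confirm before relying on it.
alert http $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"MALWARE Potential Frogblight APK Download from Suspicious Domain"; \
    flow:established,to_client; \
    pcre:"/^Content-Disposition\x3a[^\r\n]*(davalarim|mahkeme|yardim|court|sosyal)/Hmi"; \
    content:!"play.google.com"; http_header; \
    file_data; \
    content:"PK|03 04|"; depth:4; \
    content:"AndroidManifest.xml"; \
    classtype:trojan-activity; \
    sid:5000005; rev:2; \
    metadata:malware_family frogblight, delivery_method smishing; \
)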
Splunk Detection Queries
Query 1: Frogblight Network Activity
spl
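```Frogblight C2/exfil over HTTPS: explicit lure-domain IOCs, the "-court-" naming theme, and "mahkeme" on recently registered domains.```
```domain_age is an enrichment field (presumably days) that must be present on the proxy/firewall events for the age branches to work.```
index=firewall OR index=proxy dest_port=443
    (dest_domain IN ("*davalar-tr*", "*turkish-court*", "*gov-yardim-tr*", "*sosyal-destek*")
     OR dest_domain="*-court-*"
     OR (dest_domain="*mahkeme*" AND domain_age<180))
```Flag each reason separately: the IOC-list hits were previously discarded by the where clause, which kept only "-court-" or young-domain rows.```
| eval ioc_match=if(match(dest_domain, "(?i)davalar-tr|turkish-court|gov-yardim-tr|sosyal-destek"), 1, 0)
| eval suspicious_pattern=if(like(dest_domain, "%-court-%"), 1, 0)
| eval new_domain=if(isnotnull(domain_age) AND domain_age<180, 1, 0)
| where ioc_match=1 OR suspicious_pattern=1 OR new_domain=1
```Aggregate per domain per hour: grouping by the raw _time produced one row per event, so count was always 1 and count>3 never passed; values(bytes_out) was a multivalue list, not a total.```
| bin _time span=1h
| stats count, values(src_ip) AS source_ips, values(dest_ip) AS destinations,
        sum(bytes_out) AS data_sent, max(ioc_match) AS ioc_match
        BY dest_domain, _time
```A known IOC is reported regardless of volume; pattern/age hits need repetition or bulk transfer.```
| where ioc_match=1 OR count > 3 OR data_sent > 10240
| eval severity="critical", malware_family="Frogblight"
| table _time, source_ips, dest_domain, destinations, data_sent, count, severity, malware_family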
Query 2: Mobile Device Suspicious Permission Pattern
spl
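```Packages on a device holding three or more of the permissions Frogblight relies on, including accessibility and SMS.```
index=mdm sourcetype=android_permissions
    (permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
     OR permission="android.permission.READ_SMS"
     OR permission="android.permission.SEND_SMS"
     OR permission="android.permission.SYSTEM_ALERT_WINDOW"
     OR permission="android.permission.BIND_DEVICE_ADMIN")
```One event per granted permission is assumed. Grouping by _time put every grant in its own row, so dc(permission) was always 1 and unique_permissions>=3 could never hold; the latest grant time is kept as _time instead.```
| stats dc(permission) AS unique_permissions, values(permission) AS permissions_list,
        values(app_name) AS app_name, max(_time) AS _time
        BY device_id, package_name
| where unique_permissions >= 3
| search permissions_list="*ACCESSIBILITY*" AND permissions_list="*SMS*"
| eval risk_score=case(
      unique_permissions>=4, "critical",
      unique_permissions=3, "high",
      true(), "medium")
```risk_rank is numeric so the sort is by severity; sorting the label descending put "high" above "critical" alphabetically.```
| eval risk_rank=case(risk_score="critical", 3, risk_score="high", 2, true(), 1)
| sort -risk_rank, -unique_permissions
| table _time, device_id, package_name, app_name, permissions_list, risk_score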
Query 3: SMS Interception and Exfiltration Correlation
spl
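```SMS reads correlated with HTTPS uploads from the same device in the same minute. Both sources must carry device_id (firewall events usually need MDM/DHCP enrichment for that).```
(index=mobile_security sourcetype=android_events event_type="sms_accessed")
OR (index=network sourcetype=firewall action=allowed dest_port=443)
```transaction collapsed each 60 s group into a single event, so sum(sms_access_count) was 0 or 1 and sms_reads>5 never held. A fixed 1-minute bin plus stats keeps per-event counts (window edges differ slightly from a sliding 60 s span).```
| bin _time span=1m
| stats count(eval(event_type="sms_accessed")) AS sms_reads,
        count(eval(dest_port=443)) AS network_transfers,
        sum(bytes_out) AS total_bytes_sent,
        values(dest_ip) AS destination_ips,
        values(app_name) AS application
        BY device_id, _time
| where sms_reads > 5 AND network_transfers > 0 AND total_bytes_sent > 1024
| eval alert_severity="critical"
| eval ioc_type="SMS Interception + Data Exfiltration"
| table _time, device_id, application, sms_reads, total_bytes_sent, destination_ips, alert_severity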
Query 4: Overlay Attack Detection
spl
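```Overlay created over a banking/wallet app followed by password or PIN input on the same device within 10 s.```
index=mobile_security sourcetype=android_runtime
    (event_type="overlay_window_created" OR event_type="foreground_app_changed" OR event_type="text_input_detected")
| transaction device_id maxspan=10s
| where eventcount >= 3
| search event_type="overlay_window_created" AND foreground_app IN ("*bank*", "*wallet*", "*crypto*", "*akbank*", "*garanti*", "*ziraat*")
```transaction already computes duration (last minus first event). The original min(_time) is the one-argument eval min(), which just returns _time, so overlay_duration was always 0.```
| eval overlay_duration=duration
| stats count, values(overlay_app) AS overlay_application,
        values(foreground_app) AS target_application,
        values(input_type) AS input_captured,
        max(overlay_duration) AS duration
        BY device_id, user_id, _time
| where input_captured="password" OR input_captured="pin"
| eval attack_type="Credential Theft via Overlay"
| eval severity="critical"
| table _time, device_id, user_id, overlay_application, target_application, input_captured, duration, severity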
Query 5: Frogblight Installation Pattern
spl
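```Lure-named or lure-packaged apps installed from outside the Play Store that then obtained an accessibility permission.```
index=mobile_security sourcetype=android_app_install
    (app_name IN ("*Davaları*", "*mahkeme*", "*yardım*", "*sosyal*", "*court*", "*destek*")
     OR package_name IN ("com.davalarim*", "com.turkey.court*", "com.gov.tr*", "com.sosyal*"))
    install_source!="com.android.vending"
| eval installation_method=case(
      install_source="unknown", "Sideload",
      install_source="browser", "Direct Download",
      install_source="file_manager", "Manual Install",
      true(), install_source)
```Join on the package as well as the device: joining on device_id alone attached the permissions of whichever package the subsearch returned first for that device.```
```The grant time is carried out of the subsearch because stats drops every field it does not aggregate; the original permission_grant_time was therefore always null after the join.```
| join type=left device_id, package_name [
    search index=mdm sourcetype=android_permissions permission="*ACCESSIBILITY*"
    | stats values(permission) AS permissions, min(_time) AS permission_grant_time BY device_id, package_name
  ]
| where isnotnull(permissions)
```Assumes install_time is the epoch install timestamp on the install event and that the permission event's _time is the grant time — confirm against both sourcetypes.```
| eval time_to_permission=permission_grant_time - install_time
| eval risk_indicators=mvappend(
      if(verified_developer="false", "Unverified Developer", null()),
      if(playstore_verified="false", "Not from Play Store", null()),
      if(time_to_permission<300, "Rapid Permission Request", null()))
| eval severity="critical", malware_family="Frogblight"
| table _time, device_id, app_name, package_name, installation_method,
        permissions, time_to_permission, risk_indicators, severity, malware_family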
Query 6: Device Administrator Abuse Timeline
spl
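```Install followed within 10 minutes by device-admin activation, for unverified lure-named apps.```
index=mdm sourcetype=android_admin
```Pair each install with the admin grant of the same package: keying on device_id alone let an install of app A close against a device-admin grant by app B.```
| transaction device_id, package_name maxspan=1h startswith=(event_type="app_installed") endswith=(event_type="device_admin_enabled")
| where eventcount >= 2
| eval install_to_admin_seconds=duration
| where install_to_admin_seconds < 600
| eval app_verification_status=case(
      playstore_verified="true" AND developer_verified="true", "Fully Verified",
      playstore_verified="true", "Play Store Only",
      developer_verified="true", "Developer Only",
      true(), "Unverified")
| search app_verification_status="Unverified"
| search app_name IN ("*Davaları*", "*court*", "*yardım*", "*mahkeme*", "*sosyal*")
| eval threat_level="High", suspected_malware="Frogblight"
```Fastest install-to-admin first: the short interval is the signal, so ascending rather than descending order (matches the KQL timeline query).```
| sort install_to_admin_seconds
| table _time, device_id, user_name, app_name, package_name,
        install_source, install_to_admin_seconds, app_verification_status, threat_level, suspected_malware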
Microsoft Sentinel KQL Queries
KQL Query 1: Frogblight Network Communication Pattern
kql
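// Frogblight C2 Communication Detection
// Known lure/C2 name fragments; a hit is reported regardless of domain age or volume.
let SuspiciousDomains = dynamic([
    "davalar-tr", "turkish-court", "gov-yardim-tr", "sosyal-destek",
    "mahkeme-", "court-service", "yardim-basvuru"
]);
let TimeWindow = 1h;
CommonSecurityLog
| where TimeGenerated > ago(TimeWindow)
// NOTE(review): DeviceVendor normally carries the vendor's name, not a literal "Firewall"/"Proxy";
// confirm against the connectors feeding this workspace or drop the filter.
| where DeviceVendor == "Firewall" or DeviceVendor == "Proxy"
| where DestinationPort == 443
// DomainRegistrationDate is not a CommonSecurityLog column; it has to come from enrichment.
// Rows without it keep a null DomainAge, which fails the age comparison below.
| extend DomainAge = datetime_diff('day', now(), todatetime(DomainRegistrationDate))
| extend IocHit = DestinationHostName has_any (SuspiciousDomains)
// IOC names count on their own; the generic "-court-" pattern counts only on a domain registered
// in the last 180 days. The former "DomainAge < 180 or isnotnull(DomainAge)" reduced to
// isnotnull(DomainAge) and silently dropped every un-enriched IOC hit.
| where IocHit
    or (DestinationHostName matches regex @"-court-.*\.(com|net|online|xyz)$" and DomainAge < 180)
| summarize
    ConnectionCount = count(),
    TotalBytesSent = sum(SentBytes),
    UniqueDestinations = dcount(DestinationIP),
    DestinationIPs = make_set(DestinationIP),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, DestinationHostName, DeviceHostName, IocHit
| where IocHit or ConnectionCount > 3 or TotalBytesSent > 10485760
// Numeric rank first; the label is derived from it so the sort below is by severity rather than
// alphabetical ("Medium" would otherwise sort above "High" above "Critical").
| extend
    SeverityRank = case(
        ConnectionCount > 10 and TotalBytesSent > 52428800, 3,
        ConnectionCount > 5, 2,
        1),
    ThreatFamily = "Frogblight",
    AlertType = "C2 Communication"
| extend Severity = case(SeverityRank == 3, "Critical", SeverityRank == 2, "High", "Medium")
| project
    TimeGenerated = LastSeen,
    SourceIP,
    DeviceHostName,
    DestinationHostName,
    DestinationIPs,
    ConnectionCount,
    TotalBytesMB = TotalBytesSent / 1048576,
    IocHit,
    Severity,
    SeverityRank,
    ThreatFamily,
    DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| sort by SeverityRank desc, ConnectionCount desc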
KQL Query 2: Mobile Excessive Permissions
kql
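// Frogblight Excessive Permission Detection
let DangerousPermissions = dynamic([
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_DEVICE_ADMIN",
    // NOTE(review): DRAW_OVER_APPS is not a framework permission name I can find (overlay
    // capability is SYSTEM_ALERT_WINDOW); keep only if this MDM emits that string.
    "android.permission.DRAW_OVER_APPS"
]);
let SuspiciousPackages = dynamic([
    "com.davalarim", "com.turkey.court", "com.gov.tr.yardim", "com.sosyal.yardim"
]);
// NOTE(review): the IntuneDevices/IntuneAuditLogs column names used here (DeviceId, DeviceName,
// UserPrincipalName, Properties.*) are carried over from the original query — verify them against
// the workspace schema. Properties is dynamic, so its members are cast before use.
IntuneDevices
| join kind=inner (
    IntuneAuditLogs
    | where OperationName == "PermissionGranted"
    | extend
        DeviceId = tostring(Properties.DeviceId),
        PackageName = tostring(Properties.PackageName),
        AppName = tostring(Properties.ApplicationName),
        Permission = tostring(Properties.Permission),
        // Named explicitly: after the join the audit log's TimeGenerated becomes TimeGenerated1,
        // so max(TimeGenerated) would have reported the device record's time, not the grant time.
        GrantedAt = TimeGenerated
    | where Permission in (DangerousPermissions)
) on DeviceId
| summarize
    PermissionCount = dcount(Permission),
    GrantedPermissions = make_set(Permission),
    GrantTime = max(GrantedAt)
    by DeviceId, DeviceName, PackageName, AppName, UserPrincipalName
| where PermissionCount >= 3
// Substring tests on the serialised set. `has` is term-based and whether "ACCESSIBILITY" is a
// separate term inside BIND_ACCESSIBILITY_SERVICE depends on the tokenizer; contains is an
// unambiguous substring match.
| extend PermissionText = tostring(GrantedPermissions)
| extend
    HasAccessibility = PermissionText contains "ACCESSIBILITY",
    HasSMS = PermissionText contains "SMS",
    HasOverlay = PermissionText contains "ALERT_WINDOW" or PermissionText contains "DRAW_OVER"
| where HasAccessibility and (HasSMS or HasOverlay)
| extend
    RiskScore = case(
        PermissionCount >= 5, 95,
        PermissionCount == 4, 85,
        PermissionCount == 3, 75,
        60),
    Severity = case(
        PermissionCount >= 5 and HasAccessibility and HasSMS, "Critical",
        PermissionCount >= 4, "High",
        "Medium"),
    SuspiciousPackage = PackageName has_any (SuspiciousPackages)
| project
    GrantTime,
    DeviceName,
    UserPrincipalName,
    PackageName,
    AppName,
    PermissionCount,
    GrantedPermissions,
    RiskScore,
    Severity,
    SuspiciousPackage
| sort by RiskScore desc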
KQL Query 3: SMS Interception and Exfiltration
kql
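// Frogblight SMS Interception + Data Exfiltration Correlation
// NOTE(review): MobileSecurityEvents is not a built-in Sentinel table, and the meaning of
// DeviceCustomString1 ("Mobile" marker) / DeviceCustomString2 (device id) in CommonSecurityLog is
// connector-specific — both are assumed from the original query; confirm against the workspace.
let TimeFrame = 1h;
// Devices/apps reading SMS more than five times within one minute.
let SmsAccessEvents =
    MobileSecurityEvents
    | where TimeGenerated > ago(TimeFrame)
    | where EventType == "SmsAccessed"
    | summarize SmsReadCount = count() by DeviceId, AppPackageName, bin(TimeGenerated, 1m)
    | where SmsReadCount > 5;
// Outbound web traffic from mobile devices, per device per minute, above 1 KiB.
let NetworkEvents =
    CommonSecurityLog
    | where TimeGenerated > ago(TimeFrame)
    | where DestinationPort in (443, 80, 8080)
    | where DeviceCustomString1 == "Mobile"
    | summarize
        BytesSent = sum(SentBytes),
        Connections = count(),
        Destinations = make_set(DestinationIP)
        by SourceIP, DeviceCustomString2, bin(TimeGenerated, 1m)
    | where BytesSent > 1024;
// Both sides are binned to the same minute, so equality on TimeGenerated is the time join.
SmsAccessEvents
| join kind=inner (NetworkEvents)
    on $left.DeviceId == $right.DeviceCustomString2 and $left.TimeGenerated == $right.TimeGenerated
| extend
    DataExfiltrationMB = BytesSent / 1048576,
    // Numeric rank first; the label is derived from it so the final sort is by strength rather
    // than alphabetical ("Medium" would otherwise sort above "High").
    CorrelationRank = case(
        SmsReadCount > 10 and BytesSent > 10485760, 3,
        SmsReadCount > 5 and BytesSent > 1048576, 2,
        1)
| extend CorrelationStrength = case(CorrelationRank == 3, "High", CorrelationRank == 2, "Medium", "Low")
| where CorrelationRank >= 2
| project
    TimeGenerated,
    DeviceId,
    AppPackageName,
    SmsReadCount,
    DataExfiltrationMB,
    Connections,
    Destinations,
    CorrelationStrength,
    CorrelationRank,
    Severity = "Critical",
    ThreatType = "SMS Interception + Exfiltration"
| sort by CorrelationRank desc, SmsReadCount desc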
KQL Query 4: Overlay Attack Pattern
kql
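// Frogblight Overlay Attack Detection
let BankingApps = dynamic([
    "akbank", "garanti", "ziraat", "isbank", "yapikredi",
    "finansbank", "denizbank", "halkbank", "vakifbank"
]);
let LookBack = 1h;
// Maximum gap (seconds) between the overlay creation and the event that follows it.
let MaxGapSeconds = 10;
// NOTE(review): MobileSecurityEvents is not a built-in Sentinel table and the Properties.* members
// and UserPrincipalName column are assumed from the original query — confirm the schema.
MobileSecurityEvents
| where TimeGenerated > ago(LookBack)
| where EventType in ("OverlayWindowCreated", "ForegroundAppChanged", "TextInputDetected")
| extend
    DeviceId = tostring(Properties.DeviceId),
    ForegroundApp = tostring(Properties.ForegroundApp),
    OverlayApp = tostring(Properties.OverlayApp),
    InputType = tostring(Properties.InputType)
// Order per device and look at the event following each overlay creation. A plain sort with
// next() replaces `partition by DeviceId`, whose default partition cap would silently drop
// devices once a tenant has more than a few dozen of them.
| order by DeviceId asc, TimeGenerated asc
| extend
    NextDeviceId = next(DeviceId),
    NextEventType = next(EventType),
    NextEventTime = next(TimeGenerated),
    NextForegroundApp = next(ForegroundApp),
    NextInputType = next(InputType)
| where EventType == "OverlayWindowCreated"
| where NextDeviceId == DeviceId
| where NextEventType in ("ForegroundAppChanged", "TextInputDetected")
| where datetime_diff('second', NextEventTime, TimeGenerated) < MaxGapSeconds
// The foreground app and input type presumably live on the *following* event (foreground change
// / text input) rather than on the overlay event — TODO confirm. The original read them from
// the overlay row only, so InputType would be empty and PasswordCaptured never true; the fallback
// below covers both layouts.
| extend
    TargetApp = iff(isempty(ForegroundApp), NextForegroundApp, ForegroundApp),
    CapturedInput = iff(isempty(InputType), NextInputType, InputType)
| where TargetApp has_any (BankingApps)
| summarize
    OverlayCount = count(),
    TargetedApps = make_set(TargetApp),
    OverlayApps = make_set(OverlayApp),
    InputTypes = make_set(CapturedInput),
    AttackStart = min(TimeGenerated),
    AttackEnd = max(TimeGenerated)
    by DeviceId, UserPrincipalName
| extend
    AttackDurationSeconds = datetime_diff('second', AttackEnd, AttackStart),
    PasswordCaptured = InputTypes has "password" or InputTypes has "pin"
| where PasswordCaptured
// Numeric rank so the sort is by severity, not by label text.
| extend
    SeverityRank = case(
        OverlayCount > 5 and PasswordCaptured, 3,
        OverlayCount > 2, 2,
        1),
    AttackType = "Banking Credential Theft",
    ThreatFamily = "Frogblight"
| extend Severity = case(SeverityRank == 3, "Critical", SeverityRank == 2, "High", "Medium")
| project
    AttackStart,
    DeviceId,
    UserPrincipalName,
    TargetedApps,
    OverlayApps,
    OverlayCount,
    AttackDurationSeconds,
    PasswordCaptured,
    Severity,
    SeverityRank,
    ThreatFamily
| sort by SeverityRank desc, OverlayCount desc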
KQL Query 5: Installation to Admin Privilege Timeline
kql
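// Frogblight Rapid Installation to Device Admin Pattern
let SuspiciousAppNames = dynamic([
    "Davaları", "mahkeme", "court", "yardım", "sosyal", "destek"
]);
// NOTE(review): IntuneAuditLogs Properties.* members and the IntuneDevices columns (DeviceId,
// DeviceName, UserPrincipalName, OSVersion) are assumed from the original query — verify them
// against the workspace schema.
// Sideloaded installs of lure-named apps in the last 7 days.
let InstallEvents =
    IntuneAuditLogs
    | where TimeGenerated > ago(7d)
    | where OperationName == "AppInstalled"
    | extend
        DeviceId = tostring(Properties.DeviceId),
        PackageName = tostring(Properties.PackageName),
        AppName = tostring(Properties.ApplicationName),
        InstallSource = tostring(Properties.InstallSource),
        InstallTime = TimeGenerated
    | where InstallSource != "com.android.vending"
    | where AppName has_any (SuspiciousAppNames) or PackageName has_any (SuspiciousAppNames);
// Device-admin activations, reduced to the join keys and the timestamp so the join does not
// produce duplicate TimeGenerated1/Properties1/OperationName1 columns.
let AdminEvents =
    IntuneAuditLogs
    | where TimeGenerated > ago(7d)
    | where OperationName == "DeviceAdminEnabled"
    | extend
        DeviceId = tostring(Properties.DeviceId),
        PackageName = tostring(Properties.PackageName),
        AdminTime = TimeGenerated
    | project DeviceId, PackageName, AdminTime;
InstallEvents
| join kind=inner (AdminEvents) on DeviceId, PackageName
| extend TimeToAdminSeconds = datetime_diff('second', AdminTime, InstallTime)
// Admin granted within 10 minutes of the install; negative values are a later install of the
// same package after an earlier grant.
| where TimeToAdminSeconds < 600 and TimeToAdminSeconds > 0
| join kind=leftouter (
    IntuneDevices
    | project DeviceId, DeviceName, UserPrincipalName, OSVersion
) on DeviceId
// Numeric rank so the sort is by risk rather than label text ("Medium" > "High" > "Critical"
// alphabetically). InstallEvents already excludes Play Store installs, so Verified is constant;
// the former "Play Store" branch was unreachable.
| extend
    RiskRank = case(
        TimeToAdminSeconds < 60, 3,
        TimeToAdminSeconds < 300, 2,
        1),
    Verified = "Unverified Source",
    TimeToAdminMinutes = TimeToAdminSeconds / 60.0
| extend RiskLevel = case(RiskRank == 3, "Critical", RiskRank == 2, "High", "Medium")
| project
    InstallTime,
    DeviceName,
    UserPrincipalName,
    AppName,
    PackageName,
    InstallSource,
    TimeToAdminMinutes,
    OSVersion,
    RiskLevel,
    RiskRank,
    Verified,
    SuspectedMalware = "Frogblight"
| sort by RiskRank desc, TimeToAdminMinutes asc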
These detection rules provide comprehensive coverage for identifying Frogblight malware across multiple security layers including network, endpoint, mobile security platforms, and SIEM systems.
