BTMOB Android RAT: Detection and Mitigation of Custom Malware-as-a-Service

---
title: Suspicious Android Package Installation
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects installation of Android packages from unknown sources, characteristic of BTMOB distribution
references:
  - https://attack.mitre.org/techniques/T1566/
author: Security Arsenal
date: 2023/11/28
tags:
  - attack.initial_access
  - attack.t1566
logsource:
  category: application
  product: android
detection:
  selection:
    EventID: 1001
    PackageSource|contains: 
      - 'unknown'
      - 'third-party'
    PackageInstaller|contains:
      - 'com.android.packageinstaller'
  condition: selection
falsepositives:
  - Legitimate application installation from authorized sources
level: high
---
title: Android RAT Network Communication Pattern
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects network communication patterns consistent with Android RAT activity like BTMOB
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2023/11/28
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: android
detection:
  selection:
    DestinationPort|between:
      - 4444
      - 9000
    Initiated: 'true'
    Protocol|contains: 'tcp'
  condition: selection
falsepositives:
  - Legitimate applications using non-standard ports
level: medium
---
title: Android Device Admin Privilege Abuse
id: 9b4e2d93-0f5c-4e7b-a9d6-2e3a9c012345
status: experimental
description: Detects Android applications requesting Device Admin privileges, common in BTMOB and other RATs
references:
  - https://attack.mitre.org/techniques/T1548/
author: Security Arsenal
date: 2023/11/28
tags:
  - attack.privilege_escalation
  - attack.t1548
logsource:
  category: application
  product: android
detection:
  selection:
    EventID: 1004
    PermissionRequested|contains:
      - 'android.permission.BIND_DEVICE_ADMIN'
      - 'android.permission.DEVICE_POWER'
  condition: selection
falsepositives:
  - Legitimate MDM solutions requesting device admin privileges
level: high

// Hunt for suspicious Android device activities associated with BTMOB
let SuspiciousApps = dynamic(["com.android.unknown", "com.system.update", "com.service.security"]);
// Query for installation of suspicious packages
DeviceProcessEvents
| where DeviceType == "Android"
| where ActionType == "PackageInstalled"
| where FileName in~ SuspiciousApps
| project Timestamp, DeviceName, AccountName, FileName, ActionType, InitiatingProcessAccountName
| order by Timestamp desc
// Query for network connections from Android devices to non-standard ports
union
DeviceNetworkEvents
| where DeviceType == "Android"
| where RemotePort between (4444 .. 9000)
| where InitiatingProcessFileName !in~ ("com.android.chrome", "com.google.android.gm")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
| order by Timestamp desc
// Query for suspicious permission requests
union
DeviceEvents
| where DeviceType == "Android"
| where ActionType == "PermissionRequest"
| where AdditionalFields contains "BIND_DEVICE_ADMIN" or AdditionalFields contains "DEVICE_POWER"
| project Timestamp, DeviceName, ActionType, AdditionalFields, InitiatingProcessAccountName
| order by Timestamp desc

-- Hunt for Android package files and suspicious process activity
LET SuspiciousAPKs = glob(globs="**/*.apk")
SELECT FullPath, Size, Mtime, Atime
FROM SuspiciousAPKs
WHERE FullPath =~ "/data/app/" OR FullPath =~ "/sdcard/Download/"

-- Check for suspicious process executions
LET SuspiciousProcesses = pslist()
SELECT Name, Pid, Ppid, CommandLine, Exe, Username, CreateTime
FROM SuspiciousProcesses
WHERE Name =~ "sh" AND CommandLine =~ ".*\s.*" OR Exe =~ ".*tmp.*"

-- Network connections to suspicious ports
LET SuspiciousConnections = netstat()
SELECT LocalAddress, LocalPort, RemoteAddress, RemotePort, State, Pid, Family
FROM SuspiciousConnections
WHERE RemotePort >= 4444 AND RemotePort <= 9000 AND State =~ "ESTABLISHED"

#!/bin/bash
# Android BTMOB Detection and Remediation Script
# Check for suspicious applications
echo "Checking for suspicious applications..."
adb shell pm list packages -f | grep -E "(unknown|update|security)" | grep -v "com.google" | grep -v "com.android"

# Check for applications with device admin privileges
echo "Checking for applications with device admin privileges..."
adb shell dumpsys device_policy | grep -A 5 "Policies:"

# Check for unusual network connections
echo "Checking for unusual network connections..."
adb shell netstat -tuln | grep -E ":(4444|9000|5555|6666)"

# Check for running processes from non-system apps
echo "Checking for running processes from non-system apps..."
adb shell ps -A | grep -v "system" | grep -v "root" | head -n 20

# Check for recently installed applications
echo "Checking for recently installed applications..."
adb shell dumpsys package | grep -E "Package \[" | tail -n 20

# Uninstall suspicious applications (requires manual review)
echo "To uninstall suspicious applications, use the following command:"
echo "adb shell pm uninstall <package_name>"

# Enable Google Play Protect
echo "Enabling Google Play Protect..."
adb shell pm enable com.google.android.gms/com.google.android.gms.security.VerifyAppsActivity

# Disable installation from unknown sources
echo "Disabling installation from unknown sources..."
adb shell settings put secure install_non_market_apps 0

echo "Android hardening against BTMOB complete. Please review suspicious applications manually before removal."