alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/geturl.aspx?email="; content:"&lat="; content:"&lon="; content:"&mobile="; content:"&group="; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:command-and-control; sid:2016209; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_23;)