alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2019_07_26;)