alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET RETIRED Android/MMRAT Data Exfiltration Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/system/apps"; http.header; content:"Authorization|3a 20|Bearer"; http.user_agent; content:"okhttp/"; http.request_body; content:"|7b 22|deviceId|22 3a 22|"; startswith; pcre:"/^[a-f0-9]{16}/R"; content:"|22 2c 22|appInfos|22 3a 5b 7b 22|packageName|22 3a 22|"; fast_pattern; reference:url,www.trendmicro.com/en_us/research/23/h/mmrat-carries-out-bank-fraud-via-fake-app-stores.html; reference:md5,5b90ee49ed678379f1a8be9683b3fc99; classtype:trojan-activity; sid:2048084; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2023_09_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family MMRAT, performance_impact Low, confidence High, signature_severity Major, updated_at 2025_04_17, reviewed_at 2025_04_17; target:src_ip;)