diff --git a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md index 6bf2d5a383a..8084d490cff 100644 --- a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md 
@@ -134,9 +134,27 @@ ClayRat exposes this capability with the `show_block_screen` / `hide_block_scree Because TYPE_ACCESSIBILITY_OVERLAY windows never raise the `SYSTEM_ALERT_WINDOW` permission prompt, the victim only sees the decoy UI while the RAT keeps interacting with the real apps underneath. +Some families keep the **phishing kit fully inside the APK** instead of downloading templates on demand. A common pattern is: + +1. Watch `TYPE_WINDOW_STATE_CHANGED` / foreground-package changes via Accessibility. +2. Compare the current package name against a **hardcoded target list** (banking / wallet / fintech apps). +3. Load the matching local HTML template from `assets/` or `res/raw/` into a `WebView`. +4. Render it as a `TYPE_ACCESSIBILITY_OVERLAY` and exfiltrate submitted credentials / card data over the existing C2 channel. + +This reduces network IOCs, keeps the lure available offline, and lets the operator ship hundreds of bank-specific overlays in one APK. + ### 2. On-Device Fraud automation Malware families such as **PlayPraetor** maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device. 
+Common command families exposed by Accessibility RATs include: + +- **Gesture/navigation**: `tap`, `doubleTap`, `longPress`, `swipe`, `draw`, `back`, `home`, `openRecents` +- **Fraud enablement**: clipboard injection (`buf`), target-package updates, screen wake/lock, volume/power actions +- **Victim deception**: `blankScreen` / `blankScreenRm` to hide operator actions and `notif` to render fake push notifications with the victim app icon/name +- **Credential capture**: `pinj`-style overlays to collect a PIN, password, or unlock pattern while the operator watches or automates the rest of the flow + +A recurring architecture is to **split C2 by function** instead of multiplexing everything over one socket: one channel for commands, another for device status/reporting, and a third dedicated to screen streaming. This keeps latency-sensitive gestures independent from high-volume image transport. + ### 3. Screen streaming & monitoring ClayRat upgrades the usual MediaProjection trick into a remote desktop stack: 
@@ -147,6 +165,15 @@ ClayRat upgrades the usual MediaProjection trick into a remote desktop stack: The result is a VNC-like feed delivered entirely through sanctioned APIs—no root or kernel exploits—yet it hands the attacker live situational awareness with millisecond latency. +Another implementation seen in the wild uses a plain TCP JPEG stream instead of RTMP/WebSocket video: + +1. Start `MediaProjection`, create a `VirtualDisplay` (for example `jpeg-stream`) and back it with an `ImageReader`. +2. Repeatedly call `acquireLatestImage()`, convert the frame into a `Bitmap`, compress it as JPEG, and write the bytes directly to a dedicated socket. +3. Resize frames to a fixed width (for example `540` px) while preserving aspect ratio to reduce bandwidth without making the operator blind. +4. If no frame is available, sleep briefly and retry; if the socket dies, close the projection objects, wait a short interval, reconnect, and stop after a retry threshold. + +This gives the operator near-real-time visual feedback while leaving a separate command port free for gesture replay and data exfiltration. + ### 4. Lock-screen credential theft & auto-unlock ClayRat subscribes to `TYPE_WINDOW_CONTENT_CHANGED` / `TYPE_VIEW_TEXT_CHANGED` events emitted by `com.android.systemui` (`Keyguard`). It reconstructs whatever guard is active: 
@@ -327,5 +354,6 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t * [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service) * [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats) * [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay) +* [OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight](https://cyble.com/blog/overlayphantom-android-banking-trojan/) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}
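Review bot: In the first hunk (`@@ -134,9 +134,27 @@`), neither the new "phishing kit fully inside the APK" paragraph nor the "Common command families exposed by Accessibility RATs" list names the family the material comes from, while the surrounding page ties each technique to a named family (ClayRat, PlayPraetor). The only reference this patch adds is the OverlayPhantom write-up, so say so inline, e.g. `Some families (e.g. OverlayPhantom) keep the **phishing kit fully inside the APK**`, and likewise for the command list, so that command names such as `buf`, `pinj` and `blankScreenRm` are attributable rather than presented as generic. The claim that bundling templates "reduces network IOCs" would also benefit from one sentence on the static IOC it creates instead: hundreds of bank-specific HTML templates under `assets/` or `res/raw/` are visible from a plain listing of the APK contents before any dynamic analysis, which is the check a triager wants at this point.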
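Review bot: In the second hunk (`@@ -147,6 +165,15 @@`), step 1 of the TCP JPEG stream list gives `jpeg-stream` "for example" without saying what it is; state that it is the display name passed to `createVirtualDisplay()`, an arbitrary string whose only value to a defender is as a static/string IOC. Step 4 is ambiguous about what "stop after a retry threshold" stops (the reconnect loop, the streaming thread, or the service as a whole); the sentence currently reads as if the projection is closed and then reconnected indefinitely, so spell out which part gives up. As in the previous hunk, "Another implementation seen in the wild" is unattributed; point it at the OverlayPhantom reference added at the bottom of the patch.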
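Review bot: In the third hunk (`@@ -327,5 +354,6 @@`), the new reference entry omits the publisher suffix the neighbouring entries use (`… (ThreatFabric)`); for consistency write `* [OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight (Cyble)](https://cyble.com/blog/overlayphantom-android-banking-trojan/)`. Restoring the trailing newline on the `{{#include ../../banners/hacktricks-training.md}}` line is a good fix.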