Expand Up @@ -134,9 +134,27 @@ ClayRat exposes this capability with the `show_block_screen` / `hide_block_scree

Because TYPE_ACCESSIBILITY_OVERLAY windows never raise the `SYSTEM_ALERT_WINDOW` permission prompt, the victim only sees the decoy UI while the RAT keeps interacting with the real apps underneath.

Some families keep the **phishing kit fully inside the APK** instead of downloading templates on demand. A common pattern is:

1. Watch `TYPE_WINDOW_STATE_CHANGED` / foreground-package changes via Accessibility.
2. Compare the current package name against a **hardcoded target list** (banking / wallet / fintech apps).
3. Load the matching local HTML template from `assets/` or `res/raw/` into a `WebView`.
4. Render it as a `TYPE_ACCESSIBILITY_OVERLAY` and exfiltrate submitted credentials / card data over the existing C2 channel.

This reduces network IOCs, keeps the lure available offline, and lets the operator ship hundreds of bank-specific overlays in one APK.

### 2. On-Device Fraud automation
Malware families such as **PlayPraetor** maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device.

Common command families exposed by Accessibility RATs include:

- **Gesture/navigation**: `tap`, `doubleTap`, `longPress`, `swipe`, `draw`, `back`, `home`, `openRecents`
- **Fraud enablement**: clipboard injection (`buf`), target-package updates, screen wake/lock, volume/power actions
- **Victim deception**: `blankScreen` / `blankScreenRm` to hide operator actions and `notif` to render fake push notifications with the victim app icon/name
- **Credential capture**: `pinj`-style overlays to collect a PIN, password, or unlock pattern while the operator watches or automates the rest of the flow

A recurring architecture is to **split C2 by function** instead of multiplexing everything over one socket: one channel for commands, another for device status/reporting, and a third dedicated to screen streaming. This keeps latency-sensitive gestures independent from high-volume image transport.

### 3. Screen streaming & monitoring
ClayRat upgrades the usual MediaProjection trick into a remote desktop stack:

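Review bot: the offline phishing-kit pattern (steps 1-4 under "Some families keep the phishing kit fully inside the APK") and the command names in the "Common command families" list (`buf`, `blankScreen` / `blankScreenRm`, `notif`, `pinj`) are not attributed to any sample or report, unlike the ClayRat and PlayPraetor paragraphs around them; name the family or link the source inline (if they come from the OverlayPhantom write-up added to the references at the end of this diff, say so here). Two style points in the same hunk: the heading `### 2. On-Device Fraud automation` should follow the sentence case of `### 3. Screen streaming & monitoring` and `### 4. Lock-screen credential theft & auto-unlock` (`### 2. On-device fraud automation`), and `multi-factor-authentication` should read `multi-factor authentication`. The closing sentence about reduced network IOCs would be more useful to readers if it also stated the static counterpart: an APK that bundles many bank-branded HTML templates under `assets/` or `res/raw/` together with an Accessibility service and a hardcoded target package list is itself a triage indicator.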
Expand All @@ -147,6 +165,15 @@ ClayRat upgrades the usual MediaProjection trick into a remote desktop stack:

The result is a VNC-like feed delivered entirely through sanctioned APIs—no root or kernel exploits—yet it hands the attacker live situational awareness with millisecond latency.

Another implementation seen in the wild uses a plain TCP JPEG stream instead of RTMP/WebSocket video:

1. Start `MediaProjection`, create a `VirtualDisplay` (for example `jpeg-stream`) and back it with an `ImageReader`.
2. Repeatedly call `acquireLatestImage()`, convert the frame into a `Bitmap`, compress it as JPEG, and write the bytes directly to a dedicated socket.
3. Resize frames to a fixed width (for example `540` px) while preserving aspect ratio to reduce bandwidth without making the operator blind.
4. If no frame is available, sleep briefly and retry; if the socket dies, close the projection objects, wait a short interval, reconnect, and stop after a retry threshold.

This gives the operator near-real-time visual feedback while leaving a separate command port free for gesture replay and data exfiltration.

### 4. Lock-screen credential theft & auto-unlock
ClayRat subscribes to `TYPE_WINDOW_CONTENT_CHANGED` / `TYPE_VIEW_TEXT_CHANGED` events emitted by `com.android.systemui` (`Keyguard`). It reconstructs whatever guard is active:

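Review bot: the parenthetical values in the TCP JPEG-stream steps (`jpeg-stream` as the VirtualDisplay name, `540` px as the resize width) are formatted like observed sample constants but introduced with "for example", so it is unclear whether they come from a specific family or are illustrative; attribute them to the sample the way the ClayRat paragraph above does, or drop the code formatting. Step 4 (sleep and retry, reconnect after the socket dies, give up after a retry threshold) and the separate command port in the closing sentence are the parts defenders can act on, so a one-line note that this variant is a long-lived raw TCP connection carrying JPEG frames rather than RTMP/WebSocket video, originating from an app that uses MediaProjection, would round the section out.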
Expand Down Expand Up @@ -327,5 +354,6 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t
* [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
* [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
* [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
* [OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight](https://cyble.com/blog/overlayphantom-android-banking-trojan/)

{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
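Review bot: the file now ends with two consecutive `{{#include ../../banners/hacktricks-training.md}}` lines; unless one of them is a removed/re-added pair in this diff view, the banner include is duplicated and the second copy should be dropped. The new OverlayPhantom reference is the only entry in this list without a publisher tag in its link text; the neighbouring entries carry `(ThreatFabric)`, so adding `(Cyble)` would keep the list consistent.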