diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md index a4a8871edd4..570738ccc0e 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md @@ -34,6 +34,29 @@ Phishing pages and droppers now ship step-by-step UI instructions to allow restr Triage hint: in a dropper, grep for `PackageInstaller.createSession/openSession` plus code that immediately navigates the victim to `ACTION_ACCESSIBILITY_SETTINGS` or `ACTION_NOTIFICATION_LISTENER_SETTINGS`. + +### Staged sideloading pretext and decoy hand-off + +A recurring delivery pattern is a **stage-1 lure APK** that looks legitimate enough to justify sideloading, asks the victim to enable **install unknown apps / unknown sources**, and only then installs the real payload. If the victim refuses that prompt, the chain stops before the RAT is deployed. + +After install, the payload often displays a **decoy WebView** matching the original phishing lure while the background service starts Accessibility enrollment, C2 registration, and data collection. + +Good hunting points: +- `Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES` or UI text that coaches the victim through the unknown-apps flow +- `REQUEST_INSTALL_PACKAGES` + `PackageInstaller` session code in the same lure APK +- strings for the phishing/decoy URL loaded after install +- a visible rental/banking/government-themed activity that stays benign while services/receivers initialize in the background + + +### Builder/dropper operationalization + +Some Android RAT ecosystems are designed as **rebuildable payload platforms** rather than one-off APKs. The operator panel compiles payloads server-side and exposes knobs such as **app name**, **package name**, **icon**, **foreground notification text**, **decoy WebView URL**, **feature toggles**, **Device Admin enablement**, and alerting hooks such as **Telegram notifications**. + +For analysts, this means the same core implant may appear across unrelated brands/lures while only the outer presentation changes. Hunt for: +- config JSON or panel responses that carry branding fields, decoy URLs, or module flags +- Gradle/build artifacts, signing/repacking code, or templates for multiple launcher icons/names +- a dedicated **dropper** mode that wraps the same payload inside a second APK for staged delivery + ### Facade UI and Collection The app may show harmless views such as an SMS viewer or gallery picker while background collection starts: @@ -706,6 +729,49 @@ Hunting ideas: - if Frida hooks arrive too late, inspect `.init_array` and `JNI_OnLoad` first - treat anti-debug + string decoder + staged install as one cluster, not independent findings +## WebSocket Agent RATs: hidden remote browser, clipboard clipper, and selective file sabotage + +Some newer Android RATs model each infected device as an **agent** behind a long-lived **WebSocket** channel instead of short HTTP tasks. A common bootstrap is `hello` + `deviceInfo`, followed by a server `hello_ack`, heartbeat/ping frames, and typed responses such as `command_result`, `screen_frame`, `sms_data`, `file_list`, or `browser_command_result`. This is useful during reversing because the message types often expose the internal module boundaries even when class names are obfuscated. + +### Hidden on-device remote browser + +A reusable fraud pattern is to open an attacker-supplied URL inside an off-screen `WebView` on the victim device and then drive it remotely. Unlike classic overlay phishing, the traffic originates from the victim handset, so the session inherits the device IP, cookies, and already-authenticated browser state. + +Typical operator primitives: +- session start/stop: `remote_browser_start`, `remote_browser_stop` +- navigation/input: `remote_browser_navigate`, `remote_browser_click`, `remote_browser_text`, `remote_browser_swipe`, `remote_browser_key` +- DOM/form helpers: `remote_browser_js_fill`, `remote_browser_clear_field`, `remote_browser_action` +- evasion/tuning: `remote_browser_set_mode` (mobile/desktop), `remote_browser_fps` + +Triage ideas: +- Look for secondary/off-screen `WebView` instances, hidden windows, or a visible decoy activity while another `WebView` keeps loading attacker-controlled URLs. +- Grep for `CookieManager.getCookie`, `evaluateJavascript`, `addJavascriptInterface`, and command strings prefixed with `remote_browser_`. +- Dump both the rendered HTML and cookies after each C2-driven navigation, not only the foreground UI. + +### Family-aware cryptocurrency clipper via clipboard normalization + +Some Android RATs do not just steal seed phrases; they also run a **clipboard clipper** that rewrites copied wallet addresses in place. The robust implementations normalize clipboard text first (strip null bytes, zero-width characters, and odd whitespace), classify the address family, and only then swap it with an attacker-controlled value from the same family via `ClipboardManager.setPrimaryClip()`. + +Interesting patterns to hunt: +- `ClipboardManager.addPrimaryClipChangedListener()` or polling loops around `getPrimaryClip()` +- regex/prefix checks for `0x`, `T`, `1`, `3`, `bc1q`, `bc1p` +- URI-style handlers such as `bitcoin:`, `ethereum:`, `erc20:`, `tron:`, `bsc:`, `polygon:`, `arbitrum:`, `optimism:`, `base:`, `ton:` +- telemetry containing **original address**, **replacement address**, and **detected chain/family** sent back to C2 + +This is worth documenting separately from seed-phrase theft because it targets already-unlocked wallets and browser dApps where users copy/paste recipient addresses. + +### Selective file encryption and secure deletion + +A RAT file-manager can expose more than exfiltration. Some samples support **operator-selected file encryption** using `AES/GCM/NoPadding`, write a custom `.enc` artifact (for example with an `FMENC1` magic header), and then remove the plaintext. If deletion fails, the malware may fall back to **overwrite with random data -> truncate -> fsync -> delete**. + +This pattern is better treated as **selective sabotage / evidence destruction** than full ransomware unless you also find bulk-recursion logic, ransom UX, or payment workflow. + +Quick triage: + +```bash +rg -n 'hello_ack|deviceInfo|screen_frame|browser_command_result|remote_browser_|ClipboardManager|setPrimaryClip|FMENC1|AES/GCM/NoPadding|FileDescriptor\.sync|truncate' . +``` + ## Kimwolf Android Botnet Tradecraft ### APK loader & native ELF execution on TV boxes @@ -774,6 +840,7 @@ struct Header { - [DomainTools SecuritySnacks - ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) - [Bypassing Android 13 Restrictions with SecuriDropper (ThreatFabric)](https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions) - [Analysis of cifrat: could this be an evolution of a mobile RAT?](https://cert.pl/en/posts/2026/04/cifrat-analysis/) +- [Glitch SPY: An Emerging Android RAT Distributed Through a Fake Polish Rental App](https://cyble.com/blog/glitch-spy-rat-distributed-via-fake-polish-app/) - Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations - [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/)