From be76dc0e34f145091c1dca3efdcaf4b562c649a3 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 10 Jul 2026 14:28:20 +0000 Subject: [PATCH] Add content from: GoldPickaxe Returns: When Your Biometric Information Is as I... --- .../android-malware-post-exploitation.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md index a4a8871edd4..1172a3bfa1b 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md @@ -51,6 +51,12 @@ Payloads are commonly batch-zipped and sent via HTTP endpoints such as `/upload. - **Manifest vs. runtime diff:** compare `aapt dump permissions` with runtime `PackageManager#getRequestedPermissions()`; missing dangerous permissions are a red flag. - **Network canary:** configure `iptables -p tcp --dport 80 -j NFQUEUE` to detect unusual POST bursts after code entry. +Additional anti-analysis patterns seen in recent Android bankers: + +- **Launcher suppression:** omit `android.intent.action.MAIN` and `android.intent.category.LAUNCHER` so the payload has no home-screen icon. This hides the app from casual removal and breaks sandboxes that only start samples through the launcher. If needed, patch the manifest to add a temporary launchable activity for dynamic instrumentation. +- **Manifest corruption against tooling:** deliberately malform binary XML so Android still installs the APK while `jadx` / `apktool` fail to parse permissions, receivers, aliases, or exported services. Validate the manifest with alternate parsers (`aapt2 dump xmltree`, `apkanalyzer manifest print`, runtime `dumpsys package`) instead of trusting one decompiler. +- **Legacy-name indirection with `activity-alias`:** expose old or misleading component names while redirecting execution to the current activity. Treat aliases as executable entry points during triage because they can preserve C2 compatibility and hide the real class layout. +
Frida: auto-bypass invitation code @@ -89,9 +95,12 @@ LubanCompress 1.1.8 # "Luban" string inside classes.dex Some Android droppers embed a native library (`lib*.so`) that **decrypts and writes a second ELF** (e.g., `l.so`) to a temp path, loads it via JNI, and then loads the real logic as DEX **only in memory** using `dalvik.system.InMemoryDexClassLoader`. This reduces static visibility of the payload and avoids writing `classes*.dex` to disk. +Another common variant keeps the stage-2 DEX on disk as an encrypted blob such as `payload_dex.bin`, then decrypts it at runtime with AES material stored elsewhere in the APK (for example `dex_IV.bin` and `dex_key.bin`) before loading it with `DexClassLoader` or `InMemoryDexClassLoader`. When both the dropper and payload reuse the same blob name and loader logic, assume a shared packer and recover the key/IV files before triaging the DEX. + Practical triage points: - Look for native libs that `dlopen` or call `System.loadLibrary` very early, then resolve Java methods via obfuscated stack strings (e.g., XOR decoded on the stack). - Watch for `InMemoryDexClassLoader` in logs/strings or hooks, which indicates fileless DEX execution. +- Search `assets/`, `res/raw/`, and app-private temp paths for `*.bin` blobs plus companion IV/key files; packed loaders often keep the AES material separate from the ciphertext to frustrate static scanning. Quick Frida hook to dump the in‑memory DEX buffer: ```javascript @@ -138,6 +147,14 @@ Instead of custom sockets, some malware uses **Firebase Cloud Messaging (FCM)** Native payloads can be delivered as encrypted ELF blobs and decrypted with `CipherInputStream()`, using a key **derived from SHA‑1 of the downloaded filename**. Each filename/version yields a distinct key, hindering static IOC reuse. +### Native C2 crypto with ephemeral IVs + +Some bankers move C2 encryption into JNI and generate a fresh AES IV from per-request state such as the current timestamp. This removes stable ciphertext patterns and makes passive signatures brittle. When reversing these families, hook the native encrypt/decrypt entry points (or the JNI wrapper that passes plaintext into `lib*.so`) to log the live key, IV, and plaintext before exfiltration. + +### Installed-app profiling and icon reuse for targeted phishing + +A high-value capability is to enumerate installed packages with visible launchable components, exfiltrate each app's `name`, `packageName`, and icon, and then reuse the legitimate icon inside a fake dialog or overlay. This lets the operator choose only banking / MFA / wallet targets already present on the device and makes C2-driven prompts look like first-party app messages instead of generic phishing screens. + ### OEM system-app droppers and `customer.prop` root backdoors Cheap Android TVs/projectors and other OEM devices sometimes ship with **privileged system apps** signed with **AOSP test keys** or an OEM platform key, plus **weak boot-property handling**. Treat these builds as both an Android-app and firmware target: the system app can act as a **dropper**, while insecure OEM partitions can turn **ADB over TCP** into a repeatable root backdoor. @@ -774,6 +791,9 @@ struct Header { - [DomainTools SecuritySnacks - ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) - [Bypassing Android 13 Restrictions with SecuriDropper (ThreatFabric)](https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions) - [Analysis of cifrat: could this be an evolution of a mobile RAT?](https://cert.pl/en/posts/2026/04/cifrat-analysis/) +- [GoldPickaxe Returns: When Your Biometric Information Is as Important as Your Money](https://zimperium.com/blog/goldpickaxe-returns-when-your-biometric-information-is-as-important-as-your-money) +- [GoldPickaxe command list](https://github.com/Zimperium/IOC/tree/master/2026-07-GoldPickaxe/commands.md) +- [GoldPickaxe IOCs](https://github.com/Zimperium/IOC/tree/master/2026-07-GoldPickaxe) - Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations - [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/)