Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,29 @@ Phishing pages and droppers now ship step-by-step UI instructions to allow restr

Triage hint: in a dropper, grep for `PackageInstaller.createSession/openSession` plus code that immediately navigates the victim to `ACTION_ACCESSIBILITY_SETTINGS` or `ACTION_NOTIFICATION_LISTENER_SETTINGS`.


### Staged sideloading pretext and decoy hand-off

A recurring delivery pattern is a **stage-1 lure APK** that looks legitimate enough to justify sideloading, asks the victim to enable **install unknown apps / unknown sources**, and only then installs the real payload. If the victim refuses that prompt, the chain stops before the RAT is deployed.

After install, the payload often displays a **decoy WebView** matching the original phishing lure while the background service starts Accessibility enrollment, C2 registration, and data collection.

Good hunting points:
- `Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES` or UI text that coaches the victim through the unknown-apps flow
- `REQUEST_INSTALL_PACKAGES` + `PackageInstaller` session code in the same lure APK
- strings for the phishing/decoy URL loaded after install
- a visible rental/banking/government-themed activity that stays benign while services/receivers initialize in the background


### Builder/dropper operationalization

Some Android RAT ecosystems are designed as **rebuildable payload platforms** rather than one-off APKs. The operator panel compiles payloads server-side and exposes knobs such as **app name**, **package name**, **icon**, **foreground notification text**, **decoy WebView URL**, **feature toggles**, **Device Admin enablement**, and alerting hooks such as **Telegram notifications**.

For analysts, this means the same core implant may appear across unrelated brands/lures while only the outer presentation changes. Hunt for:
- config JSON or panel responses that carry branding fields, decoy URLs, or module flags
- Gradle/build artifacts, signing/repacking code, or templates for multiple launcher icons/names
- a dedicated **dropper** mode that wraps the same payload inside a second APK for staged delivery

### Facade UI and Collection

The app may show harmless views such as an SMS viewer or gallery picker while background collection starts:
Expand Down Expand Up @@ -706,6 +729,49 @@ Hunting ideas:
- if Frida hooks arrive too late, inspect `.init_array` and `JNI_OnLoad` first
- treat anti-debug + string decoder + staged install as one cluster, not independent findings

## WebSocket Agent RATs: hidden remote browser, clipboard clipper, and selective file sabotage

Some newer Android RATs model each infected device as an **agent** behind a long-lived **WebSocket** channel instead of short HTTP tasks. A common bootstrap is `hello` + `deviceInfo`, followed by a server `hello_ack`, heartbeat/ping frames, and typed responses such as `command_result`, `screen_frame`, `sms_data`, `file_list`, or `browser_command_result`. This is useful during reversing because the message types often expose the internal module boundaries even when class names are obfuscated.

### Hidden on-device remote browser

A reusable fraud pattern is to open an attacker-supplied URL inside an off-screen `WebView` on the victim device and then drive it remotely. Unlike classic overlay phishing, the traffic originates from the victim handset, so the session inherits the device IP, cookies, and already-authenticated browser state.

Typical operator primitives:
- session start/stop: `remote_browser_start`, `remote_browser_stop`
- navigation/input: `remote_browser_navigate`, `remote_browser_click`, `remote_browser_text`, `remote_browser_swipe`, `remote_browser_key`
- DOM/form helpers: `remote_browser_js_fill`, `remote_browser_clear_field`, `remote_browser_action`
- evasion/tuning: `remote_browser_set_mode` (mobile/desktop), `remote_browser_fps`

Triage ideas:
- Look for secondary/off-screen `WebView` instances, hidden windows, or a visible decoy activity while another `WebView` keeps loading attacker-controlled URLs.
- Grep for `CookieManager.getCookie`, `evaluateJavascript`, `addJavascriptInterface`, and command strings prefixed with `remote_browser_`.
- Dump both the rendered HTML and cookies after each C2-driven navigation, not only the foreground UI.

### Family-aware cryptocurrency clipper via clipboard normalization

Some Android RATs do not just steal seed phrases; they also run a **clipboard clipper** that rewrites copied wallet addresses in place. The robust implementations normalize clipboard text first (strip null bytes, zero-width characters, and odd whitespace), classify the address family, and only then swap it with an attacker-controlled value from the same family via `ClipboardManager.setPrimaryClip()`.

Interesting patterns to hunt:
- `ClipboardManager.addPrimaryClipChangedListener()` or polling loops around `getPrimaryClip()`
- regex/prefix checks for `0x`, `T`, `1`, `3`, `bc1q`, `bc1p`
- URI-style handlers such as `bitcoin:`, `ethereum:`, `erc20:`, `tron:`, `bsc:`, `polygon:`, `arbitrum:`, `optimism:`, `base:`, `ton:`
- telemetry containing **original address**, **replacement address**, and **detected chain/family** sent back to C2

This is worth documenting separately from seed-phrase theft because it targets already-unlocked wallets and browser dApps where users copy/paste recipient addresses.

### Selective file encryption and secure deletion

A RAT file-manager can expose more than exfiltration. Some samples support **operator-selected file encryption** using `AES/GCM/NoPadding`, write a custom `.enc` artifact (for example with an `FMENC1` magic header), and then remove the plaintext. If deletion fails, the malware may fall back to **overwrite with random data -> truncate -> fsync -> delete**.

This pattern is better treated as **selective sabotage / evidence destruction** than full ransomware unless you also find bulk-recursion logic, ransom UX, or payment workflow.

Quick triage:

```bash
rg -n 'hello_ack|deviceInfo|screen_frame|browser_command_result|remote_browser_|ClipboardManager|setPrimaryClip|FMENC1|AES/GCM/NoPadding|FileDescriptor\.sync|truncate' .
```

## Kimwolf Android Botnet Tradecraft

### APK loader & native ELF execution on TV boxes
Expand Down Expand Up @@ -774,6 +840,7 @@ struct Header {
- [DomainTools SecuritySnacks - ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN)
- [Bypassing Android 13 Restrictions with SecuriDropper (ThreatFabric)](https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions)
- [Analysis of cifrat: could this be an evolution of a mobile RAT?](https://cert.pl/en/posts/2026/04/cifrat-analysis/)
- [Glitch SPY: An Emerging Android RAT Distributed Through a Fake Polish Rental App](https://cyble.com/blog/glitch-spy-rat-distributed-via-fake-polish-app/)
- Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations - [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/)


Expand Down