From 3ef570a9aaf30dc54e2708fed02d9a22584a7803 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 8 Jul 2026 08:36:55 +0000 Subject: [PATCH] Add content from: RedWing: A Mobile Malware-as-a-Service Operation --- .../accessibility-services-abuse.md | 32 +++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md index 6bf2d5a383a..1e5cb292bdd 100644 --- a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md @@ -73,6 +73,23 @@ The companion XML defines how the fake dialog will look like: --- +## Staged permission-onboarding workflows + +Recent Android RATs often do **not** request every dangerous capability at once. Instead, they render a benign-looking **WebView** (fake app-store page, update notice, support portal, etc.) and slide **bottom-sheet / card prompts** that walk the victim through one privilege at a time. + +Common targets in the chain: + +- disable **battery optimization** so the RAT survives background restrictions, +- request the **default SMS role** so incoming OTPs and outgoing SMS can be intercepted/sent, +- open **Notification Listener** settings to harvest OTP/banner content, +- open **overlay**, **usage-stats**, **device-admin**, and finally **accessibility** settings. + +The practical value is not only social engineering. Malware usually reports a live **permission bitmap** back to C2, so the panel can decide whether to send commands such as `open_overlay`, `open_default_sms`, `open_device_admin`, `open_battery`, `open_accessibility`, `open_usage_stats`, or `open_notification_listener`, and only queue workflows that the current device can actually execute. + +This produces a low-noise, capability-driven RAT: instead of failing blindly, the operator knows whether SMS theft, notification harvesting, overlay phishing, or full Accessibility automation is already available on that handset. + +--- + ## Remote UI automation primitives
@@ -134,6 +151,15 @@ ClayRat exposes this capability with the `show_block_screen` / `hide_block_scree Because TYPE_ACCESSIBILITY_OVERLAY windows never raise the `SYSTEM_ALERT_WINDOW` permission prompt, the victim only sees the decoy UI while the RAT keeps interacting with the real apps underneath. +A common improvement is **C2-pushed WebView injects**: the malware downloads attacker-controlled HTML templates per target package and swaps them at runtime rather than hardcoding every phishing screen inside the APK. Accessibility text harvesting is then used to auto-extract high-value fields from the foreground UI or from the fake form itself, commonly with regexes such as: + +- `^\d{4,8}$` → OTPs / PINs / short auth codes +- `^\d{13,19}$` → payment-card PANs +- `^\d{3,4}$` → CVV / CVC +- `^\+?\d{10,15}$` → international phone numbers + +Some families also expose an `inject_js`-style command to execute arbitrary JavaScript inside the controlled WebView, turning the phishing overlay into a remotely programmable credential-collection surface. + ### 2. On-Device Fraud automation Malware families such as **PlayPraetor** maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device. @@ -172,8 +198,9 @@ After coercing the user into setting the RAT as the default SMS app, the followi - `messsms` iterates over the entire contacts database to spam phishing links for worm-like propagation. - `make_call` initiates voice calls that support social-engineering workflows. - `get_sms_list` / `get_sms` and `get_call_log` / `get_calls` dump inboxes and call history so MFA codes or call metadata can be abused instantly. +- **USSD / call-forwarding abuse** can redirect voice OTPs and bank callbacks without root. A RAT can open the dialer or invoke telephony flows that submit `*21*#` to enable unconditional forwarding, `##21#` to disable it, and carrier-specific balance / service USSD codes for recon. -Combined with Accessibility-driven UI navigation, ClayRat can receive an OTP via notification/SMS and immediately input it inside the target banking or enterprise app. +Combined with Accessibility-driven UI navigation, ClayRat can receive an OTP via notification/SMS and immediately input it inside the target banking or enterprise app. The same workflow can silently alter **voice** MFA routing before the fraud session starts, then restore the original forwarding state afterwards to reduce user suspicion. ### 7. Discovery, collection & proxying Additional ClayRat commands map the environment and keep C2 resilient: @@ -327,5 +354,6 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t * [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service) * [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats) * [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay) +* [RedWing: A Mobile Malware-as-a-Service Operation](https://zimperium.com/blog/redwing-a-mobile-malware-as-a-service-operation) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}