Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,23 @@ The companion XML defines how the fake dialog will look like:

---

## Staged permission-onboarding workflows

Recent Android RATs often do **not** request every dangerous capability at once. Instead, they render a benign-looking **WebView** (fake app-store page, update notice, support portal, etc.) and slide **bottom-sheet / card prompts** that walk the victim through one privilege at a time.

Common targets in the chain:

- disable **battery optimization** so the RAT survives background restrictions,
- request the **default SMS role** so incoming OTPs and outgoing SMS can be intercepted/sent,
- open **Notification Listener** settings to harvest OTP/banner content,
- open **overlay**, **usage-stats**, **device-admin**, and finally **accessibility** settings.

The practical value is not only social engineering. Malware usually reports a live **permission bitmap** back to C2, so the panel can decide whether to send commands such as `open_overlay`, `open_default_sms`, `open_device_admin`, `open_battery`, `open_accessibility`, `open_usage_stats`, or `open_notification_listener`, and only queue workflows that the current device can actually execute.

This produces a low-noise, capability-driven RAT: instead of failing blindly, the operator knows whether SMS theft, notification harvesting, overlay phishing, or full Accessibility automation is already available on that handset.

---

## Remote UI automation primitives

<details>
Expand Down Expand Up @@ -134,6 +151,15 @@ ClayRat exposes this capability with the `show_block_screen` / `hide_block_scree

Because TYPE_ACCESSIBILITY_OVERLAY windows never raise the `SYSTEM_ALERT_WINDOW` permission prompt, the victim only sees the decoy UI while the RAT keeps interacting with the real apps underneath.

A common improvement is **C2-pushed WebView injects**: the malware downloads attacker-controlled HTML templates per target package and swaps them at runtime rather than hardcoding every phishing screen inside the APK. Accessibility text harvesting is then used to auto-extract high-value fields from the foreground UI or from the fake form itself, commonly with regexes such as:

- `^\d{4,8}$` → OTPs / PINs / short auth codes
- `^\d{13,19}$` → payment-card PANs
- `^\d{3,4}$` → CVV / CVC
- `^\+?\d{10,15}$` → international phone numbers

Some families also expose an `inject_js`-style command to execute arbitrary JavaScript inside the controlled WebView, turning the phishing overlay into a remotely programmable credential-collection surface.

### 2. On-Device Fraud automation
Malware families such as **PlayPraetor** maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device.

Expand Down Expand Up @@ -172,8 +198,9 @@ After coercing the user into setting the RAT as the default SMS app, the followi
- `messsms` iterates over the entire contacts database to spam phishing links for worm-like propagation.
- `make_call` initiates voice calls that support social-engineering workflows.
- `get_sms_list` / `get_sms` and `get_call_log` / `get_calls` dump inboxes and call history so MFA codes or call metadata can be abused instantly.
- **USSD / call-forwarding abuse** can redirect voice OTPs and bank callbacks without root. A RAT can open the dialer or invoke telephony flows that submit `*21*<number>#` to enable unconditional forwarding, `##21#` to disable it, and carrier-specific balance / service USSD codes for recon.

Combined with Accessibility-driven UI navigation, ClayRat can receive an OTP via notification/SMS and immediately input it inside the target banking or enterprise app.
Combined with Accessibility-driven UI navigation, ClayRat can receive an OTP via notification/SMS and immediately input it inside the target banking or enterprise app. The same workflow can silently alter **voice** MFA routing before the fraud session starts, then restore the original forwarding state afterwards to reduce user suspicion.

### 7. Discovery, collection & proxying
Additional ClayRat commands map the environment and keep C2 resilient:
Expand Down Expand Up @@ -327,5 +354,6 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t
* [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
* [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
* [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
* [RedWing: A Mobile Malware-as-a-Service Operation](https://zimperium.com/blog/redwing-a-mobile-malware-as-a-service-operation)

{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}