From c178eb5f7b6013b070ba95764e088f46de1d37d5 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 17 Nov 2025 06:43:50 +0000 Subject: [PATCH] Add content from: GPT Trade: Fake Google Play Store Drops BTMob Spyware and UA... --- .../android-app-pentesting/README.md | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index 7e55967ef9f..68fa4fbb398 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md 
@@ -66,6 +66,48 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed ../../linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md {{#endref}} +### GPT Trade Dropper & UASecurity Payload Chain + +#### Fake store delivery & sideloading +- Attackers host lookalike stores such as `playgoogle-gpttrade[.]com` to mimic Google Play/ChatGPT and distribute the GPT Trade APK (`com.jxtfkrsl.bjtgsb`). +- The installer displays a bogus captcha while staging payloads, then opens `chatgpt.com` to blunt suspicion. +- Expect onboarding steps that force "Install unknown apps" because the APK never touched Google Play. + +#### Split-APK dropper artifacts +- GPT Trade writes stage folders inside its sandbox (`files/original/*`, `files/processed/*`), rebuilds APKs at runtime, and stores their paths inside `/data/data//shared_prefs/SplitApkInstaller{miner,user}.xml`. +- Once the UI event fires it spawns `dex2oat32` to AOT-compile the generated payloads and uses `PackageInstaller` to sideload them without showing dialogs on the active screen. +- Key artifacts to inspect: + - `ContextWrapper.openFileOutput` storing APKs under `files/processed/` + - `PackageInstaller.SessionParams` usage by untrusted code + - SharedPreferences entries pointing to APK or OAT paths + +```bash +adb shell run-as com.jxtfkrsl.bjtgsb ls files +adb shell run-as com.jxtfkrsl.bjtgsb cat shared_prefs/SplitApkInstallerminer.xml +adb shell logcat -s ActivityManager PackageManager | grep -iE "dex2oat32|INSTALL_D" +adb shell pm list packages | grep -E "mooz\.balkcigol\.rotinom|com\.xenlyqw\.jkkcyubcust" +``` + +#### Packer-as-a-service infrastructure +- The dropper contacts `timeserver[.]uasecurity[.]org:2000`, linking it to the UASecurity Tools packer ecosystem (panel `https://access[.]uasecurity[.]org/`, Telegram `@android_protect_bot`, channel `t.me/protect_bot_official`). 
+- Templates from this service split assets into original/processed folders, delay payload generation until runtime, and hide the trigger behind trivial UI gestures like captcha taps, so spotting those strings quickly fingerprints UASecurity builds. + +#### Persistent loader blueprint (UASecurity Miner) +- Package `com.xenlyqw.jkkcyubcust` registers foreground services, boot-completed receivers, Firebase Cloud Messaging handlers, and alarm-based keep-alives to survive reboots and aggressive power management. +- It keeps encrypted channels to `147[.]93[.]153[.]119` (ports 50904/50912/50916/50920) and `https://aptabase[.]fud2026[.]xyz:8443/api/v0/event`. +- Dump the manifest (`aapt dump xmltree`) to confirm `START_STICKY` foreground services combined with `BIND_JOB_SERVICE` components talking to that infrastructure. + +#### Spyware permission stack (BTMob payload) +- Package `mooz.balkcigol.rotinom` enables SMS read/send, contacts, microphone, camera, `SYSTEM_ALERT_WINDOW`, `BIND_ACCESSIBILITY_SERVICE`, media projection, exact alarms, storage R/W, `REQUEST_INSTALL_PACKAGES`, `REQUEST_DELETE_PACKAGES`, and background location. +- Accessibility plus overlays allow credential phishing and auto-clicking prompts, while installer/delete rights let it push extra modules or evict security tooling. + +#### Triage & IoCs +- Dropper: GPT Trade (`com.jxtfkrsl.bjtgsb`, SHA256 `0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35`), served from `https://playgoogle-gpttrade[.]com/GPT%20Trade.apk`, beaconing `timeserver[.]uasecurity[.]org`. +- Loader/miner: `com.xenlyqw.jkkcyubcust`, SHA256 `918f002a41f9551d48ece999ccba504fcf7596017d9566c07c5335fe0081effe`, C2 `147[.]93[.]153[.]119` / `aptabase[.]fud2026[.]xyz`. +- Spyware: `mooz.balkcigol.rotinom`, SHA256 `7f005c10f80372311e9c038526d81d931672d15c644fef2a77eefd67c6235917`, C2 `http://95[.]164[.]53[.]100/private/yarsap_80541.php` and `http://95[.]164[.]53[.]100:8080/`. 
+- A dropper that spawns `dex2oat32` while faking captcha solves and then pivots to the legitimate brand site usually hides an additional payload installer; check for generated splits in its sandbox. + + ## Static Analysis First of all, for analysing an APK you should **take a look to the to the Java code** using a decompiler.\ @@ -874,5 +916,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th - [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns) - [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) - [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone) +- [GPT Trade fake Google Play dropper campaign analysis (D3Lab)](https://www.d3lab.net/gpt-trade-fake-google-play-store-drops-btmob-spyware-and-uasecurity-miner-on-android-devices/) {{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
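Review bot: in the first hunk (the new "GPT Trade Dropper & UASecurity Payload Chain" section) the SharedPreferences path under "Split-APK dropper artifacts" has an empty package segment, `/data/data//shared_prefs/SplitApkInstaller{miner,user}.xml`; it should read `/data/data/com.jxtfkrsl.bjtgsb/shared_prefs/SplitApkInstaller{miner,user}.xml`, which is what the later `adb shell run-as com.jxtfkrsl.bjtgsb cat shared_prefs/SplitApkInstallerminer.xml` line already assumes. Two more points in the same hunk. Under "Persistent loader blueprint", `START_STICKY` is the return value of `Service.onStartCommand()` and is never declared in the manifest, so `aapt dump xmltree` (which also needs the APK path and `AndroidManifest.xml` as arguments) can confirm the foreground service, boot receiver and `BIND_JOB_SERVICE` declarations but not the stickiness; that sentence should send the reader to the decompiled service code for `START_STICKY`. In the triage block, `adb shell logcat -s ActivityManager PackageManager | grep -iE "dex2oat32|INSTALL_D"` restricts logcat to those two tags before the grep runs, so output emitted by `dex2oat32` under its own tag is dropped before the pattern is ever tested; either remove `-s` or add the tags you actually expect the compile and install events to appear under. Finally, the `run-as` lines only work for debuggable packages, so against a production-signed dropper on a non-rooted device both `ls files` and `cat shared_prefs/...` will fail; a one-line caveat saying to use a rooted device (`su`) or a repackaged debuggable build would save readers a dead end.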