Closed
43 changes: 43 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/README.md
Expand Up @@ -66,6 +66,48 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
../../linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
{{#endref}}

### GPT Trade Dropper & UASecurity Payload Chain

#### Fake store delivery & sideloading
- Attackers host lookalike stores such as `playgoogle-gpttrade[.]com` to mimic Google Play/ChatGPT and distribute the GPT Trade APK (`com.jxtfkrsl.bjtgsb`).
- The installer displays a bogus captcha while staging payloads, then opens `chatgpt.com` to blunt suspicion.
- Expect onboarding steps that force "Install unknown apps" because the APK never touched Google Play.

#### Split-APK dropper artifacts
- GPT Trade writes stage folders inside its sandbox (`files/original/*`, `files/processed/*`), rebuilds APKs at runtime, and stores their paths inside `/data/data/<pkg>/shared_prefs/SplitApkInstaller{miner,user}.xml`.
- Once the UI event fires it spawns `dex2oat32` to AOT-compile the generated payloads and uses `PackageInstaller` to sideload them without showing dialogs on the active screen.
- Key artifacts to inspect:
- `ContextWrapper.openFileOutput` storing APKs under `files/processed/`
- `PackageInstaller.SessionParams` usage by untrusted code
- SharedPreferences entries pointing to APK or OAT paths

```bash
adb shell run-as com.jxtfkrsl.bjtgsb ls files
adb shell run-as com.jxtfkrsl.bjtgsb cat shared_prefs/SplitApkInstallerminer.xml
adb shell logcat -s ActivityManager PackageManager | grep -iE "dex2oat32|INSTALL_D"
adb shell pm list packages | grep -E "mooz\.balkcigol\.rotinom|com\.xenlyqw\.jkkcyubcust"
```

#### Packer-as-a-service infrastructure
- The dropper contacts `timeserver[.]uasecurity[.]org:2000`, linking it to the UASecurity Tools packer ecosystem (panel `https://access[.]uasecurity[.]org/`, Telegram `@android_protect_bot`, channel `t.me/protect_bot_official`).
- Templates from this service split assets into original/processed folders, delay payload generation until runtime, and hide the trigger behind trivial UI gestures like captcha taps, so spotting those strings quickly fingerprints UASecurity builds.

#### Persistent loader blueprint (UASecurity Miner)
- Package `com.xenlyqw.jkkcyubcust` registers foreground services, boot-completed receivers, Firebase Cloud Messaging handlers, and alarm-based keep-alives to survive reboots and aggressive power management.
- It keeps encrypted channels to `147[.]93[.]153[.]119` (ports 50904/50912/50916/50920) and `https://aptabase[.]fud2026[.]xyz:8443/api/v0/event`.
- Dump the manifest (`aapt dump xmltree`) to confirm `START_STICKY` foreground services combined with `BIND_JOB_SERVICE` components talking to that infrastructure.

#### Spyware permission stack (BTMob payload)
- Package `mooz.balkcigol.rotinom` enables SMS read/send, contacts, microphone, camera, `SYSTEM_ALERT_WINDOW`, `BIND_ACCESSIBILITY_SERVICE`, media projection, exact alarms, storage R/W, `REQUEST_INSTALL_PACKAGES`, `REQUEST_DELETE_PACKAGES`, and background location.
- Accessibility plus overlays allow credential phishing and auto-clicking prompts, while installer/delete rights let it push extra modules or evict security tooling.

#### Triage & IoCs
- Dropper: GPT Trade (`com.jxtfkrsl.bjtgsb`, SHA256 `0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35`), served from `https://playgoogle-gpttrade[.]com/GPT%20Trade.apk`, beaconing `timeserver[.]uasecurity[.]org`.
- Loader/miner: `com.xenlyqw.jkkcyubcust`, SHA256 `918f002a41f9551d48ece999ccba504fcf7596017d9566c07c5335fe0081effe`, C2 `147[.]93[.]153[.]119` / `aptabase[.]fud2026[.]xyz`.
- Spyware: `mooz.balkcigol.rotinom`, SHA256 `7f005c10f80372311e9c038526d81d931672d15c644fef2a77eefd67c6235917`, C2 `http://95[.]164[.]53[.]100/private/yarsap_80541.php` and `http://95[.]164[.]53[.]100:8080/`.
- A dropper that spawns `dex2oat32` while faking captcha solves and then pivots to the legitimate brand site usually hides an additional payload installer; check for generated splits in its sandbox.


## Static Analysis

First of all, for analysing an APK you should **take a look to the to the Java code** using a decompiler.\
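Review bot: the `adb shell run-as com.jxtfkrsl.bjtgsb ...` commands in the bash block only work when the target APK was built with `android:debuggable="true"`; a malicious dropper almost certainly is not, so `run-as` will refuse with "package not debuggable" and the reader gets nothing from the first two lines. State that listing the sandbox (`files/original`, `files/processed`, `shared_prefs/SplitApkInstaller*.xml`) needs a rooted device or emulator (`adb root` on a userdebug AVD, or `su` via the rooting frameworks referenced just above) and keep `run-as` only as the fallback for debuggable builds. Two smaller points in the same block: `logcat -s ActivityManager PackageManager` restricts output to those two tags, so the `dex2oat32` spawn will not show up in that stream (it logs under its own tag; an unfiltered `logcat | grep -iE "dex2oat32|INSTALL"` or `ps -A | grep dex2oat` is more reliable), and the `INSTALL_D` pattern reads like a truncated constant, so spell out what it is meant to match. Also, the "Split-APK dropper artifacts" bullet writes the prefs file as `SplitApkInstaller{miner,user}.xml` (shell brace expansion) while the command reads `SplitApkInstallerminer.xml`; listing both file names explicitly avoids the ambiguity. Structurally, this campaign write-up lands between the rooting-framework `{{#ref}}` block and `## Static Analysis` as a `###` subsection of the preceding `##`; a dedicated malware-analysis page with a `{{#ref}}` from here would fit the README's layout better.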
Expand Down Expand Up @@ -874,5 +916,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
- [GPT Trade fake Google Play dropper campaign analysis (D3Lab)](https://www.d3lab.net/gpt-trade-fake-google-play-store-drops-btmob-spyware-and-uasecurity-miner-on-android-devices/)

{{#include ../../banners/hacktricks-training.md}}
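Review bot: the D3Lab reference is added to the reference list only; the new "GPT Trade Dropper & UASecurity Payload Chain" section earlier in this file quotes hashes, C2 hosts and package names from that analysis without an inline citation, so a reader cannot tell where the IoCs come from or check them against the source. Add a link to the same URL at the top of that section or next to the "Triage & IoCs" heading. The entry itself correctly follows the existing `- [title](url)` list style.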