Expand Up @@ -53,6 +53,9 @@ The companion XML defines how the fake dialog will look like:

## Remote UI automation primitives

<details>
<summary>Minimal AccessibilityService automation helpers</summary>

```java
public class EvilService extends AccessibilityService {
@Override
Expand All @@ -74,6 +77,8 @@ public class EvilService extends AccessibilityService {
}
```

</details>

With only these two APIs an attacker can:
* Unlock the screen, open the banking app, navigate its UI tree and submit a transfer form.
* Accept every permission dialog that pops up.
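Review bot: collapsing the snippet inside `<details>` leaves the sentence that follows it, "With only these two APIs an attacker can:", pointing at code the reader no longer sees by default; either name the two APIs in that sentence or use `<details open>` so the reference still reads correctly when the block renders collapsed. The blank lines after `<summary>` and before `</details>` are needed for the fenced block to render as Markdown inside the HTML element, so keep them.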
Expand Down Expand Up @@ -123,6 +128,29 @@ By combining the **MediaProjection API** with an RTMP client library, the RAT ca

The **AccessibilityService** is the local engine that turns those cloud commands into physical interactions.

## Case Study – Albiriox Accessibility RAT

### Geo-targeted staging & JSONPacker droppers
- Campaigns start from fraudulent Google Play clones that push a PENNY-branded dropper (`com.example.myapplication`). A more recent flow validates Austrian MSISDNs client-side via routines such as `isValidAustrianNumber()` and ships the malicious link through Telegram/WhatsApp bots, allowing precise geographic targeting and delayed delivery.
- The stage-1 APK is protected with **JSONPacker**, so most malicious logic only exists after runtime unpacking. On first launch it renders a fake **System Update** UI to coerce the user into granting **Install Unknown Apps**, then silently sideloads the payload APK (`com.nmz.nmz`).
- Separating trust-building (dropper) from the real RAT lets actors iterate on lures without touching the core binary. Once installed, the payload’s `AppInfos` class keeps a hard-coded list of 400+ banking/crypto packages that drive overlay triggers and monitoring logic.

### Accessibility-backed AC VNC vs classic VNC
- The MaaS panel exposes **AC VNC** (Accessibility-node streaming) and traditional VNC tabs. AC VNC walks the `AccessibilityNodeInfo` tree to recover text, labels, focusable fields and bounds, so operators still “see” sensitive screens even when the target app enforces `FLAG_SECURE` and blocks framebuffer captures.
- Node-level telemetry also gives element-centric interaction: instead of sending blind coordinates, the bot can click specific nodes, populate precise input fields, and maintain context even if the UI scales or rotates. Operators fall back to classic VNC only when a raw visual feed is needed.

### JSON-over-TCP command channel enabling ODF
- Albiriox keeps an unencrypted TCP socket (e.g. `194.32.79.94:5555`) and performs a `sendHandShake` that registers HWID, model and OS via JSON.
- Commands are short JSON blobs mapped to accessibility actions: `get_phone_password` / `clear_phone_password` for lockscreen harvesting or removal, `control`, `live_key`, `set_vnc_mode` for remote driving, UI automation primitives (`click`, `swipe`, `text`, `back`, `home`, `recent`, `power`, `volume_*`), reconnaissance/maintenance (`get_apps`, `launch_app`, `uninstall_app`) and `blank_screen` / `black_blank_screen` for stealth. `ping`/`pong` maintain operator awareness.
- A full ODF kill-chain therefore looks like: register → steal/clear the lock credential → enumerate banking apps → select AC VNC → script transfers via Accessibility gestures → hide the session with an overlay → optionally remove security tooling and leave persistence.

### Overlay-driven concealment & user suppression
- The RAT already ships three template overlays: *System Update* (decoy for permissions/install prompts), *black/blank* screens (rendered while remote actions continue) and a generic *target-app* overlay that triggers whenever an `AppInfos` package surfaces. Operators can freeze the victim’s display, keep them passive, or evolve the templates into phishing collectors for credentials/seed phrases.
- Because the overlays are driven by Accessibility state transitions they can be toggled programmatically mid-session, e.g., blank the screen right before issuing `click`/`text` commands in a banking app, or block interaction whenever the victim returns to a protected wallet UI.

### Builder-driven evasion
- The MaaS builder integrates the **Golden Crypt** packing service so every customer build mutates the payload/overlay resources. Combined with the JSONPacker dropper chain, this yields unique APK hashes per campaign and complicates static detection while the accessibility module remains functionally identical.

---

## Detecting malicious accessibility services
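Review bot: `ODF` in the heading `### JSON-over-TCP command channel enabling ODF` is not expanded anywhere in this hunk; spell it out on first use so the section stands on its own. The C2 endpoint `194.32.79.94:5555` and the package names `com.example.myapplication` / `com.nmz.nmz` are given as bare facts with no inline source or observation date; cite the Albiriox report next to them, since such indicators rotate quickly. Finally, the case study only describes tradecraft while the page already has a `## Detecting malicious accessibility services` section directly below it; the defender-relevant observables introduced here (the plaintext TCP handshake sending HWID/model/OS as JSON, the fake System Update screen used to obtain Install Unknown Apps, the black/blank overlay toggled mid-session) would be more useful if they were also listed in that detection section.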
Expand All @@ -149,6 +177,9 @@ The **AccessibilityService** is the local engine that turns those cloud commands
## ATS automation cheat-sheet (Accessibility-driven)
Malware can fully automate a bank app with only Accessibility APIs. Generic primitives:

<details>
<summary>Helper methods for ATS automation</summary>

```java
// Helpers inside your AccessibilityService
private List<AccessibilityNodeInfo> byText(String t){
Expand All @@ -174,6 +205,8 @@ private void tap(float x, float y){
}
```

</details>

Example flow (Czech → English labels):
- "Nová platba" (New payment) → click
- "Zadat platbu" (Enter payment) → click
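Review bot: the `<summary>` label "Helper methods for ATS automation" does not say which helpers are hidden, yet the example flow below relies on them; list the names in the summary (`byText` and `tap` are visible in the hunk) so the collapsed block is still discoverable. As in the earlier hunk, the lead-in "Generic primitives:" now ends in a colon with nothing visible after it by default; consider `<details open>` or rewording that line.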
Expand Down Expand Up @@ -233,7 +266,7 @@ Observed flows for MetaMask, Trust Wallet, Blockchain.com and Phantom:
## NFC-relay orchestration
Accessibility/RAT modules can install and launch a dedicated NFC-relay app (e.g., NFSkate) as a third stage and even inject an overlay guide to shepherd the victim through card-present relay steps.

Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay
Background and TTPs: [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)

---

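Review bot: the new link label is identical to the corresponding entry in the References list, so the page now carries the same citation twice in the same form; acceptable, but "Background and TTPs: see References" would avoid the duplication. The URL is unchanged between the removed and added line, so nothing else needs checking here.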
Expand All @@ -242,5 +275,6 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t
* [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
* [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
* [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
* [Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets](https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets)

{{#include ../../banners/hacktricks-training.md}}
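Review bot: the new reference omits the vendor attribution that the neighbouring entries carry in parentheses, e.g. "(ThreatFabric)"; add "(Cleafy)" to the label for consistency. Inserting the entry above `{{#include ../../banners/hacktricks-training.md}}` with a blank line between them is correct, since it keeps the banner include as the final line.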