mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Update mobile-phishing-malicious-apps.md
This commit is contained in:
parent
d45fb38c30
commit
2c80d30738
@ -264,24 +264,6 @@ See also WebSocket tradecraft and tooling:
../../pentesting-web/websocket-attacks.md
{{#endref}}
### Open-directory APK staging & rotation
Operators often keep multiple bank-themed loaders in browsable indexes for rapid rotation and reuse. This enables:
- Fast swapping of filenames/brands without code changes in lures.
- Seed lists for smishing/SEO lures that reference fresh filenames.
Hunting tips:
- Continuously scrape open indexes for APK filenames + hashes; diff over time to track rotations.
- Correlate APK families by reused signing certs, package names, hardcoded endpoints, and string kits.
### Infrastructure fingerprints for proactive blocking
Common recurring traits worth risk-scoring when observed together:
- Hosting: Alibaba, Scloud, Cloudflare fronting; geo often SG/ID; nginx servers.
- Registrar/NS: Gname.com Pte. Ltd.; nameservers like share-dns[.]net; inexpensive/fast issuance CAs (e.g., R10, R11, WE1).
- Content: page titles like “Identitas Kependudukan Digital- Apps on Google Play”; short domain-registration→first-DNS resolution deltas (< 12h) indicating quick operationalization.
## References
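Review bot: the commit message "Update mobile-phishing-malicious-apps.md" gives no rationale for this hunk, which shrinks 24 lines to 6 by dropping the whole "Open-directory APK staging & rotation" and "Infrastructure fingerprints for proactive blocking" subsections, including the defender-oriented hunting tips (scraping open indexes for APK filenames and hashes and diffing them over time, correlating families by reused signing certs, package names and hardcoded endpoints) and the risk-scoring traits (hosting, registrar/nameserver, CA and registration-to-first-resolution deltas). Since the rendered diff shows no +/- markers, the reader cannot tell whether anything replaced them; please state in the commit message why the content was removed (outdated IOCs, sourcing concerns, or relocation) and, if it was moved, where it now lives, so the "Hunting tips" guidance is not silently lost from the page.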
@ -294,4 +276,4 @@ Common recurring traits worth risk-scoring when observed together:
- [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN)
- [Socket.IO](https://socket.io)
{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
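Review bot: the two `{{#include ../../banners/hacktricks-training.md}}` lines in this hunk are identical as rendered, and the hunk header (-294,4 +276,4) shows the same line count on both sides, so the change must be whitespace-only (for example a trailing newline); please confirm that exactly one banner include remains at the end of the file after the change, because the rendered diff cannot show which copy is old and which is new. Separately, the unchanged context line `- [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](...)` is the source for the infrastructure and open-directory material deleted in the previous hunk; with that text gone the reference is no longer cited anywhere on the page, so either keep one sentence in the body pointing to it as the IOC source or drop the entry along with the content.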