From 2c80d3073868366656404ae5642c0e91f17936f2 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Mon, 29 Sep 2025 23:41:20 +0200 Subject: [PATCH] Update mobile-phishing-malicious-apps.md --- .../mobile-phishing-malicious-apps.md | 20 +------------------ 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md index 858664fd7..a6c96912e 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md @@ -264,24 +264,6 @@ See also WebSocket tradecraft and tooling: ../../pentesting-web/websocket-attacks.md {{#endref}} -### Open-directory APK staging & rotation - -Operators often keep multiple bank-themed loaders in browsable indexes for rapid rotation and reuse. This enables: -- Fast swapping of filenames/brands without code changes in lures. -- Seed lists for smishing/SEO lures that reference fresh filenames. - -Hunting tips: -- Continuously scrape open indexes for APK filenames + hashes; diff over time to track rotations. -- Correlate APK families by reused signing certs, package names, hardcoded endpoints, and string kits. - -### Infrastructure fingerprints for proactive blocking - -Common recurring traits worth risk-scoring when observed together: -- Hosting: Alibaba, Scloud, Cloudflare fronting; geo often SG/ID; nginx servers. -- Registrar/NS: Gname.com Pte. Ltd.; nameservers like share-dns[.]net; inexpensive/fast issuance CAs (e.g., R10, R11, WE1). -- Content: page titles like “Identitas Kependudukan Digital- Apps on Google Play”; short domain-registration→first-DNS resolution deltas (< 12h) indicating quick operationalization. - - ## References 
@@ -294,4 +276,4 @@ Common recurring traits worth risk-scoring when observed together: - [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) - [Socket.IO](https://socket.io) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}
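Review bot: In the first hunk (`@@ -264,24 +264,6 @@`), the deletion removes the whole "Infrastructure fingerprints for proactive blocking" section, which is the defender-facing part of this page (hosting/registrar/CA traits, the Google Play-style page title, and the short registration-to-first-DNS-resolution delta used for risk scoring), along with the "Open-directory APK staging & rotation" hunting tips, and neither the commit subject ("Update mobile-phishing-malicious-apps.md") nor the diff says why. Please state the rationale in the commit message (moved to another page, superseded, or dropped as overly source-specific indicators) and, if the material was relocated, leave a `{{#ref}}` pointer at the removal site so readers of this page can still find the blocking guidance; note also that the `DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)` entry survives in the References list, so if these sections were derived from it, confirm that reference is still cited by the remaining text.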
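Review bot: The second hunk (`@@ -294,4 +276,4 @@`) only adds the missing trailing newline after `{{#include ../../banners/hacktricks-training.md}}` (the `\ No newline at end of file` marker), which is unrelated to the section removal above and is not mentioned in the commit message; consider splitting it into its own whitespace-only commit, or at least noting it in the message, so the content deletion in this patch is not obscured. To keep this from recurring across the book, an `.editorconfig` rule `insert_final_newline = true` for `*.md` would enforce the trailing newline in editors that honour it.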