Add content from: Datzbro: RAT Hiding Behind Senior Travel Scams

This commit is contained in:
HackTricks News Bot 2025-10-01 13:03:43 +00:00
parent cd60902021
commit a3662938c3
3 changed files with 98 additions and 2 deletions

View File

@ -429,6 +429,64 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new
- Detect installation/launch of an external NFC-relay app triggered by another app.
- For banking: enforce out-of-band confirmations, biometrics-binding, and transaction-limits resistant to on-device automation.
### Droppers bypassing Android 13 Restricted Settings (SecuriDropper/Zombinder)
Android 13 introduced “Restricted Settings” to block sideloaded apps from directly requesting highrisk capabilities like Accessibility Services and Notification Listener. Modern droppers bypass this by installing the payload via the sessionbased Package Installer API, mimicking marketplace installs so the OS does not treat the payload as a classic sideloaded app.
Key traits to look for
- Firststage APK presents a benign facade and a “Reinstall/Update” button that triggers a sessionbased install of an embedded or downloaded payload.
- Requests storage and install permissions (WRITE/READ_EXTERNAL_STORAGE, REQUEST_INSTALL_PACKAGES) and then launches the payload, immediately shepherding the user to enable Accessibility.
- Zombinder “binds” a dropper into a legitimate app so the app works but also silently delivers the malware; variants also ship a pure dropper builder.
Static/dynamic triage
- Strings/imports for PackageInstaller.Session/commit and asset payloads (e.g., assets/app.apk).
- UI text like “Reinstall” followed by requests to enable Accessibility despite Restricted Settings.
- Network fetch of secondary APKs hosted on CDNs/social platforms, then sessionbased install.
Defence ideas
- EDR/MDM: flag nonstore apps using PackageInstaller.Session APIs; alert on Accessibility enablement following a nonPlay install flow.
- Block installs from unknown sources; enforce Play Protect; monitor for REQUEST_INSTALL_PACKAGES in nonenterprise apps.
### Android Accessibility Abuse & OverlayBased Remote Control Datzbro patterns
Datzbro exemplifies a full devicetakeover flow powered by Accessibility plus remoteops UX that works even with poor video or when the victim is blinded.
Remote control primitives
- Screen streaming: start/stop MediaProjection based cast or recording for operator awareness.
- Interactive control: dispatch gestures and GLOBAL_ACTION_* to drive any app.
- Black overlay cloaking: draw a semitransparent fullscreen overlay (with optional text) to hide live fraud from the victim while the operator still sees and controls the UI.
- “Schematic” mode: periodically serialize Accessibility node metadata (class/role, bounds, text/ids) so the operator interacts with a logical UI map instead of a pixel stream, enabling precise clicks even under black overlay or low bandwidth.
Minimal blackoverlay sketch
```java
View v = new TextView(getApplicationContext());
((TextView)v).setText(overlayText); v.setBackgroundColor(0xAA000000); // alpha black
WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
MATCH_PARENT, MATCH_PARENT,
WindowManager.LayoutParams.TYPE_ACCESSIBILITY_OVERLAY,
WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE | WindowManager.LayoutParams.FLAG_NOT_TOUCH_MODAL,
PixelFormat.TRANSLUCENT);
((WindowManager)getSystemService(WINDOW_SERVICE)).addView(v, lp);
```
Financefocused Accessibility log filtering
```java
static final String[] PKG = {"bank","pay","alipay","wechat","wallet","finance"};
static final String[] TXT = {"password","密码验证","pin","验证码","code","验证"};
public void onAccessibilityEvent(AccessibilityEvent e){
String p = String.valueOf(e.getPackageName());
String t = e.getText()==null? "" : TextUtils.join(" ", e.getText());
if (containsAny(p, PKG) && containsAny(t.toLowerCase(Locale.ROOT), TXT)) {
// persist sensitive event, trigger capture/stream, raise operator task
}
}
```
Operator command surface commonly includes: toggle screen stream/schematic mode/overlay; perform gestures; wake/unlock; manage SMS/contacts/apps/files; device info; passwordstealer activities; toggle Accessibility processing; camera/mic control; update C2; retrieve crash logs; search/delete Accessibility logs; photo exfiltration.
Hunting and defence
- Telemetry bursts of Accessibility events plus frequent gesture dispatches; toggling overlays from a nonPlay app.
- TYPE_ACCESSIBILITY_OVERLAY windows created by untrusted apps; MediaProjection prompts followed by steady frame uploads.
- Banking/crypto text/package keyword logging in Accessibility services (incl. Chinese strings) and credential prompts for Alipay/WeChat or device PIN.
## References
- [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign)
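Review bot: the two Java sketches in this hunk ("Minimal blackoverlay sketch" and "Financefocused Accessibility log filtering") do not compile as pasted: `MATCH_PARENT` is unqualified (use `WindowManager.LayoutParams.MATCH_PARENT` or a static import), `containsAny` is never defined, and `TextUtils`/`Locale` need imports. The overlay sketch should also state that the unqualified `getSystemService(WINDOW_SERVICE)` has to be called on the AccessibilityService itself, since only the service's WindowManager attaches the window token that `TYPE_ACCESSIBILITY_OVERLAY` requires; that same constraint is what makes the "Hunting and defence" bullet about `TYPE_ACCESSIBILITY_OVERLAY` windows useful, because such a window can only come from an enabled accessibility service, so one appearing from a non-store app is already a strong signal. Hyphens were dropped throughout the prose ("highrisk", "sessionbased", "Firststage", "nonPlay", "semitransparent", "blackoverlay", "passwordstealer"), and the heading "OverlayBased Remote Control Datzbro patterns" lost the separator between "Remote Control" and "Datzbro patterns". Both snippets are added again verbatim to the accessibility-service page later in this commit; keep a single copy and cross-link from the other page.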
@ -440,5 +498,8 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new
- [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/)
- [DomainTools SecuritySnacks ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN)
- [Socket.IO](https://socket.io)
- [Datzbro: RAT Hiding Behind Senior Travel Scams](https://www.threatfabric.com/blogs/datzbro-rat-hiding-behind-senior-travel-scams)
- [Bypassing Android 13 Restrictions with SecuriDropper](https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions)
- [Zombinder: new obfuscation service used by Ermac, now distributed next to desktop stealers](https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers)
{{#include ../../banners/hacktricks-training.md}}

View File

@ -202,6 +202,40 @@ private void dumpTree(AccessibilityNodeInfo n, String indent, StringBuilder sb){
This is the basis for commands like `txt_screen` (one-shot) and `screen_live` (continuous).
## Black overlay fraud cloaking
A RAT can hide live fraudulent navigation from the victim by drawing a semitransparent fullscreen view on top of any app using TYPE_ACCESSIBILITY_OVERLAY. The operator still sees/controls the underlying UI (screencast or schematic mode), while the victim sees a “busy/idle/locked” screen text.
```java
TextView overlay = new TextView(getApplicationContext());
overlay.setText("System update… Please wait");
overlay.setGravity(Gravity.CENTER); overlay.setTextColor(Color.WHITE);
overlay.setBackgroundColor(0xAA000000); // semitransparent black
WindowManager.LayoutParams p = new WindowManager.LayoutParams(
MATCH_PARENT, MATCH_PARENT,
WindowManager.LayoutParams.TYPE_ACCESSIBILITY_OVERLAY,
WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE | WindowManager.LayoutParams.FLAG_NOT_TOUCH_MODAL,
PixelFormat.TRANSLUCENT);
((WindowManager)getSystemService(WINDOW_SERVICE)).addView(overlay, p);
```
## Schematic UI reconstruction (logical remote control)
Instead of relying on highbandwidth video, periodically serialize the visible node tree (class, role, bounds, text, viewIdResourceName). The C2 reconstructs a clickable wireframe and returns elementtargeted actions (by id/coords) that the service translates into `ACTION_CLICK`/`dispatchGesture`. This works even while a black overlay blinds the victim.
## Financefocused Accessibility log filtering
Banking Trojans selectively persist Accessibility events when package/text hints indicate sensitive flows (bank/wallet apps; password/PIN/OTP keywords including Chinese locales):
```java
static final String[] PKG = {"bank","pay","alipay","wechat","wallet","finance"};
static final String[] TXT = {"password","密码验证","pin","验证码","code","验证"};
public void onAccessibilityEvent(AccessibilityEvent e){
String p = String.valueOf(e.getPackageName());
String t = e.getText()==null? "" : TextUtils.join(" ", e.getText());
if (containsAny(p, PKG) && containsAny(t.toLowerCase(Locale.ROOT), TXT)) {
// snapshot tree, keylog, start screencast, raise operator task, etc.
}
}
```
## Device Admin coercion primitives
Once a Device Admin receiver is activated, these calls increase opportunities to capture credentials and maintain control:
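Review bot: the overlay and log-filter snippets in this hunk carry the same gaps as their copy in the previous file: `MATCH_PARENT` is unqualified, `Gravity`, `Color`, `TextUtils` and `Locale` are not imported, and `containsAny` is never defined; either add a one-line helper (loop over the array and call `String.contains`) or label the block as pseudocode. In the "Black overlay fraud cloaking" paragraph, make explicit that the unqualified `getSystemService(WINDOW_SERVICE)` is invoked on the AccessibilityService instance (which supplies its own window token), not on the application context used to build the TextView, because `TYPE_ACCESSIBILITY_OVERLAY` windows are only accepted with the service's token; that is also why an overlay of this type is a reliable indicator of an enabled accessibility service worth inspecting. Restore the dropped hyphens ("semitransparent", "fullscreen", "highbandwidth", "elementtargeted", "Financefocused").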
@ -242,5 +276,7 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t
* [Android accessibility documentation Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
* [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
* [GhostTap/NFSkate NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
* [Datzbro: RAT Hiding Behind Senior Travel Scams (ThreatFabric)](https://www.threatfabric.com/blogs/datzbro-rat-hiding-behind-senior-travel-scams)
* [Bypassing Android 13 Restricted Settings with SecuriDropper (ThreatFabric)](https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions)
{{#include ../../banners/hacktricks-training.md}}

View File

@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
> [!TIP]
>
> - **How can I cite a page of HackTricks?**
> - **How can I a page of HackTricks?**
As long as the link **of** the page(s) where you took the information from appears it's enough.\
If you need a bibtex you can use something like:
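Review bot: the replacement FAQ line in this hunk, "**How can I a page of HackTricks?**", has lost its verb and should remain "**How can I cite a page of HackTricks?**". This FAQ file is unrelated to the Datzbro content, so the edit looks accidental and should be dropped from this commit.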
@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
{{#include ../banners/hacktricks-training.md}}