Add content from: PlayPraetor’s evolving threat: How Chinese-speaking actors g...

src/SUMMARY.md

@@ -322,6 +322,7 @@
 
 - [Android APK Checklist](mobile-pentesting/android-checklist.md)
 - [Android Applications Pentesting](mobile-pentesting/android-app-pentesting/README.md)
+  - [Accessibility Services Abuse](mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md)
   - [Android Applications Basics](mobile-pentesting/android-app-pentesting/android-applications-basics.md)
   - [Android Task Hijacking](mobile-pentesting/android-app-pentesting/android-task-hijacking.md)
   - [ADB Commands](mobile-pentesting/android-app-pentesting/adb-commands.md)

src/mobile-pentesting/android-app-pentesting/README.md

@@ -27,6 +27,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde
 - [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
 - [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
 - [Exploiting Insecure In-App Update Mechanisms](insecure-in-app-update-rce.md)
+- [Abusing Accessibility Services (Android RAT)](accessibility-services-abuse.md)
 - **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)
 - Extract APK from device:
 

src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md

@@ -0,0 +1,153 @@
+# Android Accessibility Service Abuse
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+`AccessibilityService` was created to help users with disabilities interact with Android devices.  Unfortunately, the same **powerful automation APIs** (global navigation, text input, gesture dispatch, overlay windows…) can be weaponised by malware to gain **complete remote control** of the handset _without root privileges_.
+
+Modern Android banking Trojans and Remote-Access-Trojans (RATs) such as **PlayPraetor, SpyNote, BrasDex, SOVA, ToxicPanda** and many others follow the same recipe:
+
+1. Social-engineer the victim into enabling a rogue accessibility service (the *BIND_ACCESSIBILITY_SERVICE* permission is considered "high-risk" and requires an explicit user action).
+2. Leverage the service to
+   * capture every UI event & text that appears on screen,
+   * inject synthetic gestures (`dispatchGesture`) and global actions (`performGlobalAction`) to automate any task the operator desires,
+   * draw full-screen overlays on top of legitimate apps using the **TYPE_ACCESSIBILITY_OVERLAY** window type (no `SYSTEM_ALERT_WINDOW` prompt!),
+   * silently grant additional runtime permissions by clicking on the system dialogs on the victim’s behalf.
+3. Exfiltrate data or perform **On-Device-Fraud (ODF)** in real-time while the user is looking at a perfectly normal screen.
+
+---
+
+## Requesting the permission
+
+```xml
+<!-- AndroidManifest.xml -->
+<service
+    android:name="com.evil.rat.EvilService"
+    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
+    android:exported="false">
+
+    <intent-filter>
+        <action android:name="android.accessibilityservice.AccessibilityService" />
+    </intent-filter>
+
+    <meta-data android:name="android.accessibilityservice"
+        android:resource="@xml/evil_accessibility_config"/>
+</service>
+```
+
+The companion XML defines how the fake dialog will look like:
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
+    android:description="@string/service_description"
+    android:accessibilityEventTypes="typeAllMask"
+    android:accessibilityFeedbackType="feedbackGeneric"
+    android:notificationTimeout="200"
+    android:canPerformGestures="true"
+    android:canRetrieveWindowContent="true"/>
+```
+
+---
+
+## Remote UI automation primitives
+
+```java
+public class EvilService extends AccessibilityService {
+    @Override
+    public void onAccessibilityEvent(AccessibilityEvent event) {
+        // harvest text or detect foreground app change
+    }
+
+    // Simulate HOME / BACK / RECENTS …
+    private void navHome()     { performGlobalAction(GLOBAL_ACTION_HOME); }
+    private void navBack()     { performGlobalAction(GLOBAL_ACTION_BACK); }
+    private void openRecents() { performGlobalAction(GLOBAL_ACTION_RECENTS); }
+
+    // Generic tap / swipe
+    public void tap(float x, float y) {
+        Path p = new Path(); p.moveTo(x, y);
+        GestureDescription.StrokeDescription s = new GestureDescription.StrokeDescription(p, 0, 50);
+        dispatchGesture(new GestureDescription.Builder().addStroke(s).build(), null, null);
+    }
+}
+```
+
+With only these two APIs an attacker can:
+* Unlock the screen, open the banking app, navigate its UI tree and submit a transfer form.
+* Accept every permission dialog that pops up.
+* Install/update extra APKs via the Play Store intent.
+
+---
+
+## Abuse patterns
+
+### 1. Overlay Phishing (Credential Harvesting)
+A transparent or opaque `WebView` is added to the window manager:
+
+```java
+WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
+        MATCH_PARENT, MATCH_PARENT,
+        TYPE_ACCESSIBILITY_OVERLAY,                      // ⬅ bypasses SYSTEM_ALERT_WINDOW
+        FLAG_NOT_FOCUSABLE | FLAG_NOT_TOUCH_MODAL,       // touches still reach the real app
+        PixelFormat.TRANSLUCENT);
+wm.addView(phishingView, lp);
+```
+
+The victim types credentials into the fake form while the background app receives the same gestures – no suspicious "draw over other apps" prompt is ever shown.
+
+> Detailed example: the *Accessibility Overlay Phishing* section inside the Tapjacking page.
+
+### 2. On-Device Fraud automation
+Malware families such as **PlayPraetor** maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …).  The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device.
+
+### 3. Screen streaming & monitoring
+By combining the **MediaProjection API** with an RTMP client library, the RAT can broadcast the live framebuffer to `rtmp://<c2>:1935/live/<device_id>`, giving the adversary perfect situational awareness while the Accessibility engine drives the UI.
+
+---
+
+## PlayPraetor – command & control workflow
+
+1. **HTTP(S) heartbeat** – iterate over a hard-coded list until one domain answers `POST /app/searchPackageName` with the active C2.
+2. **WebSocket (port 8282)** – bidirectional JSON commands:
+   * `update` – push new conf/APKs
+   * `alert_arr` – configure overlay templates
+   * `report_list` – send list of targeted package names
+   * `heartbeat_web` – keep-alive
+3. **RTMP (port 1935)** – live screen/video streaming.
+4. **REST exfiltration** –
+   * `/app/saveDevice` (fingerprint)
+   * `/app/saveContacts` | `/app/saveSms` | `/app/uploadImageBase64`
+   * `/app/saveCardPwd` (bank creds)
+
+The **AccessibilityService** is the local engine that turns those cloud commands into physical interactions.
+
+---
+
+## Detecting malicious accessibility services
+
+* `adb shell settings get secure enabled_accessibility_services`
+* Settings → Accessibility → *Downloaded services* – look for apps that are **not** from Google Play.
+* MDM / EMM solutions can enforce `ACCESSIBILITY_ENFORCEMENT_DEFAULT_DENY` (Android 13+) to block sideloaded services.
+* Analyse running services:
+  ```bash
+  adb shell dumpsys accessibility | grep "Accessibility Service"
+  ```
+
+---
+
+## Hardening recommendations for app developers
+
+* Mark sensitive views with `android:accessibilityDataSensitive="accessibilityDataPrivateYes"` (API 34+).
+* Combine `setFilterTouchesWhenObscured(true)` with `FLAG_SECURE` to prevent tap/overlay hijacking.
+* Detect overlays by polling `WindowManager.getDefaultDisplay().getFlags()` or the `ViewRootImpl` API.
+* Refuse to operate when `Settings.canDrawOverlays()` **or** a non-trusted Accessibility service is active.
+
+---
+
+## References
+* [PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT](https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat)
+* [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
+
+{{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/android-app-pentesting/tapjacking.md

@@ -105,6 +105,12 @@ wm.addView(phishingView, lp);
   - Disable *Install from Unknown Sources* & *Accessibility for untrusted apps*.
   - Enforce PlayProtect & up-to-date devices.
 
+For additional details on leveraging Accessibility Services for full remote device control (e.g. PlayPraetor, SpyNote, etc.) see:
+
+{{#ref}}
+accessibility-services-abuse.md
+{{#endref}}
+
 ## References
 * [Bitsight – ToxicPanda Android Banking Malware 2025 Study](https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study)