Add content from: ToxicPanda Android Banking Malware 2025 Study

src/mobile-pentesting/android-app-pentesting/tapjacking.md

@@ -63,8 +63,49 @@ The mitigation is relatively simple as the developer may choose not to receive t
 >
 > To enable touch filtering, call [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) or set the android:filterTouchesWhenObscured layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window.
 
+---
 
-{{#include ../../banners/hacktricks-training.md}}
+## Accessibility Overlay Phishing (Banking-Trojan Variant)
 
+Besides classic Tapjacking, modern Android banking malware families (e.g. **ToxicPanda**, BrasDex, Sova, etc.) abuse the **Accessibility Service** to place a full-screen WebView **overlay** above the legitimate application while still being able to **forward the user input** to the view underneath.  This dramatically increases believability and allows attackers to steal credentials, OTPs or even automate fraudulent transactions.
 
+### How it works
+1. The malicious APK requests the highly-sensitive `BIND_ACCESSIBILITY_SERVICE` permission, usually hiding the request behind a fake Google/Chrome/PDF-viewer dialog.
+2. Once the user enables the service, the malware programmatically simulates the taps required to grant additional dangerous permissions (`READ_SMS`, `SYSTEM_ALERT_WINDOW`, `REQUEST_INSTALL_PACKAGES`, …).
+3. A **WebView** is inflated and added to the window manager using the **`TYPE_ACCESSIBILITY_OVERLAY`** window type.  The overlay can be rendered totally opaque or semi-transparent and can be flagged as *“through”* so that the original touches are still delivered to the background activity (thus the transaction really happens while the victim only sees the phishing form).
 
+```java
+WebView phishingView = new WebView(getApplicationContext());
+phishingView.getSettings().setJavaScriptEnabled(true);
+phishingView.loadUrl("file:///android_asset/bank_login.html");
+
+WindowManager wm = (WindowManager) getSystemService(WINDOW_SERVICE);
+WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
+        WindowManager.LayoutParams.MATCH_PARENT,
+        WindowManager.LayoutParams.MATCH_PARENT,
+        WindowManager.LayoutParams.TYPE_ACCESSIBILITY_OVERLAY,  // <-- bypasses SYSTEM_ALERT_WINDOW prompt
+        WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE |
+        WindowManager.LayoutParams.FLAG_NOT_TOUCH_MODAL,        // «through» flag → forward touches
+        PixelFormat.TRANSLUCENT);
+wm.addView(phishingView, lp);
+```
+
+### Typical workflow used by banking Trojans
+* Query installed packages (`QUERY_ALL_PACKAGES`) to figure out which banking / wallet app is currently opened.
+* Download an **HTML/JS overlay template** from the C2 that perfectly imitates that specific application (Logo, colours, i18n strings…).
+* Display the overlay, harvest credentials/PIN/pattern.
+* Use the **Accessibility API** (`performGlobalAction`, `GestureDescription`) to automate transfers in the background.
+
+### Detection & Mitigation
+* Audit the list of installed apps with `adb shell pm list packages -3 -e BIND_ACCESSIBILITY_SERVICE`.
+* From the application side (bank / wallet):
+  - Enable **`android:accessibilityDataSensitive="accessibilityDataPrivateYes"`** (Android 14+) on sensitive views to block non-Play-Store services.
+  - Combine with `setFilterTouchesWhenObscured(true)` and `FLAG_SECURE`.
+* System hardening:
+  - Disable *Install from Unknown Sources* & *Accessibility for untrusted apps*.
+  - Enforce PlayProtect & up-to-date devices.
+
+## References
+* [Bitsight – ToxicPanda Android Banking Malware 2025 Study](https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study)
+
+{{#include ../../banners/hacktricks-training.md}}