Add content from: The Dark Side of Romance: SarangTrap Extortion Campaign

2025-10-10 18:36:50 +00:00 · 2025-07-24 12:42:10 +00:00 · 2025-07-24 12:42:10 +00:00 · f36ea4547e
commit f36ea4547e
parent 236d9b7376
3 changed files with 105 additions and 0 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -32,6 +32,7 @@
  - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md)
  - [Detecting Phishing](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md)
  - [Discord Invite Hijacking](generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md)
+  - [Mobile Phishing Malicious Apps](generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md)
  - [Phishing Files & Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md)
 - [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md)
  - [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md)
--- a/src/generic-methodologies-and-resources/phishing-methodology/README.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/README.md
@ -466,6 +466,12 @@ Attackers can silently copy malicious commands into the victim’s clipboard fro
 clipboard-hijacking.md
 {{#endref}}

+## Mobile Phishing & Malicious App Distribution (Android & iOS)
+
+{{#ref}}
+mobile-phishing-malicious-apps.md
+{{#endref}}
+
 ## References

 - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)
--- a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
@ -0,0 +1,98 @@
+# Mobile Phishing & Malicious App Distribution (Android & iOS)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+> [!INFO]
+> This page covers techniques used by threat actors to distribute **malicious Android APKs** and **iOS mobile-configuration profiles** through phishing (SEO, social engineering, fake stores, dating apps, etc.).
+> The material is adapted from the SarangTrap campaign exposed by Zimperium zLabs (2025) and other public research.
+
+## Attack Flow
+
+1. **SEO/Phishing Infrastructure**
+   * Register dozens of look-alike domains (dating, cloud share, car service…).  
+     – Use local language keywords and emojis in the `<title>` element to rank in Google.  
+     – Host *both* Android (`.apk`) and iOS install instructions on the same landing page.
+2. **First Stage Download**
+   * Android: direct link to an *unsigned* or “third-party store” APK.  
+   * iOS: `itms-services://` or plain HTTPS link to a malicious **mobileconfig** profile (see below).
+3. **Post-install Social Engineering**
+   * On first run the app asks for an **invitation / verification code** (exclusive access illusion).  
+   * The code is **POSTed over HTTP** to the Command-and-Control (C2).  
+   * C2 replies `{"success":true}` ➜ malware continues.  
+   * Sandbox / AV dynamic analysis that never submits a valid code sees **no malicious behaviour** (evasion).
+4. **Runtime Permission Abuse** (Android)
+   * Dangerous permissions are only requested **after positive C2 response**:
+     ```xml
+     <uses-permission android:name="android.permission.READ_CONTACTS"/>
+     <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
+     <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
+     <!-- Older builds also asked for SMS permissions -->
+     ```
+   * Recent variants **remove `<uses-permission>` for SMS from `AndroidManifest.xml`** but leave the Java/Kotlin code path that reads SMS through reflection ⇒ lowers static score while still functional on devices that grant the permission via `AppOps` abuse or old targets.
+5. **Facade UI & Background Collection**
+   * App shows harmless views (SMS viewer, gallery picker) implemented locally.  
+   * Meanwhile it exfiltrates:
+     - IMEI / IMSI, phone number
+     - Full `ContactsContract` dump (JSON array)
+     - JPEG/PNG from `/sdcard/DCIM` compressed with [Luban](https://github.com/Curzibn/Luban) to reduce size
+     - Optional SMS content (`content://sms`)
+     Payloads are **batch-zipped** and sent via `HTTP POST /upload.php`.
+6. **iOS Delivery Technique**
+   * A single **mobile-configuration profile** can request `PayloadType=com.apple.sharedlicenses`, `com.apple.managedConfiguration` etc. to enroll the device in “MDM”-like supervision.  
+   * Social-engineering instructions:
+     1. Open Settings ➜ *Profile downloaded*.
+     2. Tap *Install* three times (screenshots on the phishing page).  
+     3. Trust the unsigned profile ➜ attacker gains *Contacts* & *Photo* entitlement without App Store review.
+7. **Network Layer**
+   * Plain HTTP, often on port 80 with HOST header like `api.<phishingdomain>.com`.
+   * `User-Agent: Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230805.001)` (no TLS → easy to spot).
+
+## Defensive Testing / Red-Team Tips
+
+* **Dynamic Analysis Bypass** – During malware assessment, automate the invitation code phase with Frida/Objection to reach the malicious branch.
+* **Manifest vs. Runtime Diff** – Compare `aapt dump permissions` with runtime `PackageManager#getRequestedPermissions()`; missing dangerous perms is a red flag.
+* **Network Canary** – Configure `iptables -p tcp --dport 80 -j NFQUEUE` to detect unsolid POST bursts after code entry.
+* **mobileconfig Inspection** – Use `security cms -D -i profile.mobileconfig` on macOS to list `PayloadContent` and spot excessive entitlements.
+
+## Blue-Team Detection Ideas
+
+* **Certificate Transparency / DNS Analytics** to catch sudden bursts of keyword-rich domains.
+* **User-Agent & Path Regex**: `(?i)POST\s+/(check|upload)\.php` from Dalvik clients outside Google Play.
+* **Invite-code Telemetry** – POST of 6–8 digit numeric codes shortly after APK install may indicate staging.
+* **MobileConfig Signing** – Block unsigned configuration profiles via MDM policy.
+
+## Useful Frida Snippet: Auto-Bypass Invitation Code
+
+```python
+# frida -U -f com.badapp.android -l bypass.js --no-pause
+# Hook HttpURLConnection write to always return success
+Java.perform(function() {
+  var URL = Java.use('java.net.URL');
+  URL.openConnection.implementation = function() {
+    var conn = this.openConnection();
+    var HttpURLConnection = Java.use('java.net.HttpURLConnection');
+    if (Java.cast(conn, HttpURLConnection)) {
+        conn.getResponseCode.implementation = function(){ return 200; };
+        conn.getInputStream.implementation = function(){
+            return Java.use('java.io.ByteArrayInputStream').$new("{\"success\":true}".getBytes());
+        };
+    }
+    return conn;
+  };
+});
+```
+
+## Indicators (Generic)
+
+```
+/req/checkCode.php        # invite code validation
+/upload.php               # batched ZIP exfiltration
+LubanCompress 1.1.8       # "Luban" string inside classes.dex
+```
+
+## References
+
+- [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign)
+- [Luban – Android image compression library](https://github.com/Curzibn/Luban)
+
+{{#include ../../banners/hacktricks-training.md}}