diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md index a4a8871edd4..f7dad0d3c50 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md 
@@ -629,6 +629,71 @@ wm.addView(v, lp); Operator control primitives often seen: `BACK`, `HOME`, `RECENTS`, `CLICKTXT`/`CLICKDESC`/`CLICKELEMENT`/`CLICKHINT`, `TAP`/`SWIPE`, `NOTIFICATIONS`, `OPNPKG`, `VNC`/`VNCA11Y` (screen sharing). + +## Role hijack, semantic UI parsing, and screenshot-based pseudo-VNC (Rokarolla-like banker workflow) + +A recent Android banker family is a good example of how **post-install fraudware** can avoid new exploits and still reach near-full device takeover by chaining Accessibility, overlays, Android roles, and low-bandwidth screen telemetry. + +### Default SMS / call role hijack with overlay-assisted consent + +Beyond requesting `READ_SMS`/`SEND_SMS`, some bankers explicitly try to become the **default SMS app** and a **call-handling / call-screening component** so they can read incoming OTPs, send SMS as the victim, and suppress bank warning calls. + +Practical pattern: +- request the role through `RoleManager` or the platform call-management flow +- show a blocking overlay while Accessibility locates and clicks the consent buttons +- store per-device click points so later role prompts can be auto-approved faster + +Hunting ideas: +- `RoleManager.createRequestRoleIntent(...)` +- strings such as `android.app.role.SMS`, `call_screening`, `default SMS`, `default handler` +- Accessibility helpers that calibrate overlay coordinates before calling `dispatchGesture(...)` + +### SQLite-backed package → phishing-HTML mapping + +A useful banker design is to keep the **target package list** and downloaded **overlay HTML** in a local SQLite database instead of hardcoding every template in the APK. + +Common flow: +1. fetch a monitored-app mapping from the C2 (`package`, `status`, `url`) +2. compare it with the installed-package list +3. download the matching fake HTML only for apps present on the device +4. 
cache the template locally and inject it when the legitimate package reaches the foreground + +This design makes the overlay set remotely updateable without shipping a new APK and leaves very specific forensic artifacts: tables or rows storing the package name, enable/disable status, and phishing URL / HTML blob. + +### Semantic Accessibility parsing for app-specific theft + +Instead of exfiltrating the whole UI tree blindly, some samples treat Accessibility as a **semantic screen classifier**. They ignore common labels that belong to the target app's normal chrome and focus only on text that is likely to be sensitive. + +Observed pattern for WhatsApp-style extraction: +- treat labels such as `Chats`, `Calls`, and `New group` as structural noise +- ignore strings that match common time formats +- exfiltrate the remaining visible texts as likely contacts / chat metadata + +This is a reusable technique for any app with stable navigation labels: first identify the screen from a few invariant strings, then strip the known UI shell and keep only attacker-relevant fields. + +### Screenshot loop pseudo-VNC without MediaProjection + +Not every Android RAT uses continuous `MediaProjection` streaming. A quieter alternative is a **snapshot loop**: +- take a screenshot +- encode it as PNG or JPEG +- attach a timestamp / state marker +- exfiltrate it over the existing C2 +- reset internal state and repeat + +For analysts, this matters because the malware may provide operator screen visibility **without** requesting the visible MediaProjection consent flow. Hunt for repeated screenshot helpers, `Bitmap.compress(...)`, PNG encoders, timer/handler loops, and upload routines that send image blobs plus timestamps. 
+ +### Dynamic C2 rotation and security-tool suppression + +Two small but useful patterns: +- **dynamic domain rotation**: a config command updates the active HTTPS C2 list in preferences or local storage, so sinkholing one domain does not kill the bot +- **security-UI targeting**: commands explicitly open Google Play Protect or related settings pages, then rely on overlays + Accessibility to hide the interaction while protections are disabled + +### Triage grep set + +```bash +rg -n 'RoleManager|createRequestRoleIntent|android.app.role.SMS|call_screening|dispatchGesture|AccessibilityNodeInfo|SQLiteDatabase|monitored_apps|Bitmap.compress|png|timestamp|SharedPreferences|Play Protect' . +``` + ## Multi-stage Android dropper with WebView bridge, JNI string decoder, and staged DEX loading CERT Polska's 03 April 2026 analysis of **cifrat** is a good reference for a modern phishing-delivered Android loader where the visible APK is only an installer shell. The reusable tradecraft is not the family name, but the way the stages are chained: @@ -774,6 +839,8 @@ struct Header { - [DomainTools SecuritySnacks - ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) - [Bypassing Android 13 Restrictions with SecuriDropper (ThreatFabric)](https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions) - [Analysis of cifrat: could this be an evolution of a mobile RAT?](https://cert.pl/en/posts/2026/04/cifrat-analysis/) +- [Rokarolla : Android Banker with Complete Device Takeover Capabilities](https://zimperium.com/blog/rokarolla-android-banker-with-complete-device-takeover-capabilities) +- [Zimperium IOC – Rokarolla commands](https://github.com/Zimperium/IOC/blob/master/2026-06-Rokarolla/commands.md) - Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations - [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/)
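Review bot: the "Triage grep set" at the end of the first hunk is too noisy to be useful as written: `png`, `timestamp`, `SharedPreferences` and `AccessibilityNodeInfo` will match in practically every decompiled APK, and the unescaped dot in `Bitmap.compress` is a regex wildcard. Suggest splitting it into a high-signal set (`createRequestRoleIntent|android\.app\.role\.SMS|android\.app\.role\.CALL_SCREENING|ROLE_CALL_SCREENING|dispatchGesture|Bitmap\.compress|monitored_apps|Play Protect`) and a second, explicitly low-signal set, and using `-w` or word boundaries for the short tokens. Two related gaps in the same hunk: the role-hijack subsection greps for `call_screening`, but the platform constant is `RoleManager.ROLE_CALL_SCREENING` (`"android.app.role.CALL_SCREENING"`), so the current string misses the most likely literal; and the "Screenshot loop pseudo-VNC" subsection never says which API produces the screenshot, which leaves the hunting advice at "repeated screenshot helpers" when `AccessibilityService.takeScreenshot(...)` (API 30+) is the concrete call an analyst would add to the grep and to a permissions/manifest triage (it is gated on the Accessibility service being enabled, which ties it back to the overlay-assisted consent pattern described earlier in the hunk).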
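Review bot: the two reference entries added in the second hunk are never cited from the new section, and the section body only says "A recent Android banker family" while the heading says "Rokarolla-like"; add an inline link to the Zimperium write-up (and to the commands IOC file, which is the source for the command names listed) at the top of the new section so the claims are traceable. Style nit on the same lines: "Rokarolla : Android Banker" has a stray space before the colon, and "Zimperium IOC – Rokarolla commands" uses an en dash where the surrounding entries use " - " or a plain title; align with the existing entry format.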