From 2864fd1ac029aa125fcfdca430cad2cbadaae2d8 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 5 Dec 2025 18:39:00 +0000 Subject: [PATCH] Add content from: Return of ClayRat: Expanded Features and Techniques --- .../accessibility-services-abuse.md | 87 ++++++++++++++++++- 1 file changed, 86 insertions(+), 1 deletion(-) diff --git a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md index e37e673a3e5..6bf2d5a383a 100644 --- a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md @@ -18,6 +18,28 @@ Modern Android banking Trojans and Remote-Access-Trojans (RATs) such as **PlayPr --- +### Packed Accessibility droppers + +ClayRat v3.0.8 couples its Accessibility RAT with a staged payload hidden under `assets/`. At runtime the host APK: + +1. Streams the encrypted blob from `assets/*.dat`. +2. Decrypts it with a hard-coded AES/CBC key + IV embedded inside the Java/Kotlin loader. +3. Writes the plaintext DEX to the app's private dir and loads it via `DexClassLoader`, exposing the actual spyware classes only in memory. + +```java +byte[] blob = readAsset("payload.enc"); +Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); +SecretKeySpec key = new SecretKeySpec(hex("A1..."), "AES"); +c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv)); +byte[] dex = c.doFinal(blob); +DexClassLoader cl = new DexClassLoader(writeTemp(dex), getCodeCacheDir().getPath(), null, getClassLoader()); +cl.loadClass("com.clayrat.Core").newInstance(); +``` + +This packing pattern (ATT&CK T1406.002) keeps the Accessibility module off-disk until the dropper executes, defeating static signature scans and Play Protect until the user already granted the dangerous permissions. + +--- + ## Requesting the permission ```xml @@ -53,6 +75,9 @@ The companion XML defines how the fake dialog will look like: ## Remote UI automation primitives +
+Accessibility service automation skeleton + ```java public class EvilService extends AccessibilityService { @Override @@ -74,6 +99,8 @@ public class EvilService extends AccessibilityService { } ``` +
+ With only these two APIs an attacker can: * Unlock the screen, open the banking app, navigate its UI tree and submit a transfer form. * Accept every permission dialog that pops up. @@ -99,11 +126,62 @@ The victim types credentials into the fake form while the background app receive > Detailed example: the *Accessibility Overlay Phishing* section inside the Tapjacking page. +ClayRat exposes this capability with the `show_block_screen` / `hide_block_screen` commands that download overlay templates from the C2. Operators can switch layouts on the fly to: + +- **Black out** the panel so the victim assumes the handset is off or frozen while automated gestures disable Play Protect or grant more permissions. +- Display fake **system update / battery optimization** panels that justify why the device is “busy” while background automation continues. +- Show an **interactive PIN pad** overlay that mirrors the system lock screen—the malware captures every digit and streams it to the operator as soon as a 4‑digit code is entered. + +Because TYPE_ACCESSIBILITY_OVERLAY windows never raise the `SYSTEM_ALERT_WINDOW` permission prompt, the victim only sees the decoy UI while the RAT keeps interacting with the real apps underneath. + ### 2. On-Device Fraud automation Malware families such as **PlayPraetor** maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device. ### 3. Screen streaming & monitoring -By combining the **MediaProjection API** with an RTMP client library, the RAT can broadcast the live framebuffer to `rtmp://:1935/live/`, giving the adversary perfect situational awareness while the Accessibility engine drives the UI. +ClayRat upgrades the usual MediaProjection trick into a remote desktop stack: + +1. `turbo_screen` triggers the MediaProjection consent dialog; the Accessibility service clicks “Start now” so the victim never intervenes. +2. With the resulting `MediaProjection` token it creates a `VirtualDisplay` backed by an `ImageReader`, keeps a `ForegroundService` alive, and drains frames on worker threads. +3. Frames are JPEG/PNG encoded according to the operator-supplied `set_quality` parameter (defaults to `60` when missing) and shipped over an HTTP→WebSocket upgrade advertising the custom `ClayRemoteDesktop` user-agent. +4. `start_desktop` / `stop_desktop` manage the capture threads while `screen_tap`, `screen_swipe`, `input_text`, `press_home`, `press_back` and `press_recents` replay gestures against the live framebuffer. + +The result is a VNC-like feed delivered entirely through sanctioned APIs—no root or kernel exploits—yet it hands the attacker live situational awareness with millisecond latency. + +### 4. Lock-screen credential theft & auto-unlock +ClayRat subscribes to `TYPE_WINDOW_CONTENT_CHANGED` / `TYPE_VIEW_TEXT_CHANGED` events emitted by `com.android.systemui` (`Keyguard`). It reconstructs whatever guard is active: + +- **PIN** – watches keypad button presses until the locker reports completion. +- **Password** – concatenates strings seen in the focused password field for each `AccessibilityEvent`. +- **Pattern** – records the ordered node indices inferred from gesture coordinates across the 3×3 grid. + +Secrets plus metadata (lock type + timestamp) are serialized into `SharedPreferences` under `lock_password_storage`. When the operator pushes `auto_unlock`, the service wakes the device with `unlock_device` / `screen_on`, replays the stored digits or gestures through `dispatchGesture`, and silently bypasses the keyguard so subsequent ODF workflows can continue. + +### 5. Notification phishing & harvesting +A companion Notification Listener turns the shade into a phishing surface: + +- `get_push_notifications` dumps every currently visible notification, including OTP / MFA messages. +- The `notifications` command toggles a `notifications_enabled` flag so each future `onNotificationPosted()` payload is streamed to the C2 in real time. +- `send_push_notification` lets operators craft fake, interactive notifications that impersonate banking or chat apps; any text the victim submits is parsed as credentials and exfiltrated immediately. + +Because Accessibility can open/dismiss the notification shade programmatically, this method harvests secrets without touching the targeted apps. + +### 6. Telephony & SMS command channel +After coercing the user into setting the RAT as the default SMS app, the following commands provide complete modem control: + +- `send_sms` and `retransmishion` send arbitrary or replayed messages to attacker-controlled numbers. +- `messsms` iterates over the entire contacts database to spam phishing links for worm-like propagation. +- `make_call` initiates voice calls that support social-engineering workflows. +- `get_sms_list` / `get_sms` and `get_call_log` / `get_calls` dump inboxes and call history so MFA codes or call metadata can be abused instantly. + +Combined with Accessibility-driven UI navigation, ClayRat can receive an OTP via notification/SMS and immediately input it inside the target banking or enterprise app. + +### 7. Discovery, collection & proxying +Additional ClayRat commands map the environment and keep C2 resilient: + +- `get_apps` / `get_apps_list` enumerate installed packages (ATT&CK T1418). +- `get_device_info` reports model, OS version and battery state (T1426). +- `get_cam` / `get_camera` capture front-camera stills, while `get_keylogger_data` serializes lock PINs plus passwords, view descriptions and hints scraped from sensitive fields. +- `get_proxy_data` fetches a proxy WebSocket URL, appends the unique device ID and spins a job that tunnels HTTP/HTTPS over the same bidirectional channel (T1481.002 / T1646). --- @@ -149,6 +227,9 @@ The **AccessibilityService** is the local engine that turns those cloud commands ## ATS automation cheat-sheet (Accessibility-driven) Malware can fully automate a bank app with only Accessibility APIs. Generic primitives: +
+Helper methods for ATS automation + ```java // Helpers inside your AccessibilityService private List byText(String t){ @@ -174,6 +255,8 @@ private void tap(float x, float y){ } ``` +
+ Example flow (Czech → English labels): - "Nová platba" (New payment) → click - "Zadat platbu" (Enter payment) → click @@ -238,6 +321,8 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t --- ## References +* [Return of ClayRat: Expanded Features and Techniques](https://zimperium.com/blog/return-of-clayrat-expanded-features-and-techniques) +* [ClayRat v3 IoCs (Zimperium)](https://github.com/Zimperium/IOC/tree/master/2025-12-ClayRatv3) * [PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT](https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat) * [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service) * [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)