From a5c2657845147ee1a392707a73c7a4f5c176762e Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 10 Mar 2026 18:51:03 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20BeatBanker:=20A=20dual?= =?UTF-8?q?=E2=80=91mode=20Android=20Trojan?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../android-app-pentesting/README.md | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index ff7922799c5..a4bda63fa9a 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md 
@@ -57,6 +57,61 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed ``` +## Android malware tradecraft (loaders, fileless DEX, persistence) + +### Native staging + fileless DEX loaders + +Some Android droppers embed a native library (`lib*.so`) that **decrypts and writes a second ELF** (e.g., `l.so`) to a temp path, loads it via JNI, and then loads the real logic as DEX **only in memory** using `dalvik.system.InMemoryDexClassLoader`. This reduces static visibility of the payload and avoids writing `classes*.dex` to disk. + +Practical triage points: +- Look for native libs that `dlopen` or call `System.loadLibrary` very early, then resolve Java methods via obfuscated stack strings (e.g., XOR decoded on the stack). +- Watch for `InMemoryDexClassLoader` in logs/strings or hooks, which indicates fileless DEX execution. + +Quick Frida hook to dump the in‑memory DEX buffer: +```javascript +Java.perform(() => { + const IM = Java.use('dalvik.system.InMemoryDexClassLoader'); + IM.$init.overload('java.nio.ByteBuffer','java.lang.ClassLoader').implementation = function(buf, parent){ + const arr = Java.array('byte', buf.array()); + const fos = Java.use('java.io.FileOutputStream').$new("/sdcard/memdex.dex"); + fos.write(arr); fos.close(); + return this.$init(buf, parent); + }; +}); +``` + +### Anti-analysis kill-switch + +Packed loaders often **self-terminate** when emulator or analysis checks fail (e.g., `CPU_ABI` validation) by calling: + +```java +android.os.Process.killProcess(android.os.Process.myPid()); +``` + +### Persistence via foreground service + MediaPlayer loop + +A lightweight persistence pattern is to keep a **foreground service** alive with a **pinned notification** and continuously play a near-inaudible audio loop via `MediaPlayer`. This keeps the process “active” and reduces OS inactivity kills. 
Look for `ForegroundService` + `MediaPlayer` usage that loops a tiny asset (often a few seconds long). + +### Accessibility overlay + ACTION_SET_TEXT hijacking + +After a user grants Accessibility, banking trojans can monitor the **foreground app**, render a realistic overlay (often WebView HTML stored as Base64), and replace transaction fields using `AccessibilityNodeInfo.ACTION_SET_TEXT`. This enables silent recipient address substitution while the victim sees a plausible UI. + +Minimal text replacement example: +```java +Bundle args = new Bundle(); +args.putCharSequence(AccessibilityNodeInfo.ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE, + "ATTACKER_USDT_ADDRESS"); +node.performAction(AccessibilityNodeInfo.ACTION_SET_TEXT, args); +``` + +### Legitimate push infrastructure as C2 gating + +Instead of custom sockets, some malware uses **Firebase Cloud Messaging (FCM)** as the C2 channel. FCM messages can trigger telemetry checks (charging state, battery %, temperature, user inactivity) and **gate** actions like mining or fraud for stealth. + +### Encrypted native payload staging with filename‑derived keys + +Native payloads can be delivered as encrypted ELF blobs and decrypted with `CipherInputStream()`, using a key **derived from SHA‑1 of the downloaded filename**. Each filename/version yields a distinct key, hindering static IOC reuse. + ## Jezail rooted Android pentesting toolkit (REST API + web UI) - Runs on a **rooted device** (Magisk/rootAVD) and starts an **HTTP server on tcp/8080** with a **Flutter web UI** and **REST API**. 
@@ -900,5 +955,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th - [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) - [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone) - [Jezail rooted Android pentesting toolkit (REST API + Flutter UI)](https://github.com/zahidaz/jezail) +- [BeatBanker: A dual‑mode Android Trojan](https://securelist.com/beatbanker-miner-and-banker/119121/) {{#include ../../banners/hacktricks-training.md}}
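Review bot: the Frida hook in the "Native staging + fileless DEX loaders" block will throw on most real loaders because `buf.array()` is only valid for heap ByteBuffers (`hasArray()` true); droppers normally hand `InMemoryDexClassLoader` a direct buffer from `ByteBuffer.allocateDirect`, and even for a heap buffer `array()` returns the whole backing store rather than the `position()..limit()` slice, so the dump is either an exception or a truncated/padded DEX. Suggested fix: copy `buf.remaining()` bytes out of `buf.duplicate()` with `ByteBuffer.get(byte[])` into a fresh array before writing, also hook the `'[Ljava.nio.ByteBuffer;','java.lang.ClassLoader'` overload (and the API 29+ overload that takes a `librarySearchPath` String), since a multi-DEX loader otherwise bypasses the hook entirely, and use a per-call filename instead of the fixed `"/sdcard/memdex.dex"` so successive loads do not overwrite each other. Smaller points in the same hunk: `ForegroundService` is not an Android class, so the indicator under "Persistence via foreground service" should be a `Service` that calls `startForeground()` (declares `FOREGROUND_SERVICE`) together with `MediaPlayer.setLooping(true)` on a short asset; `CipherInputStream()` should read `CipherInputStream`, it is a class, not a call; and the `ACTION_SET_TEXT` snippet never defines `node` and documents only the replacement step, so for a pentesting reference it should be accompanied by what to look for in a sample (an `AccessibilityService` bound with `BIND_ACCESSIBILITY_SERVICE` and `canRetrieveWindowContent`, plus `SYSTEM_ALERT_WINDOW` for the overlay) rather than the replacement call alone.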
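Review bot: the new reference entry is not linked from the section it supports; the "Android malware tradecraft" block added in the first hunk makes several specific claims (SHA-1-of-filename keys, FCM gating, the MediaPlayer loop) without citing a source, so the `[BeatBanker: A dual‑mode Android Trojan](https://securelist.com/beatbanker-miner-and-banker/119121/)` link should also appear inline in that section (or the section should say these observations come from that report). Style point: the title uses a non-breaking hyphen (U+2011) in `dual‑mode`, as do the headings in the first hunk (`dual‑mode`, `filename‑derived`, `in‑memory`); the surrounding entries use ASCII `-`, and plain hyphens keep grep and in-page search working, so normalise them before merge.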