56 changes: 56 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/README.md
@@ -57,6 +57,61 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
```

## Android malware tradecraft (loaders, fileless DEX, persistence)

### Native staging + fileless DEX loaders

Some Android droppers embed a native library (`lib*.so`) that **decrypts and writes a second ELF** (e.g., `l.so`) to a temp path, loads it via JNI, and then loads the real logic as DEX **only in memory** using `dalvik.system.InMemoryDexClassLoader`. This reduces static visibility of the payload and avoids writing `classes*.dex` to disk.

Practical triage points:
- Look for native libs that `dlopen` or call `System.loadLibrary` very early, then resolve Java methods via obfuscated stack strings (e.g., XOR decoded on the stack).
- Watch for `InMemoryDexClassLoader` in logs/strings or hooks, which indicates fileless DEX execution.

Quick Frida hook to dump the in‑memory DEX buffer:
```javascript
Java.perform(() => {
const IM = Java.use('dalvik.system.InMemoryDexClassLoader');
IM.$init.overload('java.nio.ByteBuffer','java.lang.ClassLoader').implementation = function(buf, parent){
const arr = Java.array('byte', buf.array());
const fos = Java.use('java.io.FileOutputStream').$new("/sdcard/memdex.dex");
fos.write(arr); fos.close();
return this.$init(buf, parent);
};
});
```

### Anti-analysis kill-switch

Packed loaders often **self-terminate** when emulator or analysis checks fail (e.g., `CPU_ABI` validation) by calling:

```java
android.os.Process.killProcess(android.os.Process.myPid());
```

### Persistence via foreground service + MediaPlayer loop

A lightweight persistence pattern is to keep a **foreground service** alive with a **pinned notification** and continuously play a near-inaudible audio loop via `MediaPlayer`. This keeps the process “active” and reduces OS inactivity kills. Look for `ForegroundService` + `MediaPlayer` usage that loops a tiny asset (often a few seconds long).

### Accessibility overlay + ACTION_SET_TEXT hijacking

After a user grants Accessibility, banking trojans can monitor the **foreground app**, render a realistic overlay (often WebView HTML stored as Base64), and replace transaction fields using `AccessibilityNodeInfo.ACTION_SET_TEXT`. This enables silent recipient address substitution while the victim sees a plausible UI.

Minimal text replacement example:
```java
Bundle args = new Bundle();
args.putCharSequence(AccessibilityNodeInfo.ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE,
"ATTACKER_USDT_ADDRESS");
node.performAction(AccessibilityNodeInfo.ACTION_SET_TEXT, args);
```

### Legitimate push infrastructure as C2 gating

Instead of custom sockets, some malware uses **Firebase Cloud Messaging (FCM)** as the C2 channel. FCM messages can trigger telemetry checks (charging state, battery %, temperature, user inactivity) and **gate** actions like mining or fraud for stealth.

### Encrypted native payload staging with filename‑derived keys

Native payloads can be delivered as encrypted ELF blobs and decrypted with `CipherInputStream()`, using a key **derived from SHA‑1 of the downloaded filename**. Each filename/version yields a distinct key, hindering static IOC reuse.

## Jezail rooted Android pentesting toolkit (REST API + web UI)

- Runs on a **rooted device** (Magisk/rootAVD) and starts an **HTTP server on tcp/8080** with a **Flutter web UI** and **REST API**.
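Review bot: the Frida hook in "Native staging + fileless DEX loaders" will throw or dump the wrong bytes in common cases. `buf.array()` raises `UnsupportedOperationException` on a direct or read-only `ByteBuffer`, and when it does succeed it returns the entire backing array regardless of the buffer's position and limit, so `/sdcard/memdex.dex` may carry leading or trailing bytes that are not part of the DEX; copy `buf.remaining()` bytes out of `buf.duplicate()` into a fresh `byte[]` instead. The hook also only overrides the `('java.nio.ByteBuffer','java.lang.ClassLoader')` constructor, while `InMemoryDexClassLoader` also exposes `(ByteBuffer[], ClassLoader)` (API 26) and `(ByteBuffer[], String, ClassLoader)` (API 29), so a loader passing an array of buffers is never seen; and with a fixed output path a second in-memory DEX silently overwrites the first, so put a counter or digest in the filename and prefer the app's own data directory, since `/sdcard` writes need storage permission on recent Android. Two smaller documentation points in the same hunk: "Look for `ForegroundService` + `MediaPlayer` usage" names a class that does not exist in the framework, the static indicators are `startForeground()` calls and the `android.permission.FOREGROUND_SERVICE` manifest permission; and "a key **derived from SHA‑1 of the downloaded filename**" should say which cipher is used and how the 20-byte digest is fitted to the key length, since 20 bytes matches no AES key size and the reader cannot reproduce the decryption without that.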
@@ -900,5 +955,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
- [Jezail rooted Android pentesting toolkit (REST API + Flutter UI)](https://github.com/zahidaz/jezail)
- [BeatBanker: A dual‑mode Android Trojan](https://securelist.com/beatbanker-miner-and-banker/119121/)

{{#include ../../banners/hacktricks-training.md}}
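Review bot: the BeatBanker entry is appended to the reference list, but none of the new tradecraft subsections added earlier in this diff link to it, so a reader cannot tell which claims (FCM-gated actions, the MediaPlayer keep-alive loop, SHA-1 filename keys) are taken from that write-up; add an inline link to the Securelist post from the section intro or from each subsection that draws on it. Style: `dual‑mode` in the new entry uses a non-breaking hyphen (U+2011), as do `in‑memory`, `filename‑derived` and `SHA‑1` in the new section; use an ASCII hyphen so text searches and future diffs match.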