diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 088f962ffec..4a374c24d79 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -32,6 +32,7 @@ - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md) - [Detecting Phishing](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md) - [Discord Invite Hijacking](generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md) + - [Mobile Phishing Malicious Apps](generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md) - [Phishing Files & Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md) - [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md) - [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/README.md b/src/generic-methodologies-and-resources/phishing-methodology/README.md index ab2c5dadf21..a5ac2912c70 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/README.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/README.md @@ -466,6 +466,12 @@ Attackers can silently copy malicious commands into the victim’s clipboard fro clipboard-hijacking.md {{#endref}} +## Mobile Phishing & Malicious App Distribution (Android & iOS) + +{{#ref}} +mobile-phishing-malicious-apps.md +{{#endref}} + ## References - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md new file mode 100644 index 00000000000..af6d758bf6e --- /dev/null 
+++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md 
@@ -0,0 +1,98 @@ +# Mobile Phishing & Malicious App Distribution (Android & iOS) + +{{#include ../../banners/hacktricks-training.md}} + +> [!INFO] +> This page covers techniques used by threat actors to distribute **malicious Android APKs** and **iOS mobile-configuration profiles** through phishing (SEO, social engineering, fake stores, dating apps, etc.). +> The material is adapted from the SarangTrap campaign exposed by Zimperium zLabs (2025) and other public research. + +## Attack Flow + +1. **SEO/Phishing Infrastructure** + * Register dozens of look-alike domains (dating, cloud share, car service…). + – Use local language keywords and emojis in the `` element to rank in Google. + – Host *both* Android (`.apk`) and iOS install instructions on the same landing page. +2. **First Stage Download** + * Android: direct link to an *unsigned* or “third-party store” APK. + * iOS: `itms-services://` or plain HTTPS link to a malicious **mobileconfig** profile (see below). +3. **Post-install Social Engineering** + * On first run the app asks for an **invitation / verification code** (exclusive access illusion). + * The code is **POSTed over HTTP** to the Command-and-Control (C2). + * C2 replies `{"success":true}` ➜ malware continues. + * Sandbox / AV dynamic analysis that never submits a valid code sees **no malicious behaviour** (evasion). +4. 
**Runtime Permission Abuse** (Android) + * Dangerous permissions are only requested **after positive C2 response**: + ```xml + <uses-permission android:name="android.permission.READ_CONTACTS"/> + <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/> + <uses-permission android:name="android.permission.READ_PHONE_STATE"/> + <!-- Older builds also asked for SMS permissions --> + ``` + * Recent variants **remove `<uses-permission>` for SMS from `AndroidManifest.xml`** but leave the Java/Kotlin code path that reads SMS through reflection ⇒ lowers static score while still functional on devices that grant the permission via `AppOps` abuse or old targets. +5. **Facade UI & Background Collection** + * App shows harmless views (SMS viewer, gallery picker) implemented locally. + * Meanwhile it exfiltrates: + - IMEI / IMSI, phone number + - Full `ContactsContract` dump (JSON array) + - JPEG/PNG from `/sdcard/DCIM` compressed with [Luban](https://github.com/Curzibn/Luban) to reduce size + - Optional SMS content (`content://sms`) + Payloads are **batch-zipped** and sent via `HTTP POST /upload.php`. +6. **iOS Delivery Technique** + * A single **mobile-configuration profile** can request `PayloadType=com.apple.sharedlicenses`, `com.apple.managedConfiguration` etc. to enroll the device in “MDM”-like supervision. + * Social-engineering instructions: + 1. Open Settings ➜ *Profile downloaded*. + 2. Tap *Install* three times (screenshots on the phishing page). + 3. Trust the unsigned profile ➜ attacker gains *Contacts* & *Photo* entitlement without App Store review. +7. **Network Layer** + * Plain HTTP, often on port 80 with HOST header like `api.<phishingdomain>.com`. + * `User-Agent: Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230805.001)` (no TLS → easy to spot). + +## Defensive Testing / Red-Team Tips + +* **Dynamic Analysis Bypass** – During malware assessment, automate the invitation code phase with Frida/Objection to reach the malicious branch. 
+* **Manifest vs. Runtime Diff** – Compare `aapt dump permissions` with runtime `PackageManager#getRequestedPermissions()`; missing dangerous perms is a red flag. +* **Network Canary** – Configure `iptables -p tcp --dport 80 -j NFQUEUE` to detect unsolid POST bursts after code entry. +* **mobileconfig Inspection** – Use `security cms -D -i profile.mobileconfig` on macOS to list `PayloadContent` and spot excessive entitlements. + +## Blue-Team Detection Ideas + +* **Certificate Transparency / DNS Analytics** to catch sudden bursts of keyword-rich domains. +* **User-Agent & Path Regex**: `(?i)POST\s+/(check|upload)\.php` from Dalvik clients outside Google Play. +* **Invite-code Telemetry** – POST of 6–8 digit numeric codes shortly after APK install may indicate staging. +* **MobileConfig Signing** – Block unsigned configuration profiles via MDM policy. + +## Useful Frida Snippet: Auto-Bypass Invitation Code + +```python +# frida -U -f com.badapp.android -l bypass.js --no-pause +# Hook HttpURLConnection write to always return success +Java.perform(function() { + var URL = Java.use('java.net.URL'); + URL.openConnection.implementation = function() { + var conn = this.openConnection(); + var HttpURLConnection = Java.use('java.net.HttpURLConnection'); + if (Java.cast(conn, HttpURLConnection)) { + conn.getResponseCode.implementation = function(){ return 200; }; + conn.getInputStream.implementation = function(){ + return Java.use('java.io.ByteArrayInputStream').$new("{\"success\":true}".getBytes()); + }; + } + return conn; + }; +}); +``` + +## Indicators (Generic) + +``` +/req/checkCode.php # invite code validation +/upload.php # batched ZIP exfiltration +LubanCompress 1.1.8 # "Luban" string inside classes.dex +``` + +## References + +- [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign) +- [Luban – Android image compression library](https://github.com/Curzibn/Luban) + +{{#include 
../../banners/hacktricks-training.md}}
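Review bot: the SUMMARY.md entry title `Mobile Phishing Malicious Apps` does not match the page's own H1 `Mobile Phishing & Malicious App Distribution (Android & iOS)` or the README heading added in the same patch; the sibling entries (`Clone a Website`, `Discord Invite Hijacking`) mirror their page titles, so consider `Mobile Phishing & Malicious Apps` here so the sidebar and the page agree.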
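Review bot: the new `## Mobile Phishing & Malicious App Distribution (Android & iOS)` section in phishing-methodology/README.md is only a bare `{{#ref}}` block, while the preceding clipboard-hijacking section opens with a one-line summary (`Attackers can silently copy malicious commands into the victim’s clipboard fro…`) before its ref. Add a sentence before `mobile-phishing-malicious-apps.md` stating what the linked page covers (look-alike SEO domains delivering APKs and iOS mobileconfig profiles, with invite-code gating as sandbox evasion) so the README stays scannable.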
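Review bot: the `Useful Frida Snippet: Auto-Bypass Invitation Code` block in mobile-phishing-malicious-apps.md will not run as written and should be fixed before merge. It is JavaScript (loaded with `-l bypass.js`) but fenced as ```python; `Java.cast(conn, HttpURLConnection)` throws when the cast fails rather than returning false, so the `if` is never a real check (use `Java.use('java.net.HttpURLConnection').class.isInstance(conn)` or hook the class-level method wrappers directly); and `"{\"success\":true}".getBytes()` calls a Java method on a JS string, which needs `Java.use('java.lang.String').$new('{"success":true}').getBytes()`. Smaller points in the same file: `PackageManager#getRequestedPermissions()` does not exist, the declared list is `PackageInfo.requestedPermissions` obtained via `getPackageInfo(pkg, GET_PERMISSIONS)`; the `iptables -p tcp --dport 80 -j NFQUEUE` line has no chain (`-A OUTPUT` or `-A FORWARD`) and "unsolid" should read "unsolicited"; the detection regex `(?i)POST\s+/(check|upload)\.php` does not match the `/req/checkCode.php` path listed under Indicators; the inline code after "emojis in the" is empty (presumably `<title>`); and two claims need a source or softening, namely that SMS reading stays "functional on devices that grant the permission via `AppOps` abuse or old targets" after `<uses-permission>` is removed from the manifest (a permission the app does not declare cannot be granted, whatever the target SDK), and that trusting a configuration profile lets the "attacker gain *Contacts* & *Photo* entitlement", which the cited text does not show.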