Morpheus A new Spyware linked to IPS Intelligence#2180
carlospolop wants to merge 1 commit into master from
### 🔗 Additional Context
Original Blog Post: https://osservatorionessuno.org/blog/2026/04/morpheus-a-new-spyware-linked-to-ips-intelligence/
Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (new/expanded pages around: Accessibility Services abuse + overlays/UI redressing; Wireless Debugging/ADB pairing abuse for local privilege-like capabilities; Android persistence with Device Admin and OEM battery-killer bypass/MIUI locked_apps)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
### 🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
### 📝 Source Information
### 🎯 Content Summary
Morpheus: A new spyware linked to IPS Intelligence (post date: 23 April 2026)
### 1) What it is / impact (why it’s severe)
The post analyzes a previously unknown Android spyware dubbed “Morpheus” (stage-2 agent: `com.android.core`, `versionCode="1"`, `versionName="2025.3.0"`). It does not rely on 0-days; instead it uses social engineering plus abuse of legitimate Android features (Accessibility, overlay windo...
### 🔧 Technical Details
- **Staged dropper install to deliver an embedded APK and bypass Android 13+ “Restricted Settings” for Accessibility:** Embed the real payload APK inside a first-stage installer (e.g., `/assets/mobile-config.apk`). The dropper checks whether the target package (e.g., `com.android.core`) is already installed, copies the embedded APK to storage if not, then triggers installation when the victim grants `REQUEST_INSTALL_PACKAGES` + `READ_EXTERNAL_STORAGE` or when a specific external intent action is received (e.g., `action_gustavo`). This staging can help obtain privileges otherwise blocked for sideloaded apps, notably Accessibility under Android’s “Restricted Settings”.
- **Overlay + Accessibility “workflow engine” for reliable UI automation and deception:** Combine `SYSTEM_ALERT_WINDOW` overlays (rendered above apps and system UI) with an Accessibility Service that performs deterministic step sequences (...
### 🤖 Agent Actions
I’m mapping the Android/mobile sections first, then I’ll read several nearby pages before deciding where a single update fits best.
I’ve narrowed this to Android app pentesting pages. Next I’m reading the most relevant existing docs to see whether this is already covered and whether one page can absorb the new material without duplication.
The existing coverage is broad, but I still need to check whether the specific chain here is already documented: Android 13 restricted-settings bypass via staged installer, wireless-debugging local pairing abuse, and OEM persistence via MIUI `locked_apps`.
There’s already generic coverage for PackageInstaller-session restricted-settings bypass in the phishing methodology page, so I’m checking whether the missing value is the concrete Accessibility-to-local-ADB chain and the OEM persistence commands rather than repeating the dropper story.
Google search is rate-limited in this environment. I’m switching to direct/Brave-based lookups for primary Android references and will proceed once those are confirmed.
I’ve isolated the gap: HackTricks already mentions staged droppers and generic restricted-settings bypass elsewhere, but this page is missing the concrete Accessibility-to-wireless-ADB escalation, biometric prompt redressing, and OEM persistence steps from the Morpheus chain. I’m patching those into the accessibility abuse page so the new content stays technical and non-duplicative.
The patch is in. I’m reading the updated section and diff now to catch style issues, accidental duplication, or anything that should be tightened before I stop.
Updated accessibility-services-abuse.md as the single target file.
The added material focuses on what was missing from HackTricks rather than repeating existing dropper/accessibility basics: biometric prompt UI redressing, Accessibility-to-Wireless-Debugging/ADB escalation for shell-level abuse, and OEM persistence tricks such as MIUI `locked_apps` pinning and battery-killer bypass patterns. I also appended the Morpheus blog and primary Android/AOSP references to the file’s `## References` section.
Verification: reviewed the final diff and file tail; only this one file changed, references remain at the end, and the HackTricks banner include is preserved. No automated tests were run since this is a markdown-only change.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.