From d0a3914c77f8ee369ccd8a2d9dabb46f7cc70379 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 28 Apr 2026 19:41:31 +0000 Subject: [PATCH] Add content from: Morpheus: A new Spyware linked to IPS Intelligence --- .../accessibility-services-abuse.md | 77 ++++++++++++++++++- 1 file changed, 76 insertions(+), 1 deletion(-) diff --git a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md index 6bf2d5a383a..8aa48112548 100644 --- a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md @@ -306,6 +306,78 @@ dpm.setKeyguardDisabledFeatures(admin, flags); Note: the exact availability of these policies varies by Android version and OEM; validate the device policy role (admin vs owner) during testing. +## Biometric prompt redressing with Accessibility + overlays +This is not a cryptographic bypass of Android biometrics. The attacker uses Accessibility to navigate to a sensitive flow that raises a legitimate biometric prompt in the background, then places a counterfeit full-screen overlay on top of it so the victim believes they are approving something benign. + +Practical pattern: +- Accessibility workflow opens the target app and reaches a step such as **WhatsApp Linked Devices**. +- The real biometric confirmation is triggered underneath. +- The malware displays a fake biometric/update dialog over the top-most UI and waits for the victim's touch. +- The victim's fingerprint or face approval satisfies the **real** prompt underneath, authorising the protected action. + +Why it matters: +- It bypasses app-level "confirm before linking" safeguards without defeating the biometric subsystem itself. +- It pairs well with `FLAG_NOT_TOUCHABLE` or opaque "device is updating" overlays to reduce the chance that the victim notices the background app switch. +- Treat this as **UI redressing of a trusted prompt**, not as a Keystore or `BiometricPrompt` implementation flaw. + +Detection ideas: +- Correlate suspicious Accessibility-service activity with account-session changes such as new companion devices. +- During malware triage, inspect the overlay workflow for app-specific selectors (`Linked devices`, `Pair with QR code`, `Confirm fingerprint`, etc.). + +## Accessibility-to-ADB escalation through Wireless Debugging +Some Android malware now uses Accessibility only as the **bootstrap**. The real post-exploitation step is to automate **Developer Options**, enable **Wireless debugging**, perform a **local pairing** to the device's ADB daemon, and then execute commands with **`shell`** privileges without a root exploit. + +Typical sequence: +1. Use Accessibility selectors/text matching to navigate Settings and enable Developer Options. +2. Enable **Wireless debugging** and complete the pairing flow locally. +3. Open a localhost ADB channel and run a bundled command script. +4. Use `shell` privileges to grant permissions, relax power restrictions, and weaken security prompts. + +Representative post-pairing commands: + +```bash +pm grant android.permission.WRITE_SECURE_SETTINGS +pm grant android.permission.USE_ICC_AUTH_WITH_DEVICE_IDENTIFIER +cmd deviceidle whitelist + +cmd appops set RUN_IN_BACKGROUND allow +dpm set-active-admin / +cmd device_config put privacy camera_mic_icons_enabled false default +settings put global package_verifier_user_consent -1 +service call sensor_privacy 10 i32 0 i32 0 i32 1 i32 0 +``` + +Why this is useful to an attacker: +- `pm grant` from `shell` silently grants dangerous permissions declared in the manifest. +- `cmd deviceidle` and `appops` reduce the chance that OEM power managers kill the agent. +- `dpm set-active-admin` upgrades persistence and makes casual uninstall harder. +- `device_config`, `settings`, and raw `service call` Binder transactions can disable privacy indicators, suppress verifier prompts, or re-enable sensors the user intentionally disabled. + +Analysis tips: +- Look for APK strings or scripts containing `adb pair`, `localhost`, `deviceidle whitelist`, `sensor_privacy`, `package_verifier_user_consent`, or `camera_mic_icons_enabled`. +- In a dynamic session, compare pre/post-infection values with: + ```bash + adb shell settings get global package_verifier_user_consent + adb shell cmd device_config get privacy camera_mic_icons_enabled + adb shell dumpsys deviceidle | grep -i whitelist + adb shell dpm list active-admins + ``` + +## OEM persistence against battery killers and task cleanup +After obtaining Accessibility and `shell`, modern Android RATs frequently add OEM-specific survival logic instead of relying only on standard boot receivers. + +Common actions: +- Disable or neuter vendor "phone manager" / battery-optimization packages. +- Allow autostart, background activity, and lock-screen execution on ROMs such as MIUI/HyperOS, ColorOS, OneUI, and realmeUI. +- Pin the malware package in OEM-specific recent-task or "locked app" lists so the user cannot easily swipe it away or force-stop it. + +MIUI/HyperOS-specific example: + +```bash +settings put system locked_apps "[{\"u\":0,\"pkgs\":[\"\"]}]" +``` + +That key backs MIUI's **Lock app in Recents** behavior. Combined with `RECEIVE_BOOT_COMPLETED`, Device Admin, and Doze allowlisting, it gives the operator much stronger persistence than a normal Android app would have. + ## Crypto wallet seed-phrase extraction patterns Observed flows for MetaMask, Trust Wallet, Blockchain.com and Phantom: - Unlock with stolen PIN (captured via overlay/Accessibility) or provided wallet password. @@ -325,7 +397,10 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t * [ClayRat v3 IoCs (Zimperium)](https://github.com/Zimperium/IOC/tree/master/2025-12-ClayRatv3) * [PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT](https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat) * [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service) +* [ADB man page and TLS/mDNS pairing behavior](https://android.googlesource.com/platform/packages/modules/adb/+/refs/heads/master/docs/user/adb.1.md) +* [WindowManager.LayoutParams reference](https://developer.android.com/reference/android/view/WindowManager.LayoutParams) * [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats) * [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay) +* [Morpheus: A new Spyware linked to IPS Intelligence](https://osservatorionessuno.org/blog/2026/04/morpheus-a-new-spyware-linked-to-ips-intelligence/) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}