Skip to content

Morpheus A new Spyware linked to IPS Intelligence #2180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
carlospolop wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Morpheus A new Spyware linked to IPS Intelligence #2180

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
77 changes: 76 additions & 1 deletion src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -306,6 +306,78 @@ dpm.setKeyguardDisabledFeatures(admin, flags);

Note: the exact availability of these policies varies by Android version and OEM; validate the device policy role (admin vs owner) during testing.

## Biometric prompt redressing with Accessibility + overlays
This is not a cryptographic bypass of Android biometrics. The attacker uses Accessibility to navigate to a sensitive flow that raises a legitimate biometric prompt in the background, then places a counterfeit full-screen overlay on top of it so the victim believes they are approving something benign.

Practical pattern:
- Accessibility workflow opens the target app and reaches a step such as **WhatsApp Linked Devices**.
- The real biometric confirmation is triggered underneath.
- The malware displays a fake biometric/update dialog over the top-most UI and waits for the victim's touch.
- The victim's fingerprint or face approval satisfies the **real** prompt underneath, authorising the protected action.

Why it matters:
- It bypasses app-level "confirm before linking" safeguards without defeating the biometric subsystem itself.
- It pairs well with `FLAG_NOT_TOUCHABLE` or opaque "device is updating" overlays to reduce the chance that the victim notices the background app switch.
- Treat this as **UI redressing of a trusted prompt**, not as a Keystore or `BiometricPrompt` implementation flaw.

Detection ideas:
- Correlate suspicious Accessibility-service activity with account-session changes such as new companion devices.
- During malware triage, inspect the overlay workflow for app-specific selectors (`Linked devices`, `Pair with QR code`, `Confirm fingerprint`, etc.).

## Accessibility-to-ADB escalation through Wireless Debugging
Some Android malware now uses Accessibility only as the **bootstrap**. The real post-exploitation step is to automate **Developer Options**, enable **Wireless debugging**, perform a **local pairing** to the device's ADB daemon, and then execute commands with **`shell`** privileges without a root exploit.

Typical sequence:
1. Use Accessibility selectors/text matching to navigate Settings and enable Developer Options.
2. Enable **Wireless debugging** and complete the pairing flow locally.
3. Open a localhost ADB channel and run a bundled command script.
4. Use `shell` privileges to grant permissions, relax power restrictions, and weaken security prompts.

Representative post-pairing commands:

```bash
pm grant <pkg> android.permission.WRITE_SECURE_SETTINGS
pm grant <pkg> android.permission.USE_ICC_AUTH_WITH_DEVICE_IDENTIFIER
cmd deviceidle whitelist +<pkg>
cmd appops set <pkg> RUN_IN_BACKGROUND allow
dpm set-active-admin <pkg>/<receiver>
cmd device_config put privacy camera_mic_icons_enabled false default
settings put global package_verifier_user_consent -1
service call sensor_privacy 10 i32 0 i32 0 i32 1 i32 0
```

Why this is useful to an attacker:
- `pm grant` from `shell` silently grants dangerous permissions declared in the manifest.
- `cmd deviceidle` and `appops` reduce the chance that OEM power managers kill the agent.
- `dpm set-active-admin` upgrades persistence and makes casual uninstall harder.
- `device_config`, `settings`, and raw `service call` Binder transactions can disable privacy indicators, suppress verifier prompts, or re-enable sensors the user intentionally disabled.

Analysis tips:
- Look for APK strings or scripts containing `adb pair`, `localhost`, `deviceidle whitelist`, `sensor_privacy`, `package_verifier_user_consent`, or `camera_mic_icons_enabled`.
- In a dynamic session, compare pre/post-infection values with:
```bash
adb shell settings get global package_verifier_user_consent
adb shell cmd device_config get privacy camera_mic_icons_enabled
adb shell dumpsys deviceidle | grep -i whitelist
adb shell dpm list active-admins
```

## OEM persistence against battery killers and task cleanup
After obtaining Accessibility and `shell`, modern Android RATs frequently add OEM-specific survival logic instead of relying only on standard boot receivers.

Common actions:
- Disable or neuter vendor "phone manager" / battery-optimization packages.
- Allow autostart, background activity, and lock-screen execution on ROMs such as MIUI/HyperOS, ColorOS, OneUI, and realmeUI.
- Pin the malware package in OEM-specific recent-task or "locked app" lists so the user cannot easily swipe it away or force-stop it.

MIUI/HyperOS-specific example:

```bash
settings put system locked_apps "[{\"u\":0,\"pkgs\":[\"<pkg>\"]}]"
```

That key backs MIUI's **Lock app in Recents** behavior. Combined with `RECEIVE_BOOT_COMPLETED`, Device Admin, and Doze allowlisting, it gives the operator much stronger persistence than a normal Android app would have.

## Crypto wallet seed-phrase extraction patterns
Observed flows for MetaMask, Trust Wallet, Blockchain.com and Phantom:
- Unlock with stolen PIN (captured via overlay/Accessibility) or provided wallet password.
Expand All @@ -325,7 +397,10 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t
* [ClayRat v3 IoCs (Zimperium)](https://github.com/Zimperium/IOC/tree/master/2025-12-ClayRatv3)
* [PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT](https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat)
* [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
* [ADB man page and TLS/mDNS pairing behavior](https://android.googlesource.com/platform/packages/modules/adb/+/refs/heads/master/docs/user/adb.1.md)
* [WindowManager.LayoutParams reference](https://developer.android.com/reference/android/view/WindowManager.LayoutParams)
* [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
* [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
* [Morpheus: A new Spyware linked to IPS Intelligence](https://osservatorionessuno.org/blog/2026/04/morpheus-a-new-spyware-linked-to-ips-intelligence/)

{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}