Skip to content

Return of ClayRat Expanded Features and Techniques #1637

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
carlospolop merged 1 commit into from
Dec 7, 2025
+86 −1
Merged

Return of ClayRat Expanded Features and Techniques #1637

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
87 changes: 86 additions & 1 deletion src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,28 @@ Modern Android banking Trojans and Remote-Access-Trojans (RATs) such as **PlayPr

---

### Packed Accessibility droppers

ClayRat v3.0.8 couples its Accessibility RAT with a staged payload hidden under `assets/`. At runtime the host APK:

1. Streams the encrypted blob from `assets/*.dat`.
2. Decrypts it with a hard-coded AES/CBC key + IV embedded inside the Java/Kotlin loader.
3. Writes the plaintext DEX to the app's private dir and loads it via `DexClassLoader`, exposing the actual spyware classes only in memory.

```java
byte[] blob = readAsset("payload.enc");
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
SecretKeySpec key = new SecretKeySpec(hex("A1..."), "AES");
c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
byte[] dex = c.doFinal(blob);
DexClassLoader cl = new DexClassLoader(writeTemp(dex), getCodeCacheDir().getPath(), null, getClassLoader());
cl.loadClass("com.clayrat.Core").newInstance();
```

This packing pattern (ATT&CK T1406.002) keeps the Accessibility module off-disk until the dropper executes, defeating static signature scans and Play Protect until the user already granted the dangerous permissions.

---

## Requesting the permission

```xml
Expand Down Expand Up @@ -53,6 +75,9 @@ The companion XML defines how the fake dialog will look like:

## Remote UI automation primitives

<details>
<summary>Accessibility service automation skeleton</summary>

```java
public class EvilService extends AccessibilityService {
@Override
Expand All @@ -74,6 +99,8 @@ public class EvilService extends AccessibilityService {
}
```

</details>

With only these two APIs an attacker can:
* Unlock the screen, open the banking app, navigate its UI tree and submit a transfer form.
* Accept every permission dialog that pops up.
Expand All @@ -99,11 +126,62 @@ The victim types credentials into the fake form while the background app receive

> Detailed example: the *Accessibility Overlay Phishing* section inside the Tapjacking page.

ClayRat exposes this capability with the `show_block_screen` / `hide_block_screen` commands that download overlay templates from the C2. Operators can switch layouts on the fly to:

- **Black out** the panel so the victim assumes the handset is off or frozen while automated gestures disable Play Protect or grant more permissions.
- Display fake **system update / battery optimization** panels that justify why the device is “busy” while background automation continues.
- Show an **interactive PIN pad** overlay that mirrors the system lock screen—the malware captures every digit and streams it to the operator as soon as a 4‑digit code is entered.

Because TYPE_ACCESSIBILITY_OVERLAY windows never raise the `SYSTEM_ALERT_WINDOW` permission prompt, the victim only sees the decoy UI while the RAT keeps interacting with the real apps underneath.

### 2. On-Device Fraud automation
Malware families such as **PlayPraetor** maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device.

### 3. Screen streaming & monitoring
By combining the **MediaProjection API** with an RTMP client library, the RAT can broadcast the live framebuffer to `rtmp://<c2>:1935/live/<device_id>`, giving the adversary perfect situational awareness while the Accessibility engine drives the UI.
ClayRat upgrades the usual MediaProjection trick into a remote desktop stack:

1. `turbo_screen` triggers the MediaProjection consent dialog; the Accessibility service clicks “Start now” so the victim never intervenes.
2. With the resulting `MediaProjection` token it creates a `VirtualDisplay` backed by an `ImageReader`, keeps a `ForegroundService` alive, and drains frames on worker threads.
3. Frames are JPEG/PNG encoded according to the operator-supplied `set_quality` parameter (defaults to `60` when missing) and shipped over an HTTP→WebSocket upgrade advertising the custom `ClayRemoteDesktop` user-agent.
4. `start_desktop` / `stop_desktop` manage the capture threads while `screen_tap`, `screen_swipe`, `input_text`, `press_home`, `press_back` and `press_recents` replay gestures against the live framebuffer.

The result is a VNC-like feed delivered entirely through sanctioned APIs—no root or kernel exploits—yet it hands the attacker live situational awareness with millisecond latency.

### 4. Lock-screen credential theft & auto-unlock
ClayRat subscribes to `TYPE_WINDOW_CONTENT_CHANGED` / `TYPE_VIEW_TEXT_CHANGED` events emitted by `com.android.systemui` (`Keyguard`). It reconstructs whatever guard is active:

- **PIN** – watches keypad button presses until the locker reports completion.
- **Password** – concatenates strings seen in the focused password field for each `AccessibilityEvent`.
- **Pattern** – records the ordered node indices inferred from gesture coordinates across the 3×3 grid.

Secrets plus metadata (lock type + timestamp) are serialized into `SharedPreferences` under `lock_password_storage`. When the operator pushes `auto_unlock`, the service wakes the device with `unlock_device` / `screen_on`, replays the stored digits or gestures through `dispatchGesture`, and silently bypasses the keyguard so subsequent ODF workflows can continue.

### 5. Notification phishing & harvesting
A companion Notification Listener turns the shade into a phishing surface:

- `get_push_notifications` dumps every currently visible notification, including OTP / MFA messages.
- The `notifications` command toggles a `notifications_enabled` flag so each future `onNotificationPosted()` payload is streamed to the C2 in real time.
- `send_push_notification` lets operators craft fake, interactive notifications that impersonate banking or chat apps; any text the victim submits is parsed as credentials and exfiltrated immediately.

Because Accessibility can open/dismiss the notification shade programmatically, this method harvests secrets without touching the targeted apps.

### 6. Telephony & SMS command channel
After coercing the user into setting the RAT as the default SMS app, the following commands provide complete modem control:

- `send_sms` and `retransmishion` send arbitrary or replayed messages to attacker-controlled numbers.
- `messsms` iterates over the entire contacts database to spam phishing links for worm-like propagation.
- `make_call` initiates voice calls that support social-engineering workflows.
- `get_sms_list` / `get_sms` and `get_call_log` / `get_calls` dump inboxes and call history so MFA codes or call metadata can be abused instantly.

Combined with Accessibility-driven UI navigation, ClayRat can receive an OTP via notification/SMS and immediately input it inside the target banking or enterprise app.

### 7. Discovery, collection & proxying
Additional ClayRat commands map the environment and keep C2 resilient:

- `get_apps` / `get_apps_list` enumerate installed packages (ATT&CK T1418).
- `get_device_info` reports model, OS version and battery state (T1426).
- `get_cam` / `get_camera` capture front-camera stills, while `get_keylogger_data` serializes lock PINs plus passwords, view descriptions and hints scraped from sensitive fields.
- `get_proxy_data` fetches a proxy WebSocket URL, appends the unique device ID and spins a job that tunnels HTTP/HTTPS over the same bidirectional channel (T1481.002 / T1646).

---

Expand Down Expand Up @@ -149,6 +227,9 @@ The **AccessibilityService** is the local engine that turns those cloud commands
## ATS automation cheat-sheet (Accessibility-driven)
Malware can fully automate a bank app with only Accessibility APIs. Generic primitives:

<details>
<summary>Helper methods for ATS automation</summary>

```java
// Helpers inside your AccessibilityService
private List<AccessibilityNodeInfo> byText(String t){
Expand All @@ -174,6 +255,8 @@ private void tap(float x, float y){
}
```

</details>

Example flow (Czech → English labels):
- "Nová platba" (New payment) → click
- "Zadat platbu" (Enter payment) → click
Expand Down Expand Up @@ -238,6 +321,8 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t
---

## References
* [Return of ClayRat: Expanded Features and Techniques](https://zimperium.com/blog/return-of-clayrat-expanded-features-and-techniques)
* [ClayRat v3 IoCs (Zimperium)](https://github.com/Zimperium/IOC/tree/master/2025-12-ClayRatv3)
* [PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT](https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat)
* [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
* [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
Expand Down