Merge pull request #1637 from HackTricks-wiki/update_Return_of_ClayRat__Expanded_Features_and_Technique_20251205_182607

Return of ClayRat Expanded Features and Techniques

Author: carlospolop

src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md

@@ -18,6 +18,28 @@ Modern Android banking Trojans and Remote-Access-Trojans (RATs) such as **PlayPr
 
 ---
 
+### Packed Accessibility droppers
+
+ClayRat v3.0.8 couples its Accessibility RAT with a staged payload hidden under `assets/`. At runtime the host APK:
+
+1. Streams the encrypted blob from `assets/*.dat`.
+2. Decrypts it with a hard-coded AES/CBC key + IV embedded inside the Java/Kotlin loader.
+3. Writes the plaintext DEX to the app's private dir and loads it via `DexClassLoader`, exposing the actual spyware classes only in memory.
+
+```java
+byte[] blob = readAsset("payload.enc");
+Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
+SecretKeySpec key = new SecretKeySpec(hex("A1..."), "AES");
+c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
+byte[] dex = c.doFinal(blob);
+DexClassLoader cl = new DexClassLoader(writeTemp(dex), getCodeCacheDir().getPath(), null, getClassLoader());
+cl.loadClass("com.clayrat.Core").newInstance();
+```
+
+This packing pattern (ATT&CK T1406.002) keeps the Accessibility module off-disk until the dropper executes, defeating static signature scans and Play Protect until the user already granted the dangerous permissions.
+
+---
+
 ## Requesting the permission
 
 ```xml
@@ -53,6 +75,9 @@ The companion XML defines how the fake dialog will look like:
 
 ## Remote UI automation primitives
 
+<details>
+<summary>Accessibility service automation skeleton</summary>
+
 ```java
 public class EvilService extends AccessibilityService {
     @Override
@@ -74,6 +99,8 @@ public class EvilService extends AccessibilityService {
 }
 ```
 
+</details>
+
 With only these two APIs an attacker can:
 * Unlock the screen, open the banking app, navigate its UI tree and submit a transfer form.
 * Accept every permission dialog that pops up.
@@ -99,11 +126,62 @@ The victim types credentials into the fake form while the background app receive
 
 > Detailed example: the *Accessibility Overlay Phishing* section inside the Tapjacking page.
 
+ClayRat exposes this capability with the `show_block_screen` / `hide_block_screen` commands that download overlay templates from the C2. Operators can switch layouts on the fly to:
+
+- **Black out** the panel so the victim assumes the handset is off or frozen while automated gestures disable Play Protect or grant more permissions.
+- Display fake **system update / battery optimization** panels that justify why the device is “busy” while background automation continues.
+- Show an **interactive PIN pad** overlay that mirrors the system lock screen—the malware captures every digit and streams it to the operator as soon as a 4‑digit code is entered.
+
+Because TYPE_ACCESSIBILITY_OVERLAY windows never raise the `SYSTEM_ALERT_WINDOW` permission prompt, the victim only sees the decoy UI while the RAT keeps interacting with the real apps underneath.
+
 ### 2. On-Device Fraud automation
 Malware families such as **PlayPraetor** maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …).  The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device.
 
 ### 3. Screen streaming & monitoring
-By combining the **MediaProjection API** with an RTMP client library, the RAT can broadcast the live framebuffer to `rtmp://<c2>:1935/live/<device_id>`, giving the adversary perfect situational awareness while the Accessibility engine drives the UI.
+ClayRat upgrades the usual MediaProjection trick into a remote desktop stack:
+
+1. `turbo_screen` triggers the MediaProjection consent dialog; the Accessibility service clicks “Start now” so the victim never intervenes.
+2. With the resulting `MediaProjection` token it creates a `VirtualDisplay` backed by an `ImageReader`, keeps a `ForegroundService` alive, and drains frames on worker threads.
+3. Frames are JPEG/PNG encoded according to the operator-supplied `set_quality` parameter (defaults to `60` when missing) and shipped over an HTTP→WebSocket upgrade advertising the custom `ClayRemoteDesktop` user-agent.
+4. `start_desktop` / `stop_desktop` manage the capture threads while `screen_tap`, `screen_swipe`, `input_text`, `press_home`, `press_back` and `press_recents` replay gestures against the live framebuffer.
+
+The result is a VNC-like feed delivered entirely through sanctioned APIs—no root or kernel exploits—yet it hands the attacker live situational awareness with millisecond latency.
+
+### 4. Lock-screen credential theft & auto-unlock
+ClayRat subscribes to `TYPE_WINDOW_CONTENT_CHANGED` / `TYPE_VIEW_TEXT_CHANGED` events emitted by `com.android.systemui` (`Keyguard`). It reconstructs whatever guard is active:
+
+- **PIN** – watches keypad button presses until the locker reports completion.
+- **Password** – concatenates strings seen in the focused password field for each `AccessibilityEvent`.
+- **Pattern** – records the ordered node indices inferred from gesture coordinates across the 3×3 grid.
+
+Secrets plus metadata (lock type + timestamp) are serialized into `SharedPreferences` under `lock_password_storage`. When the operator pushes `auto_unlock`, the service wakes the device with `unlock_device` / `screen_on`, replays the stored digits or gestures through `dispatchGesture`, and silently bypasses the keyguard so subsequent ODF workflows can continue.
+
+### 5. Notification phishing & harvesting
+A companion Notification Listener turns the shade into a phishing surface:
+
+- `get_push_notifications` dumps every currently visible notification, including OTP / MFA messages.
+- The `notifications` command toggles a `notifications_enabled` flag so each future `onNotificationPosted()` payload is streamed to the C2 in real time.
+- `send_push_notification` lets operators craft fake, interactive notifications that impersonate banking or chat apps; any text the victim submits is parsed as credentials and exfiltrated immediately.
+
+Because Accessibility can open/dismiss the notification shade programmatically, this method harvests secrets without touching the targeted apps.
+
+### 6. Telephony & SMS command channel
+After coercing the user into setting the RAT as the default SMS app, the following commands provide complete modem control:
+
+- `send_sms` and `retransmishion` send arbitrary or replayed messages to attacker-controlled numbers.
+- `messsms` iterates over the entire contacts database to spam phishing links for worm-like propagation.
+- `make_call` initiates voice calls that support social-engineering workflows.
+- `get_sms_list` / `get_sms` and `get_call_log` / `get_calls` dump inboxes and call history so MFA codes or call metadata can be abused instantly.
+
+Combined with Accessibility-driven UI navigation, ClayRat can receive an OTP via notification/SMS and immediately input it inside the target banking or enterprise app.
+
+### 7. Discovery, collection & proxying
+Additional ClayRat commands map the environment and keep C2 resilient:
+
+- `get_apps` / `get_apps_list` enumerate installed packages (ATT&CK T1418).
+- `get_device_info` reports model, OS version and battery state (T1426).
+- `get_cam` / `get_camera` capture front-camera stills, while `get_keylogger_data` serializes lock PINs plus passwords, view descriptions and hints scraped from sensitive fields.
+- `get_proxy_data` fetches a proxy WebSocket URL, appends the unique device ID and spins a job that tunnels HTTP/HTTPS over the same bidirectional channel (T1481.002 / T1646).
 
 ---
 
@@ -149,6 +227,9 @@ The **AccessibilityService** is the local engine that turns those cloud commands
 ## ATS automation cheat-sheet (Accessibility-driven)
 Malware can fully automate a bank app with only Accessibility APIs. Generic primitives:
 
+<details>
+<summary>Helper methods for ATS automation</summary>
+
 ```java
 // Helpers inside your AccessibilityService
 private List<AccessibilityNodeInfo> byText(String t){
@@ -174,6 +255,8 @@ private void tap(float x, float y){
 }
 ```
 
+</details>
+
 Example flow (Czech → English labels):
 - "Nová platba" (New payment) → click
 - "Zadat platbu" (Enter payment) → click
@@ -238,6 +321,8 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t
 ---
 
 ## References
+* [Return of ClayRat: Expanded Features and Techniques](https://zimperium.com/blog/return-of-clayrat-expanded-features-and-techniques)
+* [ClayRat v3 IoCs (Zimperium)](https://github.com/Zimperium/IOC/tree/master/2025-12-ClayRatv3)
 * [PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT](https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat)
 * [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
 * [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)