
Android Bankers 4 Campaigns in a Row #2140

Open
carlospolop wants to merge 1 commit into master from update_Android_Bankers__4_Campaigns_in_a_Row_20260417_073234

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://zimperium.com/blog/android-bankers-4-campaigns-in-a-row
  • Blog Title: Android Bankers: 4 Campaigns in a Row
  • Suggested Section: Mobile Pentesting -> Android Applications Pentesting (Accessibility Services Abuse, WebView Attacks/Overlays, Play Integrity/Install flows) and Basic Forensic Methodology -> Specific Software/File-Type Tricks (ZIPs tricks / Structural File Format Exploit Detection) or Android reversing notes (APK anti-analysis: ZIP structural tampering, DexClassLoader, string crypto+reflection). Also cross-link to Pentesting Web -> 2FA/MFA/OTP Bypass for Accessibility-based OTP theft.

🎯 Content Summary

Title/Scope: Zimperium zLabs reports a surge in modern Android banking trojans across four distinct active campaigns: RecruitRat, SaferRat, Astrinox (also reported by Cleafy as Mirax), and Massiv (aligned with prior ThreatFabric reporting). Collectively they target 800+ applications spanning banking, cryptocurrency, and social media. This is ...

🔧 Technical Details

Session Installation API for stealthy multi-stage installs: Use a benign-looking dropper that stages a hidden secondary payload and installs it via the PackageInstaller session-based flow. Pair it with a trusted-looking UI (e.g., “Play Store update”) so OS install prompts appear normal, improving sideload success under newer Android security restrictions.


Accessibility “blindfold” overlays to automate permission grants: After the payload is present, request Accessibility Service and display a non-interactive overlay to obstruct the user’s view. Use Accessibility-driven UI automation behind the overlay to grant dangerous permissions (e.g., contacts/phone/SMS) and bootstrap full RAT capability.


Anti-uninstall via Accessibility-controlled Settings navigation: Monitor for user attempts to open app-management/uninstall screens and programmatically redirect the user away. This can be toggled by a C2 command (example:...

🤖 Agent Actions

Inspecting the HackTricks tree first, then I’ll read the existing Android/mobile pages and adjacent sections to find the single best place for the new techniques.
I’ve narrowed the likely landing zone to Android app pentesting. Next I’m reading the existing pages that overlap the blog’s techniques so I can avoid duplicating what HackTricks already has and keep the update in one file.
The existing accessibility page already covers generic overlays, screen streaming, and OTP interception. I’m checking adjacent pages now for the specific gaps from this banker write-up: session-based installs, anti-uninstall flows, remote WebView overlays, and APK ZIP tampering.
I found a stronger candidate: mobile-phishing-malicious-apps.md already covers mobile phishing droppers, session-based installs, accessibility coercion, overlays, and MediaProjection. I’m reading that file now because it may be the correct single place to extend with the banker-specific anti-analysis and enumeration details.
The target file is the right fit, but most of the banker core is already there. I’m doing a gap check against the new blog now so I only add material that is both new and specific enough to matter.
I have the gap list. I’m updating the mobile phishing page with the banker-specific pieces that are still missing there: stealth persistence, app discovery without QUERY_ALL_PACKAGES, overlay delivery variants, and APK anti-analysis/ZIP tampering triage.
Updated mobile-phishing-malicious-apps.md as the single target file. I kept the change scoped there because the repo already had broad coverage for Accessibility/WebView/ATS banker behavior, and this page was the best existing place to add the new, non-duplicated tradecraft from the Zimperium post.

The added content covers the gaps that were not yet documented there: session-installer plus blindfold overlay flows, anti-uninstall via Accessibility redirection, blank-icon stealth, app enumeration without QUERY_ALL_PACKAGES, local ZIP versus remote WebView overlay delivery, and banker-specific APK anti-analysis patterns such as DexClassLoader staging, AES/GCM in-memory payload reconstruction, rooted/AV gating, and ZIP structural tampering. I also added a link to the ZIP tricks page and appended the Zimperium blog and IOC repo to the final references section.

Verification was done with git diff, tail, and rg on the edited file. No code tests were applicable since this was a documentation-only update.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
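The PR summary above lists "APK anti-analysis/ZIP tampering triage" among the gaps it fills, but gives no tooling for it. The following Python script is an added example written for this review; it is not code from the PR, from HackTricks, or from the Zimperium post. It cross-checks each central-directory entry of an APK against its local file header (name, compression method, encryption flag, CRC and sizes), flags duplicate entries and non-standard compression methods, and decompresses every entry to verify CRC-32. The sample archive and the byte-level tampering used to exercise it are constructed here for the demonstration; the heuristics are assumptions about what a consistent APK should look like, not a specification of any particular malware family.

```python
import io
import struct
import zipfile

# Local file header layout: signature, version needed, flags, method, mod time,
# mod date, CRC-32, compressed size, uncompressed size, name length, extra length.
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")  # 30 bytes
LOCAL_SIG = 0x04034B50
FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008
FLAG_UTF8 = 0x0800
# Assumption: a well-formed APK only uses STORED or DEFLATED entries.
APK_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}


def inspect_apk(data: bytes) -> list[str]:
    """Cross-check every central-directory entry against its local file header.

    The Android runtime locates entries through the central directory, while
    many analysis tools walk local headers sequentially; an archive whose two
    views disagree deserves a closer look. Returns human-readable findings,
    empty for a consistent archive.
    """
    findings = []
    zf = zipfile.ZipFile(io.BytesIO(data))  # parses EOCD + central directory only
    seen = set()
    for info in zf.infolist():
        name = info.orig_filename
        if name in seen:
            findings.append(f"{name}: duplicate central-directory entry")
        seen.add(name)
        if info.flag_bits & FLAG_ENCRYPTED:
            findings.append(f"{name}: encryption flag set in central directory")
        if info.compress_type not in APK_METHODS:
            findings.append(f"{name}: unusual compression method {info.compress_type} in central directory")

        off = info.header_offset
        if off + LOCAL_HDR.size > len(data):
            findings.append(f"{name}: local header offset {off} lies past end of file")
            continue
        (sig, _ver, flags, method, _t, _d, crc, csize, usize, nlen, _xlen) = LOCAL_HDR.unpack_from(data, off)
        if sig != LOCAL_SIG:
            findings.append(f"{name}: bad local header signature {sig:#010x} at offset {off}")
            continue
        raw_name = data[off + LOCAL_HDR.size : off + LOCAL_HDR.size + nlen]
        local_name = raw_name.decode("utf-8" if flags & FLAG_UTF8 else "cp437", errors="replace")
        if local_name != name:
            findings.append(f"{name}: local header names the entry {local_name!r}")
        if method != info.compress_type:
            findings.append(f"{name}: compression method differs (central directory {info.compress_type}, local header {method})")
        if (flags ^ info.flag_bits) & FLAG_ENCRYPTED:
            findings.append(f"{name}: encryption flag differs between central directory and local header")
        if not flags & FLAG_DATA_DESCRIPTOR:
            # Without a data descriptor the local header must carry the real CRC and sizes.
            if (crc, csize, usize) != (info.CRC, info.compress_size, info.file_size):
                findings.append(f"{name}: CRC/size fields differ between central directory and local header")
    try:
        bad = zf.testzip()  # decompresses every entry and verifies its CRC-32
        if bad is not None:
            findings.append(f"{bad}: CRC mismatch on decompression")
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError) as exc:
        findings.append(f"archive could not be fully read: {exc}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for an APK: two tiny entries, nothing real."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    return buf.getvalue()


def tamper_local_method(data: bytes, name: str, method: int = 99) -> bytes:
    """Constructed test fixture: overwrite the compression-method field of one
    local file header so it disagrees with the central directory."""
    off = zipfile.ZipFile(io.BytesIO(data)).getinfo(name).header_offset
    buf = bytearray(data)
    struct.pack_into("<H", buf, off + 8, method)  # method sits 8 bytes into the header
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample_zip()
    print("clean archive:", inspect_apk(clean) or "no findings")
    for line in inspect_apk(tamper_local_method(clean, "classes.dex")):
        print("tampered archive:", line)
```

On a real sample, pass the APK bytes to `inspect_apk` and treat any finding as a reason to unpack the file with a parser that follows the central directory before trusting decompiler output.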

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://zimperium.com/blog/android-bankers-4-campaigns-in-a-row

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (Accessibility Services Abuse, WebView Attacks/Overlays, Play Integrity/Install flows) and Basic Forensic Methodology -> Specific Software/File-Type Tricks (ZIPs tricks / Structural File Format Exploit Detection) or Android reversing notes (APK anti-analysis: ZIP structural tampering, DexClassLoader, string crypto+reflection). Also cross-link to Pentesting Web -> 2FA/MFA/OTP Bypass for Accessibility-based OTP theft.".

Repository Maintenance:

  • MD Files Formatting: 972 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
