diff --git a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md index 6bf2d5a383a..0df2b07c2c8 100644 --- a/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md 
@@ -285,6 +285,27 @@ private void dumpTree(AccessibilityNodeInfo n, String indent, StringBuilder sb){ This is the basis for commands like `txt_screen` (one-shot) and `screen_live` (continuous). +### UI-tree export to bypass FLAG_SECURE / screenshot protections +Textual dumps can be upgraded into structured DTO telemetry that works even when `FLAG_SECURE` or in-app screenshot blocks are present: +- Iterate `getWindows()` → `AccessibilityWindowInfo.getRoot()` and recursively walk `AccessibilityNodeInfo` children. +- Keep only “important” nodes: **visible** and (`isClickable` || `isEditable` || `getText()` / `getContentDescription()` is non-empty). +- Serialize JSON fields per node: `text`, `contentDescription`, `className`, **bounds** (`Rect`), and state flags (`clickable`, `editable`, `focused`, `enabled`). Include parent/child indices to preserve layout context. +- Ship the JSON snapshot over the WebSocket C2 so the operator can target elements by attributes/coordinates even without pixels. + +This UI-tree mode is a common fallback for DTO malware to maintain control of banking apps that forbid MediaProjection / screen-capture. + +### Massiv-style WebSocket DTO command set +ThreatFabric’s **Massiv** DTO uses a WebSocket channel for both UI telemetry (screen stream or UI-tree JSON) and operator commands. Useful primitives to replicate in test harnesses / RAT PoCs: +- **Global navigation**: `back`, `home`, `overview`, `power`, `wakeUp`. +- **Gesture/typing**: `click`, `swipe`, `swipeUp`, `swipeDown`, `keypress`. +- **Visibility control**: `enableGraphics` / `disableGraphics` to toggle MediaProjection streaming; `blackscreen` / `disableBlackscreen` to hide activity and mute. +- **Overlay/phishing control**: `inject`, `injectPattern`, `injectPin`, `updateInjects`, `get_files_zip` to fetch/refresh HTML overlays (including lock-screen PIN/pattern phishing). 
+- **Permission/persistence prompts**: `requestAdmin`, `requestBattery`, `requestGoogleProtect`, `requestInstallPermission`, `requestFileAccess`, `requestWriteSettings`, `requestMiuiBackground`, `requestPush`, `requestReadSms` (open the corresponding settings UI so Accessibility can auto-click consent). +- **Payload & data ops**: `installApk`, `uninstallApp`, `fileManager`, `clipboard`, `check`, `push`, `get_backup_addresses`, `log`. +- **Connection management**: `reinitialization` / `renicilization` to force WebSocket reconnects. + +Pairing these verbs with the UI-tree export allows deterministic remote operation (e.g., click by coordinates from `bounds` or target nodes by `text`/`contentDescription`) even when screenshots are blocked. + ## Device Admin coercion primitives Once a Device Admin receiver is activated, these calls increase opportunities to capture credentials and maintain control: @@ -327,5 +348,6 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t * [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service) * [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats) * [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay) +* [Massiv: When your IPTV app terminates your savings](https://www.threatfabric.com/blogs/massiv-when-your-iptv-app-terminates-your-savings) {{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
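Review bot: The filter in the "UI-tree export" bullets is ambiguous as written; "**visible**" and "**bounds** (`Rect`)" should name the actual calls the way the other identifiers in the bullet do, i.e. `isVisibleToUser()` and `getBoundsInScreen(Rect)` rather than `getBoundsInParent(Rect)`, since the later "click by coordinates from `bounds`" step only works with screen coordinates. The section also omits the prerequisite the whole technique hinges on: the service must declare `android:canRetrieveWindowContent="true"` (plus `flagRetrieveInteractiveWindows` in `accessibilityFlags` for `getWindows()` to return anything), which is precisely the capability worth flagging when triaging an unexpected accessibility service on a device. Under the "bypass FLAG_SECURE" heading, add a one-line caveat that `FLAG_SECURE` only protects pixels, and that apps can mark views `android:accessibilityDataSensitive="true"` on Android 14+ so that services not declared as accessibility tools do not receive their node content; that is the mitigation readers will expect next to the description. In the Massiv command list, `renicilization` reads like a typo; if it is the literal string the sample uses, mark it "(sic)" so nobody "corrects" it, and note that these verbs are plain strings on the WebSocket channel, which makes the list directly usable as a hunting/detection signature rather than only as a description of the operator interface.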