Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Context (Published October 25, 2025)
GhostGrab is a modular Android stealer plus covert Monero miner distributed outside Google Play. It combines credential harvesting (banking/net‑banking, card data, OTPs), SMS/telephony control, SIM/device fingerprinting, Firebase‑backed C2, and strong persistence via a foreground audio service and broadcast receivers.

Kill chain overview
1) Lure/Delivery ➜ kychelp[.]live redirects to dropper APK: BOM FIXED DEPOSIT.apk ...

🔧 Technical Details

Sideload + WebView phishing pipeline: Distribute an APK outside Play, request REQUEST_INSTALL_PACKAGES, then load staged HTML from assets in a JS‑enabled WebView (kyc.html → debit.html → net.html → pass.html → pin.html) to capture PII, card data, online‑banking creds, transaction password, and ATM PIN. Exfiltrate each submission with a device identifier to Firebase (e.g., formInfo.json).

Foreground audio persistence: Create a NotificationChannel and call startForeground() with an “Audio Playing” notification while looping a silent MediaPlayer. This elevates process priority, bypasses Doze throttling, and resists background kills on modern Android.

Broadcast‑driven auto‑revival: Register exported receivers for boot, screen, power, connectivity, package, and SMS events. On any trigger, verify and restart the core service with startForegroundService() and re‑arm a...

🤖 Agent Actions

I analyzed the blog and the HackTricks repository and identified the best place to integrate the new technical techniques: the existing page “Mobile Phishing & Malicious App Distribution (Android & iOS)” under Phishing Methodology. This page already covers Android phishing, droppers, WebView, FCM, etc., but it lacked specific content on foreground audio persistence, broadcast-driven auto-revival, Firebase Realtime DB exfil structure, telephony hijack via USSD + SmsManager with SIM-slot control, launcher hiding via intent-filter, and covert native crypto-mining on Android—all central to the GhostGrab campaign.

What I did:

  • Read relevant files (5+):
    • src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
    • src/generic-methodologies-and-resources/phishing-methodology/README.md
    • src/generic-methodologies-and-resources/phishing-methodology/detecting-phising.md
    • src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md
    • other phishing-methodology files
  • Updated a single file: src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
  • Added a new section “GhostGrab-style Android Stealer + Miner tradecraft (WebView phishing, Firebase C2, foreground audio persistence)” with concise, highly technical abstractions:
    • Sideload + assets/WebView phishing pipeline with Firebase Realtime DB exfil (JS example with fetch to https://<project>.firebaseio.com/formInfo.json)
    • Foreground audio persistence to bypass Doze and background kills (notification channel + startForeground + looping silent MediaPlayer). Code provided in an expandable.
    • Watchdog auto-revival via exported BroadcastReceiver + AlarmManager + startForegroundService; manifest and code sketches in an expandable.
    • Firebase as covert C2: push token via FCM + Realtime DB schema; commands: callForward (USSD *21<NUMBER># / ##21#), sendSms (SmsManager with subscription id), forwardSms with deduplication.
    • SMS scraping via content://sms/ and SIM profiling via SubscriptionManager/TelephonyManager.
    • Launcher/icon hiding by using CATEGORY.INFO instead of CATEGORY.LAUNCHER.
    • Covert mobile crypto-mining pattern: drop/decrypt native miner .so, load with System.load and start with Monero TLS flags using a runtime worker id (example provided).
    • Hunting pointers for detection (foreground “Audio Playing” pattern, USSD **21*/##21#, FCM+Realtime DB keys clients/<DeviceID>, repository, miner artifacts).
  • Ensured placeholders between angle brackets aren’t interpreted as HTML by wrapping them in backticks per guidelines.
  • Appended the blog URL to the References section.

Changes applied via repo tools:

  • Modified: src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
    • Inserted the GhostGrab techniques section with code/examples and hunting pointers.
    • Added CYFIRMA blog to “References”.

No new files were created. The update maintains HackTricks style, adds concrete code snippets, and includes the required “References” update.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
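
Added hunting example (Python, not code from the PR, the HackTricks page or the CYFIRMA report): a static triage script that reads a decoded `AndroidManifest.xml` (assumption: already converted from binary XML by apktool/jadx) and decoded strings/smali text, and flags the GhostGrab-style indicators the PR lists: `REQUEST_INSTALL_PACKAGES`, exported receivers on boot/screen/power/connectivity/package/SMS events, a MAIN activity with `CATEGORY_INFO` but no `CATEGORY_LAUNCHER`, Firebase Realtime DB `.json` URLs, USSD `**21*`/`##21#`, and the "Audio Playing" notification string. The sample manifest and strings are constructed; `com.example.dropper` and `ghost-example.firebaseio.com` are hypothetical.

```python
"""Static triage of a decoded Android app for GhostGrab-style indicators.
Sample manifest/strings are constructed for the demo; names are hypothetical."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """ElementTree-qualified name of an android: attribute."""
    return f"{{{ANDROID_NS}}}{name}"


# Broadcast triggers used for auto-revival: boot, screen, power, connectivity, package, SMS.
REVIVAL_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED", "android.intent.action.SCREEN_ON",
    "android.intent.action.SCREEN_OFF", "android.intent.action.USER_PRESENT",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.net.conn.CONNECTIVITY_CHANGE", "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REPLACED", "android.provider.Telephony.SMS_RECEIVED",
}
SUSPICIOUS_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # sideloading dropper
    "android.permission.FOREGROUND_SERVICE",        # "Audio Playing" service
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.CALL_PHONE",  # USSD forwarding
}
# String-level hunting pointers from the PR description.
STRING_PATTERNS = {
    "ussd_call_forward": re.compile(r"\*\*?21\*|##21#"),
    "firebase_rtdb": re.compile(r"https://[\w.-]+\.firebaseio\.com/\S*?\.json"),
    "audio_notification": re.compile(r"Audio Playing"),
    "staged_html": re.compile(r"\b(?:kyc|debit|net|pass|pin)\.html\b"),
    "sms_provider": re.compile(r"content://sms/"),
}


def triage_manifest(xml_text):
    """Return manifest-level indicators as a dict of sorted lists."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {p.get(attr("name")) for p in root.iter("uses-permission")}
    receivers, hidden = [], []
    for rcv in app.iter("receiver"):
        hits = {x.get(attr("name")) for x in rcv.iter("action")} & REVIVAL_ACTIONS
        exported = rcv.get(attr("exported"))
        # Pre-API-31 default: a component with an intent-filter is exported unless
        # android:exported="false" is explicit. API 31+ requires the attribute.
        is_exported = exported == "true" or (exported is None and rcv.find("intent-filter") is not None)
        if hits and is_exported:
            receivers.append((rcv.get(attr("name")), sorted(hits)))
    for act in app.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {x.get(attr("name")) for x in flt.iter("action")}
            cats = {x.get(attr("name")) for x in flt.iter("category")}
            # MAIN + INFO without LAUNCHER: no icon in the app drawer.
            if ("android.intent.action.MAIN" in actions and "android.intent.category.INFO" in cats
                    and "android.intent.category.LAUNCHER" not in cats):
                hidden.append(act.get(attr("name")))
    services = sorted(s.get(attr("name")) for s in app.iter("service")
                      if s.get(attr("foregroundServiceType")))  # only declared on newer targets
    return {"permissions": sorted(perms & SUSPICIOUS_PERMS), "revival_receivers": receivers,
            "launcher_hidden_activities": hidden, "foreground_services": services}


def hunt_strings(text):
    """Return {indicator: sorted unique matches} for every pattern that fires."""
    return {k: sorted(set(p.findall(text))) for k, p in STRING_PATTERNS.items() if p.search(text)}


def is_ghostgrab_like(findings, hits):
    """Crude verdict: three or more independent indicator families present."""
    families = [bool(findings["revival_receivers"]), bool(findings["launcher_hidden_activities"]),
                "android.permission.REQUEST_INSTALL_PACKAGES" in findings["permissions"],
                "firebase_rtdb" in hits, "ussd_call_forward" in hits,
                "audio_notification" in hits and bool(findings["foreground_services"])]
    return sum(families) >= 3


# Constructed sample: decoded manifest and a few smali const-strings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name="com.example.dropper.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.INFO"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.dropper.AudioService" android:foregroundServiceType="mediaPlayback"/>
    <receiver android:name="com.example.dropper.WatchdogReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_STRINGS = """const-string v0, "Audio Playing"
const-string v1, "https://ghost-example.firebaseio.com/formInfo.json"
const-string v2, "**21*"
const-string v3, "##21#"
const-string v4, "file:///android_asset/kyc.html"
const-string v5, "content://sms/\""""


def run_sample():
    findings = triage_manifest(SAMPLE_MANIFEST)
    hits = hunt_strings(SAMPLE_STRINGS)
    return findings, hits, is_ghostgrab_like(findings, hits)


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

Two caveats when running this over real decoded output: on API 31+ every component with an intent-filter must declare `android:exported` explicitly, and `android:foregroundServiceType` is only mandatory from API 34, so the absence of either attribute is not a clean signal on its own; the verdict is a triage hint, not a classifier.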

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.cyfirma.com/research/ghostgrab-android-malware/

Content Categories: Based on the analysis, this content was categorized under "Phishing Methodology > Mobile Phishing Malicious Apps".

Repository Maintenance:

  • MD Files Formatting: 906 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
