GhostSpy Web-Based Android RAT : Advanced Persistent RAT with Stealthy Remote Control and Uninstall Resistance

GhostSpy is a sophisticated Android malware that abuses Accessibility Services and Device Admin privileges to stealthily gain full control over infected devices, enabling extensive spying and anti-uninstallation measures. It also bypasses banking app protections through UI reconstruction, posing serious privacy and financial risks. #GhostSpy #AndroidRAT #AccessibilityAbuse #DeviceAdmin

Keypoints

  • GhostSpy initially infects devices via a dropper APK that exploits Accessibility Services and UI automation to silently install a secondary payload (update.apk) with elevated privileges.
  • The malware auto-grants itself all required permissions by simulating user interactions, enabling features like keylogging, screen capture, microphone/camera spying, SMS and call log theft, and GPS tracking without user awareness.
  • It uses Device Admin APIs and overlay windows to prevent uninstallation by displaying fake warning dialogs, making removal by non-technical users almost impossible.
  • GhostSpy circumvents banking app screenshot restrictions by reconstructing the UI skeleton to harvest sensitive data from protected apps.
  • The malware maintains persistent C2 communication for real-time remote control, including commands for factory reset and data exfiltration.
  • Its infrastructure includes multiple active C2 servers and is linked to Brazilian threat actors, demonstrated by Telegram and YouTube channels showcasing the malware.
  • Detection and mitigation require comprehensive mobile threat defense, user education on sideloading risks, and monitoring of suspicious Accessibility Service usage and network traffic.

MITRE Techniques

  • [T1660] Phishing – Initial delivery using a fake app update prompt to trick users into installing the dropper. (‘displays a deceptive interface, typically presenting a fake app update prompt’)
  • [T1541] Foreground Persistence – The malware maintains persistence by requesting Device Admin permissions and displaying overlays. (‘uses Device Admin APIs and creates overlay windows to prevent uninstallation’)
  • [T1603] Scheduled Task/Job – Relies on the continuously running Accessibility Service to automate permission granting and ongoing monitoring. (‘auto grants permissions by simulating user interactions across screen areas’)
  • [T1626.001] Device Administrator Permissions – Gains elevated privileges to enable remote wipe and block removal. (‘requests Device Administrator privileges to entrench itself’)
  • [T1628] Hide Artifacts – Uses full-screen overlays and system dialog hijacking to obscure its presence. (‘displays fake warning messages via overlays to block uninstallation’)
  • [T1629.001] Prevent Application Removal – Detects uninstall attempts and reacts by showing fake warning dialogs. (‘monitors uninstallation UI and overlays fake warnings to deter removal’)
  • [T1516] Input Injection – Simulates permission dialog clicks via Accessibility API to auto-accept permissions. (‘simulates user clicks on permission dialogs using AccessibilityNodeInfo.ACTION_CLICK’)
  • [T1414] Clipboard Data – Captures clipboard contents to steal sensitive information. (‘steals clipboard data as part of credential and personal data theft’)
  • [T1417.001] Keylogging – Uses Accessibility API to monitor keystrokes and input events. (‘captures text input events such as passwords and chat messages’)
  • [T1420] File and Directory Discovery – Collects files including images and media from the device gallery. (‘transmits gallery images by enumerating stored photos’)
  • [T1430] Location Tracking – Continuously obtains precise GPS location data from the device. (‘requests high-accuracy location updates via FusedLocationProviderClient’)
  • [T1418] Software Discovery – Gathers information about installed apps and system state. (‘monitors installed applications and device identifiers’)
  • [T1426] System Information Discovery – Collects device model, OS version, and manufacturer details. (‘gathers Android ID, model, and OS version to form a unique fingerprint’)
  • [T1422] Internet Connection Discovery – Monitors network status to maintain C2 connectivity. (‘checks internet connection status to manage C2 channel’)
  • [T1636.002] Call Log Collection – Extracts call history data from the device. (‘queries call logs and exfiltrates call details’)
  • [T1636.004] SMS Messages Collection – Reads SMS inbox and sends message data to attackers. (‘accesses SMS inbox via content://sms/inbox provider’)
  • [T1513] Screen Capture – Captures screenshots and video frames using MediaProjection API. (‘mirrors screen activity and records screen content’)
  • [T1512] Video Capture – Records camera video streams covertly via Camera2 API. (‘initiates continuous camera recording using Camera2 API’)
  • [T1437] Application Layer Protocol – Communicates over HTTP/S protocols with C2 servers. (‘persistent socket connection to C2 server for remote control’)
  • [T1521] Encrypted Channel – Uses encrypted channels for C2 communication. (‘C2 communication over SSL/TLS with pinning mechanisms’)
  • [T1646] Exfiltration Over C2 Channel – Sends stolen data to C2 infrastructure via socket events. (‘exfiltrates sensitive files, keylogs, and location over C2 connections’)
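As an added example (not CYFIRMA's analysis code or any GhostSpy artefact), the following Python script triages a constructed AndroidManifest.xml for the capability combination the techniques above describe: an Accessibility Service plus a Device Admin receiver plus overlay and sideload permissions, alongside the surveillance permissions behind the collection techniques. The sample manifest, its package name and the verdict thresholds are assumptions.

```python
"""Manifest triage for the Accessibility + Device Admin + overlay combination
that GhostSpy abuses. Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that give an app control of the screen and of installation.
CONTROL_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW",      # overlay windows (fake warnings)
    "android.permission.REQUEST_INSTALL_PACKAGES",  # sideload a second-stage APK
}
# Surveillance permissions matching the collection techniques in the report.
SPY_PERMS = {
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

def triage_manifest(xml_text: str) -> dict:
    """Return the suspicious capabilities found plus a low/medium/high verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service is a <service> bound with BIND_ACCESSIBILITY_SERVICE.
    a11y = any(s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for s in root.iter("service"))
    # A device admin receiver is a <receiver> bound with BIND_DEVICE_ADMIN.
    admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    findings = {"accessibility_service": a11y, "device_admin": admin,
                "control_perms": sorted(perms & CONTROL_PERMS),
                "spy_perms": sorted(perms & SPY_PERMS)}
    # Accessibility + device admin + overlay is the uninstall-resistance triad.
    triad = a11y and admin and "android.permission.SYSTEM_ALERT_WINDOW" in perms
    findings["verdict"] = "high" if triad else ("medium" if a11y and findings["spy_perms"] else "low")
    return findings

# Constructed manifest (placeholder package name) with the payload-like capability set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest decoded from a suspect APK (for example with apktool) to rank samples for closer review; the verdict is a triage hint, not proof of malice.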

Indicators of Compromise

  • [APK Hash] dropper and payload identification – e9f2f6e47e071ed2a0df5c75e787b2512ba8a601e55c91ab49ea837fd7a0fc85 (dropper), 73e647287408b2d40f53791b8a387a2f7eb6b1bba1926276e032bf2833354cc4 (payload)
  • [URL] Command and Control servers – https://stealth.gstpainel.fun, https://gsttrust.org
  • [IP Address] C2 server endpoints – 37.60.233.14 (ports 3000, 4200)
  • [Package Name] Malicious app identifier – com.support.litework (used by both dropper and payload APKs)

Read more: https://www.cyfirma.com/research/ghostspy-web-based-android-rat-advanced-persistent-rat-with-stealthy-remote-control-and-uninstall-resistance/