GHOSTGRAB ANDROID MALWARE

MITRE Techniques

• [T1660 ] Phishing – Used as the initial access vector via kychelp[.]live which forces a browser download of the malicious dropper APK (“A JavaScript-based redirect on that site automatically forces the victim’s browser to download a malicious dropper APK”).
• [T1541 ] Foreground Persistence – Maintains persistence by running a foreground service with silent audio loops and sticky notifications to resist system kills (“plays silent audio to sustain a persistent foreground service”).
• [T1603 ] Scheduled Task/Job – Uses AlarmReceiver and scheduled alarms to periodically restart services and ensure auto-revival after termination (“An AlarmReceiver monitors the app … reschedules alarms to periodically restart the service”).
• [T1628 ] Hide Artifacts – Hides the app icon using an intent-filter with CATEGORY.INFO instead of CATEGORY.LAUNCHER to remain concealed from the launcher (“allows it to stay hidden from the app launcher and run discreetly in the background”).
• [T1406 ] Obfuscated Files or Information – Uses APK protection/obfuscation services (access[.]uasecurity[.]org) to frustrate static analysis and hide malicious code (“advertises an ‘APK protection’ service offering obfuscation and hardening”).
• [T1417 ] Input Capture – Captures credentials via injected JavaScript in WebView phishing pages and form monitoring to collect banking credentials and PINs (“injected JavaScript monitors the DOMContentLoaded event, captures the entered fields…”).
• [T1418 ] Software Discovery – Enumerates installed apps using QUERY_ALL_PACKAGES and other APIs to profile the device (“presence of the Android permissions QUERY_ALL_PACKAGES … indicates the malware can enumerate all installed apps”).
• [T1426 ] System Information Discovery – Collects device fingerprinting data including model, OS, CPU, identifiers, root status, battery and storage stats (“collects … Android version, battery level, CPU architecture, SIM information”).
• [T1422 ] Internet Connection Discovery – Gathers network-related telemetry such as public IP and connectivity state as part of device profiling (“generates a comprehensive device fingerprint, including public IP…”).
• [T1414 ] Input Capture – Intercepts SMS messages and reads SMS history to harvest OTPs and transaction messages (“reads SMS records from the device’s content provider (content://sms/) and filters messages for banking-related keywords”).
• [T1636.004 ] SMS Messages – Uses SMS interception and forwarding capabilities to capture incoming OTPs and optionally forward them to attacker numbers (“handleSmsReceived method functions as an SMS interceptor, silently capturing all incoming messages … can optionally forward the messages to an attacker’s phone number”).
• [T1437 ] Application Layer Protocol – Uses Web protocols and Firebase for command-and-control and data exfiltration (“registers with Firebase Cloud Messaging (FCM) … stores stolen credentials in a Firebase Realtime Database”).
• [T1521 ] Encrypted Channel – Employs TLS and encrypted channels for miner and C2 communications (miner parameters include “–tls” and mining pools use secure endpoints noted in configuration parameters).
• [T1481 ] Web Services – Leverages Firebase Realtime Database and Firebase webhooks as C2 and data exfiltration channels (“the malware stores stolen credentials … in a publicly accessible Firebase Realtime Database”).
• [T1646 ] Exfiltration Over C2 Channel – Exfiltrates captured forms, SMS, and device fingerprints to the attacker’s Firebase backend and webhook endpoints (“packages the data … and sends to a Firebase Realtime Database node (formInfo.json)”).