Attack Techniques
Documented exploitation techniques targeting Android applications and the OS. Each technique covers what it is, the preconditions required, how it works in practice, real-world malware that uses it, and how it has evolved across Android versions.
Organized by attack surface and offensive objective.
Techniques
UI Deception
| Technique | Target Surface | Key Permissions |
|---|---|---|
| Overlay Attacks | Window Manager | SYSTEM_ALERT_WINDOW |
| Tapjacking | Touch Events | SYSTEM_ALERT_WINDOW |
| Phishing Techniques | UI / Social Engineering | SYSTEM_ALERT_WINDOW (optional) |
| Fake Biometric Prompts | KeyguardManager / BiometricPrompt | BIND_ACCESSIBILITY_SERVICE or SYSTEM_ALERT_WINDOW |
| Launcher Hijacking | HOME Intent / Launcher | None (intent filter) |
| Task Affinity Attacks | Activity Stack | None (manifest config). Refs: StrandHogg (Promon), StrandHogg 2.0 (Promon) |
Input, Screen & Sensor Capture
| Technique | Target Surface | Key Permissions |
|---|---|---|
| Keylogging | InputMethodService / Accessibility | BIND_ACCESSIBILITY_SERVICE |
| Screen Capture | MediaProjection / Accessibility | FOREGROUND_SERVICE, BIND_ACCESSIBILITY_SERVICE |
| Clipboard Hijacking | ClipboardManager | None (foreground) or BIND_ACCESSIBILITY_SERVICE |
| Camera & Mic Surveillance | Camera / MediaRecorder / MediaProjection | CAMERA, RECORD_AUDIO |
| Location Tracking | LocationManager / FusedLocation | ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION |
Privilege & Accessibility Abuse
| Technique | Target Surface | Key Permissions |
|---|---|---|
| Accessibility Abuse | Accessibility Service | BIND_ACCESSIBILITY_SERVICE |
| Runtime Permission Manipulation | Settings / Accessibility | BIND_ACCESSIBILITY_SERVICE |
| Automated Transfer Systems | Accessibility + Banking Apps | BIND_ACCESSIBILITY_SERVICE |
| Device Admin Abuse | DevicePolicyManager | BIND_DEVICE_ADMIN |
| Privilege Escalation | Kernel / SELinux / Platform | None (exploit) |
| Work Profile Abuse | Android Enterprise / DPC | Device or Profile Owner |
Component & IPC Abuse
| Technique | Target Surface | Key Permissions |
|---|---|---|
| Intent Hijacking | Activities, Services | None (component export). Refs: Google (intent redirection), Oversecured |
| Broadcast Theft | Broadcast Receivers | Varies |
| Content Provider Attacks | Content Providers | None (provider export) |
| Deep Link Exploitation | Activities | None (URI scheme). Refs: Google (deep-link risks), Oversecured |
| WebView Exploitation | WebView | Varies |
Communications Interception
| Technique | Target Surface | Key Permissions |
|---|---|---|
| SMS Interception | SMS / BroadcastReceiver | RECEIVE_SMS, READ_SMS |
| Notification Listener Abuse | NotificationListenerService | BIND_NOTIFICATION_LISTENER_SERVICE |
| Notification Suppression | NotificationListenerService / AudioManager | BIND_NOTIFICATION_LISTENER_SERVICE |
| Call Interception | TelecomManager / CallRedirectionService | CALL_PHONE, READ_PHONE_STATE |
| SIM & Carrier Attacks | SIM Toolkit / SS7 / USSD | Cellular-infrastructure level |
| Carrier Billing Fraud | Direct Carrier Billing portals / OTP / WebView | RECEIVE_SMS, INTERNET |
Networking, C2 & Exfiltration
| Technique | Target Surface | Key Permissions |
|---|---|---|
| C2 Communication | Network / IPC | INTERNET |
| Network Traffic Interception | VpnService / DNS / Certificate Store | BIND_VPN_SERVICE |
| Data Exfiltration | Outbound channels (HTTP, cloud APIs, SMS) | INTERNET plus collection permissions |
| NFC Relay | NFC / Host Card Emulation | NFC (normal) |
Persistence & Stealth
| Technique | Target Surface | Key Permissions |
|---|---|---|
| Persistence Techniques | Services / Receivers / WorkManager | RECEIVE_BOOT_COMPLETED, FOREGROUND_SERVICE |
| Anti-Analysis Techniques | Emulator / Root / Frida / Debugger | QUERY_ALL_PACKAGES |
| Device Wipe & Ransomware | DevicePolicyManager / File System | BIND_DEVICE_ADMIN, MANAGE_EXTERNAL_STORAGE |
Distribution & Code Delivery
| Technique | Target Surface | Key Permissions |
|---|---|---|
| Play Store Evasion | Play Protect / Store Review | None (build and distribution) |
| Dynamic Code Loading | ClassLoader / Runtime | None (app-private storage) |
| Supply Chain Attacks | SDKs / Build Chain / Firmware | None (pre-install) |
| Mass Malware Generation | MaaS Builders / Crypters / Repackaging | None (tooling-level) |
| AI-Assisted Malware | LLMs / Deepfakes / Adversarial ML | Varies |
| App Virtualization | VirtualApp / DroidPlugin | None (app-level) |
| App Collusion | IPC / Shared Storage / SDKs | Varies (distributed across apps) |
Kill Chain
How attacks chain together in a typical Android banking trojan or spyware operation. Each stage builds on the previous one. Anti-Analysis Techniques run as a cross-cutting layer at every stage, not as a final step.
| Stage | Objective | Techniques / Permissions | What Happens |
|---|---|---|---|
| 1. Delivery | Get on device | Phishing, sideloading, Play Store dropper, supply chain, smishing link | APK delivered as fake app (Chrome update, Flash Player, bank app), pre-installed in firmware, or pulled in via a poisoned SDK |
| 2. Dropper | Install payload | REQUEST_INSTALL_PACKAGES, Dynamic Code Loading | Dropper downloads and installs the real malware APK at runtime |
| 3. Persistence | Survive reboots | Persistence Techniques: RECEIVE_BOOT_COMPLETED + FOREGROUND_SERVICE | Boot receiver re-launches malware; foreground service prevents kill |
| 4. Privilege escalation | Gain control | Accessibility Abuse, Runtime Permission Manipulation, Device Admin Abuse, kernel exploits | User tricked into enabling accessibility service or device admin; malware auto-grants further permissions, reads screens, injects input, resists uninstall |
| 5. Discovery | Identify targets | Installed package enumeration (QUERY_ALL_PACKAGES), banking app fingerprinting via accessibility, location checks | Malware enumerates banking, crypto, and authenticator apps; geofences activation to target countries |
| 6. Credential theft | Steal logins | Overlay Attacks, Keylogging, Screen Capture, Clipboard Hijacking, Fake Biometric Prompts | Phishing overlay injected over banking app; keystrokes captured; screen recorded; clipboard monitored for seed phrases; fake lockscreen captures device PIN |
| 7. 2FA bypass | Intercept OTPs | SMS Interception, Notification Listener Abuse, SIM & Carrier Attacks | SMS OTPs intercepted via broadcast receiver or read from notification shade; push-based OTPs captured via notification listener; SIM swap defeats SMS 2FA entirely |
| 8. On-device fraud | Move money | Automated Transfer Systems, NFC Relay, Carrier Billing Fraud | ATS fills in transfer fields and confirms transactions; NFC relay clones tap-to-pay; DCB silently subscribes victim to premium services |
| 9. Exfiltration | Send data to C2 | C2 Communication: INTERNET, Data Exfiltration, Network Traffic Interception | Credentials, SMS, contacts, screen recordings sent to C2 over HTTP, WebSocket, or cloud-service tunnels |
| 10. Cleanup | Destroy evidence | Notification Suppression, Device Wipe | Transaction alerts hidden; factory reset wipes forensic artifacts post-fraud |
Technique Combinations
Attacks rarely operate alone. These are the most common pairings observed in active malware families, with citations to the original disclosures.
| Combination | Result | Families Using It |
|---|---|---|
| Overlay + Accessibility | Credential theft with ATS -- overlay steals creds, accessibility automates transfers | Cerberus (ThreatFabric), Ermac (ThreatFabric), Hook (ThreatFabric), Xenomorph (ThreatFabric), Octo (ThreatFabric), GodFather (Group-IB), TsarBot (Cyble) |
| Accessibility + Screen Capture | Remote access / VNC -- accessibility provides input control, screen capture provides visual feed | Hook (ThreatFabric), Octo (ThreatFabric), Vultur (ThreatFabric), BingoMod (Cleafy), Brokewell (ThreatFabric) |
| Accessibility + Keylogging | Full input capture -- every keystroke and text-field value recorded | Cerberus (ThreatFabric), Ermac (ThreatFabric), TrickMo (Zimperium), SpyNote (Cleafy) |
| Accessibility + Clipboard Hijacking | Crypto theft -- accessibility reads screen content, clipboard captures wallet addresses | SparkCat (Kaspersky), SpyAgent (McAfee) |
| Notification Listener + SMS Interception | Complete OTP theft -- SMS receiver grabs text-based codes, notification listener catches push-based codes | Anatsa (ThreatFabric), Xenomorph (ThreatFabric), GodFather (Group-IB) |
| Dynamic Code Loading + Phishing | Dropper with clean initial scan -- benign APK passes Play Protect, downloads payload post-install | Anatsa (ThreatFabric), SharkBot (NCC Group), Joker (Zimperium) |
| Device Admin + Persistence | Unremovable malware -- device admin blocks uninstall, persistence survives reboots | BRATA (Cleafy), Cerberus (ThreatFabric), Rafel RAT (Check Point) |
| Overlay + Tapjacking | Layered UI deception -- overlay captures input while tapjacking forces user interaction | Anubis, BankBot (The Hacker News) (pre-Android 12) |
| Accessibility + NFC Relay | Contactless payment fraud -- accessibility extracts card PINs, NFC relay clones tap-to-pay | NGate (ESET) |
| Fake Biometric Prompts + Accessibility | Device unlock theft -- fake lockscreen captures PIN, accessibility downgrades biometric prompts to force PIN entry | TrickMo (Zimperium), GoldPickaxe (Group-IB) |
| Intent Hijacking + Broadcast Theft | SMS interception -- hijack SMS broadcast to steal OTPs before the real app sees them | FluBot (NCC Group), Anatsa (ThreatFabric) |
| App Virtualization + Accessibility | Overlay-free credential theft -- real banking app runs in hostile sandbox, accessibility redirects launch intents | GodFather v3 (Zimperium), FjordPhantom (Promon) |
| App Collusion + Persistence | Resilient multi-app architecture -- payload survives deletion of the visible dropper app | PixPirate (Cleafy) |
| Mass Malware Generation + Play Store Evasion | Volume-based evasion -- hundreds of variants submitted across distributed developer accounts overwhelm review | Vapor 331 apps, Konfety 250+ apps, Joker 1,800+ variants |
| Notification Suppression + ATS | Invisible fraud -- transaction alerts dismissed while ATS moves money | Cerberus (ThreatFabric), Hook (ThreatFabric), Octo (ThreatFabric), Xenomorph (ThreatFabric) |
| Call Interception + Phishing | Voice phishing -- victim calls real bank number but reaches attacker IVR | Fakecalls (Kaspersky), Letscall (ThreatFabric) |
| Device Wipe + ATS | Post-fraud cleanup -- factory reset destroys evidence after money transfer | BRATA (The Record), BingoMod (Cleafy) |
| Camera/Mic Surveillance + Accessibility | Full device surveillance -- camera/mic capture with screen reading and input injection | SpyNote (Cleafy) |
| Privilege Escalation (zero-click exploit chain) | State-sponsored surveillance -- kernel/browser/messenger exploit chains break out of the app sandbox without user interaction | Pegasus on Android (Google TAG), Predator (Citizen Lab) |
| Anti-Analysis + Dynamic Code Loading | Staged evasion -- environment checks before loading payload; sandbox sees nothing | Anatsa (ThreatFabric), Mandrake (Kaspersky), Octo (ThreatFabric) |
| Network Interception + DNS Manipulation | Network-level phishing -- DNS hijacking redirects banking domains to credential harvesting | MoqHao / Roaming Mantis (Kaspersky) |
| Supply Chain + Persistence | Pre-installed malware -- payload ships in firmware or in widely-embedded SDK | BADBOX (HUMAN Security), Triada firmware (Kaspersky), SpinOk SDK (Doctor Web), Necro SDK (Kaspersky), Goldoson SDK (McAfee) |
| SIM Toolkit (Simjacker / WIBattack) | Carrier-level location tracking and SMS exfiltration through SIM applets, invisible to the OS | Simjacker (AdaptiveMobile) |
Attacker Priority
Ranked by prevalence in modern (2024-2025) Android malware campaigns. Priority reflects how frequently the technique appears in active operations and how much attacker value it enables. Sources cited where the claim is specific.
| Rank | Technique | Prevalence | Why It Matters |
|---|---|---|---|
| 1 | Accessibility Abuse | Universal in banking trojans | Enables everything: auto-granting permissions, reading screens, performing ATS, bypassing 2FA |
| 2 | C2 Communication | Universal | Every malware family needs a command channel; multi-channel C2 is the norm |
| 3 | Data Exfiltration | Universal (operational objective) | The endpoint of every campaign; HTTP, Telegram/Discord, Firebase, SMS all in active use |
| 4 | Persistence Techniques | Universal (supporting) | Required for any long-running operation; boot receivers and foreground services are baseline |
| 5 | Anti-Analysis Techniques | Universal (supporting) | Nearly every family implements emulator/root/Frida detection; determines whether payload executes at all |
| 6 | Runtime Permission Manipulation | Near-universal once accessibility is granted (Octo, ThreatFabric) | Bootstraps every other permission without further user prompts |
| 7 | Overlay Attacks | High (banking trojans) | Primary credential harvesting method; still effective despite Android 12+ restrictions |
| 8 | Screen Capture | High (banking trojans, RATs -- Vultur, BingoMod) | Real-time VNC and screen recording for credential theft and remote control |
| 9 | Keylogging | High (banking trojans, spyware) | Captures passwords and OTPs as users type; pairs with accessibility for full coverage |
| 10 | Automated Transfer Systems | High (banking trojans) | On-device fraud that bypasses bank-side device fingerprinting and session checks |
| 11 | Notification Listener Abuse | High (rising) | Replaced SMS interception as primary OTP theft vector; reads all app notifications |
| 12 | Notification Suppression | High (banking trojans) | Hides transaction alerts during fraud; dual-purpose with OTP theft via notification listener |
| 13 | SMS Interception | High (declining on newer OS) | Original 2FA bypass method; restricted by Play Store policy but still used in sideloaded malware |
| 14 | Dynamic Code Loading | High (droppers -- Anatsa, ThreatFabric) | Foundation of Play Store evasion; clean APK downloads malicious payload post-install |
| 15 | Play Store Evasion | High (Anatsa droppers, ThreatFabric; SharkBot, NCC Group; Joker 1,800+ apps) | Dropper apps, versioning attacks, and session-based installer abuse reach millions through the official store |
| 16 | Phishing Techniques | High (delivery) | Primary infection vector; smishing, fake Play Store pages, social engineering for permissions |
| 17 | Mass Malware Generation | High (infrastructure) | MaaS builders, crypter services, and coordinated store submission produce variants faster than detection can scale |
| 18 | Location Tracking | High in spyware; activation gate in banking trojans | Core spyware capability; banking trojans use it to restrict execution to target countries |
| 19 | Camera & Mic Surveillance | High (spyware, RATs) | Core capability of state-sponsored spyware and surveillance RATs; increasingly restricted by OS |
| 20 | Clipboard Hijacking | Rising (crypto-targeting -- SparkCat, SpyAgent) | Growing alongside cryptocurrency adoption; minimal permissions required from foreground |
| 21 | Fake Biometric Prompts | Rising (TrickMo, GoldPickaxe) | Captures device unlock PIN; lets remote-access malware unlock the device |
| 22 | AI-Assisted Malware | Rising | LLM-assisted development, deepfake biometric fraud, underground AI tools lowering skill barriers |
| 23 | NFC Relay | Emerging (NGate, ESET) | Bypasses contactless payment security entirely; hard to detect at the device level |
| 24 | App Virtualization | Emerging, high impact (FjordPhantom, Promon; GodFather v3, Zimperium) | Runs real banking apps inside malware-controlled sandbox; bypasses overlay detection, repackaging checks, root detection |
| 25 | Device Admin Abuse | Moderate (declining) | Prevents uninstall and enables device wipe; being replaced by accessibility-based persistence |
| 26 | Intent Hijacking | Moderate | Enables SMS/OTP theft and IPC interception; foundational for many attack chains |
| 27 | WebView Exploitation | Moderate | Targets hybrid apps; token theft, JavaScript injection, MITM within the app |
| 28 | Broadcast Theft | Moderate (declining) | SMS interception via broadcast receivers still works but restricted on newer Android versions |
| 29 | Deep Link Exploitation | Moderate | OAuth redirect attacks, app navigation hijacking; underestimated in mobile pentests |
| 30 | App Collusion | Moderate (SDK-mediated; PixPirate, Cleafy) | SDK-based cross-app data aggregation is the dominant model; multi-app malware architectures emerging |
| 31 | Network Traffic Interception | Moderate | DNS hijacking, VPN abuse, proxy configuration; Android 14 APEX certificate store makes user-CA MITM harder |
| 32 | Call Interception | Moderate (region-specific; Fakecalls, Kaspersky) | Voice phishing via call redirection; dominant in Korean-targeting campaigns |
| 33 | Device Wipe & Ransomware | Moderate (declining for ransomware, rising for evidence destruction) | File encryption declining due to scoped storage; factory reset as post-fraud cleanup is growing |
| 34 | Supply Chain Attacks | Moderate, very high impact (BADBOX, Triada firmware, SpinOk SDK, Necro, Goldoson) | Pre-install via firmware or poisoned SDKs bypasses the user's trust decision entirely |
| 35 | Carrier Billing Fraud | Moderate (region-dependent) | Joker-class DCB fraud persists in regions with active carrier billing; small per-victim charges hide at scale |
| 36 | SIM & Carrier Attacks | Moderate (region-specific) | SIM swap defeats SMS 2FA at the carrier level; Simjacker / WIBattack operate below the OS |
| 37 | Tapjacking | Low (declining) | Largely mitigated by filterTouchesWhenObscured and Android 12+ untrusted-touch restrictions |
| 38 | Task Affinity Attacks | Low | Niche but effective for targeted phishing within the task switcher |
| 39 | Launcher Hijacking | Low | Niche; mostly seen in lockscreen ransomware and parental-control abuse |
| 40 | Content Provider Attacks | Low | App-specific; dangerous when providers are exported without proper permissions |
| 41 | Work Profile Abuse | Low (targeted) | Enterprise-only attack surface; DPC API abuse and cross-profile intent attacks in BYOD environments |
| 42 | Privilege Escalation | Low for commodity malware, defining for commercial spyware (Pegasus, Predator) | Dividing line between sandboxed banking trojans and zero-click surveillance toolkits |