# Mobile Phishing & Malicious App Distribution (Android & iOS)
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This page covers techniques used by threat actors to distribute malicious Android APKs and iOS mobile-configuration profiles through phishing (SEO, social engineering, fake stores, dating apps, etc.). The material is adapted from the SarangTrap campaign exposed by Zimperium zLabs (2025) and other public research.
## Attack Flow
- **SEO/Phishing Infrastructure**
  - Register dozens of look-alike domains (dating, cloud share, car service…).
  - Use local-language keywords and emojis in the `<title>` element to rank in Google.
  - Host both Android (`.apk`) and iOS install instructions on the same landing page.
- **First Stage Download**
  - Android: direct link to an unsigned or "third-party store" APK.
  - iOS: `itms-services://` or plain HTTPS link to a malicious mobileconfig profile (see below).
- **Post-install Social Engineering**
  - On first run the app asks for an invitation / verification code (exclusive-access illusion).
  - The code is POSTed over HTTP to the Command-and-Control (C2).
  - C2 replies `{"success":true}` → malware continues.
  - Sandbox / AV dynamic analysis that never submits a valid code sees no malicious behaviour (evasion).
- **Runtime Permission Abuse (Android)**
  - Dangerous permissions are only requested after a positive C2 response:
    ```xml
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <!-- Older builds also asked for SMS permissions -->
    ```
  - Recent variants remove the `<uses-permission>` for SMS from `AndroidManifest.xml` but leave the Java/Kotlin code path that reads SMS through reflection → lowers the static score while still functional on devices that grant the permission via `AppOps` abuse or old targets.
- **Facade UI & Background Collection**
  - App shows harmless views (SMS viewer, gallery picker) implemented locally.
  - Meanwhile it exfiltrates:
    - IMEI / IMSI, phone number
    - Full `ContactsContract` dump (JSON array)
    - JPEG/PNG from `/sdcard/DCIM`, compressed with Luban to reduce size
    - Optional SMS content (`content://sms`)
  - Payloads are batch-zipped and sent via `HTTP POST /upload.php`.
- **iOS Delivery Technique**
  - A single mobile-configuration profile can request `PayloadType=com.apple.sharedlicenses`, `com.apple.managedConfiguration`, etc. to enroll the device in "MDM"-like supervision.
  - Social-engineering instructions:
    - Open Settings → Profile downloaded.
    - Tap Install three times (screenshots on the phishing page).
    - Trust the unsigned profile → attacker gains Contacts & Photo entitlement without App Store review.
- **Network Layer**
  - Plain HTTP, often on port 80 with a `Host` header like `api.<phishingdomain>.com`.
  - `User-Agent: Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230805.001)` (no TLS → easy to spot).
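Added example (not from the original page or the zLabs research): a small Python check that parses a decoded profile, as produced by `security cms -D -i profile.mobileconfig`, and flags the management-grade PayloadTypes named in the iOS Delivery Technique item above. The sample profile is constructed, and `com.apple.mdm` is on the watch list as an assumption beyond the page.

```python
import plistlib

# PayloadTypes that hand over management-style control. Seeing them in a profile
# pushed from a phishing page (rather than a corporate MDM) is the red flag.
# com.apple.mdm is added here as an assumption; the other two come from the page.
MANAGEMENT_PAYLOADS = {
    "com.apple.sharedlicenses",
    "com.apple.managedConfiguration",
    "com.apple.mdm",
}

def inspect_profile(decoded_plist):
    """Parse a decoded .mobileconfig (the XML `security cms -D` prints) and
    report which PayloadContent entries grant management-grade control."""
    profile = plistlib.loads(decoded_plist)
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType", "?") for p in payloads]
    management = sorted(set(types) & MANAGEMENT_PAYLOADS)
    return {
        "identifier": profile.get("PayloadIdentifier"),
        "organization": profile.get("PayloadOrganization"),
        "payload_types": types,
        "management": management,
        "suspicious": bool(management),
    }

# Constructed sample: what a phishing-delivered profile might decode to.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.dating-app</string>
  <key>PayloadOrganization</key><string>Example Dating</string>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.sharedlicenses</string></dict>
    <dict><key>PayloadType</key><string>com.apple.managedConfiguration</string></dict>
  </array>
</dict></plist>"""

if __name__ == "__main__":
    print(inspect_profile(SAMPLE_PROFILE))
```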
## Defensive Testing / Red-Team Tips
- Dynamic Analysis Bypass: during malware assessment, automate the invitation-code phase with Frida/Objection to reach the malicious branch.
- Manifest vs. Runtime Diff: compare `aapt dump permissions` with the permissions the running app actually requests or holds (`PackageInfo.requestedPermissions`, `checkSelfPermission()`); dangerous permissions missing from the manifest are a red flag.
- Network Canary: configure `iptables -p tcp --dport 80 -j NFQUEUE` to detect unsolicited POST bursts after code entry.
- mobileconfig Inspection: use `security cms -D -i profile.mobileconfig` on macOS to list `PayloadContent` and spot excessive entitlements.
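Added example, not part of the page: a Python script for the Manifest vs. Runtime Diff tip, comparing `aapt dump permissions` output against strings pulled from `classes.dex` to catch the "SMS permission removed, SMS code path kept" pattern described under Runtime Permission Abuse. The capability-to-string mapping and the sample aapt/dex data are constructed assumptions.

```python
import re

# Capability strings whose presence in classes.dex implies a permission the manifest
# should declare. This mapping is an assumption for the example, built from the
# SMS / contacts / storage / IMEI collection described above.
CAPABILITY_HINTS = {
    "android.permission.READ_SMS": [b"content://sms", b"Telephony$Sms"],
    "android.permission.READ_CONTACTS": [b"ContactsContract", b"content://com.android.contacts"],
    "android.permission.READ_EXTERNAL_STORAGE": [b"/sdcard/DCIM"],
    "android.permission.READ_PHONE_STATE": [b"getDeviceId", b"getSubscriberId"],
}

def declared_permissions(aapt_output):
    """Parse `aapt dump permissions app.apk` output into the set of declared permission names."""
    return set(re.findall(r"uses-permission: name='([^']+)'", aapt_output))

def dex_strings(dex_bytes):
    """Crude string extraction (printable runs of 6+ bytes); enough for hint matching."""
    return set(re.findall(rb"[\x20-\x7e]{6,}", dex_bytes))

def undeclared_capabilities(aapt_output, dex_bytes):
    """Map each permission the manifest lacks to the code hints that still reference
    the capability, i.e. the 'permission dropped, code path kept' evasion pattern."""
    declared = declared_permissions(aapt_output)
    strings = dex_strings(dex_bytes)
    findings = {}
    for perm, hints in CAPABILITY_HINTS.items():
        if perm in declared:
            continue
        hits = [h.decode() for h in hints if any(h in s for s in strings)]
        if hits:
            findings[perm] = hits
    return findings

# Constructed aapt output for a newer variant that dropped its SMS permissions...
SAMPLE_AAPT = """package: com.badapp.android
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""
# ...and a constructed classes.dex fragment that still carries the SMS reader strings.
SAMPLE_DEX = (b"dex\n035\x00" + b"\x00" * 8 + b"content://sms\x00"
              b"Landroid/provider/Telephony$Sms;\x00/upload.php\x00ContactsContract\x00")

if __name__ == "__main__":
    print(undeclared_capabilities(SAMPLE_AAPT, SAMPLE_DEX))
```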
## Blue-Team Detection Ideas
- Certificate Transparency / DNS analytics to catch sudden bursts of keyword-rich domains.
- User-Agent & Path Regex: `(?i)POST\s+/(check|upload)\.php` from Dalvik clients outside Google Play.
- Invite-code Telemetry: POST of 6-8 digit numeric codes shortly after APK install may indicate staging.
- MobileConfig Signing: block unsigned configuration profiles via MDM policy.
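Added example (not from the page): Python detection logic implementing the User-Agent/Path and Invite-code Telemetry ideas above over constructed proxy and install-event logs. The log format, the 15-minute install window, and the use of Google hosts as a stand-in for "outside Google Play" are assumptions; the path regex is widened to also match the `/req/checkCode.php` indicator listed below.

```python
import re
from datetime import datetime, timedelta

# Constructed sample feeds (device ids, hosts and timestamps are made up):
# one install-event feed (e.g. from an EDR/MDM agent) and one HTTP proxy feed.
INSTALL_EVENTS = [("dev-01", "2025-08-01T10:00:00Z", "com.badapp.android")]
HTTP_LOG = """\
2025-08-01T10:02:11Z dev-01 POST http://api.phish-example.com/req/checkCode.php ua="Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230805.001)" body="code=4921873"
2025-08-01T10:05:40Z dev-01 POST http://api.phish-example.com/upload.php ua="Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230805.001)" body="<zip payload>"
2025-08-01T10:06:02Z dev-02 POST https://play.googleapis.com/log/batch ua="Dalvik/2.1.0 (Linux; U; Android 13)" body="<protobuf>"
2025-08-01T11:30:00Z dev-01 GET http://example.org/index.html ua="Mozilla/5.0" body=""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<dev>\S+) (?P<method>[A-Z]+) (?P<scheme>https?)://(?P<host>[^/\s]+)'
    r'(?P<path>\S*) ua="(?P<ua>[^"]*)" body="(?P<body>[^"]*)"$')
# The page's path regex, widened so the /req/checkCode.php indicator also matches.
STAGING_PATH = re.compile(r"(?i)/(?:req/)?(?:check(?:code)?|upload)\.php")
INVITE_CODE = re.compile(r"(?<!\d)\d{6,8}(?!\d)")   # 6-8 digit numeric invite code
INSTALL_WINDOW = timedelta(minutes=15)               # assumption: "shortly after install"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect(http_log, install_events):
    """Return (timestamp, device, reason) tuples for HTTP lines matching the staging pattern."""
    installs = {dev: parse_ts(ts) for dev, ts, _pkg in install_events}
    alerts = []
    for line in http_log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Rule 1: Dalvik (raw HttpURLConnection) POST to a check/upload PHP endpoint
        # on a non-Google host. Google hosts stand in for "outside Google Play".
        dalvik = m["ua"].startswith("Dalvik/")
        google = m["host"].endswith((".googleapis.com", ".google.com"))
        if dalvik and not google and STAGING_PATH.search(m["path"]):
            proto = "plain HTTP" if m["scheme"] == "http" else "HTTPS"
            alerts.append((m["ts"], m["dev"], f"Dalvik POST to {m['path']} over {proto}"))
        # Rule 2: a 6-8 digit code POSTed within the window after an APK install
        installed = installs.get(m["dev"])
        delta = parse_ts(m["ts"]) - installed if installed else None
        if delta is not None and timedelta(0) <= delta <= INSTALL_WINDOW and INVITE_CODE.search(m["body"]):
            alerts.append((m["ts"], m["dev"], "6-8 digit code POSTed shortly after APK install"))
    return alerts
```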
## Useful Frida Snippet: Auto-Bypass Invitation Code

```javascript
// frida -U -f com.badapp.android -l bypass.js --no-pause
// Make the invitation-code check always see HTTP 200 + {"success":true} so the
// sample proceeds to its malicious branch during dynamic analysis.
Java.perform(function () {
  var URL = Java.use('java.net.URL');
  var HttpURLConnection = Java.use('java.net.HttpURLConnection');
  var JString = Java.use('java.lang.String');
  var ByteArrayInputStream = Java.use('java.io.ByteArrayInputStream');
  var patched = {}; // concrete connection classes already hooked

  // openConnection() is overloaded (with/without Proxy), so name the overload.
  URL.openConnection.overload().implementation = function () {
    var conn = this.openConnection();
    // Hook the concrete class actually returned (e.g. the platform's OkHttp-backed
    // HttpURLConnectionImpl); hooking the abstract base class would not take effect.
    if (HttpURLConnection.class.isInstance(conn) && !patched[conn.$className]) {
      var Impl = Java.use(conn.$className);
      Impl.getResponseCode.implementation = function () { return 200; };
      Impl.getInputStream.implementation = function () {
        // JS strings have no getBytes(); build a Java String first
        return ByteArrayInputStream.$new(JString.$new('{"success":true}').getBytes());
      };
      patched[conn.$className] = true;
    }
    return conn;
  };
});
```
## Indicators (Generic)

```text
/req/checkCode.php      # invite code validation
/upload.php             # batched ZIP exfiltration
LubanCompress 1.1.8     # "Luban" string inside classes.dex
```