// Simulate HOME / BACK / RECENTS … private void navHome() { performGlobalAction(GLOBAL_ACTION_HOME); } private void navBack() { performGlobalAction(GLOBAL_ACTION_BACK); } private void openRecents() { performGlobalAction(GLOBAL_ACTION_RECENTS); }

// Generic tap / swipe public void tap(float x, float y) { Path p = new Path(); p.moveTo(x, y); GestureDescription.StrokeDescription s = new GestureDescription.StrokeDescription(p, 0, 50); dispatchGesture(new GestureDescription.Builder().addStroke(s).build(), null, null); } }

</details>

केवल इन दो APIs के साथ एक हमलावर कर सकता है:
* स्क्रीन अनलॉक करना, बैंकिंग ऐप खोलना, उसके UI tree में नेविगेट करना और एक ट्रांसफ़र फॉर्म सबमिट करना।
* उठने वाले हर अनुमति संवाद को स्वीकार करना।
* अतिरिक्त APKs को Play Store intent के माध्यम से इंस्टॉल/अपडेट करना।

---

## दुरुपयोग पैटर्न

### 1. Overlay Phishing (Credential Harvesting)
एक पारदर्शी या अपारदर्शी `WebView` window manager में जोड़ा जाता है:
```java
WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
MATCH_PARENT, MATCH_PARENT,
TYPE_ACCESSIBILITY_OVERLAY,                      // ⬅ bypasses SYSTEM_ALERT_WINDOW
FLAG_NOT_FOCUSABLE | FLAG_NOT_TOUCH_MODAL,       // touches still reach the real app
PixelFormat.TRANSLUCENT);
wm.addView(phishingView, lp);

The victim types credentials into the fake form while the background app receives the same gestures – no suspicious “draw over other apps” prompt is ever shown.

Detailed example: the Accessibility Overlay Phishing section inside the Tapjacking page.

ClayRat exposes this capability with the show_block_screen / hide_block_screen commands that download overlay templates from the C2. Operators can switch layouts on the fly to:

• Black out the panel so the victim assumes the handset is off or frozen while automated gestures disable Play Protect or grant more permissions.
• Display fake system update / battery optimization panels that justify why the device is “busy” while background automation continues.
• Show an interactive PIN pad overlay that mirrors the system lock screen—the malware captures every digit and streams it to the operator as soon as a 4‑digit code is entered.

Because TYPE_ACCESSIBILITY_OVERLAY windows never raise the SYSTEM_ALERT_WINDOW permission prompt, the victim only sees the decoy UI while the RAT keeps interacting with the real apps underneath.

2. ऑन-डिवाइस धोखाधड़ी स्वचालन

Malware families such as PlayPraetor maintain a persistent WebSocket channel where the operator can issue high-level commands (init, update, alert_arr, report_list, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device.

3. स्क्रीन स्ट्रीमिंग & मॉनिटरिंग

ClayRat upgrades the usual MediaProjection trick into a remote desktop stack:

1. turbo_screen triggers the MediaProjection consent dialog; the Accessibility service clicks “Start now” so the victim never intervenes.
2. With the resulting MediaProjection token it creates a VirtualDisplay backed by an ImageReader, keeps a ForegroundService alive, and drains frames on worker threads.
3. Frames are JPEG/PNG encoded according to the operator-supplied set_quality parameter (defaults to 60 when missing) and shipped over an HTTP→WebSocket upgrade advertising the custom ClayRemoteDesktop user-agent.
4. start_desktop / stop_desktop manage the capture threads while screen_tap, screen_swipe, input_text, press_home, press_back and press_recents replay gestures against the live framebuffer.

परिणाम एक VNC-जैसा फ़ीड है जो पूरी तरह अधिकृत APIs के माध्यम से प्रदान किया जाता है—कोई root या kernel exploits नहीं—फिर भी यह हमलावर को मिलीसेकंड लेटेंसी के साथ लाइव परिस्थितिजन्य जागरूकता देता है।

4. लॉक-स्क्रीन क्रेडेंशियल चोरी & ऑटो-अनलॉक

ClayRat subscribes to TYPE_WINDOW_CONTENT_CHANGED / TYPE_VIEW_TEXT_CHANGED events emitted by com.android.systemui (Keyguard). It reconstructs whatever guard is active:

• PIN – watches keypad button presses until the locker reports completion.
• Password – concatenates strings seen in the focused password field for each AccessibilityEvent.
• Pattern – records the ordered node indices inferred from gesture coordinates across the 3×3 grid.

Secrets plus metadata (lock type + timestamp) are serialized into SharedPreferences under lock_password_storage. When the operator pushes auto_unlock, the service wakes the device with unlock_device / screen_on, replays the stored digits or gestures through dispatchGesture, and silently bypasses the keyguard so subsequent ODF workflows can continue.

5. नोटिफिकेशन फिशिंग & हार्वेस्टिंग

A companion Notification Listener turns the shade into a phishing surface:

• get_push_notifications dumps every currently visible notification, including OTP / MFA messages.
• The notifications command toggles a notifications_enabled flag so each future onNotificationPosted() payload is streamed to the C2 in real time.
• send_push_notification lets operators craft fake, interactive notifications that impersonate banking or chat apps; any text the victim submits is parsed as credentials and exfiltrated immediately.

क्योंकि Accessibility प्रोग्रामेटिकली notification shade खोल/बंद कर सकता है, यह तरीका लक्षित ऐप्स को छुए बिना ही सीक्रेट्स हार्वेस्ट कर लेता है।

6. टेलीफ़ोनी & SMS कमांड चैनल

After coercing the user into setting the RAT as the default SMS app, the following commands provide complete modem control:

• send_sms and retransmishion send arbitrary or replayed messages to attacker-controlled numbers.
• messsms iterates over the entire contacts database to spam phishing links for worm-like propagation.
• make_call initiates voice calls that support social-engineering workflows.
• get_sms_list / get_sms and get_call_log / get_calls dump inboxes and call history so MFA codes or call metadata can be abused instantly.

Accessibility-driven UI navigation के साथ मिलकर, ClayRat नोटिफिकेशन/SMS के जरिए OTP प्राप्त कर सकता है और उसे तत्क्षण लक्ष्य बैंकिंग या एंटरप्राइज़ ऐप में इनपुट करवा सकता है।

7. डिस्कवरी, कलेक्शन & प्रॉक्सीइंग

Additional ClayRat commands map the environment and keep C2 resilient:

• get_apps / get_apps_list enumerate installed packages (ATT&CK T1418).
• get_device_info reports model, OS version and battery state (T1426).
• get_cam / get_camera capture front-camera stills, while get_keylogger_data serializes lock PINs plus passwords, view descriptions and hints scraped from sensitive fields.
• get_proxy_data fetches a proxy WebSocket URL, appends the unique device ID and spins a job that tunnels HTTP/HTTPS over the same bidirectional channel (T1481.002 / T1646).

PlayPraetor – कमांड & कंट्रोल वर्कफ़्लो

1. HTTP(S) heartbeat – iterate over a hard-coded list until one domain answers POST /app/searchPackageName with the active C2.
2. WebSocket (port 8282) – bidirectional JSON commands:

• update – push new conf/APKs
• alert_arr – configure overlay templates
• report_list – send list of targeted package names
• heartbeat_web – keep-alive

3. RTMP (port 1935) – live screen/video streaming.
4. REST exfiltration –

• /app/saveDevice (fingerprint)
• /app/saveContacts | /app/saveSms | /app/uploadImageBase64
• /app/saveCardPwd (bank creds)

The AccessibilityService is the local engine that turns those cloud commands into physical interactions.

मालिशियस accessibility services का पता लगाना

• adb shell settings get secure enabled_accessibility_services
• Settings → Accessibility → Downloaded services – उन ऐप्स को देखें जो Google Play से नहीं हैं।
• MDM / EMM solutions can enforce ACCESSIBILITY_ENFORCEMENT_DEFAULT_DENY (Android 13+) to block sideloaded services.
• Analyse running services:

adb shell dumpsys accessibility | grep "Accessibility Service"

ऐप डेवलपर्स के लिए हार्डेनिंग सिफारिशें

• Mark sensitive views with android:accessibilityDataSensitive="accessibilityDataPrivateYes" (API 34+).
• Combine setFilterTouchesWhenObscured(true) with FLAG_SECURE to prevent tap/overlay hijacking.
• Detect overlays by polling WindowManager.getDefaultDisplay().getFlags() or the ViewRootImpl API.
• Refuse to operate when Settings.canDrawOverlays() or a non-trusted Accessibility service is active.

ATS automation cheat-sheet (Accessibility-driven)

Malware can fully automate a bank app with only Accessibility APIs. Generic primitives:

private void dumpTree(AccessibilityNodeInfo n, String indent, StringBuilder sb){
if (n==null) return;
Rect b = new Rect(); n.getBoundsInScreen(b);
CharSequence txt = n.getText(); CharSequence cls = n.getClassName();
sb.append(indent).append("[").append(cls).append("] ")
.append(txt==null?"":txt).append(" ")
.append(b.toShortString()).append("\n");
for (int i=0;i<n.getChildCount();i++) dumpTree(n.getChild(i), indent+"  ", sb);
}

DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(DEVICE_POLICY_SERVICE);
ComponentName admin = new ComponentName(this, AdminReceiver.class);

// 1) Immediate lock
dpm.lockNow();

// 2) Force credential change (expire current PIN/password)
dpm.setPasswordExpirationTimeout(admin, 1L); // may require owner/profile-owner on recent Android

// 3) Disable biometric unlock to force PIN/pattern entry
int flags = DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT |
DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS;
dpm.setKeyguardDisabledFeatures(admin, flags);