// Simulate HOME / BACK / RECENTS … private void navHome() { performGlobalAction(GLOBAL_ACTION_HOME); } private void navBack() { performGlobalAction(GLOBAL_ACTION_BACK); } private void openRecents() { performGlobalAction(GLOBAL_ACTION_RECENTS); }

// Generic tap / swipe public void tap(float x, float y) { Path p = new Path(); p.moveTo(x, y); GestureDescription.StrokeDescription s = new GestureDescription.StrokeDescription(p, 0, 50); dispatchGesture(new GestureDescription.Builder().addStroke(s).build(), null, null); } }

</details>

이 두 개의 API만으로 공격자는:
* 화면 잠금을 해제하고, 은행 앱을 열어 UI 트리를 탐색한 뒤 이체 폼을 제출할 수 있다.
* 떠오르는 모든 권한 대화상자를 수락할 수 있다.
* 추가 APK를 Play Store intent를 통해 설치/업데이트할 수 있다.

---

## 악용 패턴

### 1. Overlay Phishing (Credential Harvesting)
A transparent or opaque `WebView` is added to the window manager:
```java
WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
MATCH_PARENT, MATCH_PARENT,
TYPE_ACCESSIBILITY_OVERLAY,                      // ⬅ bypasses SYSTEM_ALERT_WINDOW
FLAG_NOT_FOCUSABLE | FLAG_NOT_TOUCH_MODAL,       // touches still reach the real app
PixelFormat.TRANSLUCENT);
wm.addView(phishingView, lp);

The victim types credentials into the fake form while the background app receives the same gestures – no suspicious “draw over other apps” prompt is ever shown.

Detailed example: the Accessibility Overlay Phishing section inside the Tapjacking page.

ClayRat exposes this capability with the show_block_screen / hide_block_screen commands that download overlay templates from the C2. Operators can switch layouts on the fly to:

• Black out the panel so the victim assumes the handset is off or frozen while automated gestures disable Play Protect or grant more permissions.
• Display fake system update / battery optimization panels that justify why the device is “busy” while background automation continues.
• Show an interactive PIN pad overlay that mirrors the system lock screen—the malware captures every digit and streams it to the operator as soon as a 4‑digit code is entered.

Because TYPE_ACCESSIBILITY_OVERLAY windows never raise the SYSTEM_ALERT_WINDOW permission prompt, the victim only sees the decoy UI while the RAT keeps interacting with the real apps underneath.

2. 디바이스 내 사기 자동화

Malware families such as PlayPraetor maintain a persistent WebSocket channel where the operator can issue high-level commands (init, update, alert_arr, report_list, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device.

3. 화면 스트리밍 및 모니터링

ClayRat upgrades the usual MediaProjection trick into a remote desktop stack:

1. turbo_screen triggers the MediaProjection consent dialog; the Accessibility service clicks “Start now” so the victim never intervenes.
2. With the resulting MediaProjection token it creates a VirtualDisplay backed by an ImageReader, keeps a ForegroundService alive, and drains frames on worker threads.
3. Frames are JPEG/PNG encoded according to the operator-supplied set_quality parameter (defaults to 60 when missing) and shipped over an HTTP→WebSocket upgrade advertising the custom ClayRemoteDesktop user-agent.
4. start_desktop / stop_desktop manage the capture threads while screen_tap, screen_swipe, input_text, press_home, press_back and press_recents replay gestures against the live framebuffer.

The result is a VNC-like feed delivered entirely through sanctioned APIs—no root or kernel exploits—yet it hands the attacker live situational awareness with millisecond latency.

4. 잠금화면 인증 정보 탈취 및 자동 잠금해제

ClayRat subscribes to TYPE_WINDOW_CONTENT_CHANGED / TYPE_VIEW_TEXT_CHANGED events emitted by com.android.systemui (Keyguard). It reconstructs whatever guard is active:

• PIN – watches keypad button presses until the locker reports completion.
• Password – concatenates strings seen in the focused password field for each AccessibilityEvent.
• Pattern – records the ordered node indices inferred from gesture coordinates across the 3×3 grid.

Secrets plus metadata (lock type + timestamp) are serialized into SharedPreferences under lock_password_storage. When the operator pushes auto_unlock, the service wakes the device with unlock_device / screen_on, replays the stored digits or gestures through dispatchGesture, and silently bypasses the keyguard so subsequent ODF workflows can continue.

5. 알림 피싱 및 수집

A companion Notification Listener turns the shade into a phishing surface:

• get_push_notifications dumps every currently visible notification, including OTP / MFA messages.
• The notifications command toggles a notifications_enabled flag so each future onNotificationPosted() payload is streamed to the C2 in real time.
• send_push_notification lets operators craft fake, interactive notifications that impersonate banking or chat apps; any text the victim submits is parsed as credentials and exfiltrated immediately.

Because Accessibility can open/dismiss the notification shade programmatically, this method harvests secrets without touching the targeted apps.

6. 통화 및 SMS 명령 채널

After coercing the user into setting the RAT as the default SMS app, the following commands provide complete modem control:

• send_sms and retransmishion send arbitrary or replayed messages to attacker-controlled numbers.
• messsms iterates over the entire contacts database to spam phishing links for worm-like propagation.
• make_call initiates voice calls that support social-engineering workflows.
• get_sms_list / get_sms and get_call_log / get_calls dump inboxes and call history so MFA codes or call metadata can be abused instantly.

Combined with Accessibility-driven UI navigation, ClayRat can receive an OTP via notification/SMS and immediately input it inside the target banking or enterprise app.

7. 탐지, 수집 및 프록시

Additional ClayRat commands map the environment and keep C2 resilient:

• get_apps / get_apps_list enumerate installed packages (ATT&CK T1418).
• get_device_info reports model, OS version and battery state (T1426).
• get_cam / get_camera capture front-camera stills, while get_keylogger_data serializes lock PINs plus passwords, view descriptions and hints scraped from sensitive fields.
• get_proxy_data fetches a proxy WebSocket URL, appends the unique device ID and spins a job that tunnels HTTP/HTTPS over the same bidirectional channel (T1481.002 / T1646).

PlayPraetor – 명령 및 제어 워크플로우

1. HTTP(S) heartbeat – iterate over a hard-coded list until one domain answers POST /app/searchPackageName with the active C2.
2. WebSocket (port 8282) – bidirectional JSON commands:

• update – push new conf/APKs
• alert_arr – configure overlay templates
• report_list – send list of targeted package names
• heartbeat_web – keep-alive

3. RTMP (port 1935) – live screen/video streaming.
4. REST exfiltration –

• /app/saveDevice (fingerprint)
• /app/saveContacts | /app/saveSms | /app/uploadImageBase64
• /app/saveCardPwd (bank creds)

The AccessibilityService is the local engine that turns those cloud commands into physical interactions.

악성 Accessibility 서비스 탐지

• adb shell settings get secure enabled_accessibility_services
• Settings → Accessibility → Downloaded services – look for apps that are not from Google Play.
• MDM / EMM solutions can enforce ACCESSIBILITY_ENFORCEMENT_DEFAULT_DENY (Android 13+) to block sideloaded services.
• Analyse running services:

adb shell dumpsys accessibility | grep "Accessibility Service"

앱 개발자를 위한 강화 권고

• Mark sensitive views with android:accessibilityDataSensitive="accessibilityDataPrivateYes" (API 34+).
• Combine setFilterTouchesWhenObscured(true) with FLAG_SECURE to prevent tap/overlay hijacking.
• Detect overlays by polling WindowManager.getDefaultDisplay().getFlags() or the ViewRootImpl API.
• Refuse to operate when Settings.canDrawOverlays() or a non-trusted Accessibility service is active.

ATS 자동화 치트시트 (Accessibility-driven)

Malware can fully automate a bank app with only Accessibility APIs. Generic primitives:

private void dumpTree(AccessibilityNodeInfo n, String indent, StringBuilder sb){
if (n==null) return;
Rect b = new Rect(); n.getBoundsInScreen(b);
CharSequence txt = n.getText(); CharSequence cls = n.getClassName();
sb.append(indent).append("[").append(cls).append("] ")
.append(txt==null?"":txt).append(" ")
.append(b.toShortString()).append("\n");
for (int i=0;i<n.getChildCount();i++) dumpTree(n.getChild(i), indent+"  ", sb);
}

DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(DEVICE_POLICY_SERVICE);
ComponentName admin = new ComponentName(this, AdminReceiver.class);

// 1) Immediate lock
dpm.lockNow();

// 2) Force credential change (expire current PIN/password)
dpm.setPasswordExpirationTimeout(admin, 1L); // may require owner/profile-owner on recent Android

// 3) Disable biometric unlock to force PIN/pattern entry
int flags = DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT |
DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS;
dpm.setKeyguardDisabledFeatures(admin, flags);