// Simulate HOME / BACK / RECENTS … private void navHome() { performGlobalAction(GLOBAL_ACTION_HOME); } private void navBack() { performGlobalAction(GLOBAL_ACTION_BACK); } private void openRecents() { performGlobalAction(GLOBAL_ACTION_RECENTS); }

// Generic tap / swipe public void tap(float x, float y) { Path p = new Path(); p.moveTo(x, y); GestureDescription.StrokeDescription s = new GestureDescription.StrokeDescription(p, 0, 50); dispatchGesture(new GestureDescription.Builder().addStroke(s).build(), null, null); } }

</details>

Kwa kutumia APIs hizi mbili tu mshambuliaji anaweza:
* Kufungua skrini, kufungua app ya benki, kuvinjari mti wa UI yake na kuwasilisha fomu ya uhamisho.
* Kubali kila dirisha la ruhusa linalojitokeza.
* Sakinisha au sasisha APK za ziada kupitia Play Store intent.

---

## Mifumo ya matumizi mabaya

### 1. Overlay Phishing (Credential Harvesting)
`WebView` ya uwazi au isiyo wazi inaongezwa kwenye msimamizi wa dirisha:
```java
WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
MATCH_PARENT, MATCH_PARENT,
TYPE_ACCESSIBILITY_OVERLAY,                      // ⬅ bypasses SYSTEM_ALERT_WINDOW
FLAG_NOT_FOCUSABLE | FLAG_NOT_TOUCH_MODAL,       // touches still reach the real app
PixelFormat.TRANSLUCENT);
wm.addView(phishingView, lp);

The victim types credentials into the fake form while the background app receives the same gestures – no suspicious “draw over other apps” prompt is ever shown.

Mfano wa kina: sehemu ya Accessibility Overlay Phishing ndani ya ukurasa wa Tapjacking.

ClayRat exposes this capability with the show_block_screen / hide_block_screen commands that download overlay templates from the C2. Operators can switch layouts on the fly to:

• Funika kwa giza paneli ili muathiriwa afikirie kifaa kimezimwa au kimeganda wakati vitendo vya moja kwa moja vinavunywa Play Protect au kutoa ruhusa zaidi.
• Onyesha paneli bandia za system update / battery optimization zinazotoa sababu kwa nini kifaa kina “busy” wakati automatisering ya background inaendelea.
• Onyesha overlay ya interactive PIN pad inayolingana na skrini ya kufunga ya mfumo—malware huchukua kila namba na ku-stream kwa operator mara tu kodu ya tarakimu 4 inapoingizwa.

Because TYPE_ACCESSIBILITY_OVERLAY windows never raise the SYSTEM_ALERT_WINDOW permission prompt, the victim only sees the decoy UI while the RAT keeps interacting with the real apps underneath.

2. On-Device Fraud automation

Malware families such as PlayPraetor maintain a persistent WebSocket channel where the operator can issue high-level commands (init, update, alert_arr, report_list, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor-authentication tied to that very device.

3. Screen streaming & monitoring

ClayRat upgrades the usual MediaProjection trick into a remote desktop stack:

1. turbo_screen triggers the MediaProjection consent dialog; the Accessibility service clicks “Start now” so the victim never intervenes.
2. With the resulting MediaProjection token it creates a VirtualDisplay backed by an ImageReader, keeps a ForegroundService alive, and drains frames on worker threads.
3. Frames are JPEG/PNG encoded according to the operator-supplied set_quality parameter (defaults to 60 when missing) and shipped over an HTTP→WebSocket upgrade advertising the custom ClayRemoteDesktop user-agent.
4. start_desktop / stop_desktop manage the capture threads while screen_tap, screen_swipe, input_text, press_home, press_back and press_recents replay gestures against the live framebuffer.

The result is a VNC-like feed delivered entirely through sanctioned APIs—no root or kernel exploits—yet it hands the attacker live situational awareness with millisecond latency.

4. Lock-screen credential theft & auto-unlock

ClayRat subscribes to TYPE_WINDOW_CONTENT_CHANGED / TYPE_VIEW_TEXT_CHANGED events emitted by com.android.systemui (Keyguard). It reconstructs whatever guard is active:

• PIN – watches keypad button presses until the locker reports completion.
• Password – concatenates strings seen in the focused password field for each AccessibilityEvent.
• Pattern – records the ordered node indices inferred from gesture coordinates across the 3×3 grid.

Secrets plus metadata (lock type + timestamp) are serialized into SharedPreferences under lock_password_storage. When the operator pushes auto_unlock, the service wakes the device with unlock_device / screen_on, replays the stored digits or gestures through dispatchGesture, and silently bypasses the keyguard so subsequent ODF workflows can continue.

5. Notification phishing & harvesting

A companion Notification Listener turns the shade into a phishing surface:

• get_push_notifications dumps every currently visible notification, including OTP / MFA messages.
• The notifications command toggles a notifications_enabled flag so each future onNotificationPosted() payload is streamed to the C2 in real time.
• send_push_notification lets operators craft fake, interactive notifications that impersonate banking or chat apps; any text the victim submits is parsed as credentials and exfiltrated immediately.

Because Accessibility can open/dismiss the notification shade programmatically, this method harvests secrets without touching the targeted apps.

6. Telephony & SMS command channel

After coercing the user into setting the RAT as the default SMS app, the following commands provide complete modem control:

• send_sms and retransmishion send arbitrary or replayed messages to attacker-controlled numbers.
• messsms iterates over the entire contacts database to spam phishing links for worm-like propagation.
• make_call initiates voice calls that support social-engineering workflows.
• get_sms_list / get_sms and get_call_log / get_calls dump inboxes and call history so MFA codes or call metadata can be abused instantly.

Combined with Accessibility-driven UI navigation, ClayRat can receive an OTP via notification/SMS and immediately input it inside the target banking or enterprise app.

7. Discovery, collection & proxying

Additional ClayRat commands map the environment and keep C2 resilient:

• get_apps / get_apps_list enumerate installed packages (ATT&CK T1418).
• get_device_info reports model, OS version and battery state (T1426).
• get_cam / get_camera capture front-camera stills, while get_keylogger_data serializes lock PINs plus passwords, view descriptions and hints scraped from sensitive fields.
• get_proxy_data fetches a proxy WebSocket URL, appends the unique device ID and spins a job that tunnels HTTP/HTTPS over the same bidirectional channel (T1481.002 / T1646).

PlayPraetor – command & control workflow

1. HTTP(S) heartbeat – iterate over a hard-coded list until one domain answers POST /app/searchPackageName with the active C2.
2. WebSocket (port 8282) – bidirectional JSON commands:

• update – push new conf/APKs
• alert_arr – configure overlay templates
• report_list – send list of targeted package names
• heartbeat_web – keep-alive

3. RTMP (port 1935) – live screen/video streaming.
4. REST exfiltration –

• /app/saveDevice (fingerprint)
• /app/saveContacts | /app/saveSms | /app/uploadImageBase64
• /app/saveCardPwd (bank creds)

The AccessibilityService is the local engine that turns those cloud commands into physical interactions.

Detecting malicious accessibility services

• adb shell settings get secure enabled_accessibility_services
• Settings → Accessibility → Downloaded services – look for apps that are not from Google Play.
• MDM / EMM solutions can enforce ACCESSIBILITY_ENFORCEMENT_DEFAULT_DENY (Android 13+) to block sideloaded services.
• Analyse running services:

adb shell dumpsys accessibility | grep "Accessibility Service"

Hardening recommendations for app developers

• Mark sensitive views with android:accessibilityDataSensitive="accessibilityDataPrivateYes" (API 34+).
• Combine setFilterTouchesWhenObscured(true) with FLAG_SECURE to prevent tap/overlay hijacking.
• Detect overlays by polling WindowManager.getDefaultDisplay().getFlags() or the ViewRootImpl API.
• Refuse to operate when Settings.canDrawOverlays() or a non-trusted Accessibility service is active.

ATS automation cheat-sheet (Accessibility-driven)

Malware can fully automate a bank app with only Accessibility APIs. Generic primitives:

private void dumpTree(AccessibilityNodeInfo n, String indent, StringBuilder sb){
if (n==null) return;
Rect b = new Rect(); n.getBoundsInScreen(b);
CharSequence txt = n.getText(); CharSequence cls = n.getClassName();
sb.append(indent).append("[").append(cls).append("] ")
.append(txt==null?"":txt).append(" ")
.append(b.toShortString()).append("\n");
for (int i=0;i<n.getChildCount();i++) dumpTree(n.getChild(i), indent+"  ", sb);
}

DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(DEVICE_POLICY_SERVICE);
ComponentName admin = new ComponentName(this, AdminReceiver.class);

// 1) Immediate lock
dpm.lockNow();

// 2) Force credential change (expire current PIN/password)
dpm.setPasswordExpirationTimeout(admin, 1L); // may require owner/profile-owner on recent Android

// 3) Disable biometric unlock to force PIN/pattern entry
int flags = DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT |
DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS;
dpm.setKeyguardDisabledFeatures(admin, flags);