# Attack Techniques
Documented exploitation techniques targeting Android applications and the OS. Each technique covers what it is, the preconditions required, how it works in practice, real-world malware that uses it, and how it has evolved across Android versions.
Organized by the Android component or mechanism being targeted.
## Techniques
| Technique | Target Surface | Key Permissions |
|---|---|---|
| Overlay Attacks | Window Manager | SYSTEM_ALERT_WINDOW |
| Accessibility Abuse | Accessibility Service | BIND_ACCESSIBILITY_SERVICE |
| Screen Capture | MediaProjection / Accessibility | FOREGROUND_SERVICE, BIND_ACCESSIBILITY_SERVICE |
| Keylogging | InputMethodService / Accessibility | BIND_ACCESSIBILITY_SERVICE |
| SMS Interception | SMS / BroadcastReceiver | RECEIVE_SMS, READ_SMS |
| Notification Listener Abuse | NotificationListenerService | BIND_NOTIFICATION_LISTENER_SERVICE |
| Automated Transfer Systems | Accessibility + Banking Apps | BIND_ACCESSIBILITY_SERVICE |
| Phishing Techniques | UI / Social Engineering | SYSTEM_ALERT_WINDOW (optional) |
| C2 Communication | Network / IPC | INTERNET |
| Dynamic Code Loading | ClassLoader / Runtime | None (app-private storage) |
| Device Admin Abuse | DevicePolicyManager | BIND_DEVICE_ADMIN |
| Persistence Techniques | Services / Receivers | RECEIVE_BOOT_COMPLETED, FOREGROUND_SERVICE |
| Intent Hijacking | Activities, Services | None (component export) |
| Deep Link Exploitation | Activities | None (URI scheme) |
| WebView Exploitation | WebView | Varies |
| Content Provider Attacks | Content Providers | None (provider export) |
| Tapjacking | Touch Events | SYSTEM_ALERT_WINDOW |
| Task Affinity Attacks | Activity Stack | None (manifest config) |
| Broadcast Theft | Broadcast Receivers | Varies |
| NFC Relay | NFC / Host Card Emulation | NFC (normal) |
| Clipboard Hijacking | ClipboardManager | None (foreground) or BIND_ACCESSIBILITY_SERVICE |
| App Virtualization | VirtualApp / DroidPlugin | None (app-level) |
| App Collusion | IPC / Shared Storage / SDKs | Varies (distributed across apps) |
| AI-Assisted Malware | LLMs / Deepfakes / Adversarial ML | Varies |
| Anti-Analysis Techniques | Emulator / Root / Frida / Debugger | QUERY_ALL_PACKAGES |
| Call Interception | TelecomManager / CallRedirectionService | CALL_PHONE, READ_PHONE_STATE |
| Camera & Mic Surveillance | Camera / MediaRecorder / MediaProjection | CAMERA, RECORD_AUDIO |
| Device Wipe & Ransomware | DevicePolicyManager / File System | BIND_DEVICE_ADMIN, MANAGE_EXTERNAL_STORAGE |
| Mass Malware Generation | MaaS Builders / Crypters / Repackaging | None (tooling-level) |
| Network Traffic Interception | VpnService / DNS / Certificate Store | BIND_VPN_SERVICE |
| Notification Suppression | NotificationListenerService / AudioManager | BIND_NOTIFICATION_LISTENER_SERVICE |
## Kill Chain
How attacks chain together in a typical Android banking trojan or spyware operation. Each stage builds on the previous one.
| Stage | Objective | Techniques / Permissions | What Happens |
|---|---|---|---|
| 1. Delivery | Get on device | Phishing, sideloading, Play Store dropper, smishing link | APK delivered as fake app (Chrome update, Flash Player, bank app) |
| 2. Dropper | Install payload | REQUEST_INSTALL_PACKAGES, Dynamic Code Loading | Dropper downloads and installs the real malware APK at runtime |
| 3. Persistence | Survive reboots | Persistence Techniques: RECEIVE_BOOT_COMPLETED + FOREGROUND_SERVICE | Boot receiver re-launches malware; foreground service prevents kill |
| 4. Privilege escalation | Gain control | Accessibility Abuse, Device Admin Abuse | User tricked into enabling accessibility service or device admin; malware can now auto-grant permissions, read screens, inject input, resist uninstall |
| 5. Credential theft | Steal logins | Overlay Attacks, Keylogging, Screen Capture, Clipboard Hijacking | Phishing overlay injected over banking app, keystrokes captured, screen recorded, clipboard monitored for seed phrases |
| 6. 2FA bypass | Intercept OTPs | SMS Interception, Notification Listener Abuse | SMS OTPs intercepted via broadcast receiver or read from notification shade; push-based OTPs captured via notification listener |
| 7. On-device fraud | Move money | Automated Transfer Systems | ATS fills in transfer fields, confirms transactions, hides SMS confirmations |
| 8. Exfiltration | Send data to C2 | C2 Communication: INTERNET | Credentials, SMS, contacts, screen recordings sent to C2 over HTTP/WebSocket |
| 9. Anti-analysis | Avoid detection | Anti-Analysis Techniques, Device Admin Abuse | Check for emulators/AV/Frida, suppress notifications, wipe device on detection |
## Technique Combinations
Attacks rarely operate alone. These are the most common pairings observed in active malware families.
| Combination | Result | Families Using It |
|---|---|---|
| Overlay + Accessibility | Credential theft with ATS -- overlay steals creds, accessibility automates transfers | Cerberus, Ermac, Hook, Xenomorph, Octo, GodFather, TsarBot |
| Accessibility + Screen Capture | Remote access / VNC -- accessibility provides input control, screen capture provides visual feed | Hook, Octo, Vultur, BingoMod, Brokewell |
| Accessibility + Keylogging | Full input capture -- every keystroke and text field value recorded | Cerberus, Ermac, TrickMo, SpyNote |
| Accessibility + Clipboard Hijacking | Crypto theft -- accessibility reads screen content, clipboard captures wallet addresses | SparkCat, SpyAgent, Clipper variants |
| Notification Listener + SMS Interception | Complete OTP theft -- SMS receiver grabs text-based codes, notification listener catches push-based codes | Anatsa, Xenomorph, GodFather |
| Dynamic Code Loading + Phishing | Dropper with clean initial scan -- benign APK passes Play Protect, downloads payload post-install | Anatsa, SharkBot, Joker |
| Device Admin + Persistence | Unremovable malware -- device admin blocks uninstall, persistence survives reboots | BRATA, Cerberus, Rafel RAT |
| Overlay + Tapjacking | Layered UI deception -- overlay captures input while tapjacking forces user interaction | Anubis, BankBot (older families pre-Android 12) |
| Accessibility + NFC Relay | Contactless payment fraud -- accessibility extracts card PINs, NFC relay clones tap-to-pay | NGate, GoldPickaxe |
| Deep Links + WebView | Token theft -- deep link redirects into malicious WebView that leaks auth tokens | App-specific exploits, Mandrake |
| Intent Hijacking + Broadcast Theft | SMS interception -- hijack SMS broadcast to steal OTPs before the real app sees them | FluBot, Anatsa, most banking trojans |
| Accessibility + Content Provider | Data exfiltration -- accessibility navigates apps, content provider queries extract stored data | Spyware families (Pegasus, Predator) |
| App Virtualization + Accessibility | Overlay-free credential theft -- real banking app runs in hostile sandbox, accessibility redirects launch intents | GodFather v3, FjordPhantom |
| App Collusion + Persistence | Resilient multi-app architecture -- payload survives deletion of the visible dropper app | PixPirate |
| Mass Malware Generation + Play Store Evasion | Volume-based evasion -- hundreds of variants submitted across distributed developer accounts overwhelm review | Vapor (331 apps), Konfety (250+ apps), Joker (1,700+ variants) |
| Notification Suppression + ATS | Invisible fraud -- transaction alerts dismissed while ATS moves money | Cerberus, Hook, Octo, Xenomorph |
| Call Interception + Phishing | Voice phishing -- victim calls real bank number but reaches attacker IVR | Fakecalls, Letscall |
| Device Wipe + ATS | Post-fraud cleanup -- factory reset destroys evidence after money transfer | BRATA, BingoMod |
| Camera/Mic Surveillance + Accessibility | Full device surveillance -- camera/mic capture with screen reading and input injection | SpyNote, Pegasus |
| Anti-Analysis + Dynamic Code Loading | Staged evasion -- environment checks before loading payload; sandbox sees nothing | Anatsa, Mandrake, Octo |
| Network Interception + DNS Manipulation | Network-level phishing -- DNS hijacking redirects banking domains to credential harvesting | MoqHao / Roaming Mantis |
## Defense Priority
Ranked by prevalence in modern (2024-2025) Android malware. Priority reflects how frequently the technique appears in active campaigns and how much damage it enables.
| Rank | Technique | Prevalence | Why It Matters |
|---|---|---|---|
| 1 | Accessibility Abuse | Nearly universal in banking trojans | Enables everything: auto-granting permissions, reading screens, performing ATS, bypassing 2FA |
| 2 | Overlay Attacks | High (banking trojans) | Primary credential harvesting method; still effective despite Android restrictions |
| 3 | Screen Capture | High (banking trojans, RATs) | Real-time VNC and screen recording for credential theft and remote control |
| 4 | Keylogging | High (banking trojans, spyware) | Captures passwords and OTPs as users type; pairs with accessibility for full coverage |
| 5 | C2 Communication | Universal | Every malware family needs a command channel; multi-channel C2 is the norm |
| 6 | Persistence Techniques | Universal (supporting) | Required for any long-running operation; boot receivers and foreground services are baseline |
| 7 | Automated Transfer Systems | High (banking trojans) | On-device fraud that bypasses bank-side device fingerprinting and session checks |
| 8 | SMS Interception | High (declining on newer OS) | Original 2FA bypass method; restricted by Play Store policy but still used in sideloaded malware |
| 9 | Notification Listener Abuse | High (rising) | Replaced SMS interception as primary OTP theft vector; reads all app notifications |
| 10 | Dynamic Code Loading | High (droppers) | Foundation of Play Store evasion; clean APK downloads malicious payload post-install |
| 11 | Phishing Techniques | High (delivery) | Primary infection vector; smishing, fake Play Store pages, social engineering for permissions |
| 12 | Clipboard Hijacking | Rising (crypto-targeting) | Growing alongside cryptocurrency adoption; minimal permissions required from foreground |
| 13 | NFC Relay | Emerging | Bypasses contactless payment security entirely; hard to detect at the device level |
| 14 | Device Admin Abuse | Moderate (declining) | Prevents uninstall and enables device wipe; being replaced by accessibility-based persistence |
| 15 | Intent Hijacking | Moderate | Enables SMS/OTP theft and IPC interception; foundational for many attack chains |
| 16 | WebView Exploitation | Moderate | Targets hybrid apps; token theft, JavaScript injection, MITM within the app |
| 17 | Broadcast Theft | Moderate (declining) | SMS interception still works but restricted on newer Android versions |
| 18 | Deep Link Exploitation | Moderate | OAuth redirect attacks, app navigation hijacking; underestimated in mobile pentests |
| 19 | Tapjacking | Low (declining) | Largely mitigated by filterTouchesWhenObscured and Android 12+ restrictions |
| 20 | Task Affinity Attacks | Low | Niche but effective for targeted phishing within the task switcher |
| 21 | Content Provider Attacks | Low | App-specific; dangerous when providers are exported without proper permissions |
| 22 | App Virtualization | Emerging (high impact) | Runs real banking apps inside malware-controlled sandbox; bypasses overlay detection, repackaging checks, and root detection |
| 23 | App Collusion | Moderate (SDK-mediated) | SDK-based cross-app data aggregation is the dominant model; multi-app malware architectures emerging |
| 24 | AI-Assisted Malware | Rising | LLM-assisted development, deepfake biometric fraud, underground AI tools lowering skill barriers |
| 25 | Mass Malware Generation | High (infrastructure) | MaaS builders, crypter services, and coordinated store submission produce variants faster than detection can scale |
| 26 | Anti-Analysis Techniques | Universal (supporting) | Nearly every family implements emulator/root/Frida detection; determines whether payload executes at all |
| 27 | Notification Suppression | High (banking trojans) | Hides transaction alerts during fraud; dual-purpose with OTP theft via notification listener |
| 28 | Camera & Mic Surveillance | High (spyware, RATs) | Core capability of state-sponsored spyware and surveillance RATs; increasingly restricted by OS |
| 29 | Call Interception | Moderate (region-specific) | Voice phishing via call redirection; dominant in Korean-targeting campaigns |
| 30 | Device Wipe & Ransomware | Moderate (declining for ransomware, rising for evidence destruction) | File encryption declining due to scoped storage; factory reset as post-fraud cleanup is growing |
| 31 | Network Traffic Interception | Moderate | DNS hijacking, VPN abuse, proxy configuration; Android 14 APEX certificate store makes MITM harder |