[Mal Series #15] Android Stealer Cabassous

Most Android malware requests Android’s Accessibility Services (AAS) before it executes any malicious activity.

A good read on AAS -> HERE

App Source

Initial Phase, Gate to Open the AAS

Action & Category to look for:

AndroidManifest.xml

In the class MainActivity, the app pops up an alert dialog asking the user to enable the AAS.

Request Accessibility Access

Meanwhile, the class IntentStarter requests further app permissions, such as the ones shown below, and sets things up for the SMS receiver/sender (e.g. changing the default SMS application from another app such as Signal to the factory default, Messages).

Action Involved

Request for App Permission

Constant Involved (ProgConfig.PERMISSIONS)

Persistent Mechanism

Permission Required

Android’s Accessibility Services (AAS)

Permission Required

AndroidManifest.xml

What does the AAS do in the malicious app?

Hide Application Icon

Generate Victim’s BotID via randomUUID()

Setting Up Language

Available language options: be, ca, de, es, eu, gl, hy, kk, ky, mo, pl, ro, ru, tg, ua, uz

Default: en

Disable Play Protect

Open GPP (Google Play Protect) programmatically -> check for the package com.google.android.gms || com.android.vending -> disable GPP

GMS == Google Mobile Services

Flow to disable GPP via AAS

Based on my understanding, here’s the flow:

Get the toggle/switch_widget component -> click on it (an alert is shown) -> go to the parent screen (choose between the Cancel / “TurnOff” buttons) -> click “TurnOff”

New GPP: Switch_Toggle
Turn off Button

Enable Wake Lock

Permission Required

Enable PARTIAL_WAKE_LOCK

Wake lock level: Ensures that the CPU is running; the screen and keyboard backlight will be allowed to go off.

If the user presses the power button, then the screen will be turned off but the CPU will be kept on until all partial wake locks have been released.

Disable Battery Optimization

Permission Required

An app will be suspended by Google Play if it is detected requesting this permission.

Sos Code

The AAS disables it automatically by first checking the battery-optimization status of the app’s own package name and then passing the <action> via an intent. Screenshot below for reference 😉:

References <action> & <package>

Prevent Manual Uninstall by the Victim

Conditions to trigger it:

2. When getRootInActiveWindow() finds the component “accessibility_service_description” (the exact value may vary)

3. If the root window’s app_name equals the string value found at one of these resource IDs:

com.android.settings:id/entity_header_title
com.android.settings:id/app_detail_title
com.android.settings:id/app_name
android:id/title

4. The value of accessibility_service_description is found within com.android.settings, as reported by accessibilityEvent.getPackageName()

5. The Google Play app-scan window is opened. The Spanish strings “Activar análisis de Play Protect” and “Ajustes de Play Protect” are detected in the getRootInActiveWindow() node.

Web Injection

Permission Required (App Enumeration)

Gather the apps installed on the device by package name

Inject with JS & HTML

Code Snippet for Web Injection

Overlay Attack

Some validation for Name, Card Number, ExpMonth, ExpYear & CVV

Validation Code Snippet

There is also a general validation for the credit card number: the Luhn check.

Luhn Check

Sending Data to C2

Permission Required

DGA for C2

C2 domains are made up of [a-z]{15} followed by one of .ru | .com | .cn

DGA code snippet
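As an added defensive example (not code from the original post), the Python below flags DNS queries that match the DGA shape described above when run over a constructed resolver log; the log format and the per-client threshold are assumptions.

```python
import re
from collections import Counter

# Cabassous DGA shape from the write-up: 15 lowercase letters + .ru / .com / .cn
CABASSOUS_DGA_RE = re.compile(r"^[a-z]{15}\.(?:ru|com|cn)$")

# Constructed sample resolver log (assumed format: "<timestamp> <client_ip> <qname> <qtype>")
SAMPLE_DNS_LOG = """\
2021-04-01T10:00:01Z 10.0.0.12 www.example.com A
2021-04-01T10:00:02Z 10.0.0.12 kqzpwmfjdhtbnrc.ru A
2021-04-01T10:00:03Z 10.0.0.12 play.google.com A
2021-04-01T10:00:04Z 10.0.0.12 ABCDEFGHIJKLMNO.cn. A
2021-04-01T10:00:05Z 10.0.0.12 shortname.com A
2021-04-01T10:00:06Z 10.0.0.12 abcdefghijklmnop.com A
2021-04-01T10:00:07Z 10.0.0.12 abcdefghijklmno.org A
2021-04-01T10:00:08Z 10.0.0.34 qwertyuiopasdfg.com A
"""

def normalize_qname(qname):
    """DNS names are case-insensitive and may carry a trailing dot; the
    pattern in the write-up is lowercase, so canonicalize before matching."""
    return qname.rstrip(".").lower()

def is_cabassous_dga_candidate(qname):
    """True if the query name has exactly the DGA shape from the write-up."""
    return CABASSOUS_DGA_RE.match(normalize_qname(qname)) is not None

def find_dga_queries(log_text):
    """Parse the log and return (client_ip, normalized qname) per candidate."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname, _qtype = fields[:4]
        if is_cabassous_dga_candidate(qname):
            hits.append((client, normalize_qname(qname)))
    return hits

def clients_over_threshold(hits, min_hits=2):
    """A DGA client usually tries several generated names before one resolves;
    flag clients that issued at least `min_hits` candidate lookups (assumed)."""
    counts = Counter(client for client, _ in hits)
    return {c: n for c, n in counts.items() if n >= min_hits}
```

Feeding real resolver logs through find_dga_queries and then clients_over_threshold gives a short list of hosts worth pulling for AAS-enabled apps.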

SMS Send & Intercept

Permission Required

Code Snippet for Sending SMS / Handling Sent SMS

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec