
Glitch SPY Emerging Android RAT Distributed Through a Fake P...#2451

Open
carlospolop wants to merge 1 commit into master from update_Glitch_SPY_Emerging_Android_RAT_Distributed_Thro_04de20f3dd6ad3d7


@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://cyble.com/blog/glitch-spy-rat-distributed-via-fake-polish-app
  • Blog Title: Glitch SPY: Emerging Android RAT Distributed Through a Fake Polish Rental App
  • Suggested Section: Mobile Pentesting -> Android Applications Pentesting -> Accessibility Services Abuse / Mobile Phishing Malicious Apps; optionally Basic Forensic Methodology -> Android Malware Post-Exploitation for RAT behavior patterns

🎯 Content Summary

Glitch SPY Android RAT: technical summary

Cyble Research and Intelligence Labs analyzed Glitch SPY, an emerging Android RAT/builder platform identified through branding on an exposed command-and-control admin panel. The campaign is distributed through a fraudulent Polish apartment and house rental site, tutaj-dompl[.]com, which impersonates a rental platform offering verified apartments, viewing reservations, direct owner contact, no broker commissions, a...

🔧 Technical Details

Staged Android malware delivery with a believable sideloading pretext: attackers can increase installation success by pairing a realistic phishing site with a plausible app requirement. In this case, a fake rental platform convinces victims to sideload an APK to reserve viewings and receive updates. The first-stage loader shows a fake update flow and requests permission to install applications from unknown sources. Once granted, it deploys the second-stage RAT and the payload displays a decoy WebView matching the lure. The generalizable technique is to separate delivery from payload execution: use a trusted-looking first-stage app to obtain sideloading permission, then install the real implant.


Accessibility Service as an Android post-exploitation primitive: once a victim enables Accessibility, malware can inspect UI nodes, read visible text, click buttons, type into input fields, dispatch gestures, approve runtime permissions, interact w...

🤖 Agent Actions

Plan re-initialized via the available plan tracker.

I also ran a cross-repo overlap check for:

  • remote_browser_*
  • ClipboardManager.setPrimaryClip
  • FMENC1
  • AES/GCM/NoPadding
  • hello_ack
  • screen_frame
  • browser_command_result
  • REQUEST_INSTALL_PACKAGES

Result:

  • the only meaningful consolidated location for these Glitch SPY-derived techniques is still
    src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md
  • other repo hits are only partial/adjacent overlaps, not a better single-file home

I am still not finalizing yet.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://cyble.com/blog/glitch-spy-rat-distributed-via-fake-polish-app

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting -> Accessibility Services Abuse / Mobile Phishing Malicious Apps; optionally Basic Forensic Methodology -> Android Malware Post-Exploitation for RAT behavior patterns".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
