Skip to content

abdullah-5j/Android-RAT-Threat-Analysis

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

📱 Android RAT Threat Analysis

How AhMyth Weaponizes a Legitimate APK to Compromise Android Devices

Purpose Lab Target Framework License

A practical study of mobile malware delivery, APK trojanization, and Android post-exploitation — with a focus on defense.


Caution

Authorized research and education only. Every action documented here was performed inside fully isolated virtual machines against a device the researchers owned. Building, binding, or deploying a RAT against any device, account, or network without explicit written permission is illegal in most jurisdictions. The authors do not condone misuse and accept no liability for it.Read DISCLAIMER.md.


🔎 The Core Question

How does a harmless-looking Android app become a full surveillance implant?

This project answers that by dissecting one concrete, reproducible attack chain: taking an ordinary open-source camera app, injecting a Remote Access Trojan payload into its APK with AhMyth, and observing exactly what an attacker gains once a victim installs and grants permissions to the trojanized app.

The emphasis is on the mechanism and impact — the APK-as-malware delivery model that makes Android an attractive target — and on turning that understanding into actionable defenses.

🧬 Why This Matters

Android's security model is built on user-granted permissions. That model breaks down when:

  1. A malicious payload is hidden inside an app whose stated purpose justifies the permissions it requests (a camera app asking for camera + microphone looks normal).
  2. The app is distributed outside the Play Store as a raw .apk, bypassing store-side scanning.
  3. The user, trusting the app's appearance, grants everything on first launch.

At that moment, "permission abuse" becomes total device compromise. This repo shows that failure mode step by step so it can be recognized and blocked.

⚔️ The Attack Chain at a Glance

 ┌──────────────┐   ┌───────────────┐   ┌──────────────┐   ┌───────────────┐   ┌────────────────┐
 │ 1. PICK A    │──►│ 2. TROJANIZE  │──►│ 3. DELIVER   │──►│ 4. VICTIM     │──►│ 5. FULL REMOTE │
 │ CREDIBLE APK │   │ INJECT PAYLOAD│   │ THE .APK     │   │ INSTALLS +    │   │ CONTROL (C2)   │
 │ (Libre Cam)  │   │ VIA AhMyth    │   │ TO TARGET    │   │ GRANTS PERMS  │   │ camera/mic/... │
 └──────────────┘   └───────────────┘   └──────────────┘   └───────────────┘   └────────────────┘
        The "credible cover app" is what makes the malicious permissions look reasonable.

Full technical breakdown: docs/ATTACK_CHAIN.md

🧨 What the APK Malware Can Do

Once the trojanized APK is live on the victim device, AhMyth's C2 panel exposed the following over the network:

Capability Impact
📷 Camera capture Silent photos from front and rear cameras
🎙️ Microphone Ambient audio recording
📍 Location Live GPS tracking
📁 File manager Browse and exfiltrate stored files
💬 SMS access Read messages (incl. potential OTPs)
📞 Call logs Full call history
👥 Contacts Address book harvesting
🖥️ Remote commands Arbitrary command execution
🔁 Persistence Survives reboots (boot method)

The danger is concentration: a phone holds conversations, credentials, banking data, and real-time location all in one place.

🔧 How the Trojanization Actually Works

AhMyth doesn't write a new app from scratch — it hijacks an existing one. When given a real APK, it:

  1. Decompiles the original APK.
  2. Locates the correct injection point in the app's code.
  3. Inserts the malicious payload (the C2 client) into that flow.
  4. Rebuilds and re-signs the APK into a working, installable file.

Two trigger strategies were compared:

Boot Method Activity Method
Trigger Auto-runs on power-on / reboot Runs only when app is opened
User action needed None Must open the app
Visibility Silent, background More noticeable
Persistence Strong, hard to spot Stops when app closes

Details: docs/TROJANIZATION.md

🏗️ Lab Environment

┌─────────────────────────────┐          ┌─────────────────────────────┐
│  ATTACKER                   │   C2     │  VICTIM                     │
│  Kali Linux (VMware)        │◄────────►│  Android 9 (MEmu Play)      │
│  AhMyth v1.0-beta.5a        │  link    │  Trojanized "Libre Camera"  │
│  Java 11                    │          │                             │
└─────────────────────────────┘          └─────────────────────────────┘
         Closed, offline lab — no external exposure at any point

Build instructions: docs/LAB_SETUP.md

📂 Repository Layout

Android-RAT-Threat-Analysis/
├── README.md                      ← Project overview
├── docs/
│   ├── LAB_SETUP.md               ← Isolated environment build
│   ├── TROJANIZATION.md           ← How a benign APK is weaponized
│   ├── ATTACK_CHAIN.md            ← End-to-end controlled demo
│   └── AHMYTH_REFERENCE.md        ← Tool capabilities & architecture
├── defense/
│   ├── DEFENSE_GUIDE.md           ← Hardening & prevention
│   ├── DETECTION.md               ← Indicators of compromise
│   └── INCIDENT_RESPONSE.md       ← Response if a RAT is suspected
├── assets/screenshots/            
├── DISCLAIMER.md                  ← Legal & ethical notice
├── CONTRIBUTING.md
└── LICENSE

🧭 Start Here

I want to… Go to
Build the lab docs/LAB_SETUP.md
Understand the APK weaponization docs/TROJANIZATION.md
Follow the full attack docs/ATTACK_CHAIN.md
Defend a device defense/DEFENSE_GUIDE.md
Detect an infection defense/DETECTION.md

🎓 Key Insight

The strength of this attack isn't sophisticated code — it's social plausibility plus sideloaded APKs plus permission trust. Break any one of those links (verify sources, avoid sideloading unknown apps, scrutinize permission requests) and the whole chain collapses. That is the defensive thesis of this project.

📄 License

MIT — see LICENSE. Documentation and educational content only. Use responsibly and legally.


⚠️ For authorized security research only. Read the disclaimer before proceeding.

About

A controlled lab study of how the AhMyth RAT weaponizes a legitimate Android APK

Topics

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors