
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This blog post analyzes a modern Android malware campaign where a fake Google Play Store–like domain is used to distribute a malicious APK called GPT Trade, advertised as an AI-powered trading assistant and visually branded like official ChatGPT / OpenAI assets. The APK is served from https://playgoogle-gpttrade[.]com/GPT%20Trade.apk and has package name com.jxtfkrsl.bjtgsb. The campaign was initially detected by D3Lab via their Brand Monitor...

🔧 Technical Details

Trick 1 – Using Fake App Store Domains and Brand Impersonation to Drive Sideloading
Threat actors register domains that closely resemble legitimate app stores (e.g., playgoogle-gpttrade[.]com) and dress them up with official-looking branding (here mimicking Google Play and ChatGPT/OpenAI). The site advertises an attractive app (GPT Trade) and provides a direct .apk download (GPT%20Trade.apk). Users are socially engineered into enabling installation from unknown sources and sideloading the APK. This general pattern can be reused with any brand: create a plausible fake store page, copy visual assets, and push APK downloads that bypass official store vetting.


Trick 2 – Dropper as a Dynamic APK Generator with Split-APK Style Logic
Instead of embedding static malicious APK payloads, the dropper application behaves like a generic installer. It creates internal directories in its private storage, u...

🤖 Agent Actions

Updated src/mobile-pentesting/android-app-pentesting/README.md with a new “Android Droppers, Packers & Malware-Style Persistence” section detailing how fake app stores deliver GPT Trade, how its split-APK dropper architecture operates (directories, SharedPreferences, dex2oat32 activity, PackageInstaller usage), how UASecurity Tools packer-as-a-service infrastructure is abused, and how the UASecurity Miner and BTMob payloads achieve persistence and permission-based surveillance. Added actionable adb/logcat triage commands, enumerated IoCs (packages, hashes, domains/IPs), and emphasized defensive heuristics. Appended the D3Lab campaign analysis to the References list. No tests were run (documentation-only change).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
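The dropper pattern summarized above (a sideloaded app that installs further APKs through PackageInstaller) leaves a trace in the installer attribution that `adb shell pm list packages -i` reports. The triage script below is an added example, not code from the D3Lab post or the HackTricks PR: it parses constructed `pm list packages -i` and `pm list packages -s` output and flags apps installed by another sideloaded app. The dropper package name com.jxtfkrsl.bjtgsb comes from the PR summary; every other package name in the sample is hypothetical, and the trusted-installer set is an assumption.

```python
"""Triage installer attribution from `pm list packages -i` / `pm list packages -s`."""
import re
from typing import Dict, List, Set

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Installers treated as trusted store channels (assumption for this example).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output. com.jxtfkrsl.bjtgsb is the dropper named in the PR;
# com.example.payload is a hypothetical package it installed.
SAMPLE_INSTALLERS = """\
package:com.android.settings  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.jxtfkrsl.bjtgsb  installer=null
package:com.example.payload  installer=com.jxtfkrsl.bjtgsb
"""
SAMPLE_SYSTEM = "package:com.android.settings\n"  # constructed `pm list packages -s`


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package -> installer string ('null' when no installer is recorded)."""
    return {m["pkg"]: m["inst"] for line in text.splitlines()
            if (m := PM_LINE.match(line.strip()))}


def parse_system_packages(text: str) -> Set[str]:
    """Package names listed by `pm list packages -s` (system-partition apps)."""
    return {ln.strip()[len("package:"):] for ln in text.splitlines()
            if ln.strip().startswith("package:")}


def triage(installers: Dict[str, str], system_pkgs: Set[str]) -> Dict[str, str]:
    """Classify non-system apps by install channel: store, sideloaded, or app-installed."""
    verdicts = {}
    for pkg, inst in installers.items():
        if pkg in system_pkgs:
            continue  # system apps legitimately show installer=null
        if inst in TRUSTED_INSTALLERS:
            verdicts[pkg] = "store"
        elif inst == "null":
            verdicts[pkg] = "sideloaded"  # manual APK install, no store attribution
        elif inst in system_pkgs:
            verdicts[pkg] = f"system_installer:{inst}"
        else:
            verdicts[pkg] = f"installed_by_app:{inst}"  # PackageInstaller used by another app
    return verdicts


def dropper_chains(verdicts: Dict[str, str]) -> List[str]:
    """Packages whose installer is itself a sideloaded app: the dropper -> payload chain."""
    return sorted(pkg for pkg, v in verdicts.items() if v.startswith("installed_by_app:")
                  and verdicts.get(v.split(":", 1)[1]) == "sideloaded")


if __name__ == "__main__":
    result = triage(parse_pm_output(SAMPLE_INSTALLERS), parse_system_packages(SAMPLE_SYSTEM))
    for pkg, verdict in sorted(result.items()):
        print(f"{pkg:32} {verdict}")
    print("dropper chains:", dropper_chains(result))
```

On a real device, replace the constructed strings with the output of `adb shell pm list packages -i` and `adb shell pm list packages -s`.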

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.d3lab.net/gpt-trade-fake-google-play-store-drops-btmob-spyware-and-uasecurity-miner-on-android-devices/

Content Categories: Based on the analysis, this content was categorized under "📱 Mobile Pentesting -> Android Applications Pentesting (new subsection such as 'Android Droppers, Packers & Malware-style Persistence' or 'Android Spyware & Permission Abuse Techniques')".

Repository Maintenance:

  • MD Files Formatting: 909 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
