Skip to content

46894-RAFFEY/androspectra-RAT-research

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AndroSpectra: Android 15 Threat Modeling & C2 Architecture Research

A comprehensive academic security research project focused on Command and Control (C2) topologies, trust-surface expansion, and defensive detection engineering within the Android 15 (API 35) ecosystem.

Documentation Only Android 15 Research MITRE ATT&CK University Approved


⚠️ Executive & Ethical Summary

This repository contains academic malware research documentation for a Final Year Project (FYP). No executable malware code, APKs, or exploit payloads are included. All research was conducted in a strictly isolated, university-approved lab environment.

Please read the ETHICAL_NOTICE.md before proceeding.


🔍 Research Scope & Objectives

As mobile operating systems mature, threat actors increasingly shift from exploiting kernel-level vulnerabilities to abusing legitimate platform features. Android 15 introduces strict boundaries, such as hardened Foreground Service (FGS) requirements, Restricted Settings for side-loaded applications, and granular scoped storage.

AndroSpectra is a conceptual, custom-designed Remote Access Trojan (RAT) architecture engineered solely to study these boundaries. The research focuses on:

  1. Capability Chaining: How adversaries combine low-level permissions to achieve high-impact data extraction.
  2. C2 Architecture: The decoupled design of modern mobile botnets and beaconing mechanisms.
  3. Detection Engineering: Developing actionable Indicators of Compromise (IoCs) and behavioral signatures to aid Blue Teams and MDM administrators in identifying similar threats.

📂 Project Navigation

To understand the full scope of this research, explore the documentation in the following order:

1. Visual Evidence & Lab Demonstration

2. Threat Modeling & Offensive Architecture

3. Defensive Engineering (Blue Team)

  • Detection & Mitigation Strategies - [CRITICAL] Network IoCs, host-based behavioral anomalies, and YARA rules for defending against this class of architecture.
  • Isolated Lab Setup - Documentation of the safe, air-gapped environment used for this analysis.

🛡️ Key Defensive Findings (TL;DR)

  1. Accessibility Service Abuse: Despite Android 15's "Restricted Settings," social engineering combined with session-based permission toggling remains the primary vector for UI-interaction hijacking.
  2. Asynchronous Exfiltration: The most resilient C2 topologies do not rely on constant socket connections, but rather asynchronous, jitter-based HTTPS beaconing mimicking standard app analytics traffic.
  3. Detection Bottlenecks: Traditional signature-based AV is ineffective against bespoke C2 payloads; detection must pivot to heuristic network analysis and Permission Combination Risk Scoring.

Author: Syed Raffey Ali | Portfolio Project for Threat Intelligence & Offensive Security Roles

Releases

No releases published

Packages

 
 
 

Contributors