{"id":15374506,"url":"https://github.com/ivan-sincek/malware-apk","last_synced_at":"2026-01-26T12:08:58.818Z","repository":{"id":248403910,"uuid":"826801414","full_name":"ivan-sincek/malware-apk","owner":"ivan-sincek","description":"Are your bug bounty reports getting rejected because you don't use a \"malicious\" PoC app to exploit the vulnerabilities? I've got you covered!","archived":false,"fork":false,"pushed_at":"2024-09-02T18:22:36.000Z","size":4125,"stargazers_count":5,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-13T12:51:54.514Z","etag":null,"topics":["android","bug-bounty","content-provider","deep-link","deep-link-hijacking","ethical-hacking","file-content-provider","implicit-intent","implicit-intent-injection","intent-injection","java","malware","mobile-penetration-testing","offensive-security","penetration-testing","security","shared-preferences","sqlite","sqlite-content-provider","task-hijacking"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ivan-sincek.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-10T12:04:25.000Z","updated_at":"2025-01-19T16:42:57.000Z","dependencies_parsed_at":"2024-07-22T14:59:56.016Z","dependency_job_id":null,"html_url":"https://github.com/ivan-sincek/malware-apk","commit_stats":null,"previous_names":["ivan-sincek/malware-apk"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-
sincek%2Fmalware-apk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fmalware-apk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fmalware-apk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fmalware-apk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ivan-sincek","download_url":"https://codeload.github.com/ivan-sincek/malware-apk/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239921844,"owners_count":19718844,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","bug-bounty","content-provider","deep-link","deep-link-hijacking","ethical-hacking","file-content-provider","implicit-intent","implicit-intent-injection","intent-injection","java","malware","mobile-penetration-testing","offensive-security","penetration-testing","security","shared-preferences","sqlite","sqlite-content-provider","task-hijacking"],"created_at":"2024-10-01T13:58:56.326Z","updated_at":"2026-01-26T12:08:58.812Z","avatar_url":"https://github.com/ivan-sincek.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Malware APK\n\nAs a bug hunter, are your bug bounty reports getting rejected because you don't use a \"malicious\" Proof of Concept (PoC) app to exploit the vulnerabilities?\n\nAs a security engineer, do you struggle with validating bug bounty reports, performing regression testing, and conducting penetration testing?\n\nI've got you 
covered - all from the comfort of your own device!\n\n[YouTube: Malware APK v5.0 - Proxy Intent Injection PoC](https://youtube.com/shorts/hMcJ4JhPhnQ)\n\n---\n\n**Rooting your device is not required.**\n\nFor more tips and tricks check my [Android Penetration Testing Cheat Sheet](https://github.com/ivan-sincek/android-penetration-testing-cheat-sheet).\n\n---\n\nBuilt with Android Studio v2024.3.2 (64-bit) (JDK 17) and tested on Samsung Galaxy Note S20 Ultra with Android OS v13.0 (Tiramisu).\n\nMade for educational purposes. I hope it will help!\n\nFuture plans:\n\n* add an option to bind to a service,\n* add an option to specify intent categories,\n* add an option to specify `null` in intent extras,\n* add a content encoding and decoding section,\n* add a log toolbar with search, copy, scroll to top, and more,\n* add a project to easily compile native `.so` libraries for arbitrary code execution,\n* add more UI customizations.\n\n## Table of Contents\n\n* [About the App](#about-the-app)\n* [Usage](#usage)\n    * [File System](#file-system)\n    * [Process](#process)\n    * [Enumeration](#enumeration)\n    * [Intent](#intent)\n    * [Broadcast Monitor](#broadcast-monitor)\n    * [Web](#web)\n    * [Task Hijacking](#task-hijacking)\n    * [Tap Hijacking](#tap-hijacking)\n    * [Accessibility Monitor](#accessibility-monitor)\n    * [Notification Monitor](#notification-monitor)\n    * [Clipboard](#clipboard)\n    * [State Manager](#state-manager)\n    * [Settings](#settings)\n\n## About the App\n\nVersion: `5.1`\n\nAPK name: `Malware APK`\n\nPackage name: `com.kira.malware`\n\nMin. 
SDK: `29` (Android 10)\n\nTarget SDK: `35`\n\nExported activities:\n\n* `com.kira.malware.activities.MainActivity`\n* `com.kira.malware.activities.HiddenActivity`\n\nPermissions required:\n\n* `android.permission.READ_EXTERNAL_STORAGE`\n* `android.permission.WRITE_EXTERNAL_STORAGE`\n* `android.permission.QUERY_ALL_PACKAGES`\n* `android.permission.INTERNET`\n* `android.permission.SYSTEM_ALERT_WINDOW`\n* `android.permission.BIND_ACCESSIBILITY_SERVICE`\n* `android.permission.BIND_NOTIFICATION_LISTENER_SERVICE`\n* `android.permission.POST_NOTIFICATIONS`\n\nURIs for internal quality assurance:\n\n* `kira://hidden`\n* `content://com.kira.malware.TestFileProvider/files/test.txt`\n* `content://com.kira.malware.TestSQLiteProvider`\n* `javascript:alert(JavaScriptBridge.test())`\n\n## Usage\n\n### File System\n\n**#1:** Read and modify files of another app.\n\n**#2:** Read world-readable shared preferences of another app.\n\n**#3:** To access files of another app, modify the [sharedUserId](https://developer.android.com/guide/topics/manifest/manifest-element#uid) in this app's [AndroidManifest.xml](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L4), then rebuild the APK - this works only if another app has the shared user ID defined.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/file_system.png\" alt=\"File System\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 1 - File System\u003c/p\u003e\n\n### Process\n\n**#1:** Not all devices or root tools store the `su` (switch user) binary in the same location.\n\n**#2:** Run CLI tools such as `/system/bin/logcat` or start a reverse shell with user `/bin/sh` or root `/bin/su` privileges.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/running_cli_tools.png\" alt=\"Running CLI Tools\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp 
align=\"center\"\u003eFigure 2 - Running CLI Tools\u003c/p\u003e\n\n### Enumeration\n\n**#1:** Read the manifest file of another app.\n\n**#2:** List protected or exported components of another app.\n\n**#3:** Request a custom permission defined by another app by declaring it in this app's `AndroidManifest.xml`, then rebuild the APK - this works only if the permission's protection level is not `signature`.\n\n```xml\n\u003cpermission\n    android:name=\"com.someapp.dev.CUSTOM_PERMISSION\"\n    android:protectionLevel=\"normal\" /\u003e\n\u003cuses-permission android:name=\"com.someapp.dev.CUSTOM_PERMISSION\" /\u003e\n```\n\n**#4:** List system or user installed packages.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/enumeration.png\" alt=\"Enumeration\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 3 - Enumeration\u003c/p\u003e\n\n### Intent\n\n**#1:** Test an intent filter of another app.\n\n**#2:** Send an intent to another app to directly bypass its biometric / security.\n\n**#3:** Send an intent to another app to indirectly bypass its biometric / security by triggering its push notification manager, then manually opening the received push notification.\n\n**#4:** Send an intent to another app to poison its widget.\n\n**#5:** Send a \\[pending\\] intent to another app multiple times to cause Denial of Service (DoS).\n\n**#6:** Send a mutable pending intent to another app to extract subsequently added intent extras.\n\n**#7:** Access a protected component, such as a file or SQLite content provider of another app, by exploiting the app's exported (proxy) component.\n\n**#8:** Test a deep link of another app.\n\n**#9:** Perform a battering ram attack on a deep link or content provider URI of another app by adding `\u003c/payload\u003e` placeholder in the intent's URI.\n\n**#10:** You can send an intent to `HiddenActivity` for inspection before sending it to another 
app.\n\n**#11:** Test a file content provider for path traversal via `../`, and for arbitrary file read / write.\n\n**#12:** Test an SQLite content provider for SQL injection via projection and selection.\n\nProjection SQLi example:\n\n```sql\n* from sqlite_master--\n```\n\nSelection SQLi example:\n\n```sql\n1=1) OR 2=2--\n```\n\n---\n\nThe following applies only to the `proxy intent` extras:\n\n* If the value is a string equal to `\u003c/target-pending-intent\u003e`:\n    * the entire value will be replaced with a `PendingIntent` object of `target intent`,\n    * and `Intent.putParcelable()` will be used.\n* If the value is a string equal to `\u003c/target-intent\u003e`:\n    * the entire value will be replaced with an `Intent` object of `target intent`,\n    * and `Intent.putParcelable()` will be used.\n* If the value is a string containing `\u003c/target-intent-uri\u003e`:\n    * all matching parts will be replaced with `Intent.toUri(Intent.URI_INTENT_SCHEME)` of `target intent`.\n* If the value is a string containing `\u003c/target-intent-uri-unsafe\u003e`:\n    * all matching parts will be replaced with `Intent.toUri(Intent.URI_ALLOW_UNSAFE)` of `target intent`.\n\nThe following applies to both the `proxy intent` and `target intent` extras, but only if they are launching [com.kira.malware.activities.HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/activities/HiddenActivity.java):\n\n* To use the file content provider read callback:\n    * add an intent extra with the type `string`,\n    * key `HiddenActivity`,\n    * and value `\u003c/file-provider-read\u003e`.\n* To use the file content provider write callback:\n    * add an intent extra with the type `array list`,\n    * key `HiddenActivity`,\n    * value `\u003c/file-provider-write\u003e`,\n    * and required source file.\n* To use the SQLite content provider query callback:\n    * add an intent extra with the type `string`,\n    * key 
`HiddenActivity`,\n    * and value `\u003c/sqlite-provider-query\u003e`.\n* To use the SQLite content provider query with filtering callback:\n    * add an intent extra with the type `array list`,\n    * key `HiddenActivity`,\n    * value `\u003c/sqlite-provider-query-filter\u003e`,\n    * and optional projection and selection.\n* To auto-close the callback activity on error:\n    * add an intent extra with the type `string`,\n    * key `HiddenActivityClose`,\n    * and value `\u003c/close-on-error\u003e`.\n* To auto-close the callback activity on success:\n    * add an intent extra with the type `string`,\n    * key `HiddenActivityClose`,\n    * and value `\u003c/close-on-success\u003e`.\n\nWhen testing intent injections, you will often need to specify [com.kira.malware.activities.HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/activities/HiddenActivity.java) as the `target intent` class name, and scope the file or SQLite content provider intent extra to the same `target intent`, as shown in the images below.\n\n---\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/deep_link_fuzzing.png\" alt=\"Deep Link Fuzzing\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 4 - Deep Link Fuzzing\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/pending_intent_injection_1.png\" alt=\"Pending Intent Injection P1\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 5 - Pending Intent Injection P1\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/pending_intent_injection_2.png\" alt=\"Pending Intent Injection P2\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 6 - Pending Intent Injection P2\u003c/p\u003e\n\n\u003cp 
align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/intent_injection_1.png\" alt=\"Intent Injection P1\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 7 - Intent Injection P1\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/intent_injection_2.png\" alt=\"Intent Injection P2\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 8 - Intent Injection P2\u003c/p\u003e\n\n### Broadcast Monitor\n\n**#1:** Listen for a broadcast intent from another app and extract sensitive information from the intent extras.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/broadcast_monitor.png\" alt=\"Broadcast Monitor\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 9 - Broadcast Monitor\u003c/p\u003e\n\n### Web\n\n**#1:** Verify whether misconfigured asset links allow [app link](https://developer.android.com/training/app-links/verify-applinks) hijacking - this applies only to intent filters with `autoVerify` attribute.\n\n**#2:** Hijack a deep link of another app by specifying it in this app's `AndroidManifest.xml` under [HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L66), then rebuild the APK.\n\n```xml\n\u003cdata\n    android:host=\"hidden\"\n    android:scheme=\"kira\" /\u003e\n```\n\n**#3:** Initiate a deep link callback from a website to hijack the flow of another app.\n\n**#4:** Leverage existing web browser sessions to hijack the authenticated flow of another app.\n\n**#5:** Hijack the `OAuth` flow and complete it by automating the remaining steps.\n\n**#6:** All values extracted from a deep link or response body are URL-decoded and only URL-encoded when inserted into the URL query string (after `?`) of another request.\n\n**Each time you launch the app, 
make sure to open the `Web` section to activate the deep link callback flow.**\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/web.png\" alt=\"Web\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 10 - Web\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/deep_link_callback.png\" alt=\"Deep Link Callback\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 11 - Deep Link Callback\u003c/p\u003e\n\n### Task Hijacking\n\n**#1:** Changing the task affinity at runtime is not possible.\n\n**#2:** To hijack a task of another app, modify the task affinity in this app's `AndroidManifest.xml` under [MainActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L48), then rebuild the APK.\n\nRead more about taskjacking [here](https://developer.android.com/privacy-and-security/risks/strandhogg).\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/taskjacking.png\" alt=\"Taskjacking\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 12 - Taskjacking\u003c/p\u003e\n\n### Tap Hijacking\n\n**#1:** Test if another app can detect an overlay.\n\n**#2:** Detect an overlay by checking the [MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/fragments/TapHijackingFragment.java#L35) flags - this solution works only on older Android versions.\n\nRead more about tapjacking [here](https://developer.android.com/privacy-and-security/risks/tapjacking).\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/tapjacking.png\" alt=\"Tapjacking\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp 
align=\"center\"\u003eFigure 13 - Tapjacking\u003c/p\u003e\n\n### Accessibility Monitor\n\n**#1:** Extract sensitive information from the UI of another app by abusing the accessibility service.\n\nRead more about the mitigation [here](https://developer.android.com/reference/android/view/View#attr_android:importantForAccessibility).\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/accessibility_monitor.png\" alt=\"Accessibility Monitor\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 14 - Accessibility Monitor\u003c/p\u003e\n\n### Notification Monitor\n\n**#1:** Extract sensitive information from a push notification of another app by abusing the notification listener service.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/notification_monitor.png\" alt=\"Notification Monitor\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 15 - Notification Monitor\u003c/p\u003e\n\n### Clipboard\n\n**#1:** Set the clipboard.\n\n**#2:** Dump the clipboard and look for sensitive information.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/clipboard.png\" alt=\"Clipboard\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 16 - Clipboard\u003c/p\u003e\n\n### State Manager\n\n**#1:** Save and load UI states at any time.\n\n**#2:** Download and share UI state files with others, and upload UI state files shared by others at any time.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/state_manager.png\" alt=\"State Manager\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 17 - State Manager\u003c/p\u003e\n\n### Settings\n\n**#1:** Additional system controls and UI customizations.\n\n**#2:** Biometric unlock prompts only once at launch. 
Clear all tasks to enable it again.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/malware-apk/blob/main/img/settings.png\" alt=\"Settings\" height=\"600em\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 18 - Settings\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivan-sincek%2Fmalware-apk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fivan-sincek%2Fmalware-apk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivan-sincek%2Fmalware-apk/lists"}