Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ivan-sincek/malware-apk
Are your bug bounty reports getting rejected because you don't use a "malicious" PoC app to exploit the vulnerabilities? I've got you covered!
android bug-bounty content-provider deep-link deep-link-hijacking ethical-hacking file-content-provider implicit-intent implicit-intent-injection intent-injection java malware mobile-penetration-testing offensive-security penetration-testing security shared-preferences sqlite sqlite-content-provider task-hijacking
- Host: GitHub
- URL: https://github.com/ivan-sincek/malware-apk
- Owner: ivan-sincek
- License: mit
- Created: 2024-07-10T12:04:25.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2024-08-24T10:19:56.000Z (about 1 month ago)
- Last Synced: 2024-08-24T11:29:29.557Z (about 1 month ago)
- Topics: android, bug-bounty, content-provider, deep-link, deep-link-hijacking, ethical-hacking, file-content-provider, implicit-intent, implicit-intent-injection, intent-injection, java, malware, mobile-penetration-testing, offensive-security, penetration-testing, security, shared-preferences, sqlite, sqlite-content-provider, task-hijacking
- Language: Java
- Homepage:
- Size: 2.71 MB
- Stars: 2
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Malware APK
As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?
As a security engineer, do you have trouble validating bug bounty reports and performing regression testing?
I've got you covered!
---
**Rooting your device is not required.**
For more tips and tricks check my [Android penetration testing cheat sheet](https://github.com/ivan-sincek/android-penetration-testing-cheat-sheet).
---
Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note20 Ultra with Android OS v13.0 (Tiramisu).
Made for educational purposes. I hope it will help!
Future plans:
* add an option to wrap/unwrap text in the log,
* add more types, including array types, for `Intent.putExtra()`,
* ~~improve the dropdown UI for `Intent.putExtra()`~~,
* unblock the back button after the overlay is created,
* hide the soft keyboard when focusing away from the edit text input,
* create the UI to chain multiple exploitation requests and actions after [deep link callback hijacking](#web),
* showcase PoCs for already disclosed intent injection bug bounty reports,
* add more tests.

## Table of Contents
* [About the App](#about-the-app)
* [Usage](#usage)
* [File System](#file-system)
* [Implicit Intent](#implicit-intent)
* [Implicit Intent Injection](#implicit-intent-injection)
* [Web](#web)
* [Task Hijacking](#task-hijacking)
* [Tapjacking](#tapjacking)
* [Saving and Loading](#saving-and-loading)

## About the App
APK Name: `Malware v1.3`
Package name: `com.kira.malware`
Min SDK: `26`
Target SDK: `32`
Exported activities:
* `com.kira.malware.activities.MainActivity`
* `com.kira.malware.activities.HiddenActivity`

On the first launch, you might see a prompt asking you to grant the following permissions:
* `android.permission.INTERNET`
* `android.permission.POST_NOTIFICATIONS`
* `android.permission.READ_EXTERNAL_STORAGE`
* `android.permission.WRITE_EXTERNAL_STORAGE`
* `android.permission.SYSTEM_ALERT_WINDOW`
* `android.settings.action.MANAGE_OVERLAY_PERMISSION`

URIs for internal QA testing purposes:
* `kira://hidden`
* `content://com.kira.malware.TestSQLiteProvider`
* `content://com.kira.malware.TestFileProvider/files/somefile.txt`

## Usage
### File System
**Tip #1:** Read or overwrite files from other apps.
**Tip #2:** Read world-readable shared preferences from other apps.
Figure 1 - File System
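The two tips above only work against files that the victim app left readable or writable by other UIDs. As an added defensive example (not code from the malware-apk project), the following class lets an app audit its own private data directory, including `shared_prefs`, for exactly that condition, so the weakness is found in a debug build before a PoC app finds it. The class name `DataDirAudit` and the log tag are hypothetical; it checks the raw `stat()` mode bits because `File.canRead()` only reflects the calling UID.

```java
// Added defensive example, not part of the malware-apk project. The class name and
// log tag are hypothetical.
import android.content.Context;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import android.util.Log;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

public final class DataDirAudit {
    private static final String TAG = "DataDirAudit";
    // Mode bits that grant read or write access to every other UID on the device.
    private static final int WORLD_BITS = OsConstants.S_IROTH | OsConstants.S_IWOTH;

    private DataDirAudit() {}

    /**
     * Walks the app's private data directory and returns the paths of all files and
     * directories whose mode has the "other" read or write bit set. Preferences written
     * with the long-deprecated Context.MODE_WORLD_READABLE (it throws a SecurityException
     * from API 24 onward) or files chmod'ed by hand are the usual culprits.
     */
    public static List<String> findWorldAccessible(Context context) {
        List<String> findings = new ArrayList<>();
        walk(new File(context.getApplicationInfo().dataDir), findings);
        return findings;
    }

    private static void walk(File node, List<String> findings) {
        StructStat st = lstatOrNull(node);
        if (st == null || OsConstants.S_ISLNK(st.st_mode)) {
            // Skip symlinks such as the "lib" link into the read-only APK install dir.
            return;
        }
        if ((st.st_mode & WORLD_BITS) != 0) {
            findings.add(node.getAbsolutePath());
        }
        File[] children = node.listFiles();
        if (children == null) {
            return; // regular file, or a directory we cannot list
        }
        for (File child : children) {
            walk(child, findings);
        }
    }

    /** lstat() rather than stat(), so a symlink is reported as itself and not as its target. */
    private static StructStat lstatOrNull(File node) {
        try {
            return Os.lstat(node.getAbsolutePath());
        } catch (ErrnoException e) {
            Log.w(TAG, "lstat failed for " + node, e);
            return null;
        }
    }

    /** Convenience for a debug-build startup check: logs every finding and returns the count. */
    public static int logFindings(Context context) {
        List<String> findings = findWorldAccessible(context);
        for (String path : findings) {
            Log.w(TAG, "world-accessible: " + path);
        }
        return findings.size();
    }
}
```

Call `DataDirAudit.logFindings(getApplicationContext())` from `Application.onCreate()` in debug builds; any non-zero count is a file the File System tab of this app could read or overwrite without root.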
### Implicit Intent
**Tip #1:** Test a \[pending\] implicit intent.
**Tip #2:** Perform a DoS on a \[pending\] implicit intent.
**Tip #3:** Test a deep link.
**Tip #4:** Hijack a deep link by specifying it in `AndroidManifest.xml` under [HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L48) and rebuild the APK.
**Tip #5:** Perform a dictionary attack (battering ram) on a deep link by inserting the `` placeholder in the URI.
Figure 2 - Implicit Intent
### Implicit Intent Injection
**Tip #1:** Access a protected component using an exported (proxy) intent.
**Tip #2:** The usual goal is to reach a private file or SQLite content provider.
An example on how to access a protected file content provider using an exported (proxy) intent:
```fundamental
Proxy Intent Package Name: com.someapp.dev
Proxy Intent Class Name: com.someapp.dev.ProxyActivity
Proxy Intent Action: com.someapp.dev.PROXY_ACTIVITY_ACTION
Proxy Intent Flags: // see the below image
Proxy Intent Put Extras: somekey \w
Target Intent URI: content://com.someapp.dev.TargetFileProvider/files/somefile.txt
Target Intent Action: android.intent.action.SEND
Target Intent Flags: // see the below image
Target Intent Put Extras: ContentResolverController \w fileProvider
android.intent.extra.TEXT \w somevalue
```

Figure 3 - Implicit Intent Injection
`Intent.putExtra()` logic can be found in [controllers/IntentPutExtrasController.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/IntentPutExtrasController.java#L247) and [controllers/ImplicitIntentController.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/ImplicitIntentController.java#L36).
The following applies only to the `proxy` intent:
* If the value is of type `string` and is equal to the `` string, the whole value is replaced with the `Intent` object and `Intent.putParcelable()` is used.
* If the value is of type `string` and contains the `` string, all matching parts are replaced with the `Intent.toUri(Intent.URI_INTENT_SCHEME)` string.
* If the value is of type `string` and contains the `` string, all matching parts are replaced with the `Intent.toUri(Intent.URI_ALLOW_UNSAFE)` string.

Callback logic to access a file or SQLite content provider can be found in [activities/HiddenActivity.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/activities/HiddenActivity.java#L40).
The following applies only to the `target` intent:
* To use the file content provider callback, add `ContentResolverController \w fileProvider` extra.
* To use the SQLite content provider callback, add `ContentResolverController \w sqliteProvider` extra.

### Web
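The component this section exploits is an exported "proxy" activity that re-sends an `Intent` handed to it by another app, which is how a non-exported file or SQLite content provider becomes reachable. As an added defensive example (not code from the malware-apk project), the activity below shows the checks that close that path: it refuses any nested intent carrying URI permission grants, and it forwards only to targets that are exported, i.e. that the caller could have started without the proxy. The package, class and extra names are hypothetical.

```java
// Added defensive example, not part of the malware-apk project. The package name,
// class name and the extra key are hypothetical.
package com.example.hardened;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.util.Log;

public class SafeProxyActivity extends Activity {
    private static final String TAG = "SafeProxyActivity";
    private static final String EXTRA_NESTED_INTENT = "nested_intent"; // hypothetical key
    // Any of these on a nested intent would hand our provider grants to the target.
    private static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Bundle extras = getIntent().getExtras();
        Object nested = extras == null ? null : extras.get(EXTRA_NESTED_INTENT);
        // A non-Intent Parcelable under the key must not be cast blindly.
        if (!(nested instanceof Intent) || !isSafeToForward((Intent) nested)) {
            Log.w(TAG, "Dropped nested intent from " + getCallingPackage());
            finish();
            return;
        }
        startActivity((Intent) nested);
        finish();
    }

    /**
     * Forward a nested intent only if (1) it carries no URI permission grant,
     * (2) it resolves to an activity, and (3) that activity is exported, so the
     * caller gains nothing by routing through us. Non-exported components in our
     * own package are exactly what an attacker reaches through an unchecked proxy.
     */
    boolean isSafeToForward(Intent nested) {
        if ((nested.getFlags() & URI_GRANT_FLAGS) != 0) {
            return false;
        }
        PackageManager pm = getPackageManager();
        ComponentName target = nested.resolveActivity(pm);
        if (target == null) {
            return false;
        }
        try {
            ActivityInfo info = pm.getActivityInfo(target, 0);
            return info.exported;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}
```

With these checks in place, the `Target Intent URI` / `ContentResolverController \w fileProvider` request from the example above is dropped at the flag check before `startActivity()` is ever reached; the same rule applies to `startService()` and `sendBroadcast()` proxies, where the exported check is done with `getServiceInfo()` or `getReceiverInfo()` instead.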
**Tip #1:** Initiate a deep link callback from a website to hijack it.
**Tip #2:** Create further exploitation steps inside the code using [OkHttp](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/WebController.java#L154), [intents](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/ImplicitIntentController.java#L128), etc., and rebuild the APK.
Figure 4 - Web
### Task Hijacking
**Tip #1:** To hijack a task, modify the task affinity in `AndroidManifest.xml` under [MainActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L29) and rebuild the APK.
Figure 5 - Task Hijacking
### Tapjacking
**Tip #1:** Test if other apps can detect an overlay.
**Tip #2:** Detect an overlay by checking [MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/fragments/TapHijackingFragment.java#L53) flags - this solution works only on older Android versions.
Read more about tapjacking and how to detect it [here](https://developer.android.com/privacy-and-security/risks/tapjacking).
Figure 6 - Tapjacking
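As an added defensive example (not code from the malware-apk project), here is what the app on the receiving end of the Tapjacking tab should look like: a button that drops touches while another window covers it. It combines the platform filter (`setFilterTouchesWhenObscured(true)`, which discards touches flagged `FLAG_WINDOW_IS_OBSCURED`) with an explicit check for `FLAG_WINDOW_IS_PARTIALLY_OBSCURED` (API 29 and later), which the platform filter does not cover. The class name and the listener interface are hypothetical.

```java
// Added defensive example, not part of the malware-apk project. The class name and
// the OnObscuredTouchListener interface are hypothetical.
package com.example.hardened;

import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscuredTouchAwareButton extends Button {

    /** Notified on the UI thread when a touch was dropped because the window was covered. */
    public interface OnObscuredTouchListener {
        void onObscuredTouch(int motionEventFlags);
    }

    private OnObscuredTouchListener listener;

    public ObscuredTouchAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Platform-level protection (same as android:filterTouchesWhenObscured="true"):
        // touches delivered while a non-trusted window fully covers this view are
        // discarded before they reach onTouchEvent().
        setFilterTouchesWhenObscured(true);
    }

    public void setOnObscuredTouchListener(OnObscuredTouchListener l) {
        listener = l;
    }

    /**
     * Pure decision helper: true when the flags say another window was fully or, on
     * API 29+, partially covering ours at the time of the touch.
     */
    static boolean isObscured(int flags, int sdkInt) {
        boolean fully = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partially = sdkInt >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fully || partially;
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if (isObscured(event.getFlags(), Build.VERSION.SDK_INT)) {
            if (listener != null) {
                listener.onObscuredTouch(event.getFlags());
            }
            return false; // drop the event; the sensitive action is never triggered
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Wire the listener to show a "close the overlay and try again" message rather than silently ignoring the tap, so the user understands why the button did not react. As the tip above notes, the flag check matters most on older releases; on Android 12 and later the system itself blocks touches that pass through untrusted overlays, which is the behaviour the linked Android documentation describes.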
### Saving and Loading
**Tip #1:** Save and load the UI state at any time.
Figure 7 - Saving and Loading