Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/ivan-sincek/malware-apk

Are your bug bounty reports getting rejected because you don't use a "malicious" PoC app to exploit the vulnerabilities? I've got you covered!

android bug-bounty content-provider deep-link deep-link-hijacking ethical-hacking file-content-provider implicit-intent implicit-intent-injection intent-injection java malware mobile-penetration-testing offensive-security penetration-testing security shared-preferences sqlite sqlite-content-provider task-hijacking


README


# Malware APK

As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?

As a security engineer, do you have trouble validating bug bounty reports and performing regression testing?

I've got you covered!

---

**Rooting your device is not required.**

For more tips and tricks check my [Android penetration testing cheat sheet](https://github.com/ivan-sincek/android-penetration-testing-cheat-sheet).

---

Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note20 Ultra with Android OS v13.0 (Tiramisu).

Made for educational purposes. I hope it will help!

Future plans:

* add an option to wrap/unwrap text in the log,
* add more types, including array types, for `Intent.putExtra()`,
* ~~improve the dropdown UI for `Intent.putExtra()`~~,
* unblock the back button after the overlay is created,
* hide the soft keyboard when focusing away from the edit text input,
* create the UI to chain multiple exploitation requests and actions after [deep link callback hijacking](#web),
* showcase PoCs for already disclosed intent injection bug bounty reports,
* add more tests.

## Table of Contents

* [About the App](#about-the-app)
* [Usage](#usage)
* [File System](#file-system)
* [Implicit Intent](#implicit-intent)
* [Implicit Intent Injection](#implicit-intent-injection)
* [Web](#web)
* [Task Hijacking](#task-hijacking)
* [Tapjacking](#tapjacking)
* [Saving and Loading](#saving-and-loading)

## About the App

APK Name: `Malware v1.3`

Package name: `com.kira.malware`

Min SDK: `26`

Target SDK: `32`

Exported activities:

* `com.kira.malware.activities.MainActivity`
* `com.kira.malware.activities.HiddenActivity`

On the first launch, you might see a prompt asking you to grant the following permissions:

* `android.permission.INTERNET`
* `android.permission.POST_NOTIFICATIONS`
* `android.permission.READ_EXTERNAL_STORAGE`
* `android.permission.WRITE_EXTERNAL_STORAGE`
* `android.permission.SYSTEM_ALERT_WINDOW`
* `android.settings.action.MANAGE_OVERLAY_PERMISSION`

URIs for internal QA testing purposes:

* `kira://hidden`
* `content://com.kira.malware.TestSQLiteProvider`
* `content://com.kira.malware.TestFileProvider/files/somefile.txt`

## Usage

### File System

**Tip #1:** Read or overwrite files from other apps.

**Tip #2:** Read world-readable shared preferences from other apps.

Figure 1 - File System

### Implicit Intent

**Tip #1:** Test a \[pending\] implicit intent.

**Tip #2:** Perform a DoS on a \[pending\] implicit intent.

**Tip #3:** Test a deep link.

**Tip #4:** Hijack a deep link by specifying it in `AndroidManifest.xml` under [HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L48) and rebuild the APK.

```xml

```

**Tip #5:** Perform a dictionary attack (battering ram) on a deep link by inserting the `` placeholder in the URI.

Figure 2 - Implicit Intent

### Implicit Intent Injection

**Tip #1:** Access a protected component using an exported (proxy) intent.

**Tip #2:** A common goal is to reach a private file or SQLite content provider through such a proxy.

An example of how to access a protected file content provider using an exported (proxy) intent:

```fundamental
Proxy Intent Package Name: com.someapp.dev
Proxy Intent Class Name: com.someapp.dev.ProxyActivity
Proxy Intent Action: com.someapp.dev.PROXY_ACTIVITY_ACTION
Proxy Intent Flags: // see the below image
Proxy Intent Put Extras: somekey \w

Target Intent URI: content://com.someapp.dev.TargetFileProvider/files/somefile.txt
Target Intent Action: android.intent.action.SEND
Target Intent Flags: // see the below image
Target Intent Put Extras: ContentResolverController \w fileProvider
android.intent.extra.TEXT \w somevalue
```

Figure 3 - Implicit Intent Injection

`Intent.putExtra()` logic can be found in [controllers/IntentPutExtrasController.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/IntentPutExtrasController.java#L247) and [controllers/ImplicitIntentController.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/ImplicitIntentController.java#L36).

The following applies only to the `proxy` intent:

* If the value is of type `string` and equals the `` string, the whole value is replaced with the `Intent` object and `Intent.putParcelable()` is used.
* If the value is of type `string` and contains the `` string, all matching parts are replaced with the `Intent.toUri(Intent.URI_INTENT_SCHEME)` string.
* If the value is of type `string` and contains the `` string, all matching parts are replaced with the `Intent.toUri(Intent.URI_ALLOW_UNSAFE)` string.

Callback logic to access a file or SQLite content provider can be found in [activities/HiddenActivity.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/activities/HiddenActivity.java#L40).

The following applies only to the `target` intent:

* To use the file content provider callback, add `ContentResolverController \w fileProvider` extra.
* To use the SQLite content provider callback, add `ContentResolverController \w sqliteProvider` extra.
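To show the defender's side of the proxy intent pattern described above, here is an added example (not code from the malware-apk project) of a hypothetical victim-side `ProxyActivity` that re-launches a nested `Intent` received as a Parcelable extra, with the validation a developer should apply before forwarding it. The extra name `somekey` mirrors the PoC fields above; the allow-listed action is an assumed policy.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

// Hypothetical victim-side ProxyActivity (not from the malware-apk project). It is the
// kind of exported component the "Proxy Intent" fields above target: it re-launches an
// Intent received as a Parcelable extra. The checks in isSafeToForward() are the fix.
public class ProxyActivity extends Activity {
    private static final String TAG = "ProxyActivity";
    // Extra name matches the PoC example above ("somekey"); an assumption for illustration.
    private static final String EXTRA_TARGET = "somekey";
    // Any of these flags would hand the proxy app's content:// access to the receiver.
    private static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Vulnerable form, for contrast:
        //   startActivity(getIntent().getParcelableExtra(EXTRA_TARGET));
        // The nested intent runs with this app's identity, so it can reach non-exported
        // components and carry URI grants for this app's private content providers.
        Intent target = getIntent().getParcelableExtra(EXTRA_TARGET);
        if (target == null || !isSafeToForward(target)) {
            Log.w(TAG, "Rejected forwarded intent: " + (target == null ? "null" : target.toUri(0)));
        } else {
            startActivity(target);
        }
        finish();
    }

    // Returns true only for intents that cannot be abused through this proxy.
    boolean isSafeToForward(Intent target) {
        // 1. Refuse any URI grant: a grant flag on the nested intent is exactly what
        //    makes the content:// callback in the PoC readable by the other app.
        if ((target.getFlags() & URI_GRANT_FLAGS) != 0) return false;
        // 2. Must resolve, and must not resolve back into our own package, where
        //    non-exported activities are reachable because the sender is us.
        ComponentName cn = target.resolveActivity(getPackageManager());
        if (cn == null || getPackageName().equals(cn.getPackageName())) return false;
        // 3. Allow-list the action (assumed policy: only ACTION_VIEW is forwarded).
        return Intent.ACTION_VIEW.equals(target.getAction());
    }
}
```

With these checks in place, the `Target Intent` from the example above is rejected at step 1 because of its grant flag, which is a quick way to confirm a fix during regression testing.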

### Web

**Tip #1:** Initiate a deep link callback from a website to hijack it.

**Tip #2:** Create further exploitation steps inside the code using [OkHttp](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/WebController.java#L154), [intents](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/ImplicitIntentController.java#L128), etc., and rebuild the APK.

Figure 4 - Web

### Task Hijacking

**Tip #1:** To hijack a task, modify the task affinity in `AndroidManifest.xml` under [MainActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L29) and rebuild the APK.

Figure 5 - Task Hijacking

### Tapjacking

**Tip #1:** Test if other apps can detect an overlay.

**Tip #2:** Detect an overlay by checking the [MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/fragments/TapHijackingFragment.java#L53) flags; this check works only on older Android versions.

Read more about tapjacking and how to detect it [here](https://developer.android.com/privacy-and-security/risks/tapjacking).

Figure 6 - Tapjacking
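As an added example (not code from the malware-apk project), a hypothetical `ObscuredAwareButton` that applies the flag check from Tip #2 on the app-under-test side: it enables the platform's obscured-touch filter and additionally discards touches flagged as partially obscured. The class name and log tag are assumptions.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

// Hypothetical "sensitive" button (not from the malware-apk project) that refuses touches
// delivered while another window covers it. It mirrors the flag check in the
// TapHijackingFragment link above and adds the platform-provided touch filter.
public class ObscuredAwareButton extends Button {
    private static final String TAG = "ObscuredAwareButton";

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Platform filter: drops touches whose window is obscured. Equivalent to
        // android:filterTouchesWhenObscured="true" on the view in layout XML.
        setFilterTouchesWhenObscured(true);
    }

    // Called by the framework before onTouchEvent(); returning false discards the event.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if (isObscured(event)) {
            Log.w(TAG, "Touch discarded: window is (partially) obscured by another window");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    // FLAG_WINDOW_IS_OBSCURED: another window fully covers the touch location.
    // FLAG_WINDOW_IS_PARTIALLY_OBSCURED (API 29+): another window covers part of this one.
    // As the tip above notes, these flags are only reported on older Android versions,
    // so treat this as defence in depth rather than a complete tapjacking defence.
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        return obscured;
    }
}
```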

### Saving and Loading

**Tip #1:** Save and load the UI state at any time.

Figure 7 - Saving and Loading