https://github.com/ivan-sincek/malware-apk
Are your bug bounty reports getting rejected because you don't use a "malicious" PoC app to exploit the vulnerabilities? I've got you covered!
android bug-bounty content-provider deep-link deep-link-hijacking ethical-hacking file-content-provider implicit-intent implicit-intent-injection intent-injection java malware mobile-penetration-testing offensive-security penetration-testing security shared-preferences sqlite sqlite-content-provider task-hijacking
Last synced: 15 days ago
- Host: GitHub
- URL: https://github.com/ivan-sincek/malware-apk
- Owner: ivan-sincek
- License: mit
- Created: 2024-07-10T12:04:25.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-09-02T18:22:36.000Z (over 1 year ago)
- Last Synced: 2025-02-13T12:51:54.514Z (12 months ago)
- Topics: android, bug-bounty, content-provider, deep-link, deep-link-hijacking, ethical-hacking, file-content-provider, implicit-intent, implicit-intent-injection, intent-injection, java, malware, mobile-penetration-testing, offensive-security, penetration-testing, security, shared-preferences, sqlite, sqlite-content-provider, task-hijacking
- Language: Java
- Homepage:
- Size: 3.93 MB
- Stars: 5
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Malware APK
As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?
As a security engineer, do you struggle with validating bug bounty reports, performing regression testing, and conducting penetration tests?
I've got you covered - all from the comfort of your own device!
[YouTube: Malware APK v5.0 - Proxy Intent Injection PoC](https://youtube.com/shorts/hMcJ4JhPhnQ)
---
**Rooting your device is not required.**
For more tips and tricks check my [Android Penetration Testing Cheat Sheet](https://github.com/ivan-sincek/android-penetration-testing-cheat-sheet).
---
Built with Android Studio v2024.3.2 (64-bit) (JDK 17) and tested on Samsung Galaxy Note S20 Ultra with Android OS v13.0 (Tiramisu).
Made for educational purposes. I hope it will help!
Future plans:
* add an option to bind to a service,
* add an option to specify intent categories,
* add an option to specify `null` in intent extras,
* add a content encoding and decoding section,
* add a log toolbar with search, copy, scroll to top, and more,
* add a project to easily compile native `.so` libraries for arbitrary code execution,
* add more UI customizations.
## Table of Contents
* [About the App](#about-the-app)
* [Usage](#usage)
* [File System](#file-system)
* [Process](#process)
* [Enumeration](#enumeration)
* [Intent](#intent)
* [Broadcast Monitor](#broadcast-monitor)
* [Web](#web)
* [Task Hijacking](#task-hijacking)
* [Tap Hijacking](#tap-hijacking)
* [Accessibility Monitor](#accessibility-monitor)
* [Notification Monitor](#notification-monitor)
* [Clipboard](#clipboard)
* [State Manager](#state-manager)
* [Settings](#settings)
## About the App
Version: `5.1`
APK name: `Malware APK`
Package name: `com.kira.malware`
Min. SDK: `29` (Android 10)
Target SDK: `35`
Exported activities:
* `com.kira.malware.activities.MainActivity`
* `com.kira.malware.activities.HiddenActivity`
Permissions required:
* `android.permission.READ_EXTERNAL_STORAGE`
* `android.permission.WRITE_EXTERNAL_STORAGE`
* `android.permission.QUERY_ALL_PACKAGES`
* `android.permission.INTERNET`
* `android.permission.SYSTEM_ALERT_WINDOW`
* `android.permission.BIND_ACCESSIBILITY_SERVICE`
* `android.permission.BIND_NOTIFICATION_LISTENER_SERVICE`
* `android.permission.POST_NOTIFICATIONS`
URIs for internal quality assurance:
* `kira://hidden`
* `content://com.kira.malware.TestFileProvider/files/test.txt`
* `content://com.kira.malware.TestSQLiteProvider`
* `javascript:alert(JavaScriptBridge.test())`
## Usage
### File System
**#1:** Read and modify files of another app.
**#2:** Read world-readable shared preferences of another app.
**#3:** To access files of another app, modify the [sharedUserId](https://developer.android.com/guide/topics/manifest/manifest-element#uid) in this app's [AndroidManifest.xml](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L4), then rebuild the APK - this works only if the other app defines that shared user ID.

Figure 1 - File System
### Process
**#1:** Not all devices or root tools store the `su` (switch user) binary in the same location.
**#2:** Run CLI tools such as `/system/bin/logcat` or start a reverse shell with user `/bin/sh` or root `/bin/su` privileges.

Figure 2 - Running CLI Tools
### Enumeration
**#1:** Read the manifest file of another app.
**#2:** List protected or exported components of another app.
**#3:** Request a custom permission defined by another app by declaring it in this app's `AndroidManifest.xml`, then rebuild the APK - this works only if the permission's protection level is not `signature`.
**#4:** List system or user installed packages.
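The defender's side of #2 and #3 is knowing which exported components an arbitrary app can reach and which custom permissions it could simply declare and be granted. The following added Python example (mine, not the project's code) audits a constructed, apktool-style decoded `AndroidManifest.xml` for exactly that; it assumes the `android:` namespace URI and treats only an explicit `android:exported="true"` as exported.

```python
import xml.etree.ElementTree as ET
ANDROID = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (decoded, as apktool prints it), not any real app's.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID}" package="com.example.target">
  <permission android:name="com.example.target.READ_NOTES" android:protectionLevel="normal" />
  <permission android:name="com.example.target.ADMIN" android:protectionLevel="signature" />
  <permission android:name="com.example.target.LEGACY" />
  <application>
    <activity android:name=".MainActivity" android:exported="true" />
    <activity android:name=".ProxyActivity" android:exported="true"
              android:permission="com.example.target.READ_NOTES" />
    <provider android:name=".NotesProvider" android:authorities="com.example.target.notes"
              android:exported="true" android:permission="com.example.target.ADMIN" />
    <receiver android:name=".SyncReceiver" android:exported="false" />
  </application>
</manifest>"""

def attr(elem, name):
    return elem.get(f"{{{ANDROID}}}{name}")  # ElementTree keys android:x as {namespace}x

def weak_permissions(xml_text):
    """Custom permissions any third-party app can declare and be granted:
    those whose protectionLevel does not include 'signature'."""
    weak = {}
    for p in ET.fromstring(xml_text).iter("permission"):
        level = attr(p, "protectionLevel") or "normal"  # Android's default when absent
        if "signature" not in level:
            weak[attr(p, "name")] = level
    return weak

def audit_manifest(xml_text):
    """Findings for exported components an arbitrary app can reach. Only an explicit
    android:exported="true" counts; pre-API-31 implicit export via intent filters is not modelled."""
    root = ET.fromstring(xml_text)
    weak = weak_permissions(xml_text)
    findings = []
    for tag in COMPONENT_TAGS:
        for c in root.iter(tag):
            if attr(c, "exported") != "true":
                continue
            name, perm = attr(c, "name"), attr(c, "permission")
            if perm is None:
                findings.append(f"{tag} {name}: exported with no permission")
            elif perm in weak:
                findings.append(f"{tag} {name}: guarded by {perm} (protectionLevel={weak[perm]})")
    return findings
```

A component guarded by a `signature` permission is not listed, since a third-party APK signed with a different key cannot obtain that permission even if it declares it.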

Figure 3 - Enumeration
### Intent
**#1:** Test an intent filter of another app.
**#2:** Send an intent to another app to directly bypass its biometric / security.
**#3:** Send an intent to another app to indirectly bypass its biometric / security by triggering its push notification manager, then manually opening the received push notification.
**#4:** Send an intent to another app to poison its widget.
**#5:** Send an intent or a pending intent to another app multiple times to cause a Denial of Service (DoS).
**#6:** Send a mutable pending intent to another app to extract subsequently added intent extras.
**#7:** Access a protected component, such as a file or SQLite content provider of another app, by exploiting the app's exported (proxy) component.
**#8:** Test a deep link of another app.
**#9:** Perform a battering ram attack on a deep link or content provider URI of another app by adding the `` placeholder to the intent's URI.
**#10:** You can send an intent to `HiddenActivity` for inspection before sending it to another app.
**#11:** Test a file content provider for path traversal via `../`, and for arbitrary file read / write.
**#12:** Test an SQLite content provider for SQL injection via projection and selection.
Projection SQLi example:
```sql
* from sqlite_master--
```
Selection SQLi example:
```sql
1=1) OR 2=2--
```
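The two payloads above work because the provider pastes the caller's projection and selection straight into its SQL, and the following added example (mine, not the project's code) reproduces both with Python's sqlite3 against a constructed table. Beside it is a hardened query with an allowlisted projection and a deliberately small selection grammar over bound parameters, the same effect `SQLiteQueryBuilder.setProjectionMap()` and `setStrict(true)` give an Android provider.

```python
import re
import sqlite3
# Constructed sample database standing in for an app's private SQLite store:
# only rows with shared = 1 are meant to leave the provider; row 2 is private.
SCHEMA = """
CREATE TABLE notes (_id INTEGER PRIMARY KEY, body TEXT, shared INTEGER);
INSERT INTO notes VALUES (1, 'shopping list', 1), (2, 'api token=abc123', 0);
"""
# Exposed columns, and the only selection shape accepted: '<col> = ?' / '<col> LIKE ?' joined by AND.
ALLOWED_COLUMNS = {"_id", "body"}
CLAUSE = r"(\w+)\s*(?:=|LIKE)\s*\?"
SELECTION_RE = re.compile(rf"^\s*{CLAUSE}(?:\s+AND\s+{CLAUSE})*\s*$", re.IGNORECASE)

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def vulnerable_query(db, projection, selection, args):
    # Pastes the caller's projection and selection into the SQL, as a ContentProvider
    # built on SQLiteQueryBuilder without strict mode does.
    sql = f"SELECT {', '.join(projection)} FROM notes WHERE shared = 1"
    if selection:
        sql += f" AND ({selection})"
    return db.execute(sql, args).fetchall()

def hardened_query(db, projection, selection, args):
    # Same query, but the projection is allowlisted and the selection must match the
    # grammar above, name only allowed columns, and bind exactly len(args) values.
    bad = [c for c in projection if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError(f"projection not allowed: {bad}")
    if selection:
        if not SELECTION_RE.match(selection):
            raise ValueError("selection must be '<col> = ?' / '<col> LIKE ?' joined by AND")
        cols = re.findall(CLAUSE, selection, re.IGNORECASE)
        if any(c not in ALLOWED_COLUMNS for c in cols) or len(cols) != len(args):
            raise ValueError("selection names a hidden column or binds the wrong number of args")
    return vulnerable_query(db, projection, selection, args)

if __name__ == "__main__":
    db = open_db()
    print(vulnerable_query(db, ["* from sqlite_master--"], None, []))   # schema leaks
    print(vulnerable_query(db, ["_id", "body"], "1=1) OR 2=2--", []))   # private row leaks
    for proj, sel in ((["* from sqlite_master--"], None), (["_id", "body"], "1=1) OR 2=2--")):
        try:
            hardened_query(db, proj, sel, [])
        except ValueError as err:
            print("blocked:", err)
```

The projection payload turns the statement into `SELECT * from sqlite_master-- ...`, commenting out the provider's own `FROM` and `WHERE`, while the selection payload closes the provider's parenthesis early and appends `OR 2=2`, so the `shared = 1` scope no longer applies.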
---
The following applies only to the `proxy intent` extras:
* If the value is a string equal to ``:
  * the entire value will be replaced with a `PendingIntent` object of the `target intent`,
  * and `Intent.putParcelable()` will be used.
* If the value is a string equal to ``:
  * the entire value will be replaced with an `Intent` object of the `target intent`,
  * and `Intent.putParcelable()` will be used.
* If the value is a string containing ``:
  * all matching parts will be replaced with `Intent.toUri(Intent.URI_INTENT_SCHEME)` of the `target intent`.
* If the value is a string containing ``:
  * all matching parts will be replaced with `Intent.toUri(Intent.URI_ALLOW_UNSAFE)` of the `target intent`.
The following applies to both the `proxy intent` and `target intent` extras, but only if they are launching [com.kira.malware.activities.HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/activities/HiddenActivity.java):
* To use the file content provider read callback:
  * add an intent extra with the type `string`,
  * key `HiddenActivity`,
  * and value ``.
* To use the file content provider write callback:
  * add an intent extra with the type `array list`,
  * key `HiddenActivity`,
  * value ``,
  * and the required source file.
* To use the SQLite content provider query callback:
  * add an intent extra with the type `string`,
  * key `HiddenActivity`,
  * and value ``.
* To use the SQLite content provider query with filtering callback:
  * add an intent extra with the type `array list`,
  * key `HiddenActivity`,
  * value ``,
  * and an optional projection and selection.
* To auto-close the callback activity on error:
  * add an intent extra with the type `string`,
  * key `HiddenActivityClose`,
  * and value ``.
* To auto-close the callback activity on success:
  * add an intent extra with the type `string`,
  * key `HiddenActivityClose`,
  * and value ``.
When testing intent injections, you will often need to specify [com.kira.malware.activities.HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/activities/HiddenActivity.java) as the `target intent` class name, and scope the file or SQLite content provider intent extra to the same `target intent`, as shown in the images below.
---

Figure 4 - Deep Link Fuzzing

Figure 5 - Pending Intent Injection P1

Figure 6 - Pending Intent Injection P2

Figure 7 - Intent Injection P1

Figure 8 - Intent Injection P2
### Broadcast Monitor
**#1:** Listen for a broadcast intent from another app and extract sensitive information from the intent extras.

Figure 9 - Broadcast Monitor
### Web
**#1:** Verify whether misconfigured asset links allow [app link](https://developer.android.com/training/app-links/verify-applinks) hijacking - this applies only to intent filters with the `autoVerify` attribute.
**#2:** Hijack a deep link of another app by specifying it in this app's `AndroidManifest.xml` under [HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L66), then rebuild the APK.
**#3:** Initiate a deep link callback from a website to hijack the flow of another app.
**#4:** Leverage existing web browser sessions to hijack the authenticated flow of another app.
**#5:** Hijack the `OAuth` flow and complete it by automating the remaining steps.
**#6:** All values extracted from a deep link or response body are URL-decoded and only URL-encoded when inserted into the URL query string (after `?`) of another request.
**Each time you launch the app, make sure to open the `Web` section to activate the deep link callback flow.**
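App link verification (#1) stands or falls on the domain's `.well-known/assetlinks.json`: if the file is unusable, or grants `handle_all_urls` to a package or key that is not yours, the links are not exclusively bound to your app. The following added example (mine, not the project's code) parses a constructed assetlinks file and compares its grants against the package/fingerprint pairs you expect; the fingerprints are shortened placeholders.

```python
import json
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed sample of what https://example.com/.well-known/assetlinks.json might serve.
# Fingerprints are shortened placeholders (real ones are 32 colon-separated hex bytes);
# the second statement is a stale grant for a package the site owner no longer controls.
SAMPLE_ASSETLINKS = json.dumps([
    {"relation": [HANDLE_ALL_URLS],
     "target": {"namespace": "android_app", "package_name": "com.example.bank",
                "sha256_cert_fingerprints": ["AA:BB:CC:DD"]}},
    {"relation": [HANDLE_ALL_URLS],
     "target": {"namespace": "android_app", "package_name": "com.example.legacy",
                "sha256_cert_fingerprints": ["11:22:33:44"]}},
])

def handle_all_urls_grants(assetlinks_text):
    """Map each Android package granted handle_all_urls to its signing-cert fingerprints."""
    grants = {}
    for stmt in json.loads(assetlinks_text):
        target = stmt.get("target", {})
        if HANDLE_ALL_URLS not in stmt.get("relation", []) or target.get("namespace") != "android_app":
            continue
        fps = {fp.upper() for fp in target.get("sha256_cert_fingerprints", [])}
        grants.setdefault(target["package_name"], set()).update(fps)
    return grants

def audit_app_links(assetlinks_text, expected):
    """expected: {package_name: sha256 fingerprint} that should own this domain's links.
    Returns findings; an empty list means the file grants exactly what you expect."""
    try:
        grants = handle_all_urls_grants(assetlinks_text)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        # Unparseable or malformed file: autoVerify fails, the links fall back to the app
        # chooser, and any installed app declaring the same filter is offered to the user.
        return [f"assetlinks.json unusable ({type(exc).__name__}): app links will not verify"]
    findings = []
    for pkg, fp in expected.items():
        if pkg not in grants:
            findings.append(f"{pkg}: no handle_all_urls statement, its links will not verify")
        elif fp.upper() not in grants[pkg]:
            findings.append(f"{pkg}: listed fingerprint differs from the expected signing key")
    for pkg in sorted(grants.keys() - expected.keys()):
        findings.append(f"{pkg}: unexpected package granted handle_all_urls, remove it if not owned")
    return findings
```

Run it against the file actually served over HTTPS for each host named in an `autoVerify` intent filter, since verification is per host.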

Figure 10 - Web

Figure 11 - Deep Link Callback
### Task Hijacking
**#1:** Changing the task affinity at runtime is not possible.
**#2:** To hijack a task of another app, modify the task affinity in this app's `AndroidManifest.xml` under [MainActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L48), then rebuild the APK.
Read more about taskjacking [here](https://developer.android.com/privacy-and-security/risks/strandhogg).

Figure 12 - Taskjacking
### Tap Hijacking
**#1:** Test if another app can detect an overlay.
**#2:** Detect an overlay by checking the [MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/fragments/TapHijackingFragment.java#L35) flags - this solution works only on older Android versions.
Read more about tapjacking [here](https://developer.android.com/privacy-and-security/risks/tapjacking).

Figure 13 - Tapjacking
### Accessibility Monitor
**#1:** Extract sensitive information from the UI of another app by abusing the accessibility service.
Read more about the solution [here](https://developer.android.com/reference/android/view/View#attr_android:importantForAccessibility).

Figure 14 - Accessibility Monitor
### Notification Monitor
**#1:** Extract sensitive information from a push notification of another app by abusing the notification service.

Figure 15 - Notification Monitor
### Clipboard
**#1:** Set the clipboard.
**#2:** Dump the clipboard and look for sensitive information.

Figure 16 - Clipboard
### State Manager
**#1:** Save and load UI states at any time.
**#2:** Download and share UI state files with others, and upload UI state files shared by others at any time.

Figure 17 - State Manager
### Settings
**#1:** Additional system controls and UI customizations.
**#2:** Biometric unlock prompts only once at launch. Clear all tasks to enable it again.

Figure 18 - Settings