As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?
As a security engineer, do you have trouble validating bug bounty reports and performing regression testing?
I've got you covered!
Rooting your device is not required.
For more tips and tricks check my Android penetration testing cheat sheet.
Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note20 Ultra with Android OS v13.0 (Tiramisu).
Made for educational purposes. I hope it will help!
Future plans:
- add an option to wrap/unwrap text in the log,
- add more types, including array types, for
Intent.putExtra()
, improve the dropdown UI for,Intent.putExtra()
- unblock the back button after the overlay is created,
- hide the soft keyboard when focusing away from the edit text input,
- create the UI to chain multiple exploitation requests and actions after deep link callback hijacking,
- showcase PoCs for already disclosed intent injection bug bounty reports,
- add more tests.
APK Name: Malware v1.3
Package name: com.kira.malware
Min SDK: 26
Target SDK: 32
Exported activities:
com.kira.malware.activities.MainActivity
com.kira.malware.activities.HiddenActivity
On the first launch, you might see a prompt asking you to grant the following permissions:
android.permission.INTERNET
android.permission.POST_NOTIFICATIONS
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.SYSTEM_ALERT_WINDOW
android.settings.action.MANAGE_OVERLAY_PERMISSION
URIs for internal QA testing purposes:
kira://hidden
content://com.kira.malware.TestSQLiteProvider
content://com.kira.malware.TestFileProvider/files/somefile.txt
Tip #1: Read or overwrite files from other apps.
Tip #2: Read world-readable shared preferences from other apps.
Figure 1 - File System
Tip #1: Test a [pending] implicit intent.
Tip #2: Perform a DoS on a [pending] implicit intent.
Tip #3: Test a deep link.
Tip #4: Hijack a deep link by specifying it in AndroidManifest.xml
under HiddenActivity and rebuild the APK.
<data
android:scheme="somescheme"
android:host="somehost"
/>
Tip #5: Perform a dictionary attack (battering ram) on a deep link by inserting the </injection>
placeholder in the URI.
Figure 2 - Implicit Intent
Tip #1: Access a protected component using an exported (proxy) intent.
Tip #2: It is common to access a private file or SQLite content provider.
An example on how to access a protected file content provider using an exported (proxy) intent:
Proxy Intent Package Name: com.someapp.dev
Proxy Intent Class Name: com.someapp.dev.ProxyActivity
Proxy Intent Action: com.someapp.dev.PROXY_ACTIVITY_ACTION
Proxy Intent Flags: // see the below image
Proxy Intent Put Extras: somekey \w </target-to-uri-unsafe>
Target Intent URI: content://com.someapp.dev.TargetFileProvider/files/somefile.txt
Target Intent Action: android.intent.action.SEND
Target Intent Flags: // see the below image
Target Intent Put Extras: ContentResolverController \w fileProvider
android.intent.extra.TEXT \w somevalue
Figure 3 - Implicit Intent Injection
Intent.putExtra()
logic can be found in controllers/IntentPutExtrasController.java and controllers/ImplicitIntentController.java.
The following applies only to the proxy
intent:
- If the value is of type
string
and equals to</target>
string, the whole value will be replaced withIntent
object andIntent.putParcelable()
will be used. - If the value is of type
string
and contains</target-to-uri>
string, all matching parts will be replaced withIntent.toUri(Intent.URI_INTENT_SCHEME)
string. - If the value is of type
string
and contains</target-to-uri-unsafe>
string, all matching parts will be replaced withIntent.toUri(Intent.URI_ALLOW_UNSAFE)
string.
Callback logic to access a file or SQLite content provider can be found in activities/HiddenActivity.java.
The following applies only to the target
intent:
- To use the file content provider callback, add
ContentResolverController \w fileProvider
extra. - To use the SQLite content provider callback, add
ContentResolverController \w sqliteProvider
extra.
Tip #1: Initiate a deep link callback from a website to hijack it.
Tip #2: Create further exploitation steps inside the code using OkHttp, intents, etc., and rebuild the APK.
Figure 4 - Web
Tip #1: To hijack a task, modify the task affinity in AndroidManifest.xml
under MainActivity and rebuild the APK.
Figure 5 - Task Hijacking
Tip #1: Test if other apps can detect an overlay.
Tip #2: Detect an overlay by checking MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED flags - this solution works only on older Android versions.
Read more about tapjacking and how to detect it here.
Figure 6 - Tapjacking
Tip #1: Save and load the UI state at any time.
Figure 7 - Saving and Loading