Skip to content

Are your bug bounty reports getting rejected because you don't use a "malicious" PoC app to exploit the vulnerabilities? I've got you covered!

License

Notifications You must be signed in to change notification settings

ivan-sincek/malware-apk

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Malware APK

As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?

As a security engineer, do you have trouble validating bug bounty reports and performing regression testing?

I've got you covered!


Rooting your device is not required.

For more tips and tricks check my Android penetration testing cheat sheet.


Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note20 Ultra with Android OS v13.0 (Tiramisu).

Made for educational purposes. I hope it will help!

Future plans:

  • add an option to wrap/unwrap text in the log,
  • add more types, including array types, for Intent.putExtra(),
  • improve the dropdown UI for Intent.putExtra(),
  • unblock the back button after the overlay is created,
  • hide the soft keyboard when focusing away from the edit text input,
  • create the UI to chain multiple exploitation requests and actions after deep link callback hijacking,
  • showcase PoCs for already disclosed intent injection bug bounty reports,
  • add more tests.

Table of Contents

About the App

APK Name: Malware v1.3

Package name: com.kira.malware

Min SDK: 26

Target SDK: 32

Exported activities:

  • com.kira.malware.activities.MainActivity
  • com.kira.malware.activities.HiddenActivity

On the first launch, you might see a prompt asking you to grant the following permissions:

  • android.permission.INTERNET
  • android.permission.POST_NOTIFICATIONS
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.settings.action.MANAGE_OVERLAY_PERMISSION

URIs for internal QA testing purposes:

  • kira://hidden
  • content://com.kira.malware.TestSQLiteProvider
  • content://com.kira.malware.TestFileProvider/files/somefile.txt

Usage

File System

Tip #1: Read or overwrite files from other apps.

Tip #2: Read world-readable shared preferences from other apps.

File System

Figure 1 - File System

Implicit Intent

Tip #1: Test a [pending] implicit intent.

Tip #2: Perform a DoS on a [pending] implicit intent.

Tip #3: Test a deep link.

Tip #4: Hijack a deep link by specifying it in AndroidManifest.xml under HiddenActivity and rebuild the APK.

<data
    android:scheme="somescheme"
    android:host="somehost"
/>

Tip #5: Perform a dictionary attack (battering ram) on a deep link by inserting the </injection> placeholder in the URI.

Implicit Intent

Figure 2 - Implicit Intent

Implicit Intent Injection

Tip #1: Access a protected component using an exported (proxy) intent.

Tip #2: It is common to access a private file or SQLite content provider.

An example on how to access a protected file content provider using an exported (proxy) intent:

Proxy Intent Package Name: com.someapp.dev
Proxy Intent Class Name:   com.someapp.dev.ProxyActivity
Proxy Intent Action:       com.someapp.dev.PROXY_ACTIVITY_ACTION
Proxy Intent Flags:        // see the below image
Proxy Intent Put Extras:   somekey \w </target-to-uri-unsafe>

Target Intent URI:         content://com.someapp.dev.TargetFileProvider/files/somefile.txt
Target Intent Action:      android.intent.action.SEND
Target Intent Flags:       // see the below image
Target Intent Put Extras:  ContentResolverController \w fileProvider
                           android.intent.extra.TEXT \w somevalue

Implicit Intent Injection

Figure 3 - Implicit Intent Injection

Intent.putExtra() logic can be found in controllers/IntentPutExtrasController.java and controllers/ImplicitIntentController.java.

The following applies only to the proxy intent:

  • If the value is of type string and equals to </target> string, the whole value will be replaced with Intent object and Intent.putParcelable() will be used.
  • If the value is of type string and contains </target-to-uri> string, all matching parts will be replaced with Intent.toUri(Intent.URI_INTENT_SCHEME) string.
  • If the value is of type string and contains </target-to-uri-unsafe> string, all matching parts will be replaced with Intent.toUri(Intent.URI_ALLOW_UNSAFE) string.

Callback logic to access a file or SQLite content provider can be found in activities/HiddenActivity.java.

The following applies only to the target intent:

  • To use the file content provider callback, add ContentResolverController \w fileProvider extra.
  • To use the SQLite content provider callback, add ContentResolverController \w sqliteProvider extra.

Web

Tip #1: Initiate a deep link callback from a website to hijack it.

Tip #2: Create further exploitation steps inside the code using OkHttp, intents, etc., and rebuild the APK.

Web

Figure 4 - Web

Task Hijacking

Tip #1: To hijack a task, modify the task affinity in AndroidManifest.xml under MainActivity and rebuild the APK.

Task Hijacking

Figure 5 - Task Hijacking

Tapjacking

Tip #1: Test if other apps can detect an overlay.

Tip #2: Detect an overlay by checking MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED flags - this solution works only on older Android versions.

Read more about tapjacking and how to detect it here.

Tapjacking

Figure 6 - Tapjacking

Saving and Loading

Tip #1: Save and load the UI state at any time.

Saving and Loading Your PoCs

Figure 7 - Saving and Loading