
More lenient AXML parsing: allow for non-standard attributes sizes and avoid index exceptions when decoding some strings #2210

Merged: 2 commits, Jul 3, 2024

Conversation

qfalconer (Contributor)

Almost all malicious APKs are now shipped with a corrupted manifest. The corruption seeps in where the official Android parser is more lenient; in particular, the manifests present in this malware have one or more of the following:

  • The string count in the string chunk is almost always invalid. Jadx is immune to this because it correctly ignores it and decodes the string on demand, given an index.
  • The attribute size of the XML elements is greater than 20 (0x14). I've only seen 24 (0x18) being used; I don't know if Android extended the format (the extra DWORD seems to always be 0).
  • Every XML element has an android:tag referencing an invalid string index.

In this patch the attribute size of an XML element is now accounted for.
This size must be at least 20 (0x14) bytes but can be greater. Extra bytes are just skipped.

When decoding a string, if such decoding is impossible, a placeholder string is returned instead of throwing an exception. Not all code paths have been inspected, though (just what was necessary to make jadx parse the corrupted manifests at hand).

The attached test-corrupted-manifest.zip is an empty APK (or ZIP, same thing) with just a corrupted manifest from a real BRATA malware campaign. This can be useful to test this PR.

… must be at least 20 (0x14) bytes but can be greater. Extra bytes are just skipped. When decoding a string, if such decoding is impossible a placeholder string is returned instead of throwing an exception. This is necessary because some malware purposely add android:tag attributes with invalid string index to throw parsers off. They also employ non-standard attribute sizes.
@skylot skylot merged commit fd5b397 into skylot:master Jul 3, 2024
5 checks passed
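The three lenient behaviours the PR describes (decoding pool strings on demand without trusting the declared string count, honouring a per-element attribute size that may exceed 20 bytes and skipping the extra bytes, and returning a placeholder instead of throwing when a string index cannot be resolved), as an added Python example. This is not jadx's code, not the PR's patch, and the manifest bytes are constructed inline rather than taken from the attached test-corrupted-manifest.zip. The placeholder text `<invalid-string:...>` is an assumption, as is the choice to read only the string pool and the first start element; a real AXML file also carries namespace, resource-map and end-element chunks that this walker steps over by size.

```python
import struct

RES_XML_TYPE = 0x0003
RES_STRING_POOL_TYPE = 0x0001
RES_XML_START_ELEMENT = 0x0102
UTF8_FLAG = 0x100
TYPE_STRING = 0x03
ATTR_SIZE_MIN = 20      # sizeof(ResXMLTree_attribute): ns, name, rawValue, Res_value
NO_INDEX = 0xFFFFFFFF
PLACEHOLDER = "<invalid-string:{:#x}>"   # assumed wording, not jadx's own

class StringPool:
    """Decodes on demand; the declared stringCount is recorded but never trusted."""
    def __init__(self, data, off):
        (_t, hsize, csize, self.count, _styles, flags,
         strings_start, _styles_start) = struct.unpack_from('<HHIIIIII', data, off)
        self.data, self.end, self.utf8 = data, off + csize, bool(flags & UTF8_FLAG)
        self.offsets_at = off + hsize            # offset table follows the 28-byte header
        self.strings_at = off + strings_start    # string offsets are relative to this point

    def _length(self, pos, wide):
        # u16 (UTF-16 pool) or u8 (UTF-8 pool); a set high bit means a second unit follows
        if wide:
            n, = struct.unpack_from('<H', self.data, pos)
            if n & 0x8000:
                lo, = struct.unpack_from('<H', self.data, pos + 2)
                return ((n & 0x7FFF) << 16) | lo, pos + 4
            return n, pos + 2
        n = self.data[pos]
        return (((n & 0x7F) << 8) | self.data[pos + 1], pos + 2) if n & 0x80 else (n, pos + 1)

    def get(self, index):
        slot = self.offsets_at + 4 * index
        if index < 0 or slot + 4 > self.strings_at:   # slot is outside the real offset table
            return PLACEHOLDER.format(index)
        try:
            pos = self.strings_at + struct.unpack_from('<I', self.data, slot)[0]
            if self.utf8:                        # entry: charLen, byteLen, bytes, NUL
                _chars, pos = self._length(pos, wide=False)
                nbytes, pos = self._length(pos, wide=False)
            else:                                # entry: charLen, UTF-16LE units, NUL
                nbytes, pos = self._length(pos, wide=True)
                nbytes *= 2
            if pos + nbytes > self.end:
                raise ValueError("string runs past the pool chunk")
            return self.data[pos:pos + nbytes].decode('utf-8' if self.utf8 else 'utf-16-le')
        except (struct.error, IndexError, UnicodeDecodeError, ValueError):
            return PLACEHOLDER.format(index)     # placeholder instead of an exception

def parse_start_element(data, off, pool, honor_attr_size=True):
    """RES_XML_START_ELEMENT chunk at off -> (name, [(attr_name, value)], next_off)."""
    _t, hsize, csize = struct.unpack_from('<HHI', data, off)
    body = off + hsize                           # ResXMLTree_attrExt follows the node header
    _ns, name, attr_start, attr_size, attr_count = struct.unpack_from('<IIHHH', data, body)
    if attr_size < ATTR_SIZE_MIN:
        raise ValueError(f"attributeSize {attr_size} < {ATTR_SIZE_MIN}")
    stride = attr_size if honor_attr_size else ATTR_SIZE_MIN   # strict readers assume 20
    attrs, pos = [], body + attr_start
    for _ in range(attr_count):
        _ans, aname, _raw, _vsize, _res0, vtype, vdata = struct.unpack_from('<IIIHBBI', data, pos)
        value = pool.get(vdata) if vtype == TYPE_STRING else vdata
        attrs.append((pool.get(aname), value))
        pos += stride                            # any bytes beyond the 20 we read are skipped
    return pool.get(name), attrs, off + csize

def parse_manifest(data, honor_attr_size=True):
    """Walk the top-level chunks: load the string pool, return the first start element."""
    off, pool = struct.unpack_from('<H', data, 2)[0], None   # skip the RES_XML_TYPE header
    while off + 8 <= len(data):
        ctype, _h, csize = struct.unpack_from('<HHI', data, off)
        if csize < 8:                            # never loop on a zero-size chunk
            break
        if ctype == RES_STRING_POOL_TYPE:
            pool = StringPool(data, off)
        elif ctype == RES_XML_START_ELEMENT and pool is not None:
            name, attrs, _ = parse_start_element(data, off, pool, honor_attr_size)
            return name, attrs
        off += csize
    return None, []

def build_corrupted_manifest():
    """Constructed sample (not the PR's attachment): <manifest package=...> with 24-byte
    attribute records, android:tag at string index 0x7FFFFFFF, stringCount of 0xFFFF."""
    strings = [b"manifest", b"package", b"com.example.app", b"tag"]
    blob, offsets = b"", []
    for s in strings:
        offsets.append(len(blob))
        blob += bytes([len(s), len(s)]) + s + b"\x00"   # UTF-8 entry: charLen, byteLen, data, NUL
    blob += b"\x00" * (-len(blob) % 4)
    strings_start = 28 + 4 * len(strings)
    pool = struct.pack('<HHIIIIII', RES_STRING_POOL_TYPE, 28, strings_start + len(blob),
                       0xFFFF, 0, UTF8_FLAG, strings_start, 0)       # 0xFFFF: bogus count
    pool += b"".join(struct.pack('<I', o) for o in offsets) + blob
    attr_size = 24                               # 20 real bytes plus 4 bytes of padding
    attr = lambda n, i: struct.pack('<IIIHBBI', NO_INDEX, n, i, 8, 0, TYPE_STRING, i) + b"\x00" * (attr_size - ATTR_SIZE_MIN)
    attrs = attr(1, 2) + attr(3, 0x7FFFFFFF)      # package="com.example.app", tag=<bad index>
    elem = struct.pack('<HHIII', RES_XML_START_ELEMENT, 16, 36 + len(attrs), 1, NO_INDEX)
    elem += struct.pack('<IIHHHHHH', NO_INDEX, 0, 20, attr_size, 2, 0, 0, 0) + attrs
    return struct.pack('<HHI', RES_XML_TYPE, 8, 8 + len(pool) + len(elem)) + pool + elem
```

Running `parse_manifest(build_corrupted_manifest())` yields the element name `manifest`, the `package` attribute resolved to `com.example.app`, and the `tag` attribute as a placeholder rather than an exception. Passing `honor_attr_size=False` reproduces what a reader that hard-codes 20-byte attribute records does with the same bytes: the second attribute is read from the middle of the first one's padding and decodes as garbage, which is the misparse the PR's stride change avoids. The bounds check in `StringPool.get` is the part worth keeping when adapting this: it validates an index against the space actually present before `stringsStart`, so the bogus `stringCount` of 0xFFFF never matters.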
skylot (Owner) commented Jul 3, 2024

@qfalconer nice fix! Thank you 👍
