Malware APK

As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?

As a security engineer, do you have trouble validating bug bounty reports and performing regression testing?

I've got you covered!

---

Rooting your device is not required.

For more tips and tricks check my Android penetration testing cheat sheet.

---

Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note20 Ultra with Android OS v13.0 (Tiramisu).

Made for educational purposes. I hope it will help!

Future plans:

• add an option to wrap/unwrap text in the log,
• add more types, including array types, for Intent.putExtra(),
• improve the dropdown UI for Intent.putExtra(),
• unblock the back button after the overlay is created,
• hide the soft keyboard when focusing away from the edit text input,
• create the UI to chain multiple exploitation requests and actions after deep link callback hijacking,
• showcase PoCs for already disclosed intent injection bug bounty reports,
• add more tests.

Table of Contents

• About the App
• Usage
  • File System
  • Implicit Intent
  • Implicit Intent Injection
  • Web
  • Task Hijacking
  • Tapjacking
  • Saving and Loading

About the App

APK Name: Malware v1.3

Package name: com.kira.malware

Min SDK: 26

Target SDK: 32

Exported activities:

• com.kira.malware.activities.MainActivity
• com.kira.malware.activities.HiddenActivity

On the first launch, you might see a prompt asking you to grant the following permissions:

• android.permission.INTERNET
• android.permission.POST_NOTIFICATIONS
• android.permission.READ_EXTERNAL_STORAGE
• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.SYSTEM_ALERT_WINDOW
• android.settings.action.MANAGE_OVERLAY_PERMISSION

URIs for internal QA testing purposes:

• kira://hidden
• content://com.kira.malware.TestSQLiteProvider
• content://com.kira.malware.TestFileProvider/files/somefile.txt

Usage

File System

Tip #1: Read or overwrite files from other apps.

Tip #2: Read world-readable shared preferences from other apps.

Figure 1 - File System

Implicit Intent

Tip #1: Test a [pending] implicit intent.

Tip #2: Perform a DoS on a [pending] implicit intent.

Tip #3: Test a deep link.

Tip #4: Hijack a deep link by specifying it in AndroidManifest.xml under HiddenActivity and rebuild the APK.

<data
    android:scheme="somescheme"
    android:host="somehost"
/>

Tip #5: Perform a dictionary attack (battering ram) on a deep link by inserting the </injection> placeholder in the URI.

Figure 2 - Implicit Intent

Implicit Intent Injection

Tip #1: Access a protected component using an exported (proxy) intent.

Tip #2: It is common to access a private file or SQLite content provider.

An example on how to access a protected file content provider using an exported (proxy) intent:

Proxy Intent Package Name: com.someapp.dev
Proxy Intent Class Name:   com.someapp.dev.ProxyActivity
Proxy Intent Action:       com.someapp.dev.PROXY_ACTIVITY_ACTION
Proxy Intent Flags:        // see the below image
Proxy Intent Put Extras:   somekey \w </target-to-uri-unsafe>

Target Intent URI:         content://com.someapp.dev.TargetFileProvider/files/somefile.txt
Target Intent Action:      android.intent.action.SEND
Target Intent Flags:       // see the below image
Target Intent Put Extras:  ContentResolverController \w fileProvider
                           android.intent.extra.TEXT \w somevalue

Figure 3 - Implicit Intent Injection

Intent.putExtra() logic can be found in controllers/IntentPutExtrasController.java and controllers/ImplicitIntentController.java.

The following applies only to the proxy intent:

• If the value is of type string and equals to </target> string, the whole value will be replaced with Intent object and Intent.putParcelable() will be used.
• If the value is of type string and contains </target-to-uri> string, all matching parts will be replaced with Intent.toUri(Intent.URI_INTENT_SCHEME) string.
• If the value is of type string and contains </target-to-uri-unsafe> string, all matching parts will be replaced with Intent.toUri(Intent.URI_ALLOW_UNSAFE) string.

Callback logic to access a file or SQLite content provider can be found in activities/HiddenActivity.java.

The following applies only to the target intent:

• To use the file content provider callback, add ContentResolverController \w fileProvider extra.
• To use the SQLite content provider callback, add ContentResolverController \w sqliteProvider extra.

Web

Tip #1: Initiate a deep link callback from a website to hijack it.

Tip #2: Create further exploitation steps inside the code using OkHttp, intents, etc., and rebuild the APK.

Figure 4 - Web

Task Hijacking

Tip #1: To hijack a task, modify the task affinity in AndroidManifest.xml under MainActivity and rebuild the APK.

Figure 5 - Task Hijacking

Tapjacking

Tip #1: Test if other apps can detect an overlay.

Tip #2: Detect an overlay by checking MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED flags - this solution works only on older Android versions.

Read more about tapjacking and how to detect it here.

Figure 6 - Tapjacking

Saving and Loading

Tip #1: Save and load the UI state at any time.

Figure 7 - Saving and Loading