Awesome

Malware APK

As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?

As a security engineer, do you have trouble validating bug bounty reports and performing regression testing?

I've got you covered!

Rooting your device is not required.

For more tips and tricks check my Android penetration testing cheat sheet.

Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note20 Ultra with Android OS v13.0 (Tiramisu).

Made for educational purposes. I hope it will help!

Future plans:

add an option to wrap/unwrap text in the log,
add more types, including array types, for Intent.putExtra(),
~~improve the dropdown UI for Intent.putExtra()~~,
unblock the back button after the overlay is created,
hide the soft keyboard when focusing away from the edit text input,
create the UI to chain multiple exploitation requests and actions after deep link callback hijacking,
showcase PoCs for already disclosed intent injection bug bounty reports,
add more tests.

About the App
Usage

About the App

APK Name: Malware v1.3

Package name: com.kira.malware

Min SDK: 26

Target SDK: 32

Exported activities:

com.kira.malware.activities.MainActivity
com.kira.malware.activities.HiddenActivity

On the first launch, you might see a prompt asking you to grant the following permissions:

android.permission.INTERNET
android.permission.POST_NOTIFICATIONS
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.SYSTEM_ALERT_WINDOW
android.settings.action.MANAGE_OVERLAY_PERMISSION

URIs for internal QA testing purposes:

kira://hidden
content://com.kira.malware.TestSQLiteProvider
content://com.kira.malware.TestFileProvider/files/somefile.txt

Usage

File System

Tip #1: Read or overwrite files from other apps.

Tip #2: Read world-readable shared preferences from other apps.

<img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/file_system.jpg" alt="File System" height="600em"> Figure 1 - File System

Implicit Intent

Tip #1: Test a [pending] implicit intent.

Tip #2: Perform a DoS on a [pending] implicit intent.

Tip #3: Test a deep link.

Tip #4: Hijack a deep link by specifying it in AndroidManifest.xml under HiddenActivity and rebuild the APK.

<data
    android:scheme="somescheme"
    android:host="somehost"
/>

Tip #5: Perform a dictionary attack (battering ram) on a deep link by inserting the </injection> placeholder in the URI.

<img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/implicit_intent.jpg" alt="Implicit Intent" height="600em"> Figure 2 - Implicit Intent

Implicit Intent Injection

Tip #1: Access a protected component using an exported (proxy) intent.

Tip #2: It is common to access a private file or SQLite content provider.

An example on how to access a protected file content provider using an exported (proxy) intent:

Proxy Intent Package Name: com.someapp.dev
Proxy Intent Class Name:   com.someapp.dev.ProxyActivity
Proxy Intent Action:       com.someapp.dev.PROXY_ACTIVITY_ACTION
Proxy Intent Flags:        // see the below image
Proxy Intent Put Extras:   somekey \w </target-to-uri-unsafe>

Target Intent URI:         content://com.someapp.dev.TargetFileProvider/files/somefile.txt
Target Intent Action:      android.intent.action.SEND
Target Intent Flags:       // see the below image
Target Intent Put Extras:  ContentResolverController \w fileProvider
                           android.intent.extra.TEXT \w somevalue

<img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/implicit_intent_injection.jpg" alt="Implicit Intent Injection" height="600em"> Figure 3 - Implicit Intent Injection

Intent.putExtra() logic can be found in controllers/IntentPutExtrasController.java and controllers/ImplicitIntentController.java.

The following applies only to the proxy intent:

If the value is of type string and equals to </target> string, the whole value will be replaced with Intent object and Intent.putParcelable() will be used.
If the value is of type string and contains </target-to-uri> string, all matching parts will be replaced with Intent.toUri(Intent.URI_INTENT_SCHEME) string.
If the value is of type string and contains </target-to-uri-unsafe> string, all matching parts will be replaced with Intent.toUri(Intent.URI_ALLOW_UNSAFE) string.

Callback logic to access a file or SQLite content provider can be found in activities/HiddenActivity.java.

The following applies only to the target intent:

To use the file content provider callback, add ContentResolverController \w fileProvider extra.
To use the SQLite content provider callback, add ContentResolverController \w sqliteProvider extra.

Web

Tip #1: Initiate a deep link callback from a website to hijack it.

Tip #2: Create further exploitation steps inside the code using OkHttp, intents, etc., and rebuild the APK.

<img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/web.jpg" alt="Web" height="600em"> Figure 4 - Web

Task Hijacking

Tip #1: To hijack a task, modify the task affinity in AndroidManifest.xml under MainActivity and rebuild the APK.

<img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/task_hijacking.jpg" alt="Task Hijacking" height="600em"> Figure 5 - Task Hijacking

Tapjacking

Tip #1: Test if other apps can detect an overlay.

Tip #2: Detect an overlay by checking MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED flags - this solution works only on older Android versions.

Read more about tapjacking and how to detect it here.

<img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/tapjacking.jpg" alt="Tapjacking" height="600em"> Figure 6 - Tapjacking

Saving and Loading

Tip #1: Save and load the UI state at any time.

<img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/saving.jpg" alt="Saving and Loading Your PoCs" height="600em"> Figure 7 - Saving and Loading