As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?
As a security engineer, do you have trouble validating bug bounty reports and performing regression testing?
I've got you covered!
Rooting your device is not required.
For more tips and tricks check my Android penetration testing cheat sheet.
Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note20 Ultra with Android OS v13.0 (Tiramisu).
Made for educational purposes. I hope it will help!
Future plans:
Intent.putExtra()
,Intent.putExtra()
APK Name: Malware v1.3
Package name: com.kira.malware
Min SDK: 26
Target SDK: 32
Exported activities:
com.kira.malware.activities.MainActivity
com.kira.malware.activities.HiddenActivity
On the first launch, you might see a prompt asking you to grant the following permissions:
android.permission.INTERNET
android.permission.POST_NOTIFICATIONS
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.SYSTEM_ALERT_WINDOW
android.settings.action.MANAGE_OVERLAY_PERMISSION
URIs for internal QA testing purposes:
kira://hidden
content://com.kira.malware.TestSQLiteProvider
content://com.kira.malware.TestFileProvider/files/somefile.txt
Tip #1: Read or overwrite files from other apps.
Tip #2: Read world-readable shared preferences from other apps.
Tip #1: Test a [pending] implicit intent.
Tip #2: Perform a DoS on a [pending] implicit intent.
Tip #3: Test a deep link.
Tip #4: Hijack a deep link by specifying it in AndroidManifest.xml
under HiddenActivity and rebuild the APK.
<data
android:scheme="somescheme"
android:host="somehost"
/>
Tip #5: Perform a dictionary attack (battering ram) on a deep link by inserting the </injection>
placeholder in the URI.
Tip #1: Access a protected component using an exported (proxy) intent.
Tip #2: It is common to access a private file or SQLite content provider.
An example on how to access a protected file content provider using an exported (proxy) intent:
Proxy Intent Package Name: com.someapp.dev
Proxy Intent Class Name: com.someapp.dev.ProxyActivity
Proxy Intent Action: com.someapp.dev.PROXY_ACTIVITY_ACTION
Proxy Intent Flags: // see the below image
Proxy Intent Put Extras: somekey \w </target-to-uri-unsafe>
Target Intent URI: content://com.someapp.dev.TargetFileProvider/files/somefile.txt
Target Intent Action: android.intent.action.SEND
Target Intent Flags: // see the below image
Target Intent Put Extras: ContentResolverController \w fileProvider
android.intent.extra.TEXT \w somevalue
Intent.putExtra()
logic can be found in controllers/IntentPutExtrasController.java and controllers/ImplicitIntentController.java.
The following applies only to the proxy
intent:
string
and equals to </target>
string, the whole value will be replaced with Intent
object and Intent.putParcelable()
will be used.string
and contains </target-to-uri>
string, all matching parts will be replaced with Intent.toUri(Intent.URI_INTENT_SCHEME)
string.string
and contains </target-to-uri-unsafe>
string, all matching parts will be replaced with Intent.toUri(Intent.URI_ALLOW_UNSAFE)
string.Callback logic to access a file or SQLite content provider can be found in activities/HiddenActivity.java.
The following applies only to the target
intent:
ContentResolverController \w fileProvider
extra.ContentResolverController \w sqliteProvider
extra.Tip #1: Initiate a deep link callback from a website to hijack it.
Tip #2: Create further exploitation steps inside the code using OkHttp, intents, etc., and rebuild the APK.
Tip #1: To hijack a task, modify the task affinity in AndroidManifest.xml
under MainActivity and rebuild the APK.
Tip #1: Test if other apps can detect an overlay.
Tip #2: Detect an overlay by checking MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED flags - this solution works only on older Android versions.
Read more about tapjacking and how to detect it here.
Tip #1: Save and load the UI state at any time.