Dropdown UI & Dictionary Attack

.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

.gitignore

@@ -0,0 +1,33 @@
+# Gradle files
+.gradle/
+build/
+
+# Local configuration file (sdk path, etc)
+local.properties
+
+# Log/OS Files
+*.log
+
+# Android Studio generated files and folders
+captures/
+.externalNativeBuild/
+.cxx/
+*.apk
+output.json
+
+# IntelliJ
+*.iml
+.idea/
+misc.xml
+deploymentTargetDropDown.xml
+render.experimental.xml
+
+# Keystore files
+*.jks
+*.keystore
+
+# Google Services (e.g. APIs or Firebase)
+google-services.json
+
+# Android Profiling
+*.hprof

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Ivan Šincek
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,186 @@
+# Malware APK
+
+As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?
+
+As a security engineer, do you have trouble validating bug bounty reports and performing regression testing?
+
+I've got you covered!
+
+---
+
+**Rooting your device is not required.**
+
+For more tips and tricks check my [Android penetration testing cheat sheet](https://github.com/ivan-sincek/android-penetration-testing-cheat-sheet).
+
+---
+
+Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note20 Ultra with Android OS v13.0 (Tiramisu).
+
+Made for educational purposes. I hope it will help!
+
+Future plans:
+
+* add an option to wrap/unwrap text in the log,
+* add more types, including array types, for `Intent.putExtra()`,
+* ~~improve the dropdown UI for `Intent.putExtra()`~~,
+* unblock the back button after the overlay is created,
+* hide the soft keyboard when focusing away from the edit text input,
+* create the UI to chain multiple exploitation requests and actions after [deep link callback hijacking](#web),
+* showcase PoCs for already disclosed intent injection bug bounty reports,
+* add more tests.
+
+## Table of Contents
+
+* [About the App](#about-the-app)
+* [Usage](#usage)
+    * [File System](#file-system)
+    * [Implicit Intent](#implicit-intent)
+    * [Implicit Intent Injection](#implicit-intent-injection)
+    * [Web](#web)
+    * [Task Hijacking](#task-hijacking)
+    * [Tapjacking](#tapjacking)
+    * [Saving and Loading](#saving-and-loading)
+
+## About the App
+
+APK Name: `Malware v1.3`
+
+Package name: `com.kira.malware`
+
+Min SDK: `26`
+
+Target SDK: `32`
+
+Exported activities:
+
+* `com.kira.malware.activities.MainActivity`
+* `com.kira.malware.activities.HiddenActivity`
+
+On the first launch, you might see a prompt asking you to grant the following permissions:
+
+* `android.permission.INTERNET`
+* `android.permission.POST_NOTIFICATIONS`
+* `android.permission.READ_EXTERNAL_STORAGE`
+* `android.permission.WRITE_EXTERNAL_STORAGE`
+* `android.permission.SYSTEM_ALERT_WINDOW`
+* `android.settings.action.MANAGE_OVERLAY_PERMISSION`
+
+URIs for internal QA testing purposes:
+
+* `kira://hidden`
+* `content://com.kira.malware.TestSQLiteProvider`
+* `content://com.kira.malware.TestFileProvider/files/somefile.txt`
+
+## Usage
+
+### File System
+
+**Tip #1:** Read or overwrite files from other apps.
+
+**Tip #2:** Read world-readable shared preferences from other apps.
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/file_system.jpg" alt="File System" height="600em"></p>
+
+<p align="center">Figure 1 - File System</p>
+
+### Implicit Intent
+
+**Tip #1:** Test a \[pending\] implicit intent.
+
+**Tip #2:** Perform a DoS on a \[pending\] implicit intent.
+
+**Tip #3:** Test a deep link.
+
+**Tip #4:** Hijack a deep link by specifying it in `AndroidManifest.xml` under [HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L48) and rebuild the APK.
+
+**Tip #5:** Perform a dictionary attack (battering ram) on a deep link by inserting the `</injection>` placeholder in the URI.
+
+```xml
+<data
+    android:scheme="somescheme"
+    android:host="somehost"
+/>
+```
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/implicit_intent.jpg" alt="Implicit Intent" height="600em"></p>
+
+<p align="center">Figure 2 - Implicit Intent</p>
+
+### Implicit Intent Injection
+
+**Tip #1:** Access a protected component using an exported (proxy) intent.
+
+**Tip #2:** It is common to access a private file or SQLite content provider.
+
+An example on how to access a protected file content provider using an exported (proxy) intent:
+
+```fundamental
+Proxy Intent Package Name: com.someapp.dev
+Proxy Intent Class Name:   com.someapp.dev.ProxyActivity
+Proxy Intent Action:       com.someapp.dev.PROXY_ACTIVITY_ACTION
+Proxy Intent Flags:        // see the below image
+Proxy Intent Put Extras:   somekey \w </target-to-uri-unsafe>
+
+Target Intent URI:         content://com.someapp.dev.TargetFileProvider/files/somefile.txt
+Target Intent Action:      android.intent.action.SEND
+Target Intent Flags:       // see the below image
+Target Intent Put Extras:  ContentResolverController \w fileProvider
+                           android.intent.extra.TEXT \w somevalue
+```
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/implicit_intent_injection.jpg" alt="Implicit Intent Injection" height="600em"></p>
+
+<p align="center">Figure 3 - Implicit Intent Injection</p>
+
+`Intent.putExtra()` logic can be found in [controllers/IntentPutExtrasController.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/IntentPutExtrasController.java#L247) and [controllers/ImplicitIntentController.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/ImplicitIntentController.java#L36).
+
+The following applies only to the `proxy` intent:
+
+* If the value is of type `string` and equals to `</target>` string, the whole value will be replaced with `Intent` object and `Intent.putParcelable()` will be used.
+* If the value is of type `string` and contains `</target-to-uri>` string, all matching parts will be replaced with `Intent.toUri(Intent.URI_INTENT_SCHEME)` string.
+* If the value is of type `string` and contains `</target-to-uri-unsafe>` string, all matching parts will be replaced with `Intent.toUri(Intent.URI_ALLOW_UNSAFE)` string.
+
+Callback logic to access a file or SQLite content provider can be found in [activities/HiddenActivity.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/activities/HiddenActivity.java#L40).
+
+The following applies only to the `target` intent:
+
+* To use the file content provider callback, add `ContentResolverController \w fileProvider` extra.
+* To use the SQLite content provider callback, add `ContentResolverController \w sqliteProvider` extra.
+
+### Web
+
+**Tip #1:** Initiate a deep link callback from a website to hijack it.
+
+**Tip #2:** Create further exploitation steps inside the code using [OkHttp](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/WebController.java#L154), [intents](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/ImplicitIntentController.java#L128), etc., and rebuild the APK.
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/web.jpg" alt="Web" height="600em"></p>
+
+<p align="center">Figure 4 - Web</p>
+
+### Task Hijacking
+
+**Tip #1:** To hijack a task, modify the task affinity in `AndroidManifest.xml` under [MainActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L29) and rebuild the APK.
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/task_hijacking.jpg" alt="Task Hijacking" height="600em"></p>
+
+<p align="center">Figure 5 - Task Hijacking</p>
+
+### Tapjacking
+
+Tip #1: Test if other apps can detect an overlay.
+
+Tip #2: Detect an overlay by checking [MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/fragments/TapHijackingFragment.java#L53) flags - this solution works only on older Android versions.
+
+Read more about tapjacking and how to detect it [here](https://developer.android.com/privacy-and-security/risks/tapjacking).
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/tapjacking.jpg" alt="Tapjacking" height="600em"></p>
+
+<p align="center">Figure 6 - Tapjacking</p>
+
+### Saving and Loading
+
+**Tip #1:** Save and load the UI state at any time.
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/saving.jpg" alt="Saving and Loading Your PoCs" height="600em"></p>
+
+<p align="center">Figure 7 - Saving and Loading</p>

src/Malware/.gitignore

@@ -0,0 +1,15 @@
+*.iml
+.gradle
+/local.properties
+/.idea/caches
+/.idea/libraries
+/.idea/modules.xml
+/.idea/workspace.xml
+/.idea/navEditor.xml
+/.idea/assetWizardSettings.xml
+.DS_Store
+/build
+/captures
+.externalNativeBuild
+.cxx
+local.properties

src/Malware/app/.gitignore

@@ -0,0 +1 @@
+/build

src/Malware/app/build.gradle

@@ -0,0 +1,45 @@
+plugins {
+    id 'com.android.application'
+}
+
+android {
+    namespace 'com.kira.malware'
+    compileSdk 32
+
+    defaultConfig {
+        applicationId "com.kira.malware"
+        minSdk 26
+        targetSdk 32
+        versionCode 1
+        versionName "1.2"
+        testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
+    }
+
+    buildTypes {
+        release {
+            minifyEnabled false
+            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
+        }
+    }
+
+    compileOptions {
+        sourceCompatibility JavaVersion.VERSION_1_8
+        targetCompatibility JavaVersion.VERSION_1_8
+    }
+}
+
+dependencies {
+    implementation 'androidx.appcompat:appcompat:1.5.1'
+    implementation 'androidx.browser:browser:1.4.0'
+    implementation 'androidx.core:core:1.7.0'
+    implementation 'androidx.constraintlayout:constraintlayout:2.1.4'
+    implementation 'com.google.android.material:material:1.8.0'
+    implementation 'com.google.code.gson:gson:2.9.1'
+    implementation files('libs\\okhttp-4.10.0.jar')
+    implementation files('libs\\okio-2.9.0.jar')
+
+    testImplementation 'junit:junit:4.13.2'
+
+    androidTestImplementation 'androidx.test.espresso:espresso-core:3.5.1'
+    androidTestImplementation 'androidx.test.ext:junit:1.1.5'
+}

src/Malware/app/proguard-rules.pro

@@ -0,0 +1,21 @@
+# Add project specific ProGuard rules here.
+# You can control the set of applied configuration files using the
+# proguardFiles setting in build.gradle.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+#   public *;
+#}
+
+# Uncomment this to preserve the line number information for
+# debugging stack traces.
+#-keepattributes SourceFile,LineNumberTable
+
+# If you keep the line number information, uncomment this to
+# hide the original source file name.
+#-renamesourcefileattribute SourceFile

src/Malware/app/src/androidTest/java/com/kira/malware/ExampleInstrumentedTest.java

@@ -0,0 +1,26 @@
+package com.kira.malware;
+
+import android.content.Context;
+
+import androidx.test.platform.app.InstrumentationRegistry;
+import androidx.test.ext.junit.runners.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.junit.Assert.*;
+
+/**
+ * Instrumented test, which will execute on an Android device.
+ *
+ * @see <a href="http://d.android.com/tools/testing">Testing documentation</a>
+ */
+@RunWith(AndroidJUnit4.class)
+public class ExampleInstrumentedTest {
+    @Test
+    public void useAppContext() {
+        // Context of the app under test.
+        Context appContext = InstrumentationRegistry.getInstrumentation().getTargetContext();
+        assertEquals("com.kira.malware", appContext.getPackageName());
+    }
+}