Manual For Mobile Security
Lab 2 Mobile Malware Attack : Trojan
Download 354.78 Kb.
|
- Navigate this page:
- IntentReciever
- AndroidManifest.xml
Lab 2 Mobile Malware Attack : Trojan
Developing the Android Trojan
Demo
Lab 3 Mobile Malware Defenense This lab discusses a Trojan defense application from scratch which demonstrates the concept of mobile Malware Defense on Android platform. The main functionality of the defense application is that it sends notification to the user reminding him that few malicious applications installed on his mobile are sending text messages without his consciousness. Consider the flowchart shown below for better understanding. 
Consider the following steps:
Notice The method discussed here is only used for demonstrating a general idea of Mobile Malware Defense. Readers should perform gracefully based on hacking ethics and should not spread or utilize the code in this lab to harm other Android phone users to gain their own benefits. A more thorough specification of hacking ethics can be found here https://sites.google.com/site/mobilesecuritylabware/7-mobile-short-messaging/mobile-short-messaging-labs/lab-2-attack-secret-sms-attack/lab-activity/ethical-hacking Please read them carefully. Code Fragements
Demo
Mobile Spyware Detecting and Removing spyware by tool In this lab we are introduced to detection and removal of Android spyware via the use of off-the-shelf protection tools. In this lab we first install a real-world Android “Spyware” and then install the anti-spyware to detect and remove the spyware.
The app can be downloaded from http://android.downloadatoz.com/apps/com.gizmoquip.smstracker,68074.html
http://mobileapk.tk/anti-spy-mobile-pro-v1-9-1-apk/ 
“Penetration Test and Analysis” on spyware Threat/Attack This lab discusses the use of a malicious Android Application to demonstrate and simulate a spyware (malware) on the android mobile device. The malicious Android application (spyware) can catch user’s contact list from the Android mobile phone, and sends a malicious message to the contacts without user’s conscious, Student can analyse this spyware in this lab. Notice The attack method discussed here is only used for demonstrating a general idea of spyware. Readers should perform gracefully based on hacking ethics and should not spread or utilize the code in the lab to harm other Android phones users to gain their own benefits. A more thorough specification of hacking ethics can be found here. Code Fragments Let us assume that the malicious application has been installed on a victim’s Android phone carelessly. When the user clicks the button the spyware can catch the user’s contact list. To utilize the contact list on the phone, the malicious code must request the permissions accordingly in AndroidManifest.xml as the following code fragment. 
The below fragment code shows how to get contact list information by code: 
Demo To test the Demo we open two emulators on the eclipse. Emulator1 The API serves as the victim which unknowingly installs and runs the malicious application. Emulator2 Hello world runs as one of the users on the victims contact list on the emulator1. The emulator1’s contact list screen is shown below: 
The spyware on emulator1 runs as shown below: 
When the user clicks the button on emultor1, the other side on Emulator 2 receives a message as shown below: 
https://sites.google.com/site/mobilesecuritylabware/5-mobile-spyware/spyware-reverse-engineering-lab/1-spyware-attact-lab/lab-activity/Simple_Malware.apk?attredirects=0&d=1 Defence Reverse Engineering analysis Reverse engineering is the most popular malware analysis method specified in android development. This lab provides a malware application and teaches students how to analyse the application and how to protect the mobile device by using reverse engineering from the malware application. We first take a look at some general information about reverse engineering. Reverse engineering is a method to take apart an object to see how it works in order to duplicate or enhance the object, it is a practise taken from older industries, and is now frequently used on computer hardware and software. Software reverse engineering involves reversing a program’s machine code (string 0’s and 1’s that are sent to the logic processor) back into the source code that it was written in, using program language statements. There are many tools that implement reverse engineering in android development. It can fully decompile the apps thus making the code readable and understandable. XdaDeveloperBrut.all has been working on a decompiler for android apps for a while. He had found the first workaround for enabling google maps navigation outside US by decompiling Google maps for android. The tool is called APKTool and is opensource. Another called dex2jar, developed by a Chinese student will translate dex to jar file. The next step would be to use jd-gui, the source code is readable as dex2jar makes some optimizations. An alternative option is use to Smali (http://code.google.com/p/smali/), which provides BAKSMALI which is most excellent reverse-engineering tool for DEX files. The tool was developed by JesusFreke, who is famous for making popular ROMs for android. The next portion of this manual covers the lab which would give detail by using one of the above tools in reverse engineering. LAB ACTIVITY In this lab, a simple malware was given to the students to give a general idea (Reverse Engineering) of analysing this kind of spyware. This lab also gives a Auto-analysis method by checking the result of decompiling. Part1: Decompile APK to JavaCode This part of the lab requires to two tools to be downloaded dex2jar and JD_GUI Dex2jar is a tool to transit classes.dex by converting .apk extention into .jar file . JD-GUI is a decompiler tool. The tools dex2jar and JD_GUI can be downloaded from the links below Dex2jar: http://laichao.googlecode.com/files/dex2jar-0.0.7-SNAPSHOT.zip JD_GUI: http://laichao.googlecode.com/files/jdgui.zip The first step in this part of the lab is to convert is to change the extension of the apk file from .apk to .zip, and unpack it, by doing which we get the classes.dex. Then unpack the dex2jar, and place the classes.dex into dex2jar folder. 
The next step is to run JD-GUI (jd-gui.exe), open classes.dex.dex2jar.jar, where we can see the code as shown below 
Part2: Decompile apkfile to get AndroidManifest.xml The apktool can be downloaded from the link given below: http://code.google.com/p/android-apktool/downloads/list download apktool 1.5.2.tar.bz2 and apktool-install-windows-r05-ibot.tar.bz2 The next step is to upack the two downloaded files, we then get the three following files: aapt.exe, apktool.bat, apktool.jar . Copy the apktool.jar into the folder containing aapt.exe and apktool.bat. Then using the command prompt go to the folder containing the above mentioned three files and run the following command to get the .xml file Apktool.bat d c:\*.apk c:\* 
The AndoridManifest.xml file gets generated 
Code The general working idea of the application was written as the following: The spyware has been analysed by a kind of rules, where every rule aims to one specific spyware (malware), in this lab we serve one of the rules, but the rule can be added for aiming to another spyware (malware). 
Code:
The result of analysis of the spyware is as shown below: :
6. Secure Mobile App Development Lab1: Android coding Vulnerabilities lab This lab tries to help students to get familiar with coding vulnerabilities of android programming, which include buffer overflow, input validation, SQL injection etc with other programming languages and platforms. There are some unique coding vulnerability in android programming that we need to be aware of. Ignoring these coding vulnerabilities will cause disastrous security issues. Tips for android coding vulnerabilities
Lab Activities The diagram below shows an intent object which contains sensitive information (username and password in this example) is passed from one activity to another in order to start an Activity. However, since a malware has higher priority level in the InterntFilter, It has intercepted the Intent, parsed the Intent object, and then obtain the secret information (username and password). So, in Android programming, we need to keep in mind that sensitive information cannot be passed through an Intent object (please refer to Tip 5). 
Fig Basic idea of intent Passing and interception This lab shows an implicit intent object passed from one activity object to another activity object with vulnerability.
Android_intentActivity.java // Android_intentActivity.java: // passing an Intent to another Activity package android.androidintent; import android.app.Activity; import android.content.Intent; import android.os.Bundle; import android.view.View; import android.widget.EditText; public class Android_intentActivity extends Activity { EditText e1,e2; /** Called when the activity is first created. */ @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); e1=(EditText)findViewById(R.id.editText1); e2=(EditText)findViewById(R.id.editText2); }
public void on_submit(View v){ Intent intent=new Intent(); Bundle bun = new Bundle(); bun.putString("Username", e1.getText().toString()); bun.putString("Password", e2.getText().toString()); intent.setAction("android.androidintent.IntentReciever"); intent.putExtras(bun); Android_intentActivity.this.startActivity(intent); } }
// IntentReceiver.java: // Intent intercepted and sensitive information extracted
package android.androidintent; import android.app.Activity; import android.content.Intent; import android.os.Bundle; import android.util.Log; import android.widget.TextView;
public class IntentReciever extends Activity { /** Called when the activity is first created. */ TextView t1,t2; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main1); Bundle bun = getIntent().getExtras(); String result1 = bun.getString("Username"); String result2 = bun.getString("Password"); t1=(TextView)findViewById(R.id.textView1); t2=(TextView)findViewById(R.id.textView2); t1.setText("Username:"+result1); t2.setText("Password:"+result2); Log.d("Username",result1); Log.d("Password",result2); }
} AndroidManifest.xml android:versionCode="1" android:versionName="1.0" > android:icon="@drawable/ic_launcher"
android:label="@string/app_name" > android:name=".Android_intentActivity" android:label="@string/app_name" >
Results Demo Activity1: Username/Password typed and intent object created 
Malware Activity: Intent Intercepted and Sensitive Information Extracted 
Solution This lab requires us to learn, how to safely pass data between different activity objects. You will need to design a mechanism, which can pass data safely between different activities, without having to wrapping sensitive data within an intent object. The goal being to avoid an intent object being intercepted by malicious activity. There are different ways to achieve this goal, such as SQLLite, intent object creation etc. Please design your own mechanism and implement your solution. Lab2: Android Activities with intent Security Concern In this lab, we will use a malicious Android application we wrote to demonstrate a kind of intent security problem on Android platform. The malicious Android application can get the intent information from “Intent app” if the Show Activity has same action name and other characters are also the same with hack activity in Intent Filters. At the same time, the main activity intents according to the action name and other characters in the intent filter. The following diagram shows the basic idea of this security problem. 
Fig Intent app has intent Filters in shown activity. This lab utilizes android attack application that we developed to give user a brief demonstration on how hackers get the data the activities sent in other applications. Special Notice The attack method discussed here is only used for demonstrating a general idea of Intent attacks. Readers should perform gracefully based on hacking ethics and should not spread or utilize the code in this lab to harm other Android phone users to gain their own benefits. A more thorough specification of hacking ethics can be found here and here. Please read them carefully. Code Fragments The Android Manifest.xml of a common login application, may define an activity like this: 
The below activity is for getting the user information of username and password which the user inputs in the previous activity and presses the login button. The activity can be called using: 
Next we need to create a hack app with the following activity 
The code in the main activity java file of the hack app would have: 
If this hack app runs on an android phone together with the previous common app, after the user inputs the user name and password and presses button to active the intent function and try to login, the hack app will also get the information input by the user. Demo: First we input the username and password and click Login 
The correct login activity that we want is shown below 
The information shown in the hacker’s app is as shown in the below screen shot 
Defense In this lab, an android application is updated to defend the intent security problem on android platform. The malicious android application never gets the intent information from “Intent app”, even though the show activity has same action name and other characters are also the same with hack activity in intent filters. The main activity intents according to the class name and the package name. The below diagram shows the basic idea of this solution 
The lab utilizes android attack application that we developed to give user a brief demonstration on how to avoid attack hackers to get the data the activities sent in applications Code fragment We need to be aware of the below code lines created in the previous lab 
SetClassName() for explicit intent is used, instead of using setAction() to reach implicit intent 
As the explicit intent will go straight to the activity we want and ignore the intent filters, the hack app will never get the information sent in intent function. Version 1: Code: TestIntentActivity.java
package android.testintent; import android.app.Activity; import android.content.Intent; import android.os.Bundle; import android.view.View; import android.view.View.OnClickListener; import android.widget.Button; import android.widget.EditText; public class TestIntentActivity extends Activity { /** Called when the activity is first created. */ String name; String password; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); final Button logb=(Button)findViewById(R.id.logb); final EditText Uname=(EditText)findViewById(R.id.uname); final EditText Pword=(EditText)findViewById(R.id.pword); // final String name; // final String password; logb.setOnClickListener(new OnClickListener() { public void onClick(View v) { name=Uname.getText().toString(); password=Pword.getText().toString(); Intent intent = new Intent(); intent.putExtra("username", name); intent.putExtra("password", password); // intent.setAction("android.testintent.Login"); // intent.addCategory(Intent.CATEGORY_DEFAULT); intent.setClassName("android.testintent","android.testintent.Login"); startActivity(intent); }
}
package android.testintent; import android.app.Activity; import android.os.Bundle; import android.widget.TextView; public class Login extends Activity { @Override
android:versionCode="1" android:versionName="1.0"> android:theme="@android:style/Theme.NoTitleBar" /> android:label="Login" >
The first step is to give username and password as input and click on login
This is the login activity that we want and no information sent to the hack app. 
Android_intentactivity.java package android.androidintent; import android.app.Activity; import android.content.Intent; import android.os.Bundle; import android.view.View; import android.widget.EditText; public class Android_intentActivity extends Activity { EditText e1,e2; /** Called when the activity is first created. */ @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); e1=(EditText)findViewById(R.id.editText1); e2=(EditText)findViewById(R.id.editText2); } public void onClick(View v){ Intent intent = new Intent(this,Android_intentActivity.class); intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); Bundle bun = new Bundle(); bun.putString("Username", e1.getText().toString()); bun.putString("Password", e2.getText().toString()); intent.setClass(this, IntentReciever.class); intent.putExtras(bun); Android_intentActivity.this.startActivity(intent); } }
|
