ivan-sincek/malware-apk

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?

As a security engineer, do you have trouble validating bug bounty reports and performing regression testing?

I've got you covered!


Rooting your device is not required.

For more tips and tricks check my Android penetration testing cheat sheet.


Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note20 Ultra with Android OS v13.0 (Tiramisu).

Made for educational purposes. I hope it will help!

Future plans:

  • add an option to wrap/unwrap text in the log,
  • add more types, including array types, for Intent.putExtra(),
  • improve the dropdown UI for Intent.putExtra(),
  • unblock the back button after the overlay is created,
  • hide the soft keyboard when focusing away from the edit text input,
  • create the UI to chain multiple exploitation requests and actions after deep link callback hijacking,
  • showcase PoCs for already disclosed intent injection bug bounty reports,
  • add more tests.


About the App

APK Name: Malware v1.3

Package name: com.kira.malware

Min SDK: 26

Target SDK: 32

Exported activities:

  • com.kira.malware.activities.MainActivity
  • com.kira.malware.activities.HiddenActivity

On the first launch, you might see a prompt asking you to grant the following permissions:

  • android.permission.INTERNET
  • android.permission.POST_NOTIFICATIONS
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.settings.action.MANAGE_OVERLAY_PERMISSION

URIs for internal QA testing purposes:

  • kira://hidden
  • content://com.kira.malware.TestSQLiteProvider
  • content://com.kira.malware.TestFileProvider/files/somefile.txt

Usage

File System

Tip #1: Read or overwrite files from other apps.

Tip #2: Read world-readable shared preferences from other apps.

Figure 1 - File System

Implicit Intent

Tip #1: Test a [pending] implicit intent.

Tip #2: Perform a DoS on a [pending] implicit intent.

Tip #3: Test a deep link.

Tip #4: Hijack a deep link by specifying it in AndroidManifest.xml under HiddenActivity and rebuild the APK.

```xml
<data android:scheme="somescheme" android:host="somehost" />
```

Tip #5: Perform a dictionary attack (battering ram) on a deep link by inserting the `</injection>` placeholder in the URI.

Figure 2 - Implicit Intent
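Tips #3 to #5 above exercise what a deep link handler accepts. The following is an added example, not code from the malware-apk project, of the receiving side validating an incoming deep link before acting on it: the scheme and host match the README's `kira://hidden` test URI, while the class name, the parameter allowlist and the length cap are assumptions. Hijacking of the link itself (Tip #4) is addressed in the manifest, by verified App Links rather than a plain custom scheme; this code only covers the parameter surface that a battering-ram run (Tip #5) would hit.

```java
// Added example (not part of the malware-apk project). Class name, allowed
// parameters and length cap are assumptions; scheme/host come from the README.
package com.someapp.dev;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkActivity extends Activity {
    private static final String TAG = "DeepLinkActivity";
    private static final String SCHEME = "kira";
    private static final String HOST = "hidden";
    // Only these query parameters are read; everything else rejects the link.
    private static final Set<String> ALLOWED_PARAMS = new HashSet<>(Arrays.asList("id", "tab"));
    private static final int MAX_VALUE_LENGTH = 64;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri link = getIntent().getData();
        if (!isAllowedDeepLink(link)) {
            Log.w(TAG, "Rejected deep link: " + link);
            finish();
            return;
        }
        String id = link.getQueryParameter("id");
        // Route only on parameters that passed validation above.
    }

    /** Returns true only for kira://hidden with an allowlisted, length-capped query. */
    static boolean isAllowedDeepLink(Uri link) {
        // Opaque URIs (no '//') have no query to inspect; reject them outright.
        if (link == null || !link.isHierarchical()) return false;
        if (!SCHEME.equals(link.getScheme()) || !HOST.equals(link.getHost())) return false;
        // Only the bare host is accepted; any path component is rejected.
        String path = link.getPath();
        if (path != null && !path.isEmpty() && !"/".equals(path)) return false;
        for (String name : link.getQueryParameterNames()) {
            if (!ALLOWED_PARAMS.contains(name)) return false;
            String value = link.getQueryParameter(name);
            if (value == null || value.isEmpty() || value.length() > MAX_VALUE_LENGTH) return false;
        }
        return true;
    }
}
```

The `isHierarchical()` check comes first because `getQueryParameterNames()` throws on opaque URIs; putting it last would turn a malformed link into a crash instead of a rejection.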

Implicit Intent Injection

Tip #1: Access a protected component using an exported (proxy) intent.

Tip #2: A common case is reaching a private file or SQLite content provider this way.

An example of how to access a protected file content provider using an exported (proxy) intent:

```
Proxy Intent Package Name: com.someapp.dev
Proxy Intent Class Name:   com.someapp.dev.ProxyActivity
Proxy Intent Action:       com.someapp.dev.PROXY_ACTIVITY_ACTION
Proxy Intent Flags:        // see the below image
Proxy Intent Put Extras:   somekey \w </target-to-uri-unsafe>
Target Intent URI:         content://com.someapp.dev.TargetFileProvider/files/somefile.txt
Target Intent Action:      android.intent.action.SEND
Target Intent Flags:       // see the below image
Target Intent Put Extras:  ContentResolverController \w fileProvider
                           android.intent.extra.TEXT \w somevalue
```

Figure 3 - Implicit Intent Injection

Intent.putExtra() logic can be found in controllers/IntentPutExtrasController.java and controllers/ImplicitIntentController.java.

The following applies only to the proxy intent:

  • If the value is of type string and equals the `</target>` string, the whole value will be replaced with the Intent object and Intent.putParcelable() will be used.
  • If the value is of type string and contains the `</target-to-uri>` string, all matching parts will be replaced with the Intent.toUri(Intent.URI_INTENT_SCHEME) string.
  • If the value is of type string and contains the `</target-to-uri-unsafe>` string, all matching parts will be replaced with the Intent.toUri(Intent.URI_ALLOW_UNSAFE) string.

Callback logic to access a file or SQLite content provider can be found in activities/HiddenActivity.java.

The following applies only to the target intent:

  • To use the file content provider callback, add the ContentResolverController \w fileProvider extra.
  • To use the SQLite content provider callback, add the ContentResolverController \w sqliteProvider extra.
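The proxy intent above carries the target intent either as a Parcelable or as an `intent:` URI string (`</target>`, `</target-to-uri>`, `</target-to-uri-unsafe>`). As an added example that is not code from the malware-apk project, this is how the proxy activity on the receiving side can refuse to forward such a nested intent into its own non-exported components or its own content providers, which is what the `ContentResolverController` callbacks rely on. Package, class and extra names are assumptions chosen to match the README's example; the assumption that the app's provider authorities start with its package name is also marked in the code.

```java
// Added example (not part of the malware-apk project). Names match the README's
// example; the authority-prefix rule is an assumption about this app's providers.
package com.someapp.dev;

import android.app.Activity;
import android.content.ComponentName;
import android.content.ContentResolver;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

public class ProxyActivity extends Activity {
    private static final String TAG = "ProxyActivity";
    private static final String EXTRA_NESTED = "somekey";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent nested = extractNestedIntent(getIntent());
        if (nested == null || !isSafeToForward(nested)) {
            Log.w(TAG, "Dropping untrusted nested intent");
            finish();
            return;
        }
        // Never let the caller borrow this app's identity to mint URI grants.
        nested.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        startActivity(nested);
        finish();
    }

    /** Accepts the extra either as a Parcelable Intent or as an intent: URI string. */
    static Intent extractNestedIntent(Intent incoming) {
        Intent nested = incoming.getParcelableExtra(EXTRA_NESTED);
        if (nested != null) return nested;
        String asUri = incoming.getStringExtra(EXTRA_NESTED);
        if (asUri == null) return null;
        try {
            // Parsing without URI_ALLOW_UNSAFE makes the framework drop any
            // FLAG_GRANT_* URI permission flags encoded in the string.
            return Intent.parseUri(asUri, Intent.URI_INTENT_SCHEME);
        } catch (java.net.URISyntaxException e) {
            return null;
        }
    }

    /** False when the nested intent would land in this app's protected surface. */
    boolean isSafeToForward(Intent nested) {
        PackageManager pm = getPackageManager();
        ComponentName target = nested.resolveActivity(pm);
        if (target == null) return false;
        if (getPackageName().equals(target.getPackageName())) {
            try {
                // Our own activities may be reached only if they are exported anyway.
                ActivityInfo info = pm.getActivityInfo(target, 0);
                if (!info.exported) return false;
            } catch (PackageManager.NameNotFoundException e) {
                return false;
            }
        }
        Uri data = nested.getData();
        if (data != null && ContentResolver.SCHEME_CONTENT.equals(data.getScheme())
                && data.getAuthority() != null
                && data.getAuthority().startsWith(getPackageName())) { // assumed naming
            return false;
        }
        return true;
    }
}
```

The two checks are independent on purpose: the component check stops redirection into `HiddenActivity`-style non-exported activities, and the flag stripping plus authority check stop the forwarded intent from carrying a `content://` grant on the app's own provider, which is the path the file and SQLite callbacks above exercise.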

Web

Tip #1: Initiate a deep link callback from a website to hijack it.

Tip #2: Create further exploitation steps inside the code using OkHttp, intents, etc., and rebuild the APK.

Figure 4 - Web

Task Hijacking

Tip #1: To hijack a task, modify the task affinity in AndroidManifest.xml under MainActivity and rebuild the APK.

Figure 5 - Task Hijacking

Tapjacking

Tip #1: Test if other apps can detect an overlay.

Tip #2: Detect an overlay by checking the MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED flags - this solution works only on older Android versions.

Read more about tapjacking and how to detect it here.

Figure 6 - Tapjacking
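Tip #2 names the two MotionEvent flags an app can consult. The following is an added example, not code from the malware-apk project, of a button that drops any touch delivered while the window is obscured, which is what the app's overlay test checks for. The class name is an assumption; `FLAG_WINDOW_IS_PARTIALLY_OBSCURED` only exists from API 29, so it is guarded, and from Android 12 the system itself blocks touches that pass through another app's untrusted overlay, which is why the README notes this flag-based check matters mainly on older versions.

```java
// Added example (not part of the malware-apk project). Class name is an assumption.
package com.someapp.dev;

import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscuredAwareButton extends Button {
    private static final String TAG = "ObscuredAwareButton";

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Framework-level switch for the same FLAG_WINDOW_IS_OBSCURED check
        // (android:filterTouchesWhenObscured="true" in layout XML).
        setFilterTouchesWhenObscured(true);
    }

    /** True when the touch arrived while another window fully or partially covered ours. */
    static boolean isObscuredTouch(int flags) {
        if ((flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) return true;
        // The partial flag was added in API 29; on older releases only the full flag exists.
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if (isObscuredTouch(event.getFlags())) {
            Log.w(TAG, "Touch ignored: window is obscured by an overlay");
            return false; // event is discarded and never reaches onTouchEvent()
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

`onFilterTouchEventForSecurity()` runs before the normal touch pipeline, so returning `false` there is the cleanest place to drop the event; overriding `onTouchEvent()` instead would still let click listeners registered by a parent see it.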

Saving and Loading

Tip #1: Save and load the UI state at any time.

Figure 7 - Saving and Loading
