ivan-sincek/malware-apk

As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?

As a security engineer, do you struggle validating bug bounty reports and performing regression testing?

I've got you covered!


Rooting your device is not required.

For more tips and tricks check my Android penetration testing cheat sheet.


Built with Android Studio v2024.3.2 (64-bit) (JDK 17) and tested on Samsung Galaxy Note S20 Ultra with Android OS v13.0 (Tiramisu).

Made for educational purposes. I hope it will help!

Future plans:

  • add array type support for Intent.putExtra(),
  • allow copying of log text,
  • hide the soft keyboard when focusing away from the [edit] text input,
  • create the UI to chain multiple exploitation steps after successful deep link callback hijacking,
  • showcase PoCs for already disclosed implicit intent injection bug bounty reports,
  • add more tests / attacks.

About the App

APK name: Malware v1.8

Package name: com.kira.malware

Min SDK: 26

Target SDK: 35

Exported activities:

  • com.kira.malware.activities.MainActivity
  • com.kira.malware.activities.HiddenActivity

You may see prompts asking you to grant the following permissions:

  • android.permission.QUERY_ALL_PACKAGES
  • android.permission.INTERNET
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.POST_NOTIFICATIONS
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.settings.action.MANAGE_OVERLAY_PERMISSION

URIs for internal QA testing:

  • kira://hidden
  • content://com.kira.malware.TestFileProvider/files/test.txt
  • content://com.kira.malware.TestSQLiteProvider

Usage

File System

Tip #1: Read and modify files from another app.

Tip #2: Access world-readable shared preferences from another app.

Figure 1 - File System

Implicit Intent

Tip #1: Test an implicit intent.

Tip #2: Send an implicit intent to trigger a push notification in another app, then manually open it to bypass biometrics.

Tip #3: Send an implicit intent to poison a widget in another app.

Tip #4: Send an implicit [pending] intent multiple times to another app to cause a DoS.

Tip #5: Send a mutable pending intent to retrieve extra intent information from another app.

Tip #6: Test a deep link.

Tip #7: Hijack a deep link by specifying it in this app's AndroidManifest.xml under HiddenActivity, then rebuild the APK.

    <data android:host="hidden" android:scheme="kira" />

Tip #8: Perform a dictionary attack (battering ram) on a deep link by inserting the </injection> placeholder into the intent's URI. The pending intent is ignored in this mode.


The following applies only to the intent extras:

  • If the value is a string equal to </pending>, the entire value will be replaced with a PendingIntent object of the pending intent, and Intent.putParcelable() will be used.

Intent.putExtra() logic can be found in controllers/ImplicitIntentController.java and controllers/IntentPutExtrasController.java.


Figure 2 - Implicit Intent

Figure 3 - Dictionary Attack

Implicit Intent Injection

Tip #1: Access a protected component in another app by abusing its exported (proxy) implicit intent filter.

Tip #2: Accessing a protected file or SQLite content provider is a common exploit technique.


The following applies only to the proxy intent extras:

  • If the value is a string equal to </target>, the entire value will be replaced with an Intent object of the target intent, and Intent.putParcelable() will be used.
  • If the value is a string containing </target-to-uri>, all matching parts will be replaced with Intent.toUri(Intent.URI_INTENT_SCHEME) of the target intent.
  • If the value is a string containing </target-to-uri-unsafe>, all matching parts will be replaced with Intent.toUri(Intent.URI_ALLOW_UNSAFE) of the target intent.

Intent.putExtra() logic can be found in controllers/ImplicitIntentController.java and controllers/IntentPutExtrasController.java.


The following applies only to the target intent extras:

  • To use the file content provider callback, add an intent extra with the key ContentProviderController and value fileProvider.
  • To use the SQLite content provider callback, add an intent extra with the key ContentProviderController and value sqliteProvider.

Callback logic to access a file or SQLite content provider can be found in activities/HiddenActivity.java.


Figure 4 - Implicit Intent Injection
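The fix on the receiving side of the implicit intent injection described above, as an added example that is not code from the malware-apk repository: an exported proxy activity that refuses to forward an embedded Intent into its own package and strips URI grant flags before relaying it. The package name, class name and the extra key forward_intent are assumptions.

```java
package com.example.defender; // hypothetical package, not the PoC app's

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

/**
 * Exported "proxy" activity that forwards an Intent handed to it by a caller.
 * The check below closes the implicit-intent-injection hole: an embedded
 * Intent that resolves into this app's own package is rejected.
 */
public class SafeProxyActivity extends Activity {
    private static final String TAG = "SafeProxyActivity";
    // Hypothetical extra key under which callers embed the Intent to forward.
    static final String EXTRA_FORWARD = "forward_intent";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forwarded = getIntent().getParcelableExtra(EXTRA_FORWARD);
        if (forwarded == null || !isSafeToForward(forwarded)) {
            Log.w(TAG, "Refusing to forward untrusted intent");
            finish();
            return;
        }
        // Strip URI permission grants so the proxy's own access to its content
        // providers (files, SQLite) is never relayed to the receiving component.
        forwarded.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        startActivity(forwarded);
        finish();
    }

    /** True only when the Intent resolves to an activity outside this package. */
    boolean isSafeToForward(Intent intent) {
        ComponentName target = intent.resolveActivity(getPackageManager());
        if (target == null) {
            return false; // nothing would handle it, so do not forward
        }
        // Resolving from inside the app also finds its non-exported components,
        // which is exactly what an injected target Intent is aimed at.
        return !getPackageName().equals(target.getPackageName());
    }
}
```

Declaring the content providers with android:exported="false" and no android:grantUriPermissions remains the primary control; the check above is the second layer for the proxy itself.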

Web

Tip #1: Initiate a deep link callback from a website to hijack the flow of another app.

Tip #2: Create further exploitation steps inside the source code using OkHttp, intents, and/or other components, then rebuild the APK. UI is not yet implemented.

Figure 5 - Web

Taskjacking

Tip #1: To hijack a task from another app, modify the task affinity in this app's AndroidManifest.xml under MainActivity, then rebuild the APK.

Figure 6 - Taskjacking

Tapjacking

Tip #1: Test if another app can detect an overlay.

Tip #2: Detect an overlay by checking the MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED flags - this solution works only on older Android versions.

Read more about tapjacking and how to detect it here.

Figure 7 - Tapjacking
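The overlay check from Tip #2, as an added example that is not code from the malware-apk repository: a button that drops any touch the input system flagged as obscured or partially obscured, so that it can be tested against this app's overlay. The package and class names are assumptions; the API-level guard is there because the partial flag was only added in Android 10.

```java
package com.example.defender; // hypothetical package, not the PoC app's

import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/** A button that drops touches arriving while another window overlays it. */
public class ObscureAwareButton extends Button {
    private static final String TAG = "ObscureAwareButton";

    public ObscureAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout:
        // the framework discards touches flagged as fully obscured.
        setFilterTouchesWhenObscured(true);
    }

    /** Inspect the flags the input system attached to the event. */
    static boolean isObscured(int flags) {
        if ((flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            return true;
        }
        // The partial flag only exists from API 29 (Android 10) onwards.
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if (isObscured(event.getFlags())) {
            // Record the attempt for the app's own telemetry and swallow the touch.
            Log.w(TAG, "Touch discarded: window obscured (possible tapjacking)");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```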

Miscellaneous

Tip #1: List installed [system] packages.

Tip #2: Dump the clipboard data.

Tip #3: Extract sensitive information from another app's UI by abusing the accessibility service.

Figure 8 - Miscellaneous

Saving and Restoring

Tip #1: Save and restore the UI state at any point.

Figure 9 - Saving and Restoring
