Initial Commit

.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

.gitignore

@@ -0,0 +1,33 @@
+# Gradle files
+.gradle/
+build/
+
+# Local configuration file (sdk path, etc)
+local.properties
+
+# Log/OS Files
+*.log
+
+# Android Studio generated files and folders
+captures/
+.externalNativeBuild/
+.cxx/
+*.apk
+output.json
+
+# IntelliJ
+*.iml
+.idea/
+misc.xml
+deploymentTargetDropDown.xml
+render.experimental.xml
+
+# Keystore files
+*.jks
+*.keystore
+
+# Google Services (e.g. APIs or Firebase)
+google-services.json
+
+# Android Profiling
+*.hprof

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Ivan Šincek
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,174 @@
+# Malware APK
+
+As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?
+
+As a security engineer, do you have trouble validating bug bounty reports and performing regression testing?
+
+I've got you covered!
+
+---
+
+Rooting your device is not required.
+
+For more tips and tricks check my [Android penetration testing cheat sheet](https://github.com/ivan-sincek/android-penetration-testing-cheat-sheet).
+
+---
+
+Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note20 Ultra with Android OS v13.0 (Tiramisu).
+
+Made for educational purposes. I hope it will help!
+
+Future plans:
+
+* add an option to wrap/unwrap text in the log,
+* add more types, including array types, for `Intent.putExtra()`,
+* improve the dropdown UI for `Intent.putExtra()`,
+* showcase PoCs for already disclosed intent injection bug bounty reports,
+* add more tests.
+
+## Table of Contents
+
+* [About the App](#about-the-app)
+* [Usage](#usage)
+    * [File System Testing](#file-system-testing)
+    * [Implicit Intent Testing](#implicit-intent-testing)
+    * [Implicit Intent Injection Testing](#implicit-intent-injection-testing)
+    * [Web Testing](#web-testing)
+    * [Task Hijacking Testing](#task-hijacking-testing)
+    * [Tapjacking Testing](#tapjacking-testing)
+    * [Saving and Loading Your PoCs](#saving-and-loading-your-pocs)
+
+## About the App
+
+APK Name: `Malware v1.1`
+
+Package name: `com.kira.malware`
+
+Min SDK: `26`
+
+Target SDK: `32`
+
+Exported activities:
+
+* `com.kira.malware.activities.MainActivity`
+* `com.kira.malware.activities.HiddenActivity`
+
+On the first launch, you might see a prompt asking you to grant the following permissions:
+
+* `android.permission.INTERNET`
+* `android.permission.POST_NOTIFICATIONS`
+* `android.permission.READ_EXTERNAL_STORAGE`
+* `android.permission.WRITE_EXTERNAL_STORAGE`
+* `android.permission.SYSTEM_ALERT_WINDOW`
+
+URIs for internal QA testing purposes:
+
+* `kira://hidden`
+* `content://com.kira.malware.TestSQLiteProvider`
+* `content://com.kira.malware.TestFileProvider/files/somefile.txt`
+
+## Usage
+
+### File System Testing
+
+**Tip #1:** Read or overwrite files from other apps.
+
+**Tip #2:** Read world-readable shared preferences from other apps.
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/file_system.jpg" alt="File System Testing" height="600em"></p>
+
+<p align="center">Figure 1 - File System Testing</p>
+
+### Implicit Intent Testing
+
+**Tip #1:** Test a \[pending\] implicit intent.
+
+**Tip #2:** Perform a DoS on a \[pending\] implicit intent.
+
+**Tip #3:** Test a deep link.
+
+**Tip #4:** Intercept a deep link by specifying it in `AndroidManifest.xml` under [HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L48) before building the APK.
+
+```xml
+<data
+    android:scheme="somescheme"
+    android:host="somehost"
+/>
+```
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/implicit_intent.jpg" alt="Implicit Intent Testing" height="600em"></p>
+
+<p align="center">Figure 2 - Implicit Intent Testing</p>
+
+### Implicit Intent Injection Testing
+
+**Tip #1:** Access a protected component using an exported (proxy) intent.
+
+**Tip #2:** It is common to access a private file or SQLite content provider.
+
+An example on how to access a protected file content provider using an exported (proxy) intent:
+
+```fundamental
+Proxy Intent Package Name: com.someapp.dev
+Proxy Intent Class Name:   com.someapp.dev.ProxyActivity
+Proxy Intent Action:       com.someapp.dev.PROXY_ACTIVITY_ACTION
+Proxy Intent Flags:        // see the below image
+Proxy Intent Put Extras:   somekey \w </target-to-uri-unsafe>
+
+Target Intent URI:         content://com.someapp.dev.TargetFileProvider/files/somefile.txt
+Target Intent Action:      android.intent.action.SEND
+Target Intent Flags:       // see the below image
+Target Intent Put Extras:  ContentResolverController \w fileProvider
+                           android.intent.extra.TEXT \w sometext
+```
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/implicit_intent_injection.jpg" alt="Implicit Intent Injection Testing" height="600em"></p>
+
+<p align="center">Figure 3 - Implicit Intent Injection Testing</p>
+
+`Intent.putExtra()` logic can be found in [controllers/IntentPutExtrasController.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/IntentPutExtrasController.java#L247) and [controllers/ImplicitIntentController.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/ImplicitIntentController.java#L36).
+
+* If the value is of type `string` and equals to `</target>` string, the whole value will be replaced with `Intent` object and `Intent.putParcelable()` will be used.
+* If the value is of type `string` and contains `</target-to-uri>` string, all matching parts will be replaced with `Intent.toUri(Intent.URI_INTENT_SCHEME)` string.
+* If the value is of type `string` and contains `</target-to-uri-unsafe>` string, all matching parts will be replaced with `Intent.toUri(Intent.URI_ALLOW_UNSAFE)` string.
+
+Callback logic to access a file or SQLite content provider can be found in [activities/HiddenActivity.java](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/activities/HiddenActivity.java#L40).
+
+* To use the file content provider callback, add `ContentResolverController \w fileProvider` extra to the `target` intent.
+* To use the SQLite content provider callback, add `ContentResolverController \w sqliteProvider` extra to the `target` intent.
+
+### Web Testing
+
+**Tip #1:** Initiate a deep link callback from a website.
+
+**Tip #2:** Create further exploitation steps inside the code using [OkHttp](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/WebController.java#L150), [intents](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/controllers/ImplicitIntentController.java#L128), etc., and rebuild the APK.
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/web.jpg" alt="Web Testing" height="600em"></p>
+
+<p align="center">Figure 4 - Web Testing</p>
+
+### Task Hijacking Testing
+
+**Tip #1:** To hijack a task, modify the task affinity in `AndroidManifest.xml` under [MainActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L29) before building the APK.
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/task_hijacking.jpg" alt="Task Hijacking Testing" height="600em"></p>
+
+<p align="center">Figure 5 - Task Hijacking Testing</p>
+
+### Tapjacking Testing
+
+Tip #1: Test if other apps can detect an overlay.
+
+Tip #2: Detect an overlay by checking [MotionEvent.FLAG_WINDOW_IS_OBSCURED](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/fragments/OverlayFragment.java#L53) and [MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/fragments/OverlayFragment.java#L53) flags.
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/tapjacking.jpg" alt="Tapjacking Testing" height="600em"></p>
+
+<p align="center">Figure 6 - Tapjacking Testing</p>
+
+### Saving and Loading Your PoCs
+
+**Tip #1:** Save and load the UI state at any time.
+
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/saving.jpg" alt="Saving and Loading Your PoCs" height="600em"></p>
+
+<p align="center">Figure 7 - Saving and Loading Your PoCs</p>

src/Malware/.gitignore

@@ -0,0 +1,15 @@
+*.iml
+.gradle
+/local.properties
+/.idea/caches
+/.idea/libraries
+/.idea/modules.xml
+/.idea/workspace.xml
+/.idea/navEditor.xml
+/.idea/assetWizardSettings.xml
+.DS_Store
+/build
+/captures
+.externalNativeBuild
+.cxx
+local.properties

src/Malware/app/.gitignore

@@ -0,0 +1 @@
+/build

src/Malware/app/build.gradle

@@ -0,0 +1,45 @@
+plugins {
+    id 'com.android.application'
+}
+
+android {
+    namespace 'com.kira.malware'
+    compileSdk 32
+
+    defaultConfig {
+        applicationId "com.kira.malware"
+        minSdk 26
+        targetSdk 32
+        versionCode 1
+        versionName "1.1"
+        testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
+    }
+
+    buildTypes {
+        release {
+            minifyEnabled false
+            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
+        }
+    }
+
+    compileOptions {
+        sourceCompatibility JavaVersion.VERSION_1_8
+        targetCompatibility JavaVersion.VERSION_1_8
+    }
+}
+
+dependencies {
+    implementation 'androidx.appcompat:appcompat:1.5.1'
+    implementation 'androidx.browser:browser:1.4.0'
+    implementation 'androidx.core:core:1.7.0'
+    implementation 'androidx.constraintlayout:constraintlayout:2.1.4'
+    implementation 'com.google.android.material:material:1.8.0'
+    implementation 'com.google.code.gson:gson:2.9.1'
+    implementation files('libs\\okhttp-4.10.0.jar')
+    implementation files('libs\\okio-2.9.0.jar')
+
+    testImplementation 'junit:junit:4.13.2'
+
+    androidTestImplementation 'androidx.test.espresso:espresso-core:3.5.1'
+    androidTestImplementation 'androidx.test.ext:junit:1.1.5'
+}

src/Malware/app/proguard-rules.pro

@@ -0,0 +1,21 @@
+# Add project specific ProGuard rules here.
+# You can control the set of applied configuration files using the
+# proguardFiles setting in build.gradle.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+#   public *;
+#}
+
+# Uncomment this to preserve the line number information for
+# debugging stack traces.
+#-keepattributes SourceFile,LineNumberTable
+
+# If you keep the line number information, uncomment this to
+# hide the original source file name.
+#-renamesourcefileattribute SourceFile

src/Malware/app/src/androidTest/java/com/kira/malware/ExampleInstrumentedTest.java

@@ -0,0 +1,26 @@
+package com.kira.malware;
+
+import android.content.Context;
+
+import androidx.test.platform.app.InstrumentationRegistry;
+import androidx.test.ext.junit.runners.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.junit.Assert.*;
+
+/**
+ * Instrumented test, which will execute on an Android device.
+ *
+ * @see <a href="http://d.android.com/tools/testing">Testing documentation</a>
+ */
+@RunWith(AndroidJUnit4.class)
+public class ExampleInstrumentedTest {
+    @Test
+    public void useAppContext() {
+        // Context of the app under test.
+        Context appContext = InstrumentationRegistry.getInstrumentation().getTargetContext();
+        assertEquals("com.kira.malware", appContext.getPackageName());
+    }
+}