Auto-Trojaning the Walmart App

Summary

The Autotroj script is a way to find the important parts of almost any app. The Walmart app is used merely as an example.

Android App

In Genymotion, in Google Play, search for and download this app:

Logging In

Open the app. In the top left corner, click the three-dash icon.

Click "SIGN IN".

You see a sign-in screen, as shown below.

The goal of this project is to quickly find which smali files are used for the login process, in order to create a trojan that will log the password.

Finding ADB

On your host machine, open a Terminal window.

Execute these commands, which are correct for Ubuntu Linux machines. If you are using a Mac or Windows, you need to adjust the second command to the correct SDK path:

cd

cd Android/Sdk/platform-tools

./adb devices -l

Note that the last character is a lower case L, not the numeral one.

You should see a device listed, as shown below.

Pulling and Unpacking the APK File

From the sdk/platform-tools directory, execute these commands:

./adb shell pm list packages | grep walm

./adb shell pm path com.walmart.android

./adb pull /data/app/com.walmart.android-1.apk

Move the file to a convenient working directory, such as ~/Downloads.

Decoding the APK with apktool

If you don't have apktool, get it here:

https://bitbucket.org/iBotPeaches/apktool/downloads

In the Terminal, from the sdk/platform-tools directory, execute these commands:

cd ~/Downloads

java -jar apktool_2.0.0rc3.jar d com.walmart.android-1.apk

Downloading Autotroj.py

Right-click this link and save the file in your Downloads directory:

autotroj.tar

Adding Trojans to the Walmart App

In the Terminal, execute these commands:

cd ~/Downloads

tar -xf autotroj.tar

cd com.walmart.android-1

python ../autotroj.py

When it asks "Enter relative path to smali files (Ex: com.bank/smali):", type

smali

When it asks "files to exclude (Ex: google/android) (* for none):", type

*

When it asks "More files to exclude (Ex: google/android) (* for none):", type

*

Every smali file in the app scrolls by as it is processed.

Rebuilding and Signing the App

In the Terminal, still in the com.walmart.android-1 directory, execute these commands (the apktool JAR is one directory up, in ~/Downloads):

java -jar ../apktool_2.0.0rc3.jar b .

jarsigner -keystore ../p9cert.jks dist/*.apk proj9key

Running the Trojaned App

Drag the APK file from the "dist" subdirectory and drop it on your Genymotion phone.

Install it and navigate to the "SIGN IN" screen.

Then, in a Terminal window, navigate to your sdk/platform-tools directory and execute this command to display the log:

./adb logcat

Notice that even before you log in, "squareup/picasso" messages keep appearing, filling the log with junk we don't care about, as shown below.

To see the log without that junk, press Ctrl+C to stop the scrolling, then execute these commands to clear the old log entries and display the new log entries with the junk filtered out.

Note: "grep -v PATTERN" removes all lines containing PATTERN.

./adb logcat -c

./adb logcat | grep -v squareup

When you log in, there is still a lot of junk. Add greps to remove the uninteresting stuff as needed. Here's what I ended up with:

Note: "grep -iv PATTERN" removes all lines containing PATTERN, without matching case.

./adb logcat | grep -v squareup | grep -iv crash | grep -iv widget | grep -iv support

Using that command, I was able to find some files relating to Login and Authentication that are called during login, which are likely places to add Trojan code, as shown below.


Posted 7-15-15 by Sam Bowne