Proj 5x: Bank of America Code Modification (25 pts)

What You Need for This Project

An unrooted Bluestacks Android emulator or a real Android device to test the app on (a rooted emulator like Genymotion will NOT work)
Android Debug Bridge running on Kali, connected to Bluestacks
You should have that already set up from previous projects

Purpose

To add Trojan code to the Bank of America Android app and steal confidential information, putting it into the log, as a proof of concept.

Responsible Disclosure

I notified Bank of America about this in 2015 but they did not fix it.

Installing the App

On your Bluestacks emulator, in Google Play, install this app:

Archived Copy
If they update the app, and you want the instructions below to work exactly as written, use this archived copy.

Pulling the APK File from the Phone

On your Kali machine, execute these commands:

adb shell pm list packages bof adb shell pm path com.infonow.bofa adb pull /data/app/com.infonow.bofa-1.apk

The file downloads into Kali, as shown below.

Decompiling the Android App

On your Kali machine, execute this command:

apktool d -f -r com.infonow.bofa-1.apk

The file unpacks, as shown below.

Finding the PIN Input Module

On your Kali machine, execute this command:

grep setAtmPin -r .

The module we want to modify appears, highlighted in the image below.

On your Kali machine, execute this command:

nano ./com.infonow.bofa-1/smali_classes5/com/bofa/ecom/servicelayer/model/MDAUserVerificationDetails.smali

In nano, press Ctrl+W

Enter the search string setAtmPin as shown below.

Press Enter to perform the search.

The routine that gathers the user's ATM card PIN appears, as shown below.

Adding Trojan Code

Adjust the code as shown below, to log the PIN. All the modified or added lines are outlined in green.

Type Ctrl+X, Y, Enter to save the file.

Repacking the App

Execute this command to repackage the APK file.

apktool b com.infonow.bofa-1

There was a "brut.common" error at the end, as shown below, but it seems OK to just ignore it.

Troubleshooting
If apktool returns errors, as shown below:
I think this error comes from a Java version conflict.
The simplest fix I found is to just extract a fresh Kali 2019.1 64-bit VM and use it instead of a machine that has been used for other projects.
Use the apktool that comes with Kali, and add adb with these commands:
apt update apt install android-tools-adb -y
If you get a "E: Could not get lock /var/lib/dpkg/lock-frontend" error, restart Kali.

Making a Code Signing Certificate

Android won't run unsigned apps, so we need a signing certificate.

Execute this command:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

A prompt asks for a "keystore password". Enter password twice.

Then a series of question asks for your name, etc. You can press Enter for each question except the last one, which you must answer yes to, as shown below.

Signing the APK

Execute this command:

jarsigner -sigalg SHA1withRSA \ -digestalg SHA1 -keystore my-release-key.keystore \ com.infonow.bofa-1/dist/com.infonow.bofa-1.apk alias_name

Enter the password of password when you are prompted to.

The app is signed, as shown below.

Uninstalling the Original App

On your Bluestacks virtual Android device, open Settings and tap these items.

Apps & notifications
Bank of America
Uninstall
OK

Installing the Modified App

On Kail, execute this command:

adb install com.infonow.bofa-1/dist/com.infonow.bofa-1.apk

The process succeeds, as shown below.

Monitoring the Log

On Kali, execute this command:

adb logcat | grep TROJ

The terminal pauses, waiting for matching log entries, as shown below.

Entering a PIN

On your Bluestacks virtual Android device, perform these steps:

At the lower left, click Home (the icon shaped like an envelope)
At the lower center, click the circular icon with six dots.
Click BofA. The phone turns sideways and the print becomes tiny.
At the bottom, click Accept
At the bottom, click "Sign in or enroll"
In the center, click Enroll
At the bottom, click "GET STARTED"
At the top, click "ATM or Debit Card"
Enter data into the fields, as shown below. Remember what you put in as a PIN; I used 2222
At the bottom, click CONTINUE

The PIN appears in the log, as shown below.

Saving a Screen Image (15 pts)

Make sure you can see the stolen PIN, as shown above.

Save a full-desktop image. On a Mac, press Shift+Commmand+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 5xa", replacing "YOUR NAME" with your real name.

Challenge: Steal SSN (10 pts)

Add Trojan code to the app that steals the SSN during account registration, as shown below.

Capture an image of the log including a SSN, as shown above.

Turning in your Project

Email the image to to cnit.128sam@gmail.com with the subject line: Proj 5x from YOUR NAME

Posted 1-28-19
Challenge for SSN added 1-29-19
Unrooted device requirement added 3-1-19
Troubledshooting added 3-1-19