SunTrust Android App Vulnerability


SunTrust's servers don't check the integrity of their Android app when it connects to their servers. It is therefore easy to modify the app, adding trojan code that does malicious things. An attacker who can trick people into using the trojaned app can exploit them.

This vulnerability does not affect people who are using the genuine app from the Google Play Store. It would only harm people who are tricked into installing a modified app from a Web site, email, etc.

The Proof of Concept code below merely logs the user id and password, where other apps on the phone can see it, but there's nothing preventing a better programmer from sending that data, and all the other data the app has, out over the Net.

SunTrust should add integrity-checking to their server-side code. Obfuscating their smali code would also be an improvement, with a powerful obfuscator like DashO, not the worthless ProGuard.

Proof of Concept: Step by Step

Using the GenyMotion Android emulator, I installed the genuine App from the Google Play Store.

I connected the emulator through the Burp proxy and captured a login packet, showing that the username is sent as it is, but the password is encrypted by the app before transmission. (And then all data are encrypted again by HTTPS.)

I pulled the APK file from the device with adb, and decoded the APK file with apktool, as shown below.

Finding Vulnerable Code

It took me about a day to find the user id and password in the code, not because it was effectively obfuscated, but just because it is big and sprawling, with large third-party libraries containing unused functions.

Searching for "useragent" led me to the ny0k/ae.2.smali file, which prepares parameters for in the HTTPS POST packet.

Searching for "crypt" led led me to the com/konylabs/ffi/N_Encryption.smali file, which encrypts the password.

Adding Trojan Code

I edited this file,

making two changes:

I also edited this file,

making one change:

Repacking and Signing the APK File

I rebuilt the APK and signed it with a self-signed key.

That makes an APK file in a "dist" subdirectory.

Using the Trojaned App

I dragged the APK file into the emulator, installed it, and entered test credentials.

The user id and password are in the logs, as shown below.


I notified SunTrust on Feb. 25, 2015, as shown below.

I got a reply from a representative in the Fraud and Risk Management division:

I spoke to that person on the telephone and he agreed that this was a real problem, and said they intended to fix it, but couldn't say how long it would take.

Re-Test on 5-22-15

There's a new app version:

But nothing has been fixed, the same Trojan still works:

Updated with reply, 5-21-15
Updated with re-test 5-22-15