This vulnerability does not affect people who are using the genuine app from the Google Play Store. It would only harm people who are tricked into installing a modified app from a Web site, email, etc.
The Proof of Concept code below merely logs the ATM Card number and PIN, where other apps on the phone can see it, but there's nothing preventing a better programmer from sending that data, and all the other data the app has, out over the Net.
Bank of America should add integrity-checking to their server-side code. Obfuscating their smali code would also be an improvement.
Pull the APK file from the device with adb, as shown below.
Decode the APK file with apktool, as shown below.
Use grep to locate interesting files as shown below.
Modify the AtmDebitDetailsActivity.smali.smali file in three places to steal the card number and PIN, as shown below.
Build the APK and sign it, as shown below.
In the emulator, uninstall the BofA app.
Drag the APK file from the dist/ directory and drop it on the emulator to install it.
Launch the app.
Click on "Enroll in Online & Mobile Banking".
Click on "Get Started".
Click on "ATM or Debit Card".
Enter a fake card #, PIN, and Last 4, then click Continue.
The ATM number and PIN are in the logs, as shown below.
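As an added example, not code from this page or from Bank of America, this is the kind of in-app signing-certificate check that would flag the repackaged APK from the build-and-sign step above: a modified build cannot be signed with the bank's release key, so its certificate hash differs. `EXPECTED_CERT_SHA256` is a placeholder for the release certificate's SHA-256 fingerprint, and `SigningCertCheck` / `isGenuineBuild` are names chosen for this example.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

/** Compares the installed app's signing certificate(s) against the release certificate. */
public final class SigningCertCheck {

    // Placeholder: hex SHA-256 of the DER-encoded release signing certificate.
    // The real value comes from the release keystore (keytool -list -v -keystore release.jks).
    private static final String EXPECTED_CERT_SHA256 = "<release-cert-sha256-placeholder>";

    private SigningCertCheck() {}

    /** Returns true only if every signer certificate matches the expected release certificate. */
    public static boolean isGenuineBuild(Context ctx) {
        try {
            // GET_SIGNATURES was the API at the time of this write-up; on API 28+ use
            // GET_SIGNING_CERTIFICATES and info.signingInfo instead.
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length == 0) return false;
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature s : sigs) {
                // digest() resets the MessageDigest, so it can be reused per signer.
                if (!toHex(md.digest(s.toByteArray())).equals(EXPECTED_CERT_SHA256)) {
                    return false; // re-signed with a different key: not the release build
                }
            }
            return true;
        } catch (Exception e) {
            return false; // treat lookup failures as untrusted
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

A check like this lives in the same smali a repackager edits and can be patched out, which is why the server-side integrity checking recommended above is the stronger control; the client-side check mainly raises the bar and, if its result is reported to the server, gives a detection signal for tampered installs.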
But it's still vulnerable. Here's the enrollment page for a business card user:
Here's where I put the Trojan code:
Here are the stolen credentials:
I put the same Trojan in the code.
This version has a different pattern of clicks to reach the vulnerable part of the code.
On the main page, click "Need help with your ID, Passcode, or enrollment?".
Then click "Enroll in Online and Mobile Banking", "Get Started", and "ATM or Debit Card".
The result is the same; entering credentials here:
Causes them to leak into the log:
The app was updated on Feb. 25. I re-tested it on 3-11-15 but this vulnerability was still the same.
I re-tested it on 5-22-15 but this vulnerability was still the same.
I re-tested it on 6-14-15 but this vulnerability was still the same.
For a while I thought they had fixed it but I was in error.
I met a BofA security officer at B-SidesLV in 2015 and he said they don't care about this and they don't plan to fix it.