code

Wednesday, November 7, 2018

Trojaning an Android app



Continuing my previous post about Android app reverse engineering and Smali editing, this time, I want to see if I can edit a snippet code in an activity of some app (which name I won't disclose here:) let's just say it's a popular bank's app in Israel), which is responsible for sending login credentials to some server for authentication, and then saving them somewhere for later use.

As before, we start with unpacking the apk with apktool.
After that's done, we need to find the Smali file, holding the values we want to save.
For this app, it's the user and password of the user, that'll be sent in the HTTP request in order to authenticate to the server.
In order to do that, I started the app and found the text for the login activity button, it was a simple 'login' string. Then, I've searched the app's 'strings.xml' file – just to verify I can find it there as well.

After that, you can search that string in the all the unpacked Smali files, you can use jd-gui for that or maybe write a small Python script that implements this search if you want.
Here's an example:


Among others, the file UserLoginActivity.smali was returned from my script.
In the file, I've found a method called 'loginToServer()', which checked some other values, and if they weren't met, an HTTP request to the server with the user's credentials was sent.
In order to save the user's credentials, I'm going to hook loginToServer(), call the android logging method (which will save them locally on the Android logcat file) and then continue execution to the rest of the original method. This obviously can be replaced with a HTTP request of our own, that will be sent to our remote server, with the user's credentials.
The first step is to add a local variable for our logging tag string. At the beginning of any Smali method name, a ' .locals' parameter can be found with a number after it, like so:

.locals 5

So, we'll change this value to 6 in order to add 1 more local for our log tag strings.
Next, we'll assign our tag string to the added local:

const-string v5, "The login for this user is: "

Then, call the Android Log() method with d (=debug) parameter:

invoke-static {v5, v4}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

The whole code will like this:


And here's how it looks like on logcat file, after I ran the app and logged in:



That's all for now, until next time :)

-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Mastering Problem-Solving and Cultivating a Research Mindset in the ChatGPT Era (and why you still need to RTFM)

  In this post I'll present a technical problem (some will say it's probably a bug more than it is a feature) I had with a VR app, h...