defcamp 2013 - android hacking techniques

Android hacking techniques. Marius Barat, Alexandru Citea. Bitdefender Anti-Malware Laboratories, România. Nov 30th, 2013.

Upload: defcamp

Post on 19-Jan-2015



Agenda

1 Motivation
    Global devices evolution
    Operating systems market share

2 Repackaging an APK
    What is a repackage?
    White hat
    Grey hat
    Black hat
    Android repackaging. The on-device way

3 Applovin/Vulna vulnerability

4 Questions & Answers


1. Motivation 1.1. Global devices evolution


1. Motivation 1.2. Operating systems market share

International Data Corporation (IDC) - Smartphones OS statistics


2. Repackaging an APK 2.1. What is a repackage?

Decompile or Disassemble the APK

Modify the smali/java code

Add new functionalities and new resources

Adjust permissions

Repack and Resign the APK

Tools: ApkTool, APK OneClick


2. Repackaging an APK 2.2. White hat

Cheetah Theme for Facebook


2. Repackaging an APK 2.2. White hat

Green W Socialize for Facebook


2. Repackaging an APK 2.3. Grey hat

Add a new Advertising SDK

Change the Advertiser ID from the original app

Most used adware SDKs:

Airpush

Apperhand

InMobi

Leadbolt


2. Repackaging an APK 2.4. Black hat

More than 1 percent of some 420,646 apps are stolen from other developers and re-engineered for illicit gains


2. Repackaging an APK 2.4. Black hat

The original application developer loses a lot of money and clients

The repackaged app is often distributed as a free app:

contains Advertising SDKs

contains code for stealing sensitive data from the device


2. Repackaging an APK 2.4. Black hat

Having enough permissions, even if the device is not rooted, sensitive data can be stolen:

Mail accounts, passwords and mails are located in: Data/data/com.android.email/databases/EmailProvider.db

Facebook messages, contacts and photo URLs are located in: Data/data/com.facebook.katana/databases, in the databases contacts_db2 and threads_db2


2. Repackaging an APK 2.5. Android repackaging. The on-device way

Modify on-the-system apks to inject a payload

Repack and resign, replace the original apk

Possibly clean your own app of the payload (repackage yourself after injection without the malicious code)

The payload could represent anything. You can easily modify permissions to give yourself more access

Do that without actually implementing the unpacker and root access exploit yourself


3. Applovin/Vulna vulnerability

Applovin/Vulna vulnerability

Advertising framework

Vulnerable versions: 2.0.74 through 5.0.3

The update process has no authentication mechanism

Update performed via HTTP protocol

The APK that the app uses for update can be replaced with a custom one
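
The three weaknesses listed on this slide (no authentication, HTTP transport, replaceable APK) map to three checks an update client can make before it accepts a downloaded file. The following is an added example, not code from the talk or from the SDK; the class name, the host `updates.example.invalid` and the sample byte strings are constructed, and it assumes the expected SHA-256 digest is fixed in the app at build time.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.Set;

public class UpdateCheck {
    // Assumption: the only host the app is ever allowed to fetch updates from.
    static final Set<String> ALLOWED_HOSTS = Set.of("updates.example.invalid");

    /** Returns null when the update may be installed, otherwise the rejection reason. */
    static String reject(String url, byte[] apk, byte[] pinnedSha256) throws Exception {
        URI u = URI.create(url);
        // 1. Transport: plain HTTP lets anyone on the network path swap the file.
        if (!"https".equalsIgnoreCase(u.getScheme()))
            return "transport is not HTTPS";
        // 2. Origin: refuse redirects or configuration pointing at another host.
        String host = u.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT)))
            return "host is not on the allow-list";
        // 3. Content: authenticate the bytes themselves against the pinned digest.
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(apk);
        if (!MessageDigest.isEqual(actual, pinnedSha256))   // constant-time compare
            return "digest does not match the pinned value";
        return null;
    }

    static void show(String label, String verdict) {
        System.out.println(label + ": " + (verdict == null ? "accepted" : "rejected, " + verdict));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for APK contents; real input would be the downloaded file.
        byte[] genuine = "constructed genuine update".getBytes(StandardCharsets.UTF_8);
        byte[] swapped = "constructed replaced update".getBytes(StandardCharsets.UTF_8);
        byte[] pinned = MessageDigest.getInstance("SHA-256").digest(genuine);

        String good = "https://updates.example.invalid/sdk.apk";
        show("genuine over HTTPS", reject(good, genuine, pinned));
        show("genuine over HTTP", reject("http://updates.example.invalid/sdk.apk", genuine, pinned));
        show("other host", reject("https://cdn.example.invalid/sdk.apk", genuine, pinned));
        show("replaced APK", reject(good, swapped, pinned));
    }
}
```

Only the first case is accepted; each of the other three is rejected at the check that corresponds to one bullet above.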


4. Questions & Answers
