GitHub - ivan-sincek/malware-apk
Malware APK

As a bug hunter, are your bug bounty reports getting rejected because you don't use a "malicious" Proof of Concept (PoC) app to exploit the vulnerabilities?

As a security engineer, do you struggle to validate bug bounty reports and perform regression testing?

I've got you covered!


Rooting your device is not required.

For more tips and tricks check my Android penetration testing cheat sheet.


Built with Android Studio v2022.3.1 (64-bit) and tested on Samsung A5 (2017) with Android OS v8.0 (Oreo) and Samsung Galaxy Note S20 Ultra with Android OS v13.0 (Tiramisu).

Made for educational purposes. I hope it will help!

Future plans:

  • add an option to wrap/unwrap text in the log,
  • add more types, including array types, for Intent.putExtra(),
  • improve the dropdown UI for Intent.putExtra(),
  • unblock the back button after the overlay is created,
  • hide the soft keyboard when focusing away from the [edit] text input,
  • create the UI to chain multiple exploitation steps after the successful deep link callback hijacking,
  • showcase PoCs for already disclosed intent injection bug bounty reports,
  • add more tests.


About the App

APK Name: Malware v1.4

Package name: com.kira.malware

Min SDK: 26

Target SDK: 32

Exported activities:

  • com.kira.malware.activities.MainActivity
  • com.kira.malware.activities.HiddenActivity

You may see prompts asking you to grant the following permissions:

  • android.permission.INTERNET
  • android.permission.POST_NOTIFICATIONS
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.settings.action.MANAGE_OVERLAY_PERMISSION

URIs for internal QA testing:

  • kira://hidden
  • content://com.kira.malware.TestSQLiteProvider
  • content://com.kira.malware.TestFileProvider/files/test.txt

Usage

File System

Tip #1: Read and modify files from other apps.

Tip #2: Access world-readable shared preferences from other applications.

Figure 1 - File System

Implicit Intent

Tip #1: Test a [pending] implicit intent.

Tip #2: Perform a DoS on a [pending] implicit intent.

Tip #3: Test a deep link.

Tip #4: Hijack a deep link by specifying it in AndroidManifest.xml under HiddenActivity and rebuild the APK.

<data
    android:scheme="somescheme"
    android:host="somehost"
/>

Tip #5: Perform a dictionary attack (battering ram) on a deep link by inserting the </injection> placeholder into the intent's URI.

Figure 2 - Implicit Intent

Implicit Intent Injection

Tip #1: Access a protected component using an exported (proxy) intent.

Tip #2: Accessing a private file or SQLite content provider is a common use case.

An example of how to access a protected file content provider using an exported (proxy) intent:

Proxy Intent Package Name: com.someapp.dev
Proxy Intent Class Name:   com.someapp.dev.ProxyActivity
Proxy Intent Action:       com.someapp.dev.PROXY_ACTIVITY_ACTION
Proxy Intent Flags:        // see the image below
Proxy Intent Put Extras:   somekey \w </target-to-uri-unsafe>

Target Intent URI:         content://com.someapp.dev.TargetFileProvider/files/somefile.txt
Target Intent Action:      android.intent.action.SEND
Target Intent Flags:       // see the image below
Target Intent Put Extras:  ContentResolverController \w fileProvider
                           android.intent.extra.TEXT \w somevalue

Figure 3 - Implicit Intent Injection

Intent.putExtra() logic can be found in controllers/ImplicitIntentController.java and controllers/IntentPutExtrasController.java.

The following applies only to the proxy intent:

  • If the value is a string equal to </target>, the entire value will be replaced with an Intent object, and Intent.putParcelable() will be used.
  • If the value is a string containing </target-to-uri>, all matching parts will be replaced with the result of Intent.toUri(Intent.URI_INTENT_SCHEME).
  • If the value is a string containing </target-to-uri-unsafe>, all matching parts will be replaced with the result of Intent.toUri(Intent.URI_ALLOW_UNSAFE).

Callback logic to access a file or SQLite content provider can be found in activities/HiddenActivity.java.

The following applies only to the target intent:

  • To use the file content provider callback, add an intent extra with the key ContentResolverController and the value fileProvider.
  • To use the SQLite content provider callback, add an intent extra with the key ContentResolverController and the value sqliteProvider.

Web

Tip #1: Initiate a deep link callback from a website to hijack it.

Tip #2: Create further exploitation steps inside the source code using OkHttp, intents, and other resources, then rebuild the APK. The UI for this is not yet implemented.

Figure 4 - Web

Taskjacking

Tip #1: To hijack a task, modify the task affinity in AndroidManifest.xml under MainActivity and rebuild the APK.

Figure 5 - Taskjacking

Tapjacking

Tip #1: Test if other apps can detect an overlay.

Tip #2: Detect an overlay by checking the MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED flags; this solution works only on older Android versions.

Read more about tapjacking and how to detect it here.
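The detection from Tip #2, as an added example that is not part of this repository: a Button subclass that applies the flag check, plus the framework-level controls that supersede it on newer Android versions. The package and class names are assumptions.

```java
package com.example.defense; // hypothetical package; this class is an added example, not repository code

import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

// A button that ignores touches delivered while another window covers it: the MotionEvent
// flag check from the tip above, plus the framework controls that replace it on newer Android.
public class OverlayAwareButton extends Button {
    private static final int OBSCURED_FLAGS =
            MotionEvent.FLAG_WINDOW_IS_OBSCURED | MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED;

    public OverlayAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Framework equivalent of the manual check below (android:filterTouchesWhenObscured);
        // with it set, the system drops obscured touches before onTouchEvent() is reached.
        setFilterTouchesWhenObscured(true);
    }

    // Called for every touch; returning false discards the event without a click.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if (isObscured(event)) {
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    // The detection from the tip: either flag means a window sat between the finger and this view.
    // FLAG_WINDOW_IS_PARTIALLY_OBSCURED was added in API 29, so it is never set on older devices.
    static boolean isObscured(MotionEvent event) {
        return (event.getFlags() & OBSCURED_FLAGS) != 0;
    }

    // On Android 12 (API 31) and later the app can also ask the system to hide non-system
    // overlays while this activity is shown, instead of only detecting them. Requires the
    // normal permission android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
    public static void hideOverlaysOn(Activity activity) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            activity.getWindow().setHideOverlayWindows(true);
        }
    }
}
```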

Figure 6 - Tapjacking

Saving and Loading

Tip #1: Save and restore the UI state at any time.

Figure 7 - Saving and Restoring
