IMPORTANT NOTE: The below information is for educational and research
purposes only and to illustrate how insecure the Android platform is.
You would also come to see, how most of the present Android
anti-malwares fail to detect threats in the current scenario. Also,
infecting other persons computer/mobile devices with a malicious
application without his permission is an punishable crime.
Their exist a lot of tools to exploit the security
holes in normal PC environment, but there have been really less tools
for the Android environment, which at the same time is expandable. By
expandable, i’m trying to say, that the users who use the framework,
could build there own modules and share with the security community.
Android Framework for Exploitation is an open-source project which we
have developed in order to increase mobile security research, check for
application based and platform based vulnerabilities, as well as write
plugins for the framework and share it with the community. Subho Halder
and me (
Aditya Gupta)
have developed a framework known as Android Framework for Exploitation,
which we released in BlackHat Abu Dhabi in December 2012. The aim of
this framework is to help the mobile security community to analyze
applications, exploit vulnerabilities, build POCs, and share their own
modules with other users.
One of the interesting features of this framework is the ability to
build malwares, botnets and even inject malwares in existing legitimate
applications. This is just to show that how ineffective our current
mobile anti malwares are against these type of infected version of
legitimate applications, as at the time of writing, none of the anti
malwares for Android detected the malware sample.
Some of the features which we’ll be looking into this post is :
1. Creating a malware
2. Creating a botnet
3. Injecting malicious codes in a legitimate application
4. Analyzing vulnerable applications
Before we go further, let us have a look at the file structure of AFE.
Once you download AFE, you will be having a structure similar to the one given below.
The Input will be containing all the input apk(s) for any processing,
such as crypting the apk to make it undetectable from anti malwares, or
inserting the apk in any other legitimate apk or so on.
Creating a malware
AFE gives the users to create malwares for their devices with prebuilt
templates. You could also modify the source code of the malware, and
modify the GUI of the application apk as you want.
To create a malware, first of all you have to launch AFE by typing in ./afe.
To get help at any point of time, just type in ? and hit enter.
Note : This tool is made natively for *nix based systems. If you’re
running Windows, you could use it by installing Cygwin. Also make sure
you’ve all the dependencies such as Python and the android sdk
installed.
Once you are inside menu, type in run [the module name] to execute a particular module.
In this case, the module is named malware.
Once you type in run malware
Just type in your local IP address in the Set Reverse IP option. Once
you set your reverse IP (same as LHOST), you’ll have the option of
Stealer.
There are 3-predefined stealers, and you can add more yourself. The 3 already existing ones include –
• Call Logs
• Contacts
• Messages
Here’s a video of it.
Creating a Botnet
To create a botnet, you have to launch AFE as mentioned earlier. and go
on to create a botnet, similar to as we did in the last demo. Once
you’ve created and installed the botnet in any android based smartphone,
you could control it by sending SMS from any phone to the infected
phone, and getting the response back using SMS itself. Also, this whole
process will go on in the background, so the user won’t be able to know
if any kind of malicious activity is being performed.
Some of the sms based commands are :
toast: To display a particular message on the screen
infect: To spread the botnet to any other device by sending a sms from already infected device
browse : automatically open a URL on the victim’s phone
shell : The most useful command. Could be used to execute any shell based commands. For
example, xysec shell cat /proc/version
Note: All the commands should be appended with the keyword ‘xysec’ -
this could be changed by modifying the source of the botnet. This is to
make sure the SMS which has been send as a command won’t be displayed in
the notification of the victim.
Analyzing Application for Leaking Content Providers
One of the most important components of Android applications while working with application data is Content Providers.
To get the content providers of the application, you could either
reverse the application manually, or look for the content providers, or
you could use tool such as Apktool, and parse information based on the
filter of content://
To find content providers with the help of AFE, you need to place the application you want to analyse in the Input folder.
Once we select the application, it will automatically present us with the list of content providers present in the application.
After finding out the permission of the content providers, and if it is
set as exported without any permission checking, the application is
vulnerable to leaking content providers vulnerability.
To make a POC of this vulnerability, we could use the content provider
(vulnerable one) and make another application parsing this content
provider. Following is a sample code snippet we made:
We would in further update the Github repo located at https://github.com/xysec/AFE/ to make POCs automatically.
Injecting malicious codes in legitimate application
Using AFE, you could inject malicious codes in legitimate applications.
This is to demonstrate how easy it is for malware authors to create
infected version of the legitimate applications, and how anti-malwares
should improve their detection strategy to distinguish between fake and
legitimate applications.
To create the application:
- Select the malware to be injected,
- Choose the target apk
- Type inject
Once we select our target application, it will inject all the services
and permissions from our malware (which we have already created) and
even sign the newly create application with our key.
The newly created file will be stored in /Output as the name of [originalapp].apk and [originalapp]_signed.apk.
Creating Plugins for AFE
AFE is an extendable framework, which could be integrated with user made plugins.
To create a plugin, you need to go to the modules directory and create a directory with the name of your plugin name.
Let us take an example of a plugin named as DB Stealer. This plugin,
grabs all the database files (.db) from the device or emulator, and
saves it on the system. The code for this plugin has been written in
PHP.
There are 3 necessary files :
Run.sh
dbstealer.php
dbstealer.info
Run.sh is the initializing code, which will load up the entire code
(written in any language, in this case php), and will execute it.
The second file, dbstealer.php is the main code of the plugin. It is loaded from run.sh with the code php dbstealer.php.
The third file dbstealer.info will contain the information about the
plugin, which will be displayed when the user will type in info
dbstealer from the afe prompt.
Hope you guys enjoyed the post. Feel free to mail us at
security@xysec.com for any bug issues/suggestions/trainings/ideas!
