Hacker, Researcher and Author.

Pentesting Android With Android Exploitation Framework


  
IMPORTANT NOTE: The information below is for educational and research purposes only, and is meant to illustrate how insecure the Android platform is. You will also see how most current Android anti-malware products fail to detect threats in the present scenario. Also, infecting another person's computer or mobile device with a malicious application without their permission is a punishable crime.
There are a lot of tools for exploiting security holes in a normal PC environment, but there have been very few tools for the Android environment that are also expandable. By expandable, I mean that users of the framework can build their own modules and share them with the security community.

Android Framework for Exploitation is an open-source project which we have developed in order to increase mobile security research, check for application-based and platform-based vulnerabilities, and let users write plugins for the framework and share them with the community. Subho Halder and I (Aditya Gupta) developed the framework, which we released at BlackHat Abu Dhabi in December 2012. The aim of this framework is to help the mobile security community analyze applications, exploit vulnerabilities, build POCs, and share their own modules with other users.

One of the interesting features of this framework is the ability to build malware and botnets, and even to inject malware into existing legitimate applications. This is to show how ineffective current mobile anti-malware products are against these kinds of infected versions of legitimate applications: at the time of writing, none of the anti-malware products for Android detected the malware sample.

Some of the features we'll be looking at in this post are:

1. Creating a malware
2. Creating a botnet
3. Injecting malicious codes in a legitimate application
4. Analyzing vulnerable applications

Before we go further, let us have a look at the file structure of AFE.
Once you download AFE, you will have a structure similar to the one given below.



The Input folder contains all the input APKs for any processing, such as crypting the APK to make it undetectable by anti-malware products, or inserting the APK into another legitimate APK, and so on.

Creating a malware

AFE lets users create malware for their devices from prebuilt templates. You can also modify the source code of the malware, and change the GUI of the application APK as you want.

To create a malware, first of all you have to launch AFE by typing in ./afe.

To get help at any point of time, just type in ? and hit enter.



Note: This tool is made natively for *nix based systems. If you're running Windows, you can use it by installing Cygwin. Also make sure you have all the dependencies, such as Python and the Android SDK, installed.

Once you are inside the menu, type in run [the module name] to execute a particular module.
In this case, the module is named malware.

Once you type in run malware

Just type in your local IP address in the Set Reverse IP option. Once you set your reverse IP (same as LHOST), you’ll have the option of Stealer.



There are 3 predefined stealers, and you can add more yourself. The 3 existing ones are:

• Call Logs
• Contacts
• Messages

Here’s a video of it.
Creating a Botnet
To create a botnet, you have to launch AFE as mentioned earlier and go on to create a botnet, similar to what we did in the last demo. Once you've created and installed the botnet on any Android-based smartphone, you can control it by sending SMS messages from any phone to the infected phone, and get the response back over SMS as well. This whole process goes on in the background, so the user won't be able to tell that any kind of malicious activity is being performed.

Some of the SMS-based commands are:

toast: To display a particular message on the screen
infect: To spread the botnet to any other device by sending an SMS from an already infected device
browse: To automatically open a URL on the victim's phone
shell: The most useful command. Can be used to execute any shell-based command. For example, xysec shell cat /proc/version

Note: All the commands should be appended with the keyword 'xysec' - this can be changed by modifying the source of the botnet. This is to make sure the SMS which has been sent as a command won't be displayed in the victim's notifications.

Analyzing Application for Leaking Content Providers

Content Providers are one of the most important components of Android applications when it comes to working with application data.

To get the content providers of an application, you could either reverse the application manually and look for the content providers, or use a tool such as Apktool and filter its output for the string content://

To find content providers with the help of AFE, you need to place the application you want to analyse in the Input folder.



Once we select the application, it will automatically present us with the list of content providers present in the application.



After finding out the permissions of the content providers, if a provider is set as exported without any permission checking, the application is vulnerable to the leaking content providers vulnerability.
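The exported-without-permission condition above can also be checked from the defender's side against the AndroidManifest.xml that Apktool decodes. The following is an added example, not part of AFE or the original post; the manifest is constructed, and audit_providers and its target_sdk argument are hypothetical names (the target SDK is passed in because providers without an explicit android:exported attribute are exported by default only when the app targets API 16 or lower).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app), in the form Apktool decodes.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <application>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes.provider"
              android:exported="true"/>
    <provider android:name=".SyncProvider" android:authorities="com.example.notes.sync"
              android:exported="true" android:readPermission="com.example.notes.READ"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.notes.cache"/>
    <provider android:name=".PrivateProvider" android:authorities="com.example.notes.private"
              android:exported="false"/>
  </application>
</manifest>"""


def audit_providers(manifest_xml, target_sdk):
    """Return (authority, unprotected operations) for providers other apps can reach."""
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    for prov in root.iter("provider"):
        exported = prov.get(ANDROID + "exported")
        if exported is None:
            # No explicit attribute: exported by default when targeting API 16 or lower.
            is_exported = target_sdk <= 16
        else:
            is_exported = exported.lower() == "true"
        if not is_exported:
            continue
        both = prov.get(ANDROID + "permission")
        read = prov.get(ANDROID + "readPermission") or both
        write = prov.get(ANDROID + "writePermission") or both
        open_ops = [op for op, perm in (("read", read), ("write", write)) if not perm]
        if open_ops:
            findings.append((prov.get(ANDROID + "authorities"), open_ops))
    return findings


if __name__ == "__main__":
    for authority, ops in audit_providers(SAMPLE_MANIFEST, target_sdk=16):
        print(f"content://{authority} exported with no {'/'.join(ops)} permission")
```

The check does not look at path-permission elements or at the protection level of the named permission, so a provider it passes still deserves a manual look.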

To make a POC of this vulnerability, we could use the content provider (vulnerable one) and make another application parsing this content provider. Following is a sample code snippet we made:



We will further update the GitHub repo located at https://github.com/xysec/AFE/ to make POCs automatically.
Injecting malicious codes in legitimate application


Using AFE, you can inject malicious code into legitimate applications. This is to demonstrate how easy it is for malware authors to create infected versions of legitimate applications, and how anti-malware products should improve their detection strategy to distinguish between fake and legitimate applications.

To create the application:

  • Select the malware to be injected,
  • Choose the target apk
  • Type inject



Once we select our target application, it will inject all the services and permissions from our malware (which we have already created) and even sign the newly created application with our key.



The newly created files will be stored in /Output under the names [originalapp].apk and [originalapp]_signed.apk.
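Because the injection adds services and permissions to the target's manifest, a repackaged build can be spotted by diffing its decoded manifest against the vendor's original. The following is an added example, not part of AFE or the original post; both manifests are constructed, and manifest_surface and added_surface are hypothetical names.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("service", "receiver", "activity", "provider")

# Constructed manifests (not from any real app): a vendor build and a suspect copy.
ORIGINAL = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".MusicService"/>
  </application>
</manifest>"""

SUSPECT = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".MusicService"/>
    <service android:name="com.example.injected.BackgroundService"/>
    <receiver android:name="com.example.injected.SmsReceiver"/>
  </application>
</manifest>"""


def manifest_surface(manifest_xml):
    """Collect requested permissions and declared components from a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    surface = {("uses-permission", e.get(ANDROID + "name"))
               for e in root.iter("uses-permission")}
    for tag in COMPONENTS:
        surface |= {(tag, e.get(ANDROID + "name")) for e in root.iter(tag)}
    return surface


def added_surface(original_xml, suspect_xml):
    """Return sorted (kind, name) pairs present in the suspect build only."""
    return sorted(manifest_surface(suspect_xml) - manifest_surface(original_xml))


if __name__ == "__main__":
    for kind, name in added_surface(ORIGINAL, SUSPECT):
        print(f"added {kind}: {name}")
```

Since the rebuilt APK is signed with a different key, comparing its signing certificate with the vendor's is a complementary check.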


Creating Plugins for AFE

AFE is an extendable framework, which can be integrated with user-made plugins.

To create a plugin, you need to go to the modules directory and create a directory with the name of your plugin.

Let us take the example of a plugin named DB Stealer. This plugin grabs all the database files (.db) from the device or emulator and saves them on the system. The code for this plugin has been written in PHP.



There are 3 necessary files:

Run.sh
dbstealer.php
dbstealer.info

Run.sh is the initializing code, which loads the entire plugin code (written in any language, in this case PHP) and executes it.

The second file, dbstealer.php, is the main code of the plugin. It is loaded from run.sh with the command php dbstealer.php.




The third file, dbstealer.info, contains the information about the plugin, which is displayed when the user types info dbstealer at the afe prompt.



Hope you guys enjoyed the post. Feel free to mail us at security@xysec.com for any bug issues/suggestions/trainings/ideas!

7 comments:

  1. Seems to be a great tutorial. Unfortunately I don't have any time to read it at the moment because I'm in a hurry, but definitely will read it tomorrow. The only small thing I noticed was that the video was missing below "Here’s a video of it.". :)

    Rynaldo. :)

  2. Yeah !!
    Nyc tUt brO:)
    HOping for sme preventive measures tOo:)

  3. Nice [TUT] and info about android malwares..............

  4. Nice info and update about androids malwares...

  5. I got an error
    cp: cannot stat `./bin/xysecv3-debug.apk': No such file or directory
    How do I fix that, please?
