Major Upgrade v5.0

Author: ivan-sincek

README.md

@@ -6,7 +6,7 @@ As a security engineer, do you struggle with validating bug bounty reports, perf
 
 I've got you covered - all from the comfort of your own device!
 
-[YouTube: Malware APK v4.5 - Proxy Intent Injection PoC](https://www.youtube.com/shorts/gI1WlW9FRZ8)
+[YouTube: Malware APK v5.0 - Proxy Intent Injection PoC](https://youtube.com/shorts/hMcJ4JhPhnQ)
 
 ---
 
@@ -50,7 +50,7 @@ Future plans:
 
 ## About the App
 
-Version: `4.9`
+Version: `5.0`
 
 APK name: `Malware APK`
 
@@ -76,11 +76,12 @@ Permissions required:
 * `android.permission.BIND_NOTIFICATION_LISTENER_SERVICE`
 * `android.permission.POST_NOTIFICATIONS`
 
-URIs for internal QA testing:
+URIs for internal quality assurance:
 
 * `kira://hidden`
 * `content://com.kira.malware.TestFileProvider/files/test.txt`
 * `content://com.kira.malware.TestSQLiteProvider`
+* `javascript:alert(JavaScriptBridge.test())`
 
 ## Usage
 
@@ -90,7 +91,7 @@ URIs for internal QA testing:
 
 **#2:** Read world-readable shared preferences of another app.
 
-**#3:** To read files of another app, modify the `sharedUserId` in this app's `AndroidManifest.xml`, then rebuild the APK - this works only if another app has the shared user ID defined, also make sure to fully uninstall this app first, or reinstall might fail
+**#3:** To access files of another app, modify the [sharedUserId](https://developer.android.com/guide/topics/manifest/manifest-element#uid) in this app's [AndroidManifest.xml](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L4), then rebuild the APK - this works only if another app has the shared user ID defined.
 
 <p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/file_system.png" alt="File System" height="600em"></p>
 
@@ -100,7 +101,7 @@ URIs for internal QA testing:
 
 **#1:** Not all devices or root tools store the `su` (switch user) binary in the same location.
 
-**#2:** Run CLI tools like `/system/bin/logcat` or start a reverse shell with user `/bin/sh` or root `/bin/su` privileges.
+**#2:** Run CLI tools such as `/system/bin/logcat` or start a reverse shell with user `/bin/sh` or root `/bin/su` privileges.
 
 <p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/running_cli_tools.png" alt="Running CLI Tools" height="600em"></p>
 
@@ -131,31 +132,25 @@ URIs for internal QA testing:
 
 **#1:** Test an intent filter of another app.
 
-**#2:** Send an intent to another app to bypass its biometrics / security.
+**#2:** Send an intent to another app to directly bypass its biometric / security.
 
-**#3:** Send an intent to another app to bypass its biometrics / security by triggering its push notification manager, then manually opening the received push notification.
+**#3:** Send an intent to another app to indirectly bypass its biometric / security by triggering its push notification manager, then manually opening the received push notification.
 
 **#4:** Send an intent to another app to poison its widget.
 
 **#5:** Send a \[pending\] intent to another app multiple times to cause Denial of Service (DoS).
 
 **#6:** Send a mutable pending intent to another app to extract subsequently added intent extras.
 
-**#7:** Access a protected component, such as a file or SQLite content provider of another app, by exploiting its exported (proxy) component.
+**#7:** Access a protected component, such as a file or SQLite content provider of another app, by exploiting the app's exported (proxy) component.
 
 **#8:** Test a deep link of another app.
 
-```xml
-<data
-    android:host="hidden"
-    android:scheme="kira" />
-```
-
-**#9:** Perform a battering ram attack on a deep link or content provider URI of another app by adding `</payload>` placeholder into the intent's URI.
+**#9:** Perform a battering ram attack on a deep link or content provider URI of another app by adding `</payload>` placeholder in the intent's URI.
 
-**#10:** You can send an intent to `HiddenActivity` for inspection before sending it to the target.
+**#10:** You can send an intent to `HiddenActivity` for inspection before sending it to another app.
 
-**#11:** Test a file content provider for path traversal via `../`, and for arbitrary file read/write.
+**#11:** Test a file content provider for path traversal via `../`, and for arbitrary file read / write.
 
 **#12:** Test an SQLite content provider for SQL injection via projection and selection.
 
@@ -215,7 +210,7 @@ The following applies to both the `proxy intent` and `target intent` extras, but
     * key `HiddenActivityClose`,
     * and value `</close-on-success>`.
 
-When testing intent injections, you will often need to specify [com.kira.malware.activities.HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/activities/HiddenActivity.java) as the `target intent` class name, and set the file or SQLite content provider intent extra to the same `target intent`, as shown in the images below.
+When testing intent injections, you will often need to specify [com.kira.malware.activities.HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/activities/HiddenActivity.java) as the `target intent` class name, and scope the file or SQLite content provider intent extra to the same `target intent`, as shown in the images below.
 
 ---
 
@@ -241,18 +236,24 @@ When testing intent injections, you will often need to specify [com.kira.malware
 
 ### Broadcast Monitor
 
-**#1:** Listen for a broadcast intent from another app and extract sensitive information from its extras.
+**#1:** Listen for a broadcast intent from another app and extract sensitive information from the intent extras.
 
 <p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/broadcast_monitor.png" alt="Broadcast Monitor" height="600em"></p>
 
 <p align="center">Figure 9 - Broadcast Monitor</p>
 
 ### Web
 
-**#1:** Verify whether misconfigured asset links allow [app link](https://developer.android.com/training/app-links/verify-applinks) hijacking — this applies only on intent filters with `autoVerify` attribute.
+**#1:** Verify whether misconfigured asset links allow [app link](https://developer.android.com/training/app-links/verify-applinks) hijacking - this applies only to intent filters with `autoVerify` attribute.
 
 **#2:** Hijack a deep link of another app by specifying it in this app's `AndroidManifest.xml` under [HiddenActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L66), then rebuild the APK.
 
+```xml
+<data
+    android:host="hidden"
+    android:scheme="kira" />
+```
+
 **#3:** Initiate a deep link callback from a website to hijack the flow of another app.
 
 **#4:** Leverage existing web browser sessions to hijack the authenticated flow of another app.
@@ -267,15 +268,15 @@ When testing intent injections, you will often need to specify [com.kira.malware
 
 <p align="center">Figure 10 - Web</p>
 
-<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/deep_link_callback_flow.png" alt="Deep Link Callback Flow" height="600em"></p>
+<p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/deep_link_callback.png" alt="Deep Link Callback" height="600em"></p>
 
-<p align="center">Figure 11 - Deep Link Callback Flow</p>
+<p align="center">Figure 11 - Deep Link Callback</p>
 
 ### Task Hijacking
 
 **#1:** Changing the task affinity at runtime is not possible.
 
-**#2:** To hijack a task of another app, modify the task affinity in this app's `AndroidManifest.xml` under [MainActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L48), then rebuild the APK.
+**#2:** To hijack a task of another app, modify the task affinity in this app's `AndroidManifest.xml` under [MainActivity](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/AndroidManifest.xml#L48), then rebuild the APK
 
 Read more about the taskjacking [here](https://developer.android.com/privacy-and-security/risks/strandhogg).
 
@@ -287,7 +288,7 @@ Read more about the taskjacking [here](https://developer.android.com/privacy-and
 
 **#1**: Test if another app can detect an overlay.
 
-**#2**: Detect an overlay by checking [MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/fragments/TapHijackingFragment.java#L33) flags - this solution works only on older Android versions.
+**#2**: Detect an overlay by checking [MotionEvent.FLAG_WINDOW_IS_OBSCURED and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED](https://github.com/ivan-sincek/malware-apk/blob/main/src/Malware/app/src/main/java/com/kira/malware/fragments/TapHijackingFragment.java#L35) flags - this solution works only on older Android versions.
 
 Read more about tapjacking [here](https://developer.android.com/privacy-and-security/risks/tapjacking).
 
@@ -297,17 +298,17 @@ Read more about tapjacking [here](https://developer.android.com/privacy-and-secu
 
 ### Accessibility Monitor
 
-**#1**: Extract sensitive information from another app's UI by abusing the accessibility service.
+**#1**: Extract sensitive information from the UI of another app by abusing the accessibility service.
 
-Read more about the solution [here](https://developer.android.com/reference/android/view/View#attr_android:importantForAccessibility);
+Read more about the solution [here](https://developer.android.com/reference/android/view/View#attr_android:importantForAccessibility).
 
 <p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/accessibility_monitor.png" alt="Accessibility Monitor" height="600em"></p>
 
 <p align="center">Figure 14 - Accessibility Monitor</p>
 
 ### Notification Monitor
 
-**#1**: Extract sensitive information from another app's notification by abusing the notification service.
+**#1**: Extract sensitive information from a push notification of another app by abusing the notification service.
 
 <p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/notification_monitor.png" alt="Notification Monitor" height="600em"></p>
 
@@ -325,17 +326,19 @@ Read more about the solution [here](https://developer.android.com/reference/andr
 
 ### State Manager
 
-**#1:** Save and load the UI state at any time.
+**#1:** Save and load UI states at any time.
 
-**#2:** Download and share UI state files with others, and upload files shared by others at any time.
+**#2:** Download and share UI state files with others, and upload UI state files shared by others at any time.
 
 <p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/state_manager.png" alt="State Manager" height="600em"></p>
 
 <p align="center">Figure 17 - State Manager</p>
 
 ### Settings
 
-**#1:** Additional system controls and UI customizations, minimizing the need to rebuild the APK.
+**#1:** Additional system controls and UI customizations.
+
+**#2:** Biometric unlock prompts only once at launch. Clear all tasks to enable it again.
 
 <p align="center"><img src="https://github.com/ivan-sincek/malware-apk/blob/main/img/settings.png" alt="Settings" height="600em"></p>