Project Cream (Beta) - Android Software/Hacking General [Developers Only]

Hello everybody,
I'm Alessandro and I'm a student in IT Security at University of Milan.
I'm doing a thesis about Android malware and I'm building a system to automate the analysis of every app in every market.
This system uses a lot of free open-source products that I'm trying to customize and integrate.
The base idea is to enumerate all apps in every market (official and not), download every free app and get the APK; at this point there is a first step that involves our customized version of Androguard for static analysis, and the next step is a hybrid analysis in a customized Android running on an emulator.
More in detail:
- We are trying to enumerate all App using Android market api code.google.com/p/android-market-api and we are currently at work
- We want to download every free app enumerated by the previous step. I think it is not possible to download the APK directly, so I assume that I must download the app in an emulator and save the APK with a backup utility. Any suggestions?
- The next step is to analyze the APK with Androguard and publish a report (MD5 of the APK, permissions declared, services...) to the DB - not yet started
- After androguard we have to install Apk in emulator running customized Android, and here we have a lot of difficulties.
First of all we want to install the app silently, without human actions. This is not possible by default, but do you think it is possible to modify the Android source code to allow this?
In addition I have built a customized kernel with SELinux support; the next problem is that I have to add the SELinux commands to BusyBox and cross-compile. Has anyone already done this?
After that, we must create scripts (maybe an app?) to run tcpdump and get suspect traffic data, get the SELinux logs and make a sort of anomaly detection.
All these results must be sent to the same DB so we have a comparison between static and hybrid analysis for the same app.
We are asking you for a little help if anyone has already done one or more pieces of this system, or if anyone wants to contribute to this project.
Thank you for all
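The static report (MD5 of the APK, declared permissions) and the SELinux-log step of the pipeline described in this post, worked through as an added Python example; this is not the thread's code. The AVC denial lines, package names and the "suspect target type" scoring rule are constructed for illustration, and the join between the static and dynamic sides is keyed on the APK's MD5 as the post proposes.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample log: three SELinux AVC denials in the kernel audit layout that
# Android's logcat/dmesg show. Package names, pids, devices and inodes are made up.
SAMPLE_AVC_LOG = """\
type=1400 audit(0.0:17): avc: denied { read } for pid=1234 comm="com.example.app" name="wpa_supplicant.conf" dev="mmcblk0p25" ino=42 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:18): avc: denied { connectto } for pid=1234 comm="com.example.app" path="/dev/socket/netd" scontext=u:r:untrusted_app:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket permissive=0
type=1400 audit(0.0:19): avc: denied { write } for pid=5678 comm="com.other.app" name="build.prop" dev="mmcblk0p23" ino=7 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def denials_by_process(log_text):
    """Group parsed denials by the 'comm' field (the app's process name)."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            grouped[rec.get("comm", "?")].append(rec)
    return dict(grouped)


# Toy anomaly rule (an assumption for this example, not an established heuristic):
# a denied access whose target type is in this set counts as a suspect action.
SUSPECT_TARGET_TYPES = {"wifi_data_file", "system_file"}


def target_type(rec):
    # tcontext looks like u:object_r:wifi_data_file:s0; the third field is the type.
    return rec.get("tcontext", "::").split(":")[2]


def score_process(records):
    """Number of denials against suspect target types for one process."""
    return sum(1 for r in records if target_type(r) in SUSPECT_TARGET_TYPES)


def apk_md5(apk_bytes):
    """MD5 of the APK file, used as the join key between static and dynamic reports."""
    return hashlib.md5(apk_bytes).hexdigest()


def build_report(apk_bytes, declared_permissions, log_text):
    """Join the static findings (the Androguard step) with the dynamic findings."""
    grouped = denials_by_process(log_text)
    return {
        "md5": apk_md5(apk_bytes),
        "permissions": sorted(declared_permissions),
        "denials": {comm: len(recs) for comm, recs in grouped.items()},
        "suspect_score": {comm: score_process(recs) for comm, recs in grouped.items()},
    }


if __name__ == "__main__":
    fake_apk = b"PK\x03\x04 constructed placeholder, not a real APK"
    print(build_report(fake_apk, ["android.permission.INTERNET"], SAMPLE_AVC_LOG))
```

The parser only keys on the `avc: denied { ... } for key=value ...` layout, so it works on lines pulled from either `dmesg` or logcat's kernel buffer; anything else in the log is ignored rather than mis-parsed.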

[app] [Think Tank] omnipatcher - patching apps the easy way

This thread is for discussion on how to implement omnipatcher for android.
Project site => http://android-omnipatcher.googlecode.com
Project owner is brut.all
An Android app that can automatically download and apply patches/fixes for installed apps. It makes it possible to add features to closed source apps without distributing proprietary code.
Planned features (in more or less chronological order):
* apks patching
  o res files adding, deleting, replacing - especially useful for theme designers
  o applying smali patches
  o bsdiff patching
  o xml assets patching
  o resources.arsc patching
* signing and zipaligning apks after patching
* automatic app version matching
* automatic downloading to SD card of some dependencies like smali, baksmali, zipalign, etc.
* patching system apps
  o with root permissions
  o without root - by changing package name and installing it beside the original app
* possibility to generate an update.zip file to reinstall some critical apps
* online repository of users' fixes
* tool that simplifies or maybe fully automates generating of patches
Brut.all said:
I thought Java has native zip support?
Ok, Metamorph is run from console, so it hasn't got access to Java's zip lib. We wouldn't have this problem.
Brut.all said:
Big, but not huge. And so far it was evolving very rapidly.
Besides that, it will be an iterating project. First we need a patcher with some of the basic features. Minimalistic UI and configuration; libs and patches will be downloaded manually to SD. Then we will add some automation, new features and so on.
Yes, I think an iterative project is the best for this
Brut.all said:
I did it already, this was really easy. And the file is significantly smaller, because smali/baksmali are built with Maven and hence have doubled deps.
I don't understand... You mean (bak)smaling only needed files? It is possible, I checked it
I don't know how exactly baksmali works but I have some idea in mind that I have to check... will tell after researching some stuff ;-)
Brut.all said:
I thought Java has native zip support?
Yes, Java has built-in support (at least on desktop)
It's very interesting!
I did the majority of the work needed to release the first version of Omnipatcher with basic functionality and then I took to all the Android stuff: UI, etc. 2 days passed and I'm almost at the starting point :-/ I got -10 to Android enthusiasm :-/
Android Layouting is not always that easy :-/
I don't have too much time now because I have to finish my pre bachelor thesis (have final design review on Wednesday) but...
How can I help with it?
Hey -- looking this over, as a non-developer/programmer; I am curious: is there any chance that this program could work to apply patches to *.img files? (Specifically, I'm thinking about hot-swapping the kernel.)
IConrad01 said:
Hey -- looking this over, as a non-developer/programmer; I am curious: is there any chance that this program could work to apply patches to *.img files? (Specifically, I'm thinking about hot-swapping the kernel.)
Nope, because the intent of this app is decompiling apk's, patch it and compiling again to make the patching app itself legal because no proprietary content will be distributed... the user has to provide the proprietary app to the patching util.
What you want to do could be easily done with just a binary patcher like bsdiff.
rac2030 said:
Android Layouting is not always that easy :-/
I don't have too much time now because I have to finish my pre bachelor thesis (have final design review on Wednesday) but...
How can I help with it?
@brut.all If you want, we could open a wave for brainstorming on the app and I can help you with the Android app stuff you're having problems with?
I'm working on it alone because I write much faster in languages like Java, than in English ;-)
I want to get first basic (root only, sorry), but working version, clean up code, release it, update googlecode site a bit (TODOs in form of issues, some usage docs, etc.) and then I will open to community development. In a few days, I think
Nice, MetaMorph pretty much does a lot of this, at least in regards to apk and jar patching. MetaMorph is in the market now. The only problem we have had so far is that market apps require them to be resigned when you edit their contents, so that is problematic.
Yep, someone told me about MetaMorph already, so I checked it out, cause I prefer team work than many parallel projects on the same topic.
However I concluded that MetaMorph has different assumptions: it was created as a theme designers' tool mainly, so it emphasizes speed and simplicity.
I want to create an all-in-one framework with many methods of patching (simple file replacement, bsdiff, smali, XML patching) and installation (in-place replacement, uninstall & install by package manager, generating update.zip), apk version control and the possibility to distribute patches without containing proprietary stuff in them. And hence I have chosen Java in contrast to MetaMorph, which is a shell script.
And you have surprised me by info that MM is in the market. You wrote about MM app here, but you didn't write that you finished it... Is it just a front-end to shell script?
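The reason edited apks have to be re-signed (raised in the MetaMorph discussion above, and the "signing and zipaligning apks after patching" step of omnipatcher's plan) can be shown in a few lines: every entry's digest is recorded in META-INF/MANIFEST.MF, so changing one file breaks the match. The following Python is an added example, not omnipatcher's or MetaMorph's code. It builds a small APK-like zip from constructed entries, checks the v1 (JAR-style) manifest digests, rewrites one entry the way a patcher would, and shows the check failing afterwards. It uses SHA1 digests and short entry names (real manifests may use SHA-256 and wrap long lines), and it checks only the manifest digests, not the signature block itself.

```python
import base64
import hashlib
import io
import zipfile


def entry_digest(data):
    """Base64 SHA1 of an entry's bytes, the format used by SHA1-Digest lines."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(entries):
    """Build a JAR-style META-INF/MANIFEST.MF recording a digest per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {entry_digest(data)}", ""]
    return "\r\n".join(lines).encode()


def make_apk_like_zip(entries):
    """Constructed stand-in for an APK: the given entries plus a matching manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
    return buf.getvalue()


def parse_manifest(text):
    """Return {entry name: SHA1-Digest} from a MANIFEST.MF body (no line wrapping handled)."""
    digests, current = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and current:
            digests[current] = line[len("SHA1-Digest: "):]
    return digests


def check_manifest_digests(zip_bytes):
    """Compare each non-META-INF entry with its recorded digest.
    Returns (ok, names whose digest is missing or does not match)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name in zf.namelist():
            if name.startswith("META-INF/"):
                continue
            if digests.get(name) != entry_digest(zf.read(name)):
                bad.append(name)
    return (not bad, bad)


def patch_entry(zip_bytes, name, new_data):
    """Rewrite one entry (what a patcher does) without touching META-INF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed entries; the bytes are placeholders, not real dex or resource data.
    apk = make_apk_like_zip({"classes.dex": b"dex\n035\x00placeholder",
                             "res/values/strings.xml": b"<resources/>"})
    print("before patch:", check_manifest_digests(apk))
    patched = patch_entry(apk, "res/values/strings.xml", b"<resources><string name=\"x\">y</string></resources>")
    print("after patch: ", check_manifest_digests(patched))
```

Because the digests no longer match, the package manager rejects the patched apk until META-INF is regenerated with a new key, which is why a patched app ends up with a different signer than the market copy and can no longer receive its updates. Newer Android releases add whole-file signature schemes (v2 and later) on top of this, so a modern patcher has to re-sign at that level too.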
too bad this thread's dead

Learning about Android as an OS

I hope this isn't a stupid question. But I couldn't find any real info regarding this. And after reading the Mysteries of Science thread it seemed to me, there really isn't much information regarding such things. So:
I noticed that for almost all Linux based OS you can find in-depth descriptions on how the OS works on a basic level. For example where specific settings are stored.
The guides at android.com deal with app development, but don't specify how you use the OS as a root user. For example, if I want to change WLAN settings, there must be a way to do that without using the GUI or by using special classes but by editing a config file. Or where does Android store the startup settings, i.e. which apps to start at boot time or at specific system events. Or where do apps register as default app for viewing certain filetypes. There is a description how to code it, but not how Android stores that information and how it can be edited/viewed manually.
Since it's Linux-based I guess there are plain text config files for all those things. But where...? Was such information ever released by Google?
bur2000 said:
For example, if I want to change WLAN settings, there must be a way to do that without using the GUI or by using special classes but by editing a config file.
You can change network interface with 'ifconfig' command.
You can get ifconfig command by installing busybox.
There are commands that can be used, but this is still a bit like trial & error. So it seems there is no full documentation on how Android works?
Has Google ever addressed this, do they plan to release such documentation?

[LIBRARY][ROOT][2.3+] AnJaRoot Library - No more scripting to utilize SuperUser!

AnJaRoot stands for Android Java Root, and it's just that - a replacement for the previous generation of superuser access on Android. The days of calling su to execute scripts in a limited environment are over; developers are now able to perform previously restricted actions directly from Java!
This is the official Developer Support Thread for the AnJaRoot Library - Please focus your post on the Library, everything about the app should go here.
For more information about AnJaRoot, please visit the main thread or go to http://www.anjaroot.net/.
Getting Started
To start using the AnJaRoot Library, download it from the main thread or from the homepage. You will need the AnJaRoot-Library.jar, optionally also the provided JavaDoc jar. Integrate it as a dependency in your app and you are ready to go!
Resources
It's always easier to start with a sample and some documentation at hand. I've started the AnJaRootTester project to serve as a reference for the library usage as well as for testing if AnJaRoot is correctly running and installed on a device. While it's not the cleanest app the world has ever seen, it shows pretty well how to integrate AnJaRoot into your app.
You may also like the online library documentation.
Feel free to post anything which is related to the library itself and happy hacking!
Luminger said:
AnJaRoot stands for Android Java Root, and it's just that - a replacement for the previous generation of superuser access on Android. The days of calling su to execute scripts in a limited environment are over; developers are now able to perform previously restricted actions directly from Java!
Nice! And very different from how I implemented Java code support in RootTools.
A question regarding your NOTES file: you write that setresuid() is inlined. Where is it inlined? If you use LD_PRELOAD, your own library will be hit first, and you can ask the compiler not to inline your code.
Yea, it turned out pretty simple I think
After reading the NOTES file again, I have to say that I was wrong on the comment placed there regarding inlines getresuid()/getresgid() calls.
You are right, your library will be hit first when it comes to external symbol resolution. But this only works for dynamically linked symbols, not for anything which is inlined or coming directly from the executable. I'm currently evaluating switching to ptrace() to place my capset() hook as it would interop with Xposed without it even knowing - so it may become obsolete soon anyway.
I can remember that I poked around in the compiled libraries pulled from my device, searching for external symbols I could replace. I looked at the wrong files and assumed that the compiler inlined those calls. Looking back this conclusion is so wrong; it would be awful if the compiler would inline calls to shared library symbols.
AnJaRoot 1.1.0 is now compatible with Xposed. It can be downloaded from http://anjaroot.net or the main AnJaRoot thread here at XDA.
You have to reinstall it via the provided update.zip to get Xposed compatibility. The library change is upward compatible, updating is recommended but not needed.

Wayland server for Android

ABANDONED
Hi! Does anyone here use Linux desktop distributions in chroot environment on Android device?
I am developing wayland protocol server for Android devices. If anyone is interested in checking my project, latest version of apk is always available here:
ftp://ftp.drivehq.com/mogryph/sparkle/
Currently I am only focused on running Xwayland as client. Also apk supports audio output.
Simplest instruction:
1. Android 6 or newer required, busybox required, root required
2. Prepare linux distribution in directory, image or on partition. Make sure you have Xwayland installed in it. Make sure you specify which DE to run (or at least xterm) in ~/.xinitrc
3. Install and start sparkle.apk
4. Press "edit user.sh", uncomment (remove #) line starting with start_generic_container. Change rest of this line to match your device:
first arg - image or partition where the distribution is installed. If the distribution is installed in a directory and mounting is not needed, leave this arg unchanged.
second arg - mount point or directory with the distribution. If you use mounting (first arg), this arg can be left unchanged.
third arg - name of the user which will be used to start Xwayland and the DE. It's better to specify non-root. Also this is the user who must have .xinitrc in his home dir (see step 2).
5. Save user.sh and click "Start".
6. Any problems and crashes will be reflected in the log.
If you want audio output:
1. Compile and install the driver from pcm_sparkle.tar.gz in your distribution
2. cp 1.asoundrc ~/.asoundrc
If you have blinking problem, change upload_mode from 1 to 2 in settings. If you have bad performance, setting no_damage to true may help, but in most cases no_damage=false is better. Fastest upload mode is 0 (if it works).
If you don't trust me and don't want to give sparkle root permissions (I perfectly understand this) you don't have to. Also you can do without busybox.
But in this case, you need to understand and do a lot of things. Check sparkle's user.sh to get idea about what needs to be done. Basically:
1. You need to make /data/data/com.sion.sparkle/files accessible from inside the chroot container. You can use a bind mount.
2. Make sure you have tmpfs mounted over /tmp in container.
3. You may need to change selinux context on /tmp to match sparkle's context or disable SELinux.
4. You need to create new directory in /tmp, symlink sparkle's wayland socket from /data/data/com.sion.sparkle/files/wayland-0 to this dir. And export XDG_RUNTIME_DIR to point to this dir. Dir must be (ch)owned by user who will be running Xwayland and DE.
5. After all this, you can try to start Xwayland and your DE.
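A preflight check for steps 1, 4 and 5 of the manual (non-root, no-busybox) setup above, as an added Python example that is not part of sparkle: it verifies the runtime directory's owner and mode, that wayland-0 inside it is a symlink to sparkle's socket path from step 4, and prepares the XDG_RUNTIME_DIR environment for starting Xwayland. The demo() function builds a throwaway directory so the check can be run on any Linux box without root; the SELinux context change in step 3 is not checked here. The requirement that XDG_RUNTIME_DIR be owned by the user with mode 0700 comes from the XDG Base Directory specification, not from this thread.

```python
import os
import pwd
import stat
import tempfile

# Socket path taken from step 4 of the post.
SPARKLE_SOCKET = "/data/data/com.sion.sparkle/files/wayland-0"


def check_runtime_dir(runtime_dir, user, socket_target=SPARKLE_SOCKET):
    """Preflight for the directory that XDG_RUNTIME_DIR will point at.
    Returns a list of problems; an empty list means the layout matches steps 1 and 4."""
    problems = []
    try:
        st = os.stat(runtime_dir)
    except FileNotFoundError:
        return [f"{runtime_dir} does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{runtime_dir} is not a directory"]
    uid = pwd.getpwnam(user).pw_uid
    if st.st_uid != uid:
        problems.append(f"{runtime_dir} is not owned by {user}")
    # XDG Base Directory spec: the runtime dir is owned by the user, mode 0700.
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"{runtime_dir} is accessible to other users (mode {oct(mode)})")
    link = os.path.join(runtime_dir, "wayland-0")
    if not os.path.islink(link):
        problems.append(f"{link} is missing or is not a symlink")
    elif os.readlink(link) != socket_target:
        problems.append(f"{link} points to {os.readlink(link)}, expected {socket_target}")
    return problems


def env_for_xwayland(runtime_dir):
    """Environment for step 5: the current environment plus XDG_RUNTIME_DIR."""
    env = dict(os.environ)
    env["XDG_RUNTIME_DIR"] = runtime_dir
    return env


def demo():
    """Build a temporary directory mimicking the layout and run the check twice:
    once as set up correctly, once after loosening the mode."""
    me = pwd.getpwuid(os.getuid()).pw_name
    base = tempfile.mkdtemp(prefix="sparkle-rt-")  # created 0700 by mkdtemp
    os.chmod(base, 0o700)
    # The link may dangle on a machine without sparkle; only its target is checked.
    os.symlink(SPARKLE_SOCKET, os.path.join(base, "wayland-0"))
    good = check_runtime_dir(base, me)
    os.chmod(base, 0o755)
    loose = check_runtime_dir(base, me)
    return good, loose


if __name__ == "__main__":
    good, loose = demo()
    print("correct layout:", good or "OK")
    print("world-readable dir:", loose)
```

On the device the same function is run against the directory created in step 4, with the user from step 4's chown; the environment returned by env_for_xwayland() is what Xwayland and the DE are launched with in step 5.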
New version
rgho.st/8Fbz64Rxj
Added x86 and x86_64 support. Actually it is rewritten almost from scratch but x86 support is the only thing others can notice...
Hello! This project is interesting. I tried you app and it works on my Xiaomi Redmi Note 4X(chromium and glmark from chrooted environment works very well)! Can you publish source code on Github, because it really interesting project?
Also I'm interested, please post it on github!
Did you put this up on github or move this thread? Looks very interesting.
Argh, sorry, I decided to abandon this project. You are free to delete thread. Also no copyleft-licensed components were used so I don't have to bother releasing sources.
Hentacler said:
Argh, sorry, I decided to abandon this project. You are free to delete thread. Also no copyleft-licensed components were used so I don't have to bother releasing sources.
Check your PM please!
Hello again.
For the last two weeks I was rewriting it from scratch (yes, again... yes, a third time).
Probably need another week to make it stable.
Currently I am not sure it runs on any device except my own 5-year old phone (LineageOS 14).
I will maintain last version here:
ftp://ftp.drivehq.com/mogryph/sparkle/
There is no English documentation, but you can see script "user.sh" to get idea about how to start xwayland. In most cases it should be enough to edit few lines in that script to make it work on another device. If you execute this script on your device with "install" argument, it is supposed to place itself into sparkle's directory and sparkle is supposed to run it ("start" function) automatically. Sparkle doesn't request root unless script does.
Here is video of sparkle working:
https://www.youtube.com/watch?v=tOSFYxCF7Q8
But it seems that KDE + video recording was too much for my old phone
Still, if you're going to see the video, don't close it until 2:00 where I turned off composition which caused lags.
Also on device everything looks much smoother than on video, even after 2:00.
When I watch fullscreen (1280x720) video on my device, sparkle + xwayland together add just 5% of CPU load (20% load of single core).
That's it I guess... I tried to discuss sparkle on 4pda.ru (Russian forums), but got a very bad reception. "xsdl is perfect, don't reinvent the wheel" they say. So I started to hate humanity and I decided to make sparkle a personal project. Also this is the last time I am solving reCAPTCHA to leave a post on XDA.
Still alive
We are still alive. I've changed the first post to reflect the actual state. Now sparkle supports audio, auto-mounting containers and is a lot more stable.
Yet there are still many things I want to improve in sparkle's core before adding new functions.
Also there are few demo videos on ftp.
Amazing!
Working great on my redmi 6 pro. Stock miui 9.9.3 rom. With linuxdeploy and sparkle from your ftp. No lag on visual and sound. My Linux distribution is alpinelinux arm64 arch.
Since first time I see your posting on 4pda. I'm interested in it. And finally it's on xda.
Thanks dev.
For anyone interested in the topic. Please follow the instructions in documentation from ftp. And Translate it to eng from rus.
This sounds amazing! Just curious, is it related to https://github.com/twaik/sparkle ?
I now have it working very well on my Samsung Tab S3 using Xwayland and a tiling window manager. Firefox runs amazingly well!
Is it meant to be used only with Xwayland or will it also work with native Wayland applications?
BTW, I think if you open sourced this project and promoted it a bit, it could become quite popular. It's basically the first way to run X11 GUI applications on Android devices at full speed. If you set up a donation link, you could also get compensated for your time and effort. I'll personally contribute $20 if it's open sourced, and I'm sure others will chip in as well.
robsmith11 said:
This sounds amazing! Just curious, is it related to https://github.com/twaik/sparkle ?
Thanks for feedback. Nice to hear that someone managed to start this thing
Twaik's repository is clone of my very very old version of sparkle. I made that version years ago when I was just starting to learn linux and C++. Sparkle was rewritten from scratch two or three times since that version. And (I believe) current version is much better.
Regarding making it open source... Few months ago I had to find real job. Can't spend much time on personal projects any more. But I have my own strange programming style and my own vision of what sparkle should be. Not sure I want others to paint on my picture. It's probably all because of Twaik! I hate how he used old open source version of sparkle. He did terrible things to it, outraging all my beliefs Sorry!
P.S.: Yesterday I uploaded another apk to my ftp. The file is called "sparkle-testing.apk". This version is much newer and has many fixes. But I've also changed too many things since the tested version, including some fundamental changes. No guarantee it will run at all on other devices. Interest is mega low and I get no test reports at all.
Hi Hentacler, I've just found your project - it looks really promising. Unfortunately, the only link currently working on this thread is to github. Is this project still live?
I have a Samsung Galaxy Note 10+, and am using it as a laptop replacement. In addition to the Android apps using Samsung DeX (Samsung's desktop solution), I have several Linux distributions installed inside a chroot using UserLAnd - so far, it's working great. I'd be keen to give your project a try if it's still live, and am happy to help out with testing from my device.
Re open source - while I like your project, I'm not super interested in investing time into something that's not open sourced - I appreciate your concerns about wanting to maintain the direction, but having transparent development is pretty important to me. Is Twaik's fork of your project a better place to go?
Cheers.
tillum said:
Hi Hentacler, I've just found your project - it looks really promising. Unfortunately, the only link currently working on this thread is to github. Is this project still live?
I have a samsung galaxy note 10+, and am using it as a laptop replacement. In addition to the android apps using Samsung Dex (Samsung's desktop solution), I have several linux distributions installed inside a chroot using userLand - so far, its working great. I'd be keen to give you project a try if it's still live, and am happy to help out with testing from my device.
Re open source - while I like your project, I'm not super interested in investing time into something that's not open sourced - I appreciate your concerns about wanting to maintain the direction, but having transparent development is pretty important to me. Is Twaik's fork of your project a better place to go?
Cheers.
ftp://ftp.drivehq.com/mogryph/sparkle/
Link to FTP should work and there you can get two versions:
sparkle.apk - old version, but confirmed to work by 3-4 people.
sparkle-testing.apk - latest version, but only briefly tested by me.
I don't ask anyone to invest anything... Sparkle doesn't request root access or any other dangerous permissions (unless you enable automatic container mounting and starting) so it's safe to try for anyone who wants.
Btw, somewhere between these two versions I've replaced BASH container initialization script with LUA version. That was probably a bad idea. LUA script is harder to start directly as root and hacks I used may not work (currently may even cause application freeze if root access is denied). Going to revert to BASH probably. But this only touches people who want sparkle to mount container and launch everything automatically on single button press.
p.s.: Why I need to solve captcha every time I post something?
Thanks for the new release! I've updated and everything seems to be working without any changes on my Samsung Tab S3 with chroot and Arch Arm Linux.
Your changes also solved the flickering for me! The old version would flicker the screen whenever my keyboard's trackpoint activated, but it's not flickering at all any more. Performance seems to be about the same.
I think this could be quite popular, but not many people know about it. Perhaps a post on Hacker News or Reddit would raise awareness.
I understand your position on open source and maintaining control. One idea if you haven't already considered it is releasing the code with a restrictive license that forbids any forks. But either way, I'm enjoying being able to properly use X11 on my tablet.
BTW, have you tried any native Wayland compositors? I don't really understand the Wayland ecosystem that well. I gave Sway a brief try, but it didn't seem to work. I've only been using XWayland.
@Hentacler Thanks for your reply! Very keen to get this working, but having a few issues. I'm unsure how to configure the user.lua file - I'm using your latest apk.
I have a non-rooted device, and am running archlinux under termux. Works fine with xsdl. I have installed xorg-server-wayland for X11. I'd appreciate any advice you have.
@robsmith11 Are you able to share how you got this working on Arch? Thanks!!!!
tillum said:
@Hentacler Thanks for your reply! Very keen to get this working, but having a few issues. I'm unsure how to configure the user.lua file - I'm using your latest apk.
I have a non-rooted device, and am running archlinux under termux. Works fine with xsdl. I have installed xorg-server-wayland for X11. I'd appreciate any advice you have.
@robsmith11 Are you able to share how you got this working on Arch? Thanks!!!!
I am not sure it is possible to use sparkle without root...
Sparkle makes its directory accessible for everyone (chmod 777). Before Android 8 or 9 this was enough and xwayland from termux was able to connect to sparkle. Here is how people used to start it:
export XDG_RUNTIME_DIR=/data/data/com.sion.sparkle/files
Xwayland
But newer versions of Android brought more restrictions and termux can no longer connect to sparkle. These new restrictions are implemented using SELinux if you know what it is. Applications now have different security contexts.
But that is not all. Newest versions of android brought even more terrible meaningless restrictions effectively "killing" applications like termux and many others.
In short, from now on applications are not allowed to execute code (binaries) that comes from "untrusted" sources. Termux used to download a lot of such code from its own repositories. And now it can't. We can't even unpack binaries from assets.
So I can only help with rooted devices.
P.S. Please forgive me, but I am leaving this website. Making people solve recaptcha every time they want to post something is unacceptable level of contempt.
My mail: [email protected]
Thanks for that, will have a play. I could always just root my device. Weird about recaptcha, not having this issue. Currently through termux I have access to the whole sdcard, and am able to download packages (and distros) in it - will have a play and see what else is possible.
@tillum
I basically just followed the instructions on the first post for using Sparkle without busybox. I didn't need to modify the Lua scripts.
I'm guessing SELinux may be a problem without root. I'll try setting it up without root when I have a chance later.

dSploit/cSploit continuation

Hello, if you know what cSploit is you also probably know that it's buggy and outdated.
I have taken time to rebrand the software, mixing versions, and modifying code.
My goal was to fix the login cracker which was not giving status output since the C regex was broken, so I re-implemented the original dSploit 1.0 fashion - each tried password is shown - and the progress bar is effective. I also modified the Java code and res to be able to fully use hydra (more options, and most importantly being able to pass http-related plugin parameters).
Metasploit is outdated, and ruby 1.9 cannot run the latest version; so I switched to version 2.7, which is running: we can install gems.
Issue is that when downloading the MSF and setting it up, the bundle doesn't return, and gives no output. I don't know what is happening here, there may be a prompt for administrator's password so I run 'bundle install' as root, but it doesn't change anything.
gem install bundler does succeed, but not bundle install, showing forever "downloading gems". This part is tricky and I need people to look upon it with fresh eyes (I spent too much time on the code).
I'm calling the project eSploit and renamed a lot of things like package name, since I have been working alone and that the cSploit project is utterly abandoned, but still is delivered on platforms like nethunter store despite the bugs and EOF notice. So don't judge me on taking it over since no one cares.
Status is:
Nmap: fully functional
Hydra: restore not working (restore file's path issue)
Exploit finder: Not working since the MSF doesn't update yet -see above- , and that is the milestone.
MITM: not tested, might just get rid of it.
There is a change of strategy in the way we will retrieve exploits, instead of contacting outbound server and pass it the result of the inspector, then seeking in the metasploit database for the CVE, we will just pass the inspector's result to metasploit. No difference, and the thing will be working on local networks without internet connection,
To be honest this is a bit like pinning a nail with a bulldozer, but for now there is no alternative.
Submodules are removed from git, instead there's a big working tree with all the dependencies.
Note that the openssl library originally shipped with the package doesn't 'work' with most newer software, hence we are using 1.1.1l for ruby, and will either stick to the latest for older software (like hydra 8.8) or update the programs, so for now only nmap is working.
So tell me what you think of it, and don't hesitate to report bugs on github, ask me questions about the architecture of the software (originally designed by Simone Margaritelli), and help me find a solution to the main issue.
GitHub - e2002e/eSploit: cSploit - The most complete and advanced IT security professional toolkit on Android.
This is very cool. It would be really cool if this is working. I hope that you can fix these Problems
cSploit, dSploit.. now eSploit i really like this program.
Any similarities with zANTI ?
I am very interested in this project! But the github page is offline Are you still working on this?
Hi people, I got to some reasoning that this was not needed, though being cool to have the metasploit framework for android, I remember now how younger I tried to hack into things without a proper vulnerability scanner. This results in frustration. You can't know just from an nmap scan what exploit to launch. This thing would be awesome with (for instance) greenbone. But as is it is like attacking tanks with guns.
So I dropped it and deleted the repository.
Thanks for your reactions.
What happened? It's not available.
