For any function or service you can think of, there’s most likely ‘an app for that’. In the rush to be first, app developers are often pushed to tight deadlines with a primary focus on user functionality.
Unfortunately, these considerations often jeopardise the application’s security.
To illustrate the point, this post will be a little different from our usual articles – we’re going to show you step by step how a recent Android application was hacked. We do so to show how easy it is, in the hope that any developers reading this put the correct controls in place and keep security front-of-mind throughout the software development life cycle.
The app we’ll be taking apart is Kaspersky’s Android client. We’ve received approval from Kaspersky to use this in our blog and the vulnerability has since been patched.
First, we’ll start with some basics before we get into the nitty gritty:
How to test Android applications?
There are two analysis methods we can use for security testing:
- Static Analysis – This examines the Android project’s source files, without executing the app, for potential bugs and for security, performance, usability and accessibility improvements.
The key tools available for static analysis include:
- ApkAnalyser
- APKInspector
- Droid Intent Data Flow Analysis for Information Leakage
- DroidLegacy
- Several tools from PSU
- Smali CFG generator
- FlowDroid
- Android Decompiler – not free
- PSCout
- Amandroid
- Dynamic Analysis – Dynamic analysis tests and evaluates a program by running it on real data in real time. The objective is to find errors while the program is running, rather than by repeatedly examining the code offline.
The key tools available for dynamic analysis include:
- Android DBI framework
- Androl4b
- Drozer
- Xposed
- Android Hooker
- ProbeDroid
- Android Tamer
- DECAF
- CuckooDroid
- Crowdroid
In addition to the above lists, there are also multiple online analysis tools which include:
- AndroTotal
- Dexter
- Tracedroid
- Visual Threat
- Mobile Malware Sandbox
- MobiSec Eacus
- Appknox – not free
- IBM Security AppScan Mobile Analyzer
- NVISO ApkScan
- VirusTotal – max 128MB
How are Android hacks done?
Essentially, hacking is a step-by-step process, like a cooking recipe. Each step must be completed before the next can begin. Below we list the necessary steps.
Step One:
First, we have to discover a specific vulnerability. The Open Web Application Security Project (OWASP) lists the 10 most common mobile application vulnerabilities:
- Improper Platform Usage
- Insecure Data Storage
- Insecure Communication
- Insecure Authentication
- Insufficient Cryptography
- Insecure Authorisation
- Client Code Quality
- Code Tampering
- Reverse Engineering
- Extraneous Functionality
Step Two:
The next step is to reverse engineer the Android Package Kit (APK). There are multiple tools available for reverse engineering a third-party, closed, binary Android app. With them, we can decode resources almost to their original form and rebuild them after making the desired modifications.
This step also makes working with an app easier, because the decoded output has a project-like file structure, and it lets some repetitive tasks be automated.
Some available tools include:
- dex2jar
- JD-GUI
- apktool
Step Three:
Check permissions with analysers. If the app declares any insecure permissions, these can lead to an exploitable security vulnerability.
Once an insecure permission has been identified, the APK file can then be modified as desired.
Some available tools include:
- MobSF
- drozer
- androwarn
- androbugs
Step Four:
After the desired modifications are complete, the next step is to sign the APK file so it can be uploaded and aligned. The easiest way to do this is with apksigner.
Hacking the Kaspersky Android client
These are the basic steps. Now we’ll see how these steps work in real life, applying them to the Kaspersky Android client. The end result will be bypassing client-side verification and unlocking all premium features without paying a cent.
For this particular hack, the primary tool we used was the Drozer mobile security framework, though there are several others that could also be applied:
- Freedom
- Luckypatcher
- ADB
- Drozer
Step One:
Install Kaspersky from the Play Store. Once installed, the free version includes limited operations. The premium functionality we’ll be unlocking includes real-time protection, privacy protection and web protection.
Step Two:
Use the Drozer framework to check the components the package exposes. The necessary command is:
“run app.package.attacksurface com.kms.free”
This displays the Attack Surface we’ll be working with:
15 activities exported
24 broadcast receivers exported
0 content providers exported
5 services exported
The next command is:
“run app.activity.info -a com.kms.free”
Package: com.kms.free
com.kms.gui.KMSEnterCodeActivity
Permission: null
com.kms.gui.ShareItActivity
Permission: null
com.kms.antivirus.gui.AvScanResultActivity
Permission: null
com.kms.antitheft.gui.DeviceAdminLockScreenActivity
Permission: null
com.kms.antitheft.gui.LockInfoActivity
Permission: null
com.kms.activation.gui.LicenseInfoActivity
Permission: null
com.kms.antispam.gui.AntiSpamUserActionActivity
Permission: null
com.kms.gui.KMS6ManageSpaceActivity
Permission: null
com.kms.rateus.gui.KMSRateUsActivity
Permission: null
com.kms.activation.gui.RenewalValidationFormActivity
Permission: null
com.kms.ipm.gui.ShowIpmMessageActivity
Permission: null
com.kms.ipm.gui.IpmLicenseNotificationActivity
Permission: null
com.kms.activation.gui.LicenseBlockedActivity
Permission: null
com.kms.permissions.gui.PermissionsActivity
Permission: null
com.kms.free.PermissionsActivityLauncher
Permission: null
Target Activity: com.kms.permissions.gui.PermissionsActivity
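As an added example, not code from Kaspersky or the Drozer project, this is the check a developer would run over their own AndroidManifest.xml to catch exactly this class of finding before release (it is also what the Step Three “check permissions with analysers” stage boils down to): it applies the platform’s export rule to a constructed manifest that reproduces the weak configuration in the listing above, then to a hardened version. The manifest contents and the com.kms.free.permission.INTERNAL name are assumptions; only the package and activity names come from the Drozer output.

```python
# Added example (not Kaspersky's or Drozer's code): apply the platform's
# export rule to a manifest and list activities any other app may start.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def exposed_activities(manifest_xml):
    """Activities another app may start without holding a permission.
    An explicit android:exported wins; otherwise an activity with an
    <intent-filter> is exported by default (apps targeting Android 12+
    must declare it explicitly, older targets still rely on the default)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for act in root.iter("activity"):
        exported = _attr(act, "exported")
        if exported is None:
            is_exported = act.find("intent-filter") is not None
        else:
            is_exported = exported.lower() == "true"
        if is_exported and _attr(act, "permission") is None:
            findings.append(_attr(act, "name"))
    return findings

# Constructed manifest (an assumption, not the real one): the lock-screen
# activity from the Drozer listing is exported with no android:permission,
# so any app on the device can start it and skip the purchase flow.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.kms.free">
  <application>
    <activity android:name="com.kms.gui.KMSEnterCodeActivity"/>
    <activity android:name="com.kms.antitheft.gui.DeviceAdminLockScreenActivity"
              android:exported="true"/>
    <activity android:name="com.kms.activation.gui.LicenseInfoActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
  </application>
</manifest>"""

# Hardened form: internal screens are not exported, and a screen that must
# stay reachable is gated by a permission the app declares elsewhere with
# android:protectionLevel="signature" (permission name assumed here).
FIXED_MANIFEST = WEAK_MANIFEST.replace(
    'android:exported="true"', 'android:exported="false"'
).replace(
    '<activity android:name="com.kms.activation.gui.LicenseInfoActivity">',
    '<activity android:name="com.kms.activation.gui.LicenseInfoActivity"\n'
    '              android:permission="com.kms.free.permission.INTERNAL">')
```

Running exposed_activities over the weak manifest reports the two reachable screens; over the hardened one it reports nothing, which is the state a release build should be in.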
Step Three:
Next, we’ll start the activity below from the Drozer framework:
“com.kms.antitheft.gui.DeviceAdminLockScreenActivity”
Step Four:
Once the activity starts, the client opens on the device. Click ‘Buy Premium’ and it is activated successfully without purchasing a subscription. You now have free access to the premium features: real-time protection, privacy protection and web protection.