{"id":2404,"date":"2024-09-25T17:50:29","date_gmt":"2024-09-25T17:50:29","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2404"},"modified":"2025-07-29T03:39:40","modified_gmt":"2025-07-29T03:39:40","slug":"if-theres-an-app-for-it-theres-a-hack-for-it","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/if-theres-an-app-for-it-theres-a-hack-for-it\/","title":{"rendered":"If there\u2019s an app for it, there\u2019s a hack for it"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"500\" height=\"281\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/android.webp\" alt=\"\" class=\"wp-image-2406\" style=\"width:612px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>For any function or service you can think of, there\u2019s most likely \u2018an app for that\u2019. In the rush to be first, app developers are often pushed to tight deadlines with a primary focus on user functionality.<br><br>Unfortunately, that pressure often comes at the expense of the application\u2019s security.<br><br>To illustrate the point, this post will be a little different from our usual articles \u2013 we\u2019re going to show you step-by-step how a recent Android application was hacked. We do so to show how easy it is, in the hope that any developers reading this put the correct controls in place and keep security front-of-mind throughout the software development life cycle.<br><br>The app we\u2019ll be taking apart is Kaspersky\u2019s Android client. 
We\u2019ve received approval from Kaspersky to describe this in our blog, and the vulnerability has since been patched.<br><br>First, we\u2019ll start with some basics before we get into the nitty gritty:<br><br><strong>How are Android applications tested?<\/strong><br><br>There are two analysis methods we can use for security testing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Static Analysis<\/strong> \u2013 This examines the app\u2019s code and resources without running it (usually the decompiled APK, since a tester rarely has the source), looking for security bugs as well as performance, usability and accessibility problems.<\/li>\n<\/ul>\n\n\n\n<p>The key tools available for static analysis include:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>ApkAnalyser<\/li>\n\n\n\n<li>APKInspector<\/li>\n\n\n\n<li>Droid Intent Data Flow Analysis for Information Leakage<\/li>\n\n\n\n<li>DroidLegacy<\/li>\n\n\n\n<li>Several tools from PSU<\/li>\n\n\n\n<li>Smali CFG generator<\/li>\n\n\n\n<li>FlowDroid<\/li>\n\n\n\n<li>Android Decompiler \u2013 not free<\/li>\n\n\n\n<li>PSCout<\/li>\n\n\n\n<li>Amandroid<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dynamic Analysis<\/strong> \u2013 This tests a program by running it (on a device or emulator) and observing its behaviour as it executes. 
The objective is to find flaws that only show up while the program is running, rather than by examining the code offline.<\/li>\n<\/ul>\n\n\n\n<p>The key tools available for dynamic analysis include:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Android DBI framework<\/li>\n\n\n\n<li>Androl4b<\/li>\n\n\n\n<li>Drozer<\/li>\n\n\n\n<li>Xposed<\/li>\n\n\n\n<li>Android Hooker<\/li>\n\n\n\n<li>ProbeDroid<\/li>\n\n\n\n<li>Android Tamer<\/li>\n\n\n\n<li>DECAF<\/li>\n\n\n\n<li>CuckooDroid<\/li>\n\n\n\n<li>Crowdroid<\/li>\n<\/ol>\n\n\n\n<p>In addition to the above lists, there are also multiple online analysis tools which include:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>AndroTotal<\/li>\n\n\n\n<li>Dexter<\/li>\n\n\n\n<li>Tracedroid<\/li>\n\n\n\n<li>Visual Threat<\/li>\n\n\n\n<li>Mobile Malware Sandbox<\/li>\n\n\n\n<li>MobiSec Eacus<\/li>\n\n\n\n<li>Appknox &#8211; not free<\/li>\n\n\n\n<li>IBM Security AppScan Mobile Analyzer<\/li>\n\n\n\n<li>NVISO ApkScan<\/li>\n\n\n\n<li>VirusTotal &#8211; 128MB upload limit<\/li>\n<\/ol>\n\n\n\n<p><strong>How are Android hacks done?<\/strong><br><br>Essentially, hacking is a step-by-step process, like a cooking recipe. Each step must be completed before the next can begin. Below we list the necessary steps.<br><br>Step One:<br><br>First, we have to know what kinds of vulnerability to look for. The OWASP Mobile Top 10 (2016 edition) lists the ten most common categories of mobile application weakness:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Improper Platform Usage<\/li>\n\n\n\n<li>Insecure Data Storage<\/li>\n\n\n\n<li>Insecure Communication<\/li>\n\n\n\n<li>Insecure Authentication<\/li>\n\n\n\n<li>Insufficient Cryptography<\/li>\n\n\n\n<li>Insecure Authorisation<\/li>\n\n\n\n<li>Client Code Quality<\/li>\n\n\n\n<li>Code Tampering<\/li>\n\n\n\n<li>Reverse Engineering<\/li>\n\n\n\n<li>Extraneous Functionality<\/li>\n<\/ol>\n\n\n\n<p>Step Two:<br><br>The next step is to reverse engineer the Android Package Kit (APK). 
Several tools can reverse engineer a third-party, closed, binary Android app. apktool decodes the manifest and resources almost to their original form and rebuilds the APK after modification; dex2jar converts the Dalvik bytecode to a Java archive; and jd-gui decompiles that archive into readable Java.<br><br>This step also makes working with an app easier because of the project-like file structure, while enabling the automation of some repetitive tasks.<br><br>Some available tools include:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>dex2jar<\/li>\n\n\n\n<li>jd-gui<\/li>\n\n\n\n<li>apktool<\/li>\n<\/ol>\n\n\n\n<p>Step Three:<br><br>Check the decoded manifest with an analyser. Two things matter: the permissions the app requests, and the components (activities, services, broadcast receivers, content providers) it exports, since an exported component that is not guarded by a permission can be invoked by any other app on the device. An exported, unguarded component that performs a privileged action is a vulnerability that can often be exploited directly, without touching the APK at all.<br><br>Where the weakness instead requires changing the app\u2019s own code, the decoded APK can be modified as desired and rebuilt.<br><br>Some available tools include:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>MobSF<\/li>\n\n\n\n<li>drozer<\/li>\n\n\n\n<li>androwarn<\/li>\n\n\n\n<li>androbugs<\/li>\n<\/ol>\n\n\n\n<p>Step Four:<br><br>After the desired modifications are complete, the rebuilt APK must be aligned and signed before a device will install it. Run zipalign first and then sign with apksigner; aligning after signing would invalidate the APK Signature Scheme v2 and v3 signatures that apksigner produces. Because the rebuilt APK is signed with a different key from the Play Store release, the original must be uninstalled before the modified build can be installed.<br><br><strong>Hacking the Kaspersky Android client<\/strong><br><br>These are the basic steps. Now we\u2019ll see how they work in real life, applying them to the Kaspersky Android client. The end result will be bypassing client-side verification and unlocking all premium features without paying a cent.<br><br>For this particular hack, the primary tool we used was the Drozer mobile security framework, though there are several others that could also be applied:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Freedom<\/li>\n\n\n\n<li>Luckypatcher<\/li>\n\n\n\n<li>ADB<\/li>\n\n\n\n<li>Drozer<\/li>\n<\/ol>\n\n\n\n<p>Step One:<br><br>Install Kaspersky from the Play Store. Once installed, the free tier offers only a limited set of features. 
The premium functionality we\u2019ll be unlocking includes real-time protection, privacy protection and web protection.<br><br>Step Two:<br><br>Use drozer to enumerate the package\u2019s exported components, i.e. the attack surface reachable from any other app on the same device. The necessary command is:<br><br>&#8220;run app.package.attacksurface com.kms.free&#8221;<br><br>This displays the attack surface we\u2019ll be working with:<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;15 activities exported<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;24 broadcast receivers exported<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0 content providers exported<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;5 services exported<br><br>The next command lists the exported activities and shows whether each one is guarded by a permission (here, none of them are):<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;run app.activity.info -a com.kms.free&#8221;<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Package: com.kms.free<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.gui.KMSEnterCodeActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.gui.ShareItActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.antivirus.gui.AvScanResultActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.antitheft.gui.DeviceAdminLockScreenActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.antitheft.gui.LockInfoActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: 
null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.activation.gui.LicenseInfoActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.antispam.gui.AntiSpamUserActionActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.gui.KMS6ManageSpaceActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.rateus.gui.KMSRateUsActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.activation.gui.RenewalValidationFormActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.ipm.gui.ShowIpmMessageActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.ipm.gui.IpmLicenseNotificationActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.activation.gui.LicenseBlockedActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.permissions.gui.PermissionsActivity<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;com.kms.free.PermissionsActivityLauncher<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Permission: 
null<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Target Activity: com.kms.permissions.gui.PermissionsActivity<br><br>Step Three:<br><br>Every one of these activities is exported with no permission, so any app on the device (drozer\u2019s agent included) can start it. Next, we start the one we\u2019re interested in from the Drozer console, using its standard activity-start module:<br><br>&#8220;run app.activity.start --component com.kms.free com.kms.antitheft.gui.DeviceAdminLockScreenActivity&#8221;<br><br>Step Four:<br><br>When the activity starts, the Kaspersky client comes to the foreground on the device with that screen open. Tap \u2018Buy Premium\u2019 and the premium tier activates without any purchase, giving free access to real-time protection, privacy protection and web protection.<br><br>Two weaknesses combine here: a security-sensitive activity is exported without a permission (OWASP Mobile Top 10 M1, Improper Platform Usage), and the premium entitlement is checked and enforced on the client rather than the server. On the developer side, internal activities should be declared with android:exported=\"false\" or guarded by a signature-level permission, and entitlements should be verified server-side so that nothing the client can be made to do unlocks paid features.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For any function or service you can think of, there&rsquo;s most likely &lsquo;an app for that&rsquo;. In the rush to be first, app developers are often pushed to tight deadlines with a primary focus on user functionality. Unfortunately, these considerations often jeopardise the application&rsquo;s security. 
To illustrate the point, this post will be a little [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2406,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2404","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2404"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2404\/revisions"}],"predecessor-version":[{"id":4251,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2404\/revisions\/4251"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2406"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
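Added example, not code from the LMNTRIX post and not Kaspersky's code: the attack-surface enumeration that drozer performs in Step Two of the walkthrough (activities, receivers, providers and services exported, and whether each carries a permission), and the "check permissions with analysers" step of the recipe, done statically against an AndroidManifest.xml as decoded by apktool. The manifest in the block is constructed for the example. The only real identifier in it is the exported activity from the walkthrough, com.kms.antitheft.gui.DeviceAdminLockScreenActivity, shown in the weak form (exported, no permission) beside a hypothetical hardened form; every other component name, the targetSdkVersion of 28 and the custom permission are assumptions.

```python
"""Static attack-surface check for a decoded AndroidManifest.xml.

Reports the components another app on the device can reach (exported) and
which of them have no android:permission guard, the same facts drozer's
app.package.attacksurface and app.activity.info modules report at run time.
Added example, not code from the original post or from Kaspersky.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = 'http://schemas.android.com/apk/res/android'
A = '{' + ANDROID_NS + '}'  # ElementTree's Clark notation for the android: namespace
COMPONENT_TAGS = ('activity', 'activity-alias', 'service', 'receiver', 'provider')

# Constructed manifest for this example. The exported activity name is the one
# from the walkthrough; every other name, the targetSdkVersion and the custom
# permission are assumptions made up for the example.
SAMPLE_MANIFEST = '''<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.kms.free">
  <uses-sdk android:targetSdkVersion="28"/>
  <application>
    <!-- launcher entry point: implicitly exported by its intent-filter -->
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- weak: a security-sensitive screen any app can launch, no permission -->
    <activity android:name="com.kms.antitheft.gui.DeviceAdminLockScreenActivity"
        android:exported="true"/>
    <!-- hardened form (hypothetical name): private to the app -->
    <activity android:name="com.kms.antitheft.gui.HardenedLockScreenActivity"
        android:exported="false"/>
    <!-- exported, but callers must hold a custom permission -->
    <service android:name=".sync.SyncService" android:exported="true"
        android:permission="com.kms.free.permission.INTERNAL"/>
    <!-- no intent-filter and no exported attribute: private on targetSdk 28 -->
    <receiver android:name=".AlarmReceiver"/>
    <provider android:name=".SettingsProvider"
        android:authorities="com.kms.free.settings"/>
  </application>
</manifest>'''


def is_exported(component, target_sdk):
    """Apply the platform's default rules for android:exported."""
    explicit = component.get(A + 'exported')
    if explicit is not None:
        return explicit.lower() == 'true'
    if component.tag == 'provider':
        # Content providers defaulted to exported only when targeting API < 17.
        return target_sdk < 17
    # Other components are implicitly exported when they declare an intent-filter.
    # (From targetSdk 31 the platform refuses to install such a manifest without
    # an explicit value; it is still reported here as reachable.)
    return component.find('intent-filter') is not None


def attack_surface(manifest_xml):
    """Return every exported component as {'kind', 'name', 'permission'}."""
    root = ET.fromstring(manifest_xml)
    package = root.get('package')
    uses_sdk = root.find('uses-sdk')
    target_sdk = 1
    if uses_sdk is not None:
        target_sdk = int(uses_sdk.get(A + 'targetSdkVersion', '1'))
    findings = []
    for component in root.find('application'):
        if component.tag not in COMPONENT_TAGS:
            continue
        if not is_exported(component, target_sdk):
            continue
        name = component.get(A + 'name')
        if name.startswith('.'):  # shorthand relative to the package name
            name = package + name
        findings.append({'kind': component.tag, 'name': name,
                         'permission': component.get(A + 'permission')})
    return findings


def unprotected(findings):
    """Exported components with no permission guard: reachable by any app."""
    return [f for f in findings if f['permission'] is None]


def summary(findings):
    """Counts in the same shape as drozer's app.package.attacksurface output."""
    counts = {'activity': 0, 'receiver': 0, 'provider': 0, 'service': 0}
    for f in findings:
        kind = 'activity' if f['kind'] == 'activity-alias' else f['kind']
        counts[kind] += 1
    return counts


if __name__ == '__main__':
    found = attack_surface(SAMPLE_MANIFEST)
    for kind, n in summary(found).items():
        print(n, kind, 'component(s) exported')
    print('\nExported without a permission guard:')
    for f in unprotected(found):
        print(' ', f['kind'], f['name'])
```

Run against a real decoded manifest, the launcher activity is expected to appear in the unprotected list; anything else there needs either android:exported="false" or a permission, and the targetSdkVersion matters because below 31 an intent-filter alone makes a component exported. The hardened activity and the permission-guarded service in the constructed manifest show the two ways of closing the gap the walkthrough exploits.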