Hacking Android for Fun and Profit


##########################################
# Author: G13
# Twitter: @g13net
# Email: g13net@gmail.com
##########################################

##### 0x0 ToC #####

0x1 Intro
0x2 Dalvik Primer
0x3 Case Studies
0x4 Additional Notes
0x5 Resources

##### 0x1 Intro #####

Android is a mobile OS owned by Google. Android allows developers to write applications ("apps") for the OS and distribute them through
the Google Play Store. These apps can be free or need to be purchased. Free apps typically have ads in them to give the developer additional
revenue. This paper will dive into patching disassembled Android apps for our benefit.

##### 0x2 Dalvik Primer #####

Android apps are generally written in Java. When the app is compiled, the Java bytecode is converted into Dalvik bytecode (.dex files). This conversion allows the apps to be run in the Dalvik VM environment that is used by Android.

Once an app is disassembled, we are presented with Dalvik opcodes; see the example below:

# Code Snip ##

iput-object p3, p0, Lb;->a:Ljava/io/Writer;

.line 44
and-int/lit8 v0, p2, 0x4

if-eqz v0, :cond_0

move v0, v2

:goto_0
iput-boolean v0, p0, Lb;->B:Z

.line 46
and-int/lit8 v0, p2, 0x1

if-eqz v0, :cond_1

# End Snip ##

The if-xxx opcodes are conditional branches. The :cond_0 / :cond_1 label specifies where execution jumps when the condition is met (for if-eqz, when the register equals zero); otherwise execution falls through to the next instruction. 'move' copies the value of one register to another. For more details on the opcodes, see section 0x5 Resources for a link to an opcode reference.
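To make the control flow of the snippet concrete, here is an added example (not code from the paper): a tiny interpreter for just the opcodes shown above, run over a constructed smali fragment modelled on the snippet. The paper elides the :cond_0/:cond_1 blocks, the instruction that seeds v2, and the second field name, so those parts are constructed and marked as such in the comments. Running it shows that the method is simply unpacking flag bits from p2 into boolean fields: bit 0x4 sets Lb;->B:Z and bit 0x1 sets the (constructed) Lb;->C:Z.

```python
"""Tiny interpreter for the handful of Dalvik opcodes in the primer snippet.

Added example, not part of the original paper. FRAGMENT is a constructed
smali fragment: the paper's lines plus the pieces the snippet elides.
"""

# Constructed fragment: the paper's snippet plus the elided pieces.
FRAGMENT = """
    const/4 v2, 0x1                      # constructed: seeds v2 with 'true'
    iput-object p3, p0, Lb;->a:Ljava/io/Writer;
    .line 44
    and-int/lit8 v0, p2, 0x4
    if-eqz v0, :cond_0
    move v0, v2
    :goto_0
    iput-boolean v0, p0, Lb;->B:Z
    .line 46
    and-int/lit8 v0, p2, 0x1
    if-eqz v0, :cond_1
    move v0, v2
    :goto_1
    iput-boolean v0, p0, Lb;->C:Z        # constructed field name
    return-void
    :cond_0
    const/4 v0, 0x0                      # constructed: the elided 'false' path
    goto :goto_0
    :cond_1
    const/4 v0, 0x0
    goto :goto_1
"""


def parse(text):
    """Split smali text into (opcode, operands) tuples and a label->index map."""
    instrs, labels = [], {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # '#' starts a smali comment
        if not line or line.startswith('.'):     # skip blanks and .line directives
            continue
        if line.startswith(':'):                 # label: points at the next instruction
            labels[line[1:]] = len(instrs)
            continue
        op, _, rest = line.partition(' ')
        instrs.append((op, [o.strip() for o in rest.split(',')] if rest else []))
    return instrs, labels


def run(text, regs, max_steps=1000):
    """Execute the fragment; returns the instance fields written by iput-*."""
    instrs, labels = parse(text)
    regs, fields, pc = dict(regs), {}, 0
    for _ in range(max_steps):
        if pc >= len(instrs):
            break
        op, ops = instrs[pc]
        pc += 1
        if op.startswith('const/') or op == 'const':
            regs[ops[0]] = int(ops[1], 0)                   # literal into register
        elif op == 'and-int/lit8':
            regs[ops[0]] = regs[ops[1]] & int(ops[2], 0)    # vA = vB & literal
        elif op == 'move':
            regs[ops[0]] = regs[ops[1]]                     # copy register
        elif op == 'goto':
            pc = labels[ops[0][1:]]                         # unconditional jump
        elif op in ('if-eqz', 'if-nez'):
            is_zero = regs[ops[0]] in (0, None, False)      # zero / null register
            if is_zero == (op == 'if-eqz'):
                pc = labels[ops[1][1:]]                     # branch taken
        elif op in ('iput-boolean', 'iput-object'):
            value = regs[ops[0]]                            # store into field of p0
            fields[ops[2]] = bool(value) if op == 'iput-boolean' else value
        elif op == 'return-void':
            break
        else:
            raise NotImplementedError(op)
    else:
        raise RuntimeError('step limit exceeded (infinite loop?)')
    return fields


def decode_flags(p2):
    """Model the call from the snippet: p0 = this, p2 = flags int, p3 = writer."""
    return run(FRAGMENT, {'p0': 'this', 'p2': p2, 'p3': '<writer>'})


if __name__ == '__main__':
    for flags in (0x0, 0x1, 0x4, 0x5):
        print(hex(flags), decode_flags(flags))
```

Reading the output for the four flag values is the same exercise as reading the smali by hand: if-eqz is taken exactly when the masked bit is clear, which is why the true path needs the 'move v0, v2' and the false path needs a separate constant.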

##### 0x3 Case Studies #####

#### 0x3a Coloring Book for Kids ####

App Name: Coloring Book for Kids
Goal: Remove Ads

For this app, we don't need to dive into Dalvik code. We just have to inspect the contents of the layout files. Once the app is disassembled, look in
the res/layout/main.xml file. This XML file describes where the different widgets will be placed on the screen. After reviewing the file we come across
this section:

# Code Snip ##

<RelativeLayout android:orientation="vertical" android:id="@id/colorsLayout" android:layout_width="fill_parent" android:layout_height="fill_parent"
    xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:ads="http://schemas.android.com/apk/lib/com.google.ads">
    <GridView android:gravity="center" android:id="@id/colorView" android:layout_width="fill_parent" android:layout_height="fill_parent" android:horizontalSpacing="15.0dip" android:verticalSpacing="0.0dip" android:stretchMode="columnWidth" android:columnWidth="30366dip" android:numColumns="auto_fit" android:layout_above="@id/colorsAdMob"
        xmlns:android="http://schemas.android.com/apk/res/android" />
    <com.google.ads.AdView android:id="@id/colorsAdMob" android:layout_width="fill_parent" android:layout_height="fill_parent" android:layout_alignParentBottom="true" ads:adUnitId="a14d5ae1ff5b91c" ads:adSize="BANNER" ads:testDevices="TEST_EMULATOR, TEST_DEVICE_ID" ads:loadAdOnCreate="true" />
</RelativeLayout>

# End Snip ##

If we change the android:layout_width and android:layout_height attributes to "0px", the ad will not be viewable on the screen. The only downside to this approach is that the ad code will still run, so the app will still send your information off to the ad provider for statistics. The changed code will look like this:

# Code Snip ##

<RelativeLayout android:orientation="vertical" android:id="@id/colorsLayout" android:layout_width="fill_parent" android:layout_height="fill_parent"
    xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:ads="http://schemas.android.com/apk/lib/com.google.ads">
    <GridView android:gravity="center" android:id="@id/colorView" android:layout_width="0px" android:layout_height="0px" android:horizontalSpacing="15.0dip" android:verticalSpacing="0.0dip" android:stretchMode="columnWidth" android:columnWidth="30366dip" android:numColumns="auto_fit" android:layout_above="@id/colorsAdMob"
        xmlns:android="http://schemas.android.com/apk/res/android" />
    <com.google.ads.AdView android:id="@id/colorsAdMob" android:layout_width="0px" android:layout_height="0px" android:layout_alignParentBottom="true" ads:adUnitId="a14d5ae1ff5b91c" ads:adSize="BANNER" ads:testDevices="TEST_EMULATOR, TEST_DEVICE_ID" ads:loadAdOnCreate="true" />
</RelativeLayout>

# End Snip ##
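A zero-sized view is an easy thing to look for when vetting a repackaged APK. As an added example (not from the paper), the script below parses a layout with the standard library's ElementTree, resolves the android: namespace, and reports every view whose layout_width or layout_height is a zero dimension, singling out the ad views. The layout it scans is a constructed, cleaned-up copy of the patched main.xml above; note that it flags the GridView as well as the AdView, because the patched snippet squashed both.

```python
"""Flag zero-sized views in a decoded Android layout (added example).

Not part of the original paper. PATCHED_LAYOUT is a constructed, tidied copy
of the paper's patched res/layout/main.xml.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = 'http://schemas.android.com/apk/res/android'
# Matches "0px", "0.0dip", "0dp", ... : a dimension that collapses the view.
ZERO_SIZE = re.compile(r'^0(?:\.0+)?(?:px|dp|dip|sp|pt|mm|in)$')

PATCHED_LAYOUT = """\
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:ads="http://schemas.android.com/apk/lib/com.google.ads"
    android:orientation="vertical" android:id="@id/colorsLayout"
    android:layout_width="fill_parent" android:layout_height="fill_parent">
    <GridView android:gravity="center" android:id="@id/colorView"
        android:layout_width="0px" android:layout_height="0px"
        android:horizontalSpacing="15.0dip" android:verticalSpacing="0.0dip"
        android:stretchMode="columnWidth" android:columnWidth="30366dip"
        android:numColumns="auto_fit" android:layout_above="@id/colorsAdMob" />
    <com.google.ads.AdView android:id="@id/colorsAdMob"
        android:layout_width="0px" android:layout_height="0px"
        android:layout_alignParentBottom="true" ads:adUnitId="a14d5ae1ff5b91c"
        ads:adSize="BANNER" ads:loadAdOnCreate="true" />
</RelativeLayout>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute ('' if absent)."""
    return elem.get('{%s}%s' % (ANDROID_NS, name), '')


def find_zero_sized_views(xml_text):
    """Return (tag, id, width, height) for every view with a zero dimension."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        width = android_attr(elem, 'layout_width')
        height = android_attr(elem, 'layout_height')
        if ZERO_SIZE.match(width) or ZERO_SIZE.match(height):
            hits.append((elem.tag, android_attr(elem, 'id'), width, height))
    return hits


def is_ad_view(tag):
    """Heuristic: ad SDK views live in an 'ads' package or end in 'AdView'."""
    low = tag.lower()
    return '.ads.' in low or low.endswith('adview')


def hidden_ad_views(xml_text):
    """Ids of ad views that have been collapsed to zero size."""
    return [view_id for tag, view_id, _, _ in find_zero_sized_views(xml_text)
            if is_ad_view(tag)]


if __name__ == '__main__':
    for tag, view_id, w, h in find_zero_sized_views(PATCHED_LAYOUT):
        print('%-24s %-18s width=%s height=%s' % (tag, view_id, w, h))
    print('hidden ad views:', hidden_ad_views(PATCHED_LAYOUT))
```

This is a resource-level heuristic only: because the patch is applied to the decoded APK, the durable signal that the package was modified is that it no longer carries the original developer's signature, which is what a signature comparison on the device or in a store pipeline should catch.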

#### 0x3b Solitaire ####

App Name: Solitaire by equalityware
Goal: Remove Ads

To remove the ads from this app, we will have to modify some Dalvik code. Whenever a new round is dealt, an ad screen pops up to the user. The user then has to "dismiss" the ad before being returned to the game.

I first started grepping through the smali files looking for common keywords: displayad, viewad, getad. I came across the following line in the com/mobilityware/solitaire/Solitaire.smali file:

# Code Snip ##

invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z

# End Snip ##

The 'invoke-virtual' opcode calls a virtual method. In this case it is calling the displayAd method of com/mobilityware/solitaire/AdControl. If we comment out this call, the ads will not be displayed:

# Code Snip ##

# invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z

# End Snip ##

#### 0x3c Chess Free ####

App Name: Chess Free by aifacloud
Goal: Remove Ads

The ads in Chess Free are displayed while a user is playing the game. Chess Free uses a different ad engine than the previous apps. For this app, I decided to take a different approach: prevent the ad system from processing ads.

After running logcat on the phone, I noticed that there were calls to "adRequestWebView" being made. After grepping through the files, in google/ads/c.smali I found the following lines of code:

# Code Snip ##

01 :try_start_0
02 iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;
03
04 if-eqz v0, :cond_0
05
06 iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/B;
07
08 if-nez v0, :cond_1
09
10 :cond_0
11 const-string v0, "adRequestWebView was null while trying to load an ad."
12
13 invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V
14
15 sget-object v0, Lcom/google/ads/AdRequest$ErrorCode;->INTERNAL_ERROR:Lcom/google/ads/AdRequest$ErrorCode;

# End Snip ##

In the above code, there is a test on v0 (line 04) to see if it is zero (a null reference), and if so execution jumps to the :cond_0 label. If :cond_0 is hit, the function reports an error that the ad could not load (lines 11 to 15); this seems like a great place to introduce some of our own logic!

If we can set the value of v0 to 0 before it reaches the condition in line 04, the :cond_0 section will be hit. We can introduce this value with the 'const' instruction. We will insert "const v0, 0x0" before the "if-eqz v0, :cond_0" statement to ensure that the :cond_0 branch is always taken. See the code below:

# Code Snip ##

01 :try_start_0
02 iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;
03
04 const v0, 0x0
05
06 if-eqz v0, :cond_0
07
08 iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/B;
09
10 if-nez v0, :cond_1
11
12 :cond_0
13 const-string v0, "adRequestWebView was null while trying to load an ad."

# End Snip ##

Now, with the value introduced, the ads will not load during the game.
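Both smali patches in this paper leave fingerprints that a compiler does not produce: a commented-out invoke (case 0x3b) and a zero constant loaded into a register that is then immediately tested by if-eqz (case 0x3c), which a compiler would have folded away. As an added example (not from the paper), the scanner below walks decoded smali and reports both patterns. The input is a constructed smali file that splices the two patched methods from the paper together with an untouched method, to show that an ordinary zero constant followed by a return is not flagged.

```python
"""Scan decoded smali for the two ad-removal patch patterns (added example).

Not part of the original paper. PATCHED_SMALI is a constructed file that
combines the paper's patched Solitaire and Chess Free fragments with one
untouched method; method names and the isPremium method are constructed.
"""
import re

# A commented-out call: smali comments start with '#'.
INVOKE_RE = re.compile(r'^\s*#\s*(invoke-(?:virtual|static|direct|interface|super)\b.*)$')
# A zero constant loaded into a register (const, const/4, const/16, const/high16).
CONST_RE = re.compile(r'^\s*const(?:/4|/16|/high16)?\s+(v\d+|p\d+),\s*(?:0x0+|0)\s*$')
# A zero test on a register.
IFZ_RE = re.compile(r'^\s*if-(?:eqz|nez)\s+(v\d+|p\d+),\s*:(\w+)')

PATCHED_SMALI = """\
.method private dealNewRound()V
    .locals 1
    # invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z
    return-void
.end method

.method private loadAd()V
    .locals 1
    :try_start_0
    iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;

    const v0, 0x0

    if-eqz v0, :cond_0

    iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/B;

    if-nez v0, :cond_1

    :cond_0
    const-string v0, "adRequestWebView was null while trying to load an ad."
    return-void
.end method

.method private isPremium()Z
    .locals 1
    const/4 v0, 0x0
    return v0
.end method
"""


def scan_smali(text):
    """Return (line_no, kind, instruction) for each suspicious line."""
    findings = []
    prev_const = None   # (line_no, register) of the most recent zero constant
    for no, line in enumerate(text.splitlines(), 1):
        m = INVOKE_RE.match(line)
        if m:
            findings.append((no, 'commented-out call', m.group(1).strip()))
            continue
        stripped = line.strip()
        # Blank lines, comments and directives do not break const/if adjacency.
        if not stripped or stripped[0] in '#.':
            continue
        m = CONST_RE.match(line)
        if m:
            prev_const = (no, m.group(1))
            continue
        m = IFZ_RE.match(line)
        if m and prev_const and prev_const[1] == m.group(1):
            # The branch outcome is fixed at compile time: a hand-made patch.
            findings.append((no, 'forced branch', stripped))
        prev_const = None   # any other instruction or label resets adjacency
    return findings


if __name__ == '__main__':
    for no, kind, instr in scan_smali(PATCHED_SMALI):
        print('line %3d  %-20s %s' % (no, kind, instr))
```

The scan is a cheap triage step for a repackaged build; as with the layout check, the authoritative signal is that the re-signed APK no longer matches the publisher's signing certificate, and any entitlement that matters (a paid or ad-free flag) should be decided server-side rather than in client bytecode that can be patched this easily.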

##### 0x4 Additional Notes #####

This paper did not discuss how to disassemble an Android application and reassemble it after the changes have been made. There are numerous resources available that discuss how to reverse engineer Android applications. In the Resources section I have included a link to a tool that has made the job way easier.

##### 0x5 Resources #####

http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

http://www.virtuousrom.com/p/ten-studio.html

 

©Offensive Security 2011
