From 12c8acc5fdcdd7b4a36305c3bbfdac45fdc460cf Mon Sep 17 00:00:00 2001 From: wizche Date: Mon, 8 Aug 2016 21:32:43 +0200 Subject: [PATCH] Added activity overlay, updated README --- README.md | 14 +- android-overlay-malware-example.iml | 2 +- app/app.iml | 45 ++++-- app/build.gradle | 4 +- app/src/main/AndroidManifest.xml | 16 +- .../malwaredemo/MainActivity.java | 25 ++- .../malwaredemo/MainService.java | 152 +++++++++--------- .../malwaredemo/OverlayActivity.java | 30 ++++ .../malwaredemo/ProcessHelper.java | 132 +++++++++++++++ .../malwaredemo/ServiceCommunication.java | 6 + .../malwaredemo/domain/OverlayType.java | 21 +++ .../malwaredemo/domain/Settings.java | 20 +++ .../res/drawable/dialog_full_holo_light.9.png | Bin 0 -> 1673 bytes app/src/main/res/layout/linkedin_overlay.xml | 7 +- app/src/main/res/layout/main.xml | 11 ++ app/src/main/res/values-v14/styles.xml | 6 - app/src/main/res/values/styles.xml | 12 ++ build.gradle | 2 +- gradle/wrapper/gradle-wrapper.properties | 4 +- images/home.png | Bin 241378 -> 404261 bytes 20 files changed, 390 insertions(+), 119 deletions(-) create mode 100644 app/src/main/java/com/geeksonsecurity/malwaredemo/OverlayActivity.java create mode 100644 app/src/main/java/com/geeksonsecurity/malwaredemo/ProcessHelper.java create mode 100644 app/src/main/java/com/geeksonsecurity/malwaredemo/ServiceCommunication.java create mode 100644 app/src/main/java/com/geeksonsecurity/malwaredemo/domain/OverlayType.java create mode 100644 app/src/main/res/drawable/dialog_full_holo_light.9.png delete mode 100644 app/src/main/res/values-v14/styles.xml create mode 100644 app/src/main/res/values/styles.xml diff --git a/README.md b/README.md index e2be563..7422a90 100644 --- a/README.md +++ b/README.md 
@@ -2,16 +2,28 @@ Harmless Android malware using the overlay technique to steal user credentials. -> **UPDATE** starting with Android 5.1 the [ActivityManager.getRunningAppProcess](http://developer.android.com/reference/android/app/ActivityManager.html#getRunningAppProcesses) API don't return all processes running on the system anymore. We moved to Usage Stats API which requires the user to enable this permission manually. If you want to test on this version you need to enable the application via Settings -> Security -> Apps with usage access +> **UPDATE** starting with Android 5.1 the [ActivityManager.getRunningAppProcess](http://developer.android.com/reference/android/app/ActivityManager.html#getRunningAppProcesses) API don't return all processes running on the system anymore. We moved to a more *naive* solution which doesn't require any permissions, for more information [press here](http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag). ## Disclamier This software is intended to sensitize users to this kind of attacks. Don't use it for any other purposes! +## Quick Start +In the main screen you can select which application are going to be overlayed (currently between Linkedin, Skype, and UBS Mobile App). +Furthermore you can choose the type of overlay between: +* View overlay with `WindowsManager.addView` +* Activity overlay with `startActivity` + +The application has been tested on Nexus 5 with Android 6 (Real device) and Nexus 5X with Android 4.4.2 (Emulator). + +For more background information about overlays please check our [last blog post](http://www.geeksonsecurity.com/android-overlay-malware/2016/07/27/android-overlay-malware-analysis/). + ## Some screenshots ### Home Screen + ### Skype Overlay + ### UBS Overlay diff --git a/android-overlay-malware-example.iml b/android-overlay-malware-example.iml index 6e1b7d4..11cd8cc 100644 --- a/android-overlay-malware-example.iml 
+++ b/android-overlay-malware-example.iml @@ -13,7 +13,7 @@ - + \ No newline at end of file diff --git a/app/app.iml b/app/app.iml index 9cbcc9f..97cdd29 100644 --- a/app/app.iml +++ b/app/app.iml @@ -12,10 +12,7 @@
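Review bot: the added Quick Start bullet names the API as `WindowsManager.addView`, but the Android class is `android.view.WindowManager`, so the bullet should read `WindowManager.addView` to match the code it describes. The new UPDATE line says the app moved to "a more *naive* solution which doesn't require any permissions" without stating what that solution does or on which Android versions it stops working; one sentence on the approach and its limits would save readers a trip to the linked Stack Overflow thread. While this file is being touched: "API don't return" should be "API doesn't return", "which application are going to be overlayed" should be "which application is going to be overlaid", and the unchanged heading "## Disclamier" is misspelled ("Disclaimer").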
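Review bot: the `android-overlay-malware-example.iml` and `app/app.iml` changes are IDE-generated project metadata (the hunk also drops the file's trailing newline, per "\ No newline at end of file"); these files change with each developer's local SDK setup, so consider listing `*.iml` in `.gitignore` and leaving them out of this commit rather than shipping a regenerated copy alongside the functional change.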