Android Malware - Start the App at Boot and get Kernel Version 0x01 [C#]

hacking
android
malware

(The C# Dude) #1

Hey mates,
No, that’s not a bad plagiarism :grin:. I wrote with @L3akM3-0day and we’ll try to work together on this series. My part will be to translate his Java code to C#, which I’ll try to do as well as I can, although I’m not that experienced with Android programming :wink:. I would also add the part about Android programming on Linux, but sadly Xamarin is not available for Linux (but for OSX… This cruel, cruel world :disappointed:), so these parts will focus on Windows with Visual Studio. I don’t just recommend, but require you to read his part first! Already finished? Okay, let’s begin!


Part I - Check Kernel Version

Xamarin should be installed in Visual Studio to follow this tutorial. If not already installed, see here.

Create a new project:

Warning: I have the German version :wink:. Select Blank App and continue.

Class GatherInformation

Ok, here we come to the first C# code!

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

using Android.App;
using Android.Content;
using Android.OS;
using Android.Runtime;
using Android.Views;
using Android.Widget;

namespace MalwareTutorial
{
    static class GatherInformation
    {
        public static bool IsExploitable()
        {
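            // "os.version" (lower case) is the Java system property that holds the
            // kernel release, for example "3.4.0-g1a2b3c4"; keep only the part before the first '-'.
            string kernel = Java.Lang.JavaSystem.GetProperty("os.version").Split('-')[0];

            // Split on '.' (string.Split takes characters, not a regular expression).
            string[] parts = kernel.Split('.');
            int major = int.Parse(parts[0]);
            int minor = int.Parse(parts[1]);
            int patch = parts.Length > 2 ? int.Parse(parts[2]) : 0;

            // Compare against 3.14.15 one component at a time, so that for example
            // 3.4.100 still counts as older than 3.14.15.
            if (major != 3) return major < 3;
            if (minor != 14) return minor < 14;
            return patch <= 15;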
        }
    }
}

And print it to the screen:

using System;
using Android.App;
using Android.Content;
using Android.Runtime;
using Android.Views;
using Android.Widget;
using Android.OS;

namespace MalwareTutorial
{
    [Activity(Label = "MalwareTutorial", MainLauncher = true, Icon = "@drawable/icon")]
    public class MainActivity : Activity
    {
        protected override void OnCreate(Bundle bundle)
        {
            base.OnCreate(bundle);

            // Set our view from the "main" layout resource
            SetContentView(Resource.Layout.Main);

            // Create a textView
            TextView text = FindViewById<TextView>(Resource.Id.exploitable);

            // If the function returns true, show "Root the device" in the app
            if (GatherInformation.IsExploitable())
            {
                text.Text = "Root the device ! :) ";
            }
            else
            {
                text.Text = "Nooo :( Towelroot won't work";
            }
        }
    }
}

Part II - Start Application every time the Phone boots

And don’t forget to start the application when your phone boots :slight_smile:. We’ll use a BootReceiver class to get ACTION_BOOT_COMPLETED.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

using Android.App;
using Android.Content;
using Android.OS;
using Android.Runtime;
using Android.Views;
using Android.Widget;

namespace MalwareTutorial
{
    /// <summary>
    /// Waits for Boot to start the MainActivity
    /// </summary>
    [BroadcastReceiver]
    [IntentFilter(new[] { Intent.ActionBootCompleted })]
    partial class BootReceiver : BroadcastReceiver
    {
        public override void OnReceive(Context context, Intent intent)
        {
            if (intent.Action == Intent.ActionBootCompleted)
            {         
                context.StartActivity(typeof(MainActivity));
            }
        }
    }
}

And finally just add <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" /> to your AndroidManifest.xml.

I heard of some great stuff @L3akM3-0day will write about, so stay tuned for his next parts!

|-TheDoctor-|
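
A defender's view of Part II, as an added example that is not part of the original post: a Python check that reads a decoded AndroidManifest.xml (text XML, for instance as produced by apktool) and reports receivers registered for BOOT_COMPLETED together with the RECEIVE_BOOT_COMPLETED permission. The manifest, package name and class names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# ElementTree exposes android:name under the fully qualified namespace.
NAME = "{http://schemas.android.com/apk/res/android}name"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tutorial">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <application android:label="MalwareTutorial">
    <activity android:name="com.example.tutorial.MainActivity" />
    <receiver android:name="com.example.tutorial.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.tutorial.TimeZoneReceiver">
      <intent-filter>
        <action android:name="android.intent.action.TIMEZONE_CHANGED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def find_boot_persistence(manifest_xml):
    """Report whether a decoded manifest wires a receiver to the boot broadcast."""
    root = ET.fromstring(manifest_xml.strip())
    has_permission = any(
        p.get(NAME) == BOOT_PERMISSION for p in root.iter("uses-permission")
    )
    # Receivers whose intent filters name the boot broadcast.
    receivers = [
        r.get(NAME)
        for r in root.iter("receiver")
        if any(a.get(NAME) == BOOT_ACTION for a in r.iter("action"))
    ]
    return {
        "package": root.get("package"),
        "has_boot_permission": has_permission,
        "boot_receivers": receivers,
        # Both halves are needed: the declared receiver and the permission.
        "autostarts": has_permission and bool(receivers),
    }


if __name__ == "__main__":
    print(find_boot_persistence(SAMPLE_MANIFEST))
```

A receiver that appears in `boot_receivers` while `has_boot_permission` is false is still worth noting in triage, since the permission line is the only thing missing.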

