Android Malware - Start the app at boot and get kernel Version 0x01

Introduction

Hi everyone! Today we will start making the malware application for the Android OS. Before you begin with this tutorial: if you want to be comfortable with it, you should have some basic knowledge of Java/Android programming (classes, methods, permissions).

If you don’t understand some part of the code, feel free to ask me for more information :smiley:

Let’s begin!

Part I - Check kernel Version


Can I use towelroot to root the device?

Towelroot is an exploit made by geohot (available here: TowelRoot, if you want to root your device). The exploit targets the futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5.

Our malware today will be able to:

  • Get the current kernel version of the device
  • Check if the kernel is greater than 3.14.15

I’ll use Android Studio on the Windows platform, but you can use Eclipse or whatever IDE you like.

Here I create a new project:

Choose the minimum SDK

Start with an Empty Activity

Class GatherInformation

Now that our project is created, we will create a class GatherInformation. The class will have a method isExploitable; if the device is exploitable by the towelroot exploit, the method will return true.

Create a new class GatherInformation

package com.android.malwaretutorial_test;

/**
 * Created by jphet on 22/07/2016.
 */
public class GatherInformation {
    /** Method to verify kernel version**/
    public static boolean isExploitable() {
        /** kernel stores the device's current kernel version **/
        String kernel = System.getProperty("os.version").split("-")[0];
        /** For a 3.12.5 kernel, the variable holds "3.12.5" as a string value.
            We split the kernel variable into an array => [3, 12, 5],
            parse each string as an integer, and compare it to see if we can use futex (towelroot).
        **/
        if (Integer.parseInt(kernel.split("\\.")[0]) <= 3) {
            if (Integer.parseInt(kernel.split("\\.")[1]) <= 14) {
                if (Integer.parseInt(kernel.split("\\.")[2]) <= 15) {
                    return true;
                }
            }
        }
        return false;
    }
}


Now we will print this to the screen to test our code. In MainActivity:

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        /** Create a textView **/
        TextView text = (TextView)findViewById(R.id.exploitable);
       /** If the function return true print Root the device on the app **/
        if(GatherInformation.isExploitable()){
            text.setText("Root the device ! :) ");
        }
        else {
            text.setText("Nooo :( Towelroot won't work");
        }
    }
}

In activity_main.xml you should add an id to your TextView:

<TextView
        android:id="@+id/exploitable"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:text="Hello World!" />

Here is the result:

With a kernel > 3.14.15

With a kernel <= 3.14.15

Part II - Start the application every time the phone boots


Now we will start the application every time the phone boots. We will make a new class called BootReceiver; this class will inherit from BroadcastReceiver.

BroadcastReceiver

package com.android.malwaretutorial_test;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class BootReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        /** if the boot is completed **/
        if(Intent.ACTION_BOOT_COMPLETED.equals(intent.getAction())){
            /** Start the MainActivity.class everytime the phone boot**/
            Intent i = new Intent(context, MainActivity.class);
            context.startActivity(i);
        }
    }
}

Permission

Now we need to add the permission to the manifest :slight_smile:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.malwaretutorial_test">
    <!--PERMISSION-->
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <!--PERMISSION-->
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <activity android:name=".MainActivity">

            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <action android:name="android.intent.category.DEFAULT" />

                <category android:name="android.intent.category.LAUNCHER" />

            </intent-filter>

        </activity>

    </application>

</manifest>


Good job! :slight_smile: Now every time you boot your phone the app will launch and tell you if your device can be rooted.

7 Likes
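For anyone triaging an APK, the boot-start pattern from Part II shows up in the decoded AndroidManifest.xml as the RECEIVE_BOOT_COMPLETED permission together with a receiver that filters on a boot action. The sketch below is an added example, not part of the original post; the package `com.example.sample`, the receiver names and the function `boot_persistence_report` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spelling of android:name
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.LOCKED_BOOT_COMPLETED"}

# Constructed sample: a decoded manifest for a hypothetical package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".TimeReceiver">
            <intent-filter>
                <action android:name="android.intent.action.TIME_SET"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

def boot_persistence_report(manifest_xml: str) -> dict:
    """Summarise boot-start indicators in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    permissions = {p.get(NAME) for p in root.iter("uses-permission")}
    receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if actions & BOOT_ACTIONS:
            name = receiver.get(NAME, "")
            # Manifest shorthand: a leading dot is relative to the package.
            receivers.append(package + name if name.startswith(".") else name)
    has_permission = BOOT_PERMISSION in permissions
    return {
        "package": package,
        "boot_permission": has_permission,
        "boot_receivers": sorted(receivers),
        # The permission and a matching receiver are both required.
        "starts_at_boot": has_permission and bool(receivers),
    }
```

Many legitimate apps start at boot, so treat a positive result as a reason to read the named receiver class, not as a verdict.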

Well that’s a pretty good start! I’m excited to see it actually root the phone though!

3 Likes

Did this tutorial and I LOVED it.
I wanted to just add all the features of towelroot to my Malware Tutorial APK, but am running around decompiling tr.apk, looking at TowelRoot.smali, libexploit.so, and getting a bit confused.

Wondering if I’m approaching this correctly, or if maybe I should just request more permissions from the user, and somehow write some code that will

  1. Download towelroot
  2. Run it to gain root
  3. Hide that app, or make it not appear.

Any advice on this would be great!
Thanks!
