Money Bank Demo

This repository is intended to demonstrate how easy it is to produce a tampered version of an Android app using a decompiler.

Prerequisites

This demo will require you to build an Android app and run multiple server applications on your machine. As such, you'll need to have the following installed on your machine:

  • Android SDK
  • .NET Core
  • NodeJS

Building and Running the Original App

  1. Build and start the MoneyBankServer. Within the MoneyBankServer directory:

     ```sh
     dotnet run
     ```

  2. Start an Android Virtual Device on your machine.

  3. Install the app via Gradle. From the MoneyBank directory, run `./gradlew installRelease`.

  4. Launch the Money Bank demo on the Android Virtual Device. You should be able to log in with the username "steve" and the password "password".

Tampering with the App

The ModifyMoneyBank directory within the repository contains a Gradle build that will build a modified version of a class from our app and use that modified class to build a modified version of the Money Bank app.

`ModifyMoneyBank/src/main/java/com/preemptive/moneybank/api/RequestQueueSingleton.java` contains code generated by a decompiler for the `com.preemptive.moneybank.api.RequestQueueSingleton` class, modified so that it also sends each HTTP request body to a command and control server. The changes made to the decompiled code are marked with `// BEGIN MODIFIED CODE` and `// END MODIFIED CODE`.

Setup

The tampering process requires some initial setup on your machine.

  1. Create a `local.properties` file within the ModifyMoneyBank directory and add the following properties:

     • APKSIGNER - the path to an apksigner executable on your machine.
     • KEYSTORE - the path to an Android debug keystore on your machine.
     • ANDROID_SDK_JAR - the path to an Android SDK jar on your machine.

     For example:

     ```properties
     APKSIGNER=/Users/username/Library/Android/sdk/build-tools/29.0.0/apksigner
     KEYSTORE=/Users/username/.android/debug.keystore
     ANDROID_SDK_JAR=/Users/username/Library/Android/sdk/platforms/android-29/android.jar
     ```

  2. Download a Dex2Jar zip and extract its contents to ModifyMoneyBank/tools/dextools. Its .sh and .bat scripts should sit directly within ModifyMoneyBank/tools/dextools.

  3. Copy the built Money Bank app to ModifyMoneyBank/app.apk. It will reside in MoneyBank/build/outputs.

Tampering with the App

We are now ready to make a tampered version of our app. From the ModifyMoneyBank directory, run `./gradlew resign`.

This will run the following Gradle tasks:

  • unpackDex - Extract the classes.dex from app.apk.
  • undex - Use Dex2Jar to convert classes.dex into a JAR file containing Java classes.
  • unpackClasses - Extract the classes from the jar produced by undex.
  • extractVolley - Extract the classes.jar from the Volley Android Library in order to build the modified code.
  • build - Compile the modified version of com.preemptive.moneybank.api.RequestQueueSingleton.
  • replaceClass - Create a new JAR using the classes extracted by unpackClasses and the new class built by build.
  • redex - Create a new classes.dex file using the new jar created by replaceClass.
  • unpackApk - Extract the files from app.apk other than classes.dex in order to produce a new APK.
  • replaceDex - Create a new APK with the files unpacked by unpackApk and the DEX file created by redex.
  • resign - Sign the new APK produced by replaceDex using a Debug key.

Running the Tampered App

  1. Uninstall the original app from the Android Virtual Device and install the tampered app:

     ```sh
     adb uninstall com.preemptive.moneybank
     adb install ModifyMoneyBank/build/output-apk/app.apk
     ```

  2. Start the Command and Control server. From the SpyServer directory:

     ```sh
     node endpoint.js
     ```

     This will print information about the HTTPS requests it receives to the console.

  3. Run the Money Bank application and log in with the usual credentials. Note that the Command and Control server has received and printed the body of the request.
