If there’s an app for it, there’s a hack for it

For any function or service you can think of, there’s most likely ‘an app for that’. In the rush to be first, app developers are often pushed to tight deadlines with a primary focus on user functionality.

Unfortunately, these considerations often jeopardise the application’s security.

To illustrate the point, this post will be a little different than our usual articles – we’re going to show you step-by-step how a recent Android application was hacked. We do so to show how easy it is, in the hopes any developers reading this put in the correct controls and keep security front-of-mind during the software development life cycle.

The app we’ll be taking apart is Kaspersky’s Android client. We’ve received approval from Kaspersky to use this in our blog and the vulnerability has since been patched.

First, we’ll start with some basics before we get into the nitty gritty:

How to test Android applications?

There are two analysis methods we can use for security testing:




  • Static Analysis – This checks the Android project source files for potential bugs and optimisation improvements for security, performance, usability, accessibility, etc.



The key tools available for static analysis include:




  1. ApkAnalyser

  2. APKInspector

  3. Droid Intent Data Flow Analysis for Information Leakage

  4. DroidLegacy

  5. Several tools from PSU

  6. Smali CFG generator

  7. FlowDroid

  8. Android Decompiler – not free

  9. PSCout

  10. Amandroid




  • Dynamic Analysis – Dynamic analysis is the testing and evaluation of a program by executing data in real-time. The objective is to find errors in a program while it is running, rather than by repeatedly examining the code offline.



The key tools available for dynamic analysis include:




  1. Android DBI framework

  2. Androl4b-

  3. Drozer

  4. Xposed

  5. Android Hooker

  6. ProbeDroid

  7. Android Tamer

  8. DECAF

  9. CuckooDroid

  10. Crowdroid



In addition to the above lists, there are also multiple online analysis tools which include:




  1. AndroTotal

  2. Dexter

  3. Tracedroid

  4. Visual Threat

  5. Mobile Malware Sandbox

  6. MobiSec Eacus

  7. Appknox - not free

  8. IBM Security AppScan Mobile Analyzer

  9. NVISO ApkScan

  10. Virustotal-max 128MB



How are Android hacks done?

Essentially, hacking is a step-by-step process, like a cooking recipe. Each step must be completed before the next can begin. Below we list the necessary steps.

Step One:

First, we have to discover a specific vulnerability. The Open Web Application Security Project (OWASP), lists the 10 most common vulnerabilities:




  1. Improper Platform Usage

  2. Insecure Data Storage

  3. Insecure Communication

  4. Insecure Authentication

  5. Insufficient Cryptography

  6. Insecure Authorisation

  7. Client Code Quality

  8. Code Tampering

  9. Reverse Engineering

  10. Extraneous Functionality



Step Two:

The next step is to reverse engineer the Android Package Kit (APK). There are multiple tools available which allow reverse engineering a third party, closed, binary Android app. By doing so, we can decode resources almost to their original form, and rebuild them after making the desired modifications.

This step also makes working with an app easier because of the project-like file structure while enabling the automation of some repetitive tasks.

Some available tools include:




  1. dex2jar

  2. jdgui

  3. apktool



Step Three:

Check permissions with analysers. If there are any insecure permissions on the app, these can lead to a security vulnerability which can be exploited.

Once an insecure permission has been identified, the APK file can then be modified as desired.

Some available tools include:




  1. MobSF

  2. drozer

  3. androwarn

  4. androbugs



Step Four:

After the desired modifications are complete, the next step is to sign the APK file so it can be uploaded and aligned. The easiest way to do this is with apksigner.

Hacking the Kaspersky Android client

These are the basic steps.  Now we’ll see how these steps work in real life, applying them to the Kaspersky Android client. The end result will be bypassing  client-side verification and unlocking all premium features without paying a cent.

For this particular hack, the primary tool we used was the Drozer mobile security framework, though there are several others that could also be applied:




  1. Freedom

  2. Luckypatcher

  3. ADB

  4. Drozer



Step One:

Install Kaspersky from the Play Store. Once installed, the free version includes limited operations. The premium functionality we’ll be unlocking includes real-time protection, privacy protection and web protection.

Step Two:

Use the Drozer Framework to check the services which are running on the package. The necessary command is:

"run app.package.attacksurface com.kms.free"

This displays the Attack Surface we’ll be working with:

          15 activities exported

          24 broadcast receivers exported

          0 content providers exported

          5 services exported

The next command is:

          "run app.activity.info -a com.kms.free"

          Package: com.kms.free

          com.kms.gui.KMSEnterCodeActivity

          Permission: null

          com.kms.gui.ShareItActivity

          Permission: null

          com.kms.antivirus.gui.AvScanResultActivity

          Permission: null

          com.kms.antitheft.gui.DeviceAdminLockScreenActivity

          Permission: null

          com.kms.antitheft.gui.LockInfoActivity

          Permission: null

          com.kms.activation.gui.LicenseInfoActivity

          Permission: null

          com.kms.antispam.gui.AntiSpamUserActionActivity

          Permission: null

          com.kms.gui.KMS6ManageSpaceActivity

          Permission: null

          com.kms.rateus.gui.KMSRateUsActivity

          Permission: null

          com.kms.activation.gui.RenewalValidationFormActivity

          Permission: null

          com.kms.ipm.gui.ShowIpmMessageActivity

          Permission: null

          com.kms.ipm.gui.IpmLicenseNotificationActivity

          Permission: null

          com.kms.activation.gui.LicenseBlockedActivity

          Permission: null

          com.kms.permissions.gui.PermissionsActivity

          Permission: null

          com.kms.free.PermissionsActivityLauncher

          Permission: null

          Target Activity: com.kms.permissions.gui.PermissionsActivity

Step Three:

Next, we’ll run the below activity from the Drozer framework:

"com.kms.antitheft.gui.DeviceAdminLockScreenActivity"

Step Four:

Once the above activity executes, the client will automatically start on mobile. Once opened, click on ‘Buy Premium’ and it will be activated successfully without having to purchase the subscription. Now you have free access to the premium features real-time protection, privacy protection, and web protection.


On 2017-08-28

Popular Posts

Privacy Statement | Terms of Use