When reversing Android malware, I see the same technical tricks in almost every piece of malicious code. In this article, I describe two simple tricks used by numerous Android malware makers to hide their malicious applications.
Let's download the latest version of the Android SDK with Android Studio, install it and add some SDK packages (if Android Studio is already installed on your PC, just skip this step). Then start Android Studio and use its startup wizard to create an app with the following settings:
- Application name: MyHiddenApp
- Company domain: android.com
- Package name: com.android.myhiddenapp
- Minimum SDK: API 10: Android 2.3.3 (Gingerbread)
- Activity name: MainActivity
- Layout name: activity_main
- Title: MainActivity
- Menu resource name: menu_main
Now we have a project freshly generated from the standard template. This is our starting point.
First of all, let's make our main activity layout transparent and remove any action bar. For this purpose, we edit styles.xml (automatically generated by Android Studio) as follows:
<resources>
    <style name="AppTheme" parent="Theme.AppCompat.NoActionBar">
        <item name="android:windowBackground">@android:color/transparent</item>
        <item name="android:windowIsTranslucent">true</item>
        <item name="android:windowIsFloating">true</item>
        <item name="android:windowNoTitle">true</item>
        <item name="android:windowContentOverlay">@null</item>
        <item name="android:backgroundDimEnabled">false</item>
    </style>
</resources>
Second, we open activity_main.xml (also automatically generated by Android Studio), switch to Design mode, and remove the TextView with the caption "Hello World!" (automatically generated by Android Studio as well).
And finally, we add
getWindow().addFlags(WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE);
to com.android.myhiddenapp.MainActivity.onCreate(...) as follows:
// requires: import android.view.WindowManager;
@Override
protected void onCreate(Bundle savedInstanceState) {
    // standard code generated by Android Studio
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    // stop listening to touches, so they pass through to whatever is underneath
    getWindow().addFlags(WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE);
}
This flag is needed so that the user can keep using the screen (tapping application icons, scrolling, etc.) through our transparent main activity layout. Otherwise the user would see the screen through the transparent layout but would not be able to touch anything, because our layout would catch all of the touches.
As soon as our application starts for the first time, it must remove its icon from the App Drawer. There is a simple trick for this. Let's put the following code
// remove the icon from the App Drawer
PackageManager p = getPackageManager();
ComponentName componentName = new ComponentName(this, com.android.myhiddenapp.MainActivity.class);
p.setComponentEnabledSetting(componentName, PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
into our com.android.myhiddenapp.MainActivity.onCreate(...):
// requires: import android.content.ComponentName;
//           import android.content.pm.PackageManager;
//           import android.view.WindowManager;
@Override
protected void onCreate(Bundle savedInstanceState) {
    // standard code generated by Android Studio
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    // stop listening to touches
    getWindow().addFlags(WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE);
    // remove the icon from the App Drawer by disabling the launcher activity component;
    // DONT_KILL_APP keeps the process alive while the component state changes
    PackageManager p = getPackageManager();
    ComponentName componentName = new ComponentName(this, com.android.myhiddenapp.MainActivity.class);
    p.setComponentEnabledSetting(componentName, PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
}
This hides the application icon from the App Drawer.
Once we have hidden our main activity and removed the application icon from the App Drawer, we can do whatever we want in stealth mode. Malware usually starts a service and finishes the main activity by calling finish() in onCreate(...). After the next reboot, the main activity is not started at all; the service is started by a receiver registered for
<action android:name="android.intent.action.BOOT_COMPLETED" />
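From the defender's side, the three pieces described above leave static fingerprints in an unpacked APK: a launcher activity bound to a translucent theme, a BOOT_COMPLETED receiver, and a call to PackageManager.setComponentEnabledSetting in the code. The following Python triage script is an added example (not code from the post or from any real sample) that looks for all three in constructed apktool-style inputs shaped like MyHiddenApp; the sample manifest, styles.xml and smali fragment are assumptions built for the demonstration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Constructed inputs shaped like the post's MyHiddenApp, as apktool would unpack them (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.myhiddenapp">
  <application android:theme="@style/AppTheme">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
SAMPLE_STYLES = """<resources><style name="AppTheme" parent="Theme.AppCompat.NoActionBar">
  <item name="android:windowIsTranslucent">true</item>
  <item name="android:windowBackground">@android:color/transparent</item>
</style></resources>"""
SAMPLE_SMALI = """.method protected onCreate(Landroid/os/Bundle;)V
    invoke-virtual {v0, v1, v2, v3}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
.end method"""

def translucent_styles(styles_xml):
    # Names of styles that make a window see-through, as the post's AppTheme does.
    names = set()
    for style in ET.fromstring(styles_xml).iter("style"):
        for item in style.iter("item"):
            if item.get("name") == "android:windowIsTranslucent" and item.text.strip() == "true":
                names.add("@style/" + style.get("name"))
    return names

def hiding_indicators(manifest_xml, styles_xml, smali_text):
    # Each indicator alone is common in benign apps; all three together match the post's pattern.
    found = []
    app = ET.fromstring(manifest_xml).find("application")
    translucent = translucent_styles(styles_xml)
    for act in app.iter("activity"):
        cats = {c.get(A + "name") for c in act.iter("category")}
        theme = act.get(A + "theme") or app.get(A + "theme")  # activity theme falls back to the app theme
        if "android.intent.category.LAUNCHER" in cats and theme in translucent:
            found.append("launcher activity %s uses translucent theme %s" % (act.get(A + "name"), theme))
    for rcv in app.iter("receiver"):
        if "android.intent.action.BOOT_COMPLETED" in {a.get(A + "name") for a in rcv.iter("action")}:
            found.append("BOOT_COMPLETED receiver " + rcv.get(A + "name"))
    if "PackageManager;->setComponentEnabledSetting(" in smali_text:  # the post's icon-removal call in smali
        found.append("calls PackageManager.setComponentEnabledSetting (can disable its own launcher entry)")
    return found
```

Note that disabling the launcher component only removes the icon: the package still appears in Settings > Apps and in the output of pm list packages, which is where a user or analyst should look for an app that has "vanished".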
I googled a lot of Stack Overflow questions, and the only useful article was Android Invisible App by Anan A.M.
Commenting is not available in this blog, but you can write me a letter or message. Please note that English is not my native language. I'm sorry for mistakes/misprints, if any.