How to prompt a fake update in android to deliver a payload – Digitalmunition

Home Forums How to prompt a fake update in android to deliver a payload

This topic contains 1 reply, has 2 voices, and was last updated by  Jane-Game33 9 months, 3 weeks ago.

  • Author
  • #231180


    How to prompt a fake update in android to deliver a payload over a wlan network using mitm attacks?

  • #231181


    Android sends system updates and not through the web pages. I have a Samsung so I don’t know if vulnerable to exploit.

  • #231182


    It’s complicated. First it depends on the particular type of phone they are using, and what version of Android they are already on. When Google pushes out an update for Android the other major phone vendors (like Samsung) apply those patches to their own images and push out updates separately.

    In order to fake this on a local network, you need to figure out how the update check is done for the device you want to trick. I assume it is probably just a check it does over HTTPS on some regular interval. In that case you either need to install a certificate on the target phone so you can intercept and modify SSL requests or somehow get a hold of the signing keys of a certificate already installed on the device. The next step is the update itself, you will need to research how they are packaged so you can create an update with the payload inside it. This is also going to be tricky because the vendor may have signed the updated, so you again either need to modify the target device to allow unsigned packages t be use for updates, or get a hold of the signing keys from the vendor.

    Once you have done all those things, it should be trivial to use something like ARP poisoning to intercept the communications from the target device and route the update checks to a server you have setup that notifies the device their is an update, and serves up your infected file instead.

    Also, you don’t have to do the first two steps if the phone manufacturer doesn’t use HTTPS for updates, or sign their packages. Then it is really, really, easy.

    Full credit goes to u/iusedtobeacave.

  • #231183


    I would expect the communication between phone and update server to be encrypted. So if the phone hasn’t any specific vulnerability that you could use to break this encryption, you have bad luck.

    That means
    *No can do, baby doll.*

You must be logged in to reply to this topic.