Made a program to steal Android devices Pin Codes – Digitalmunition




thYlBiw8Fk1yD_H7DRBIP8Icw55OMXXoD7_Nb2Nm_yg.jpg

Home Forums Made a program to steal Android devices Pin Codes

This topic contains 1 reply, has 2 voices, and was last updated by  Cycode 1 month, 2 weeks ago.

  • Author
    Posts
  • #368017

    anonymous
    Participant


    Hey there!

    I’m still not entirely sure this is the right subreddit to post this in, however, I’m pretty glad to say I built my first Pentesting/Hacking tool (Link here: [https://github.com/bastien8060/MDPin](https://github.com/bastien8060/MDPin)).

    Of course it is open-source, and it relies on social engineering to work. Although it is not an exploit, it exploits some browser’s trust in fullscreen mode (Eg. In-App browsers like instagram/reddit’s browser which open links has the feature to enter fullscreen but do not give any warning to the user, when using it).

    This program lets you start a server with a backend and a frontend which mimics as close as possible Android’s login screen. It detects the phone’s brand and loads the brand’s default wallpaper. Ios does not work on purpose and will be greeted with a blank screen. The user will be shown a screen off animation then will be shown a lockscreen. They would slide up and enter their pin. An unlock animation will be shown and the phone will seem to be on [google.com](https://google.com). The backend will collect the pin code.

    Of course this is to be used only for educational purposes. The goal here is to show how people are affected/uneducated about social engineering attacks still today. (People can’t always be trusted. Google does not ask for card details by email from a foreign email address. Social engineering over phone calls or even posted letters are also a thing etc…)

    Thank you very much for reading this.

  • #368019

    Cycode

    issues i see with this concept:

    – you dont know what the user has as an auth method. could be pin, fingerprint, face.. etc. if this is different than the auth method the user has, he knows something is fishy

    – different wallpaper and other details (battery state etc.).. so it’s easy to detect. you could make a targeted attack but then it’s still not perfect / ideal

    – pressing the back button closes the fullscreen. looks fishy and the user now knows whats up.

    – the user needs to click on something for the fullscreen to take place. if it’s openeing right at the same moment i click a button as an example.. that’s fishy as heck. i know, it’s the only way since browsers this days have security measures implemented that require user interaction.. but still.

    nice idea though.

You must be logged in to reply to this topic.