Two simple tricks to hide your Android application

by Dima Kovalenko at Apr 19, 2015


When reversing Android malware, I see the same technical tricks in almost every sample. In this article, I describe two simple tricks used by numerous Android malware authors to hide their malicious applications.

Create an application

Let's download the latest version of the Android SDK with Android Studio, install it, and add some SDK packages (if Android Studio is already installed on your PC, just skip this step). Then start Android Studio and use its startup wizard to create an app:

  • Application name: MyHiddenApp
  • Company Domain: android.com
  • Package name: com.android.myhiddenapp
  • Phone and Tablet / Minimum SDK: API 10: Android 2.3.3 (Gingerbread)
  • Activity: Blank Activity
  • Activity Name: MainActivity
  • Layout Name: activity_main
  • Title: MainActivity
  • Menu Resource Name: menu_main

Now we have a project freshly generated from a standard template. It's our starting point.

Trick I. Make the main activity layout transparent

First of all, let's make our main activity layout transparent and remove any action bars. For this purpose, we should edit styles.xml (it is automatically generated by Android Studio) as follows:

<resources>
    <style name="AppTheme" parent="Theme.AppCompat.NoActionBar">
        <item name="android:windowBackground">@android:color/transparent</item>
        <item name="android:windowIsTranslucent">true</item>
        <item name="android:windowIsFloating">true</item>
        <item name="android:windowNoTitle">true</item>
        <item name="android:windowContentOverlay">@null</item>
        <item name="android:backgroundDimEnabled">false</item>
    </style>
</resources>

Secondly, we should open activity_main.xml (it is also automatically generated by Android Studio), switch to Design mode, and remove the TextView with the caption "Hello World!" (it is automatically generated by Android Studio as well).

And finally, it would be great to add

getWindow().addFlags(WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE);

to com.android.myhiddenapp.MainActivity.onCreate(...) as follows:

@Override
protected void onCreate(Bundle savedInstanceState) {
    // standard code generated by Android Studio
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    // stop listening to touches
    getWindow().addFlags(WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE);
}

This is needed so that the user can still use the screen (tap application icons, drag scrollbars, etc.) through our transparent main activity layout. Otherwise, the user will see the screen through our transparent layout but will not be able to touch it, because our layout will catch all touches.

Trick II. Remove the application icon from App Drawer

As soon as our application is started for the first time, it must remove its icon from the App Drawer. There is a simple trick. Let's put the following code

// remove the icon from App Drawer
PackageManager p = getPackageManager();
ComponentName componentName = new ComponentName(this, com.android.myhiddenapp.MainActivity.class);
p.setComponentEnabledSetting(componentName, PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);

to our com.android.myhiddenapp.MainActivity.onCreate(...):

@Override
protected void onCreate(Bundle savedInstanceState) {
    // standard code generated by Android Studio
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    // stop listening to touches
    getWindow().addFlags(WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE);
    // remove the icon from App Drawer
    PackageManager p = getPackageManager();
    ComponentName componentName = new ComponentName(this, com.android.myhiddenapp.MainActivity.class);
    p.setComponentEnabledSetting(componentName, PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
}

This hides the application icon from App Drawer.

Afterparty

After we have hidden our main activity and removed the application icon from the App Drawer, we can do everything we want in stealth mode. Malware usually starts a service and finishes the main activity by calling finish() in onCreate(...). After the next reboot, the main activity is not started at all. The service is started by a receiver with

<action android:name="android.intent.action.BOOT_COMPLETED" />
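Seen from the analyst's side, the tricks above leave static traces that are easy to check for. The following is an added example, not code from the original article: a small triage script that flags the transparent theme, the FLAG_NOT_TOUCHABLE call, the self-disabling setComponentEnabledSetting call and the BOOT_COMPLETED receiver in an unpacked sample. It assumes AndroidManifest.xml and styles.xml have already been decoded to text and the Java has been decompiled with constant names kept; the indicator labels and the ".BootReceiver" name are made up for illustration.

```python
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
# Constructed inputs modelled on the article's app; ".BootReceiver" is a made-up name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application><receiver android:name=".BootReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED" />
  </intent-filter></receiver></application></manifest>"""
SAMPLE_STYLES = """<resources><style name="AppTheme" parent="Theme.AppCompat.NoActionBar">
  <item name="android:windowBackground">@android:color/transparent</item>
  <item name="android:windowIsTranslucent">true</item>
</style></resources>"""
SAMPLE_SOURCE = """getWindow().addFlags(WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE);
p.setComponentEnabledSetting(cn, PackageManager.COMPONENT_ENABLED_STATE_DISABLED, 1);"""

def manifest_indicators(manifest_xml):
    """Receivers that restart code at boot, with no launcher activity involved."""
    hits = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            hits.append("boot_receiver:" + rcv.get(A + "name", "?"))
    return hits

def style_indicators(styles_xml):
    """Themes that are translucent and drawn on a transparent background (Trick I)."""
    hits = []
    for style in ET.fromstring(styles_xml).iter("style"):
        items = {i.get("name"): (i.text or "").strip() for i in style.iter("item")}
        if (items.get("android:windowIsTranslucent") == "true"
                and items.get("android:windowBackground") == "@android:color/transparent"):
            hits.append("transparent_theme:" + style.get("name", "?"))
    return hits

def source_indicators(java_src):
    """Trick I/II calls in decompiled Java; assumes the decompiler kept constant names."""
    hits = []
    if re.search(r"addFlags\([^)]*FLAG_NOT_TOUCHABLE", java_src):
        hits.append("not_touchable_window")
    if re.search(r"setComponentEnabledSetting\([^;]*COMPONENT_ENABLED_STATE_DISABLED", java_src):
        hits.append("self_disables_component")
    return hits

def triage(manifest_xml, styles_xml, java_src):
    return manifest_indicators(manifest_xml) + style_indicators(styles_xml) + source_indicators(java_src)

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STYLES, SAMPLE_SOURCE))
```

Each indicator on its own also occurs in legitimate apps; it is the combination that merits a closer look. For samples you do not trust, parse the XML with a hardened parser such as defusedxml.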

I googled a lot of stackoverflow questions and the only useful article: Android Invisible App by Anan A.M.
