1 00:00:07,200 --> 00:00:15,770 So now we have a service. As a malicious use case, let's say every hour we want to steal the user's contacts
2 00:00:15,860 --> 00:00:17,770 and send them to the server.
3 00:00:18,000 --> 00:00:25,260 There are better ways of doing this, like using an alarm service, but here we just want an excuse to use
4 00:00:25,260 --> 00:00:27,260 a service.
5 00:00:27,300 --> 00:00:34,940 Now let's start off by providing the permission to read contacts, so go to the manifest and add read
6 00:00:34,940 --> 00:00:35,740 contacts.
7 00:00:38,210 --> 00:00:38,530 Now,
8 00:00:38,540 --> 00:00:45,800 besides adding to the manifest, we need to prompt the user to allow read contacts. Let's just update
9 00:00:45,800 --> 00:00:47,360 the method we wrote before
10 00:00:47,350 --> 00:00:51,220 to add the new permission, so go to main activity.
11 00:00:52,310 --> 00:00:55,740 Go to request permissions and change it.
12 00:00:55,760 --> 00:00:58,630 Like so. OK.
13 00:00:58,750 --> 00:01:01,950 So here just copy and paste the code.
14 00:01:01,970 --> 00:01:09,130 So now instead of checking one permission we're checking two permissions. Now similarly we prepared HTTP
15 00:01:09,160 --> 00:01:13,060 post code for this.
16 00:01:13,100 --> 00:01:15,050 This is quite dirty.
17 00:01:15,050 --> 00:01:21,800 In reality you would have a separate HTTP class and so on, but here we're just copying and pasting, doing
18 00:01:21,800 --> 00:01:24,370 the bare minimum. OK.
19 00:01:24,370 --> 00:01:26,380 Now to obtain the contacts.
20 00:01:26,540 --> 00:01:36,080 Similarly, if you go to Google Search Android read contacts programmatically you'll find a Stack Overflow
21 00:01:36,080 --> 00:01:41,350 article with the solution containing the code.
22 00:01:41,360 --> 00:01:48,910 Here we've prepared it earlier and just copied and pasted the info, so we have a method that gets all the contacts
23 00:01:49,950 --> 00:01:57,810 and returns a string with all the contacts. So if you look at the code, they're just getting all the contacts.
24 00:01:57,920 --> 00:02:04,070 It actually does this using a cursor, just like in our content provider, and we return a string with all
25 00:02:04,070 --> 00:02:08,390 the contacts. In the HTTP post
26 00:02:08,410 --> 00:02:13,180 we change the parameter name to contacts. OK.
27 00:02:13,200 --> 00:02:21,680 Next we're going to use a handler to define the action to perform periodically, so Handler mHandler
28 00:02:22,100 --> 00:02:24,010 equals new Handler.
29 00:02:28,450 --> 00:02:40,510 Let's define an interval integer of 1000, that is milliseconds, times 60 seconds times 60, that is minutes.
30 00:02:41,740 --> 00:02:48,640 So since the system counts time in milliseconds, we're saying we want the interval to be that many milliseconds,
31 00:02:48,730 --> 00:02:52,150 which means 1 hour.
32 00:02:52,180 --> 00:03:01,210 Now we define a Runnable and create the run method, surrounded with try and catch for error handling.
33 00:03:01,260 --> 00:03:07,200 And here we will invoke the network asynchronous task like we did earlier, but as a parameter we will
34 00:03:07,200 --> 00:03:08,630 add the contacts instead.
35 00:03:09,270 --> 00:03:09,800 OK.
36 00:03:09,810 --> 00:03:16,760 And after it runs we will tell the handler to delay the next action by an hour,
37 00:03:16,760 --> 00:03:23,130 meaning this will run again in one hour. Similarly, to do this,
38 00:03:23,140 --> 00:03:28,440 a developer would usually search on Google how to run a task every hour.
39 00:03:28,880 --> 00:03:33,340 And you just take the code from the forums. OK.
40 00:03:33,370 --> 00:03:40,880 Now to execute, we need to tell it when to start this event for the first time. Let's put this code in
41 00:03:40,880 --> 00:03:41,770 the start.
42 00:03:42,810 --> 00:03:51,580 So just copy the on start method, we need to override the original onStartCommand and put our code inside
43 00:03:51,580 --> 00:03:52,260 the OnStart.
44 00:03:55,040 --> 00:04:01,480 So we are saying that the first time we run the service we're going to call the handler, so let's define
45 00:04:01,480 --> 00:04:06,410 a method for our handler. Let's call this one
46 00:04:06,590 --> 00:04:08,970 start recurring tasks.
47 00:04:09,170 --> 00:04:11,780 And the other one stop recurring task.
48 00:04:14,430 --> 00:04:20,640 Then inside we say mHandlerTask dot run.
49 00:04:20,640 --> 00:04:34,080 And here mHandler dot removeCallbacks parentheses mHandlerTask, so here we are just stopping it.
50 00:04:37,460 --> 00:04:41,400 Now if all of this is overwhelming, really don't give up.
51 00:04:41,420 --> 00:04:46,730 This is not needed for reverse engineering, we're just showing you the process that a malware author
52 00:04:46,730 --> 00:04:53,050 would go through when writing code. You'll get used to these terms and classes more and more as you go
53 00:04:53,050 --> 00:04:53,470 along.
54 00:04:54,690 --> 00:05:03,240 In programming there's always a lot of repetition. OK, now in the onStartCommand we will call start recurring
55 00:05:03,240 --> 00:05:11,560 task, so here we just said that once we start this service, every hour it will send the contacts to the
56 00:05:11,560 --> 00:05:13,730 server.
57 00:05:13,740 --> 00:05:21,070 Now we still have a final step, we need to start the service from within our activity, so go back to our
58 00:05:21,070 --> 00:05:31,300 activity and in the on create just start a new intent to start my service, then run start service and
59 00:05:31,300 --> 00:05:34,400 pass the intent. OK.
60 00:05:34,400 --> 00:05:40,790 Now we run our app. You'll not see anything different other than being asked to allow a new permission,
61 00:05:41,030 --> 00:05:44,100 being contacts.
62 00:05:44,150 --> 00:05:45,940 Actually we need to add a contact
63 00:05:45,980 --> 00:05:53,360 if you don't have any contacts, so just go to contacts like you would on a normal Android device and
64 00:05:53,360 --> 00:05:56,020 add a contact now.
65 00:05:56,020 --> 00:06:04,470 Finally let's see an interesting feature in Android Studio, so for debugging we can add breakpoints.
66 00:06:04,530 --> 00:06:10,890 This means that you tell your app to stop at that point when it reaches that code and you can analyze
67 00:06:10,920 --> 00:06:15,790 everything in code at that specific point. OK.
68 00:06:15,790 --> 00:06:25,380 So to do this we just click here to add the breakpoint. Let's add it in the HTTP post, then we run
69 00:06:25,410 --> 00:06:32,620 using debug and when it reaches that point we can see that Android Studio shows us
70 00:06:32,630 --> 00:06:42,270 the point has been reached and we can also monitor the values, so the contacts are there. Now here we're
71 00:06:42,270 --> 00:06:49,850 able to debug easily because we are actually developing from source. Unfortunately debugging an APK
72 00:06:49,880 --> 00:06:56,180 is not straightforward, but this is something we will have a look at in a more advanced course that
73 00:06:56,180 --> 00:07:00,290 we'll be developing in the future in this course.
74 00:07:00,300 --> 00:07:06,560 We will however see something similar to debugging when we do the dynamic analysis part. OK.
75 00:07:06,570 --> 00:07:07,670 That is pretty much it.
76 00:07:09,000 --> 00:07:14,490 To summarize, we just went through the process of a malware author developing a simple shopping list
77 00:07:14,520 --> 00:07:21,690 app and hiding some malicious code in the background that steals SMS's when they are received
78 00:07:23,110 --> 00:07:30,830 and steals contacts periodically. In the next part of the course we'll assume that we have no knowledge
79 00:07:30,830 --> 00:07:35,630 of what just happened here and we'll try to gain this knowledge through reverse engineering.