Android Application Security Part 18 – Attacking Broadcast Receivers

To get the list of exported Broadcast Receivers, you can either use drozer or look in the AndroidManifest.xml file, as I did in the Attacking Activities post. I will be using drozer.

Above is the exported broadcast receiver.

If you look in the AndroidManifest.xml file of the FourGoats application, you will find that the action name is org.owasp.goatdroid.fourgoats.SOCIAL_SMS and the component name is org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver. So we have to set these parameters in drozer accordingly.

I have also decompiled the FourGoats apk using dex2jar and opened it with JD-GUI. Below is a snapshot of this particular BroadcastReceiver's source code.

So from the above code we can tell that, when passing the intent, we have to supply two inputs: “phoneNumber” and “message”.

The above command will try to send the message “It’s me Aditya” to the number 1234. But from Android 4.2 onward, further control has been added on the use of SMS: Android will provide a notification if an application attempts to send an SMS to a short code that uses premium services, which might cause additional charges. The user can choose whether to allow the application to send the message or block it.

But when I modify the phoneNumber to 123456789 it will not show this confirmation dialog, because Android doesn’t consider that number a premium number.

So in this way a malicious app can take advantage of some exported BroadcastReceiver of another app.
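To check your own app for this condition from the manifest side, the following added example (not code from the original post or from FourGoats) lists receivers that are exported and not protected by a permission. It assumes the manifest has already been decoded to text XML, since an APK stores it in binary form; the sample manifest is constructed from the names quoted above, and the two "example" receivers are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample using names quoted in the post; not the real FourGoats manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.owasp.goatdroid.fourgoats">
  <application>
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <receiver android:name=".example.GuardedReceiver"
              android:permission="com.example.permission.SEND_SMS_NOW">
      <intent-filter><action android:name="com.example.GUARDED" /></intent-filter>
    </receiver>
    <receiver android:name=".example.InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.INTERNAL" /></intent-filter>
    </receiver>
  </application>
</manifest>"""

def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")  # android:-namespaced attribute or None

def audit_receivers(manifest_xml):
    """Return receivers that other apps can reach without holding a permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        for rcv in app.findall("receiver"):
            name = _attr(rcv, "name") or ""
            name = package + name if name.startswith(".") else name
            exported = _attr(rcv, "exported")
            # No explicit android:exported: the legacy default is "exported"
            # whenever the receiver declares an intent-filter.
            if exported is None:
                exported = "true" if rcv.find("intent-filter") is not None else "false"
            permission = _attr(rcv, "permission") or _attr(app, "permission")
            if exported == "true" and not permission:
                actions = [_attr(a, "name") for a in rcv.findall("intent-filter/action")]
                findings.append({"receiver": name, "actions": actions})
    return findings

if __name__ == "__main__":
    for f in audit_receivers(SAMPLE_MANIFEST):
        print("exported without permission:", f["receiver"], f["actions"])
```

A receiver flagged here should either set android:exported="false" or require a permission that only trusted callers can hold. The check does not look at the permission's protection level, so review that separately.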