Vulnerability in Xamarin for Android: we replace dll and we eat for free

Introduction

This story began last summer: my friends and I went to a fast-food establishment that just introduced a mobile discount app. The application was installed, free food was received, traffic was saved in a .pcap file, and, of course, there was a desire to delve into it, find out how it works. The program was written in C # using a multiplatform framework for developing mobile applications Xamarin; at the time, apktool could not properly build the modified apk and ended up with an error. For a long time I used this application, accumulated points, spent them, sometimes bumping into posts about cheating on forums , however, accounts of cheaters were quickly banned.

Excitement and the desire to explore something, as it usually happens to me, does not appear from nowhere. This time the sponsor was a thief who put up a wallet with all bank cards, and I had no choice but to buy myself a dinner at this establishment, after having wound up my points. Yes, and I, in contrast to @ Chihikey, do not like coffee. However, the article is not about that.


The changed name is extremely similar to the real name of the institution.

application

As I said, the application is written in C # and compiled using Xamarin. No matter how much I tried, I could not repack the application so that it remained workable. Repacking with apktool immediately gave only a black screen, updating the modified files in the apk-file through zip-packers also did not give the desired result. At some point, installing another broken build, I noticed that the framework tries to load the modified non-working dll not only from apk, but also from the SD card in the following way:

/storage/sdcard0/Android/data/app_id/files/.__override__/ 

As you can see, this path is not in Secure Storage, and any application can write files along this path without special privileges. The malicious application can put infected files (for example, System.dll and Mono.Android.dll, which are in any distribution of the application with Xamarin), and they will be used instead of the .dll inside the apk. This behavior is fixed only in Xamarin 5.1 and newer; previous versions of the framework always put the library from the map libraries inside the package in priority. An attacker can place modified libraries that change the logic of the program, record the user's actions or replace the entered data in the specified directory, and the program will not notice the substitution.
')
The vulnerability is successfully exploited on 4 popular applications and 1 mobile bank client. All developers who were informed about the vulnerability have updated their software.

What to do?

If you use Xamarin in your Android applications, rebuild it with the latest version of the framework, in release mode and without debug symbols.

Post in the Full Disclosure mailing list .

So we eat.