UNIVERSITY OF WEST ATTICA
SCHOOL OF ENGINEERING
DEPARTMENT OF COMPUTER ENGINEERING AND INFORMATICS
Information Technology Security
Vasileios Evangelos Athanasiou
Student ID: 19390005
Supervision
Supervisor: Ioanna Kantzavelou, Associate Professor
Co-supervisor: Angelos Georgoulas, Assistant Professor
Athens, June 2023
This laboratory project demonstrates an Android Repackaging Attack, a technique in which a legitimate Android application is disassembled, modified to include malicious functionality, and then reassembled and redistributed.
In this scenario, the injected malicious code is triggered by a system event and is capable of either deleting a victim’s contacts or tracking the victim’s location.
| Section | Path / File | Description |
|---|---|---|
| 1 | assign/ | Official laboratory exercise specifications |
| 1.1 | assign/Exercise 4 (Android Repackaging)_2023.pdf | Assignment description (English) |
| 1.2 | assign/Άσκηση 4 (Android Repackaging)_2023.pdf | Assignment description (Greek) |
| 2 | docs/ | Project report and analysis |
| 2.1 | docs/Android-Repackaging.pdf | Technical report (English) |
| 2.2 | docs/Ανασυσκευασία-Εφαρμογών-Android.pdf | Technical report (Greek) |
| 3 | manuals/ | Reference manuals and lab environment documentation |
| 3.1 | manuals/AndroidVM.html | Android virtual machine setup guide |
| 3.2 | manuals/SEEDAndroid_UserManual.pdf | SEED Android user manual |
| 3.3 | manuals/SEEDAndroid_VirtualBox.pdf | SEED Android VirtualBox configuration |
| 4 | screens/ | Experimental screenshots and step-by-step evidence |
| 5 | README.md | Project documentation |
| 6 | INSTALL.md | Usage instructions |
The attack is carried out using two virtual machines connected to the same NAT network:
- Attacker Environment: SEEDUbuntu 16.04 (32-bit)
- Victim Environment: SEEDAndroid

Tools used:
- adb (Android Debug Bridge): Used to communicate with the Android VM and install applications.
- apktool: Used to disassemble and rebuild APK files.
- keytool & jarsigner: Used to generate digital keys and sign the modified APK so it can be installed on Android devices.
The target application (RepackagingLab.apk) is disassembled to access its internal components:

```bash
apktool d RepackagingLab.apk
```

This process produces:
- smali files: Human-readable disassembly of the application's compiled (Dalvik) bytecode
- AndroidManifest.xml: Application configuration and permissions
- Resources: Layouts, assets, and metadata
Malicious code (e.g., MaliciousCode.smali) is inserted into the application’s directory structure (such as /smali/com).
The AndroidManifest.xml file is altered to:
- Request unauthorized permissions (e.g., READ_CONTACTS, WRITE_CONTACTS)
- Register a custom BroadcastReceiver
The malicious logic is configured to execute when a TIME_SET broadcast event occurs (i.e., when the system time is changed).
After modifications, the application must be rebuilt and digitally signed:

```bash
apktool b RepackagingLab
keytool -genkey -v -keystore mykey.keystore -alias dist
jarsigner -keystore mykey.keystore RepackagingLab.apk dist
```

Signing is required because Android will not install an APK that is unsigned or whose signature no longer matches its tampered contents.
The signed malicious APK is installed on the victim device using:

```bash
adb install RepackagingLab.apk
```

Once the victim grants the requested permissions and a system time change occurs, the registered BroadcastReceiver activates and executes the injected smali code.
Upon the TIME_SET event, the malicious code deletes all contacts stored on the victim’s device.
The malicious code retrieves the victim’s GPS coordinates (simulated via MockLocation) and sends them to an attacker-controlled web server.
This lab highlights how Android repackaging attacks exploit user trust in legitimate applications. By modifying application code and abusing system broadcasts and permissions, attackers can introduce severe privacy and security threats. The exercise emphasizes the importance of application integrity checks, trusted distribution channels, and careful permission management in Android environments.

