spyware module , medusa.py fixes

libraries/defs.py

@@ -97,6 +97,7 @@ def init_packages(self):
 
 
     def do_dump(self,line):
+
         dump_pkg(line.split(' ')[0])
 
     def do_translate(self,line):
@@ -114,6 +115,13 @@ def complete_translate(self, text, line, begidx, endidx):
         return completions
 
     def complete_dump(self, text, line, begidx, endidx):
+
+        #refresh installed packages
+        self.packages = []
+
+        for line1 in os.popen('adb -s {} shell pm list packages -3'.format(self.device.id)):
+            self.packages.append(line1.split(':')[1].strip('\n'))
+        #-----------------
         if not text:
             completions = self.packages[:]
         else:
@@ -137,7 +145,14 @@ def complete_show(self, text, line, begidx, endidx):
                             ]
         return completions
 
-    def complete_run(self, text, line, begidx, endidx):
+    def complete_run(self, text, line, begidx, endidx):  
+
+        #refresh installed packages
+        self.packages = []
+
+        for line1 in os.popen('adb -s {} shell pm list packages -3'.format(self.device.id)):
+            self.packages.append(line1.split(':')[1].strip('\n'))
+        #----------------- 
         if not text:
             completions = self.packages[:]
         else:
@@ -323,7 +338,7 @@ def parse_module(self,mods):
         self.modified = False
 
     def do_run(self,line):
-        
+
         try:
 
             if self.modified == True:

modules/a11y_abuse/accessibility_nod.med

@@ -5,7 +5,7 @@ https://developer.android.com/reference/android/view/accessibility/Accessibility
 #Code:
 
 
-console.log('-------A11Y monitor by @chopin--------------');
+console.log('---------------A11Y monitor by @chopin--------------');
 
 var accessibilityNodeInfo = Java.use('android.view.accessibility.AccessibilityNodeInfo');
 

modules/bluetooth/bluetooth.med

@@ -25,39 +25,39 @@ console.log('\n\n------------Bluetooth monitor by Nishant Das Patnaik-----------
   var BluetoothGattCharacteristic = Java.use("android.bluetooth.BluetoothGattCharacteristic");
 
   BluetoothGatt.readCharacteristic.overload("android.bluetooth.BluetoothGattCharacteristic").implementation = function(characteristic) {
-    //console.log("characteristic: ", characteristic.getUuid(), " readCharacteristic: ", characteristic.getValue());
+    console.log("characteristic: ", characteristic.getUuid(), " readCharacteristic: ", characteristic.getValue());
     /*   --- Payload Header --- */
-    var send_data = {};
-    send_data.time = new Date();
-    send_data.txnType = 'Bluetooth';
-    send_data.lib = 'android.bluetooth.BluetoothGatt';
-    send_data.method = 'readCharacteristic';
-    send_data.artifact = [];
-    /*   --- Payload Body --- */
-    var data = {};
-    data.name = characteristic.getUuid().toString();
-    data.value = characteristic.getValue().toString();
-    data.argSeq = 0;
-    send_data.artifact.push(data);
-    send(JSON.stringify(send_data));
+    // var send_data = {};
+    // send_data.time = new Date();
+    // send_data.txnType = 'Bluetooth';
+    // send_data.lib = 'android.bluetooth.BluetoothGatt';
+    // send_data.method = 'readCharacteristic';
+    // send_data.artifact = [];
+    // /*   --- Payload Body --- */
+    // var data = {};
+    // data.name = characteristic.getUuid().toString();
+    // data.value = characteristic.getValue().toString();
+    // data.argSeq = 0;
+    // send_data.artifact.push(data);
+    // send(JSON.stringify(send_data));
     return this.readCharacteristic.overload("android.bluetooth.BluetoothGattCharacteristic").apply(this, arguments);
   };
 
   BluetoothGattCharacteristic.setValue.overload("[B").implementation = function(value) {
-    //console.log("characteristic: ", this.getUuid(), " setValue [B: ", value);
+    console.log("characteristic: ", this.getUuid(), " setValue [B: ", value);
     /*   --- Payload Header --- */
-    var send_data = {};
-    send_data.time = new Date();
-    send_data.txnType = 'Bluetooth';
-    send_data.lib = 'android.bluetooth.BluetoothGattCharacteristic';
-    send_data.method = 'setValue';
-    send_data.artifact = [];
-    /*   --- Payload Body --- */
-    var data = {};
-    data.name = this.getUuid().toString();
-    data.value = value.toString();
-    data.argSeq = 0;
-    send_data.artifact.push(data);
-    send(JSON.stringify(send_data));
+    // var send_data = {};
+    // send_data.time = new Date();
+    // send_data.txnType = 'Bluetooth';
+    // send_data.lib = 'android.bluetooth.BluetoothGattCharacteristic';
+    // send_data.method = 'setValue';
+    // send_data.artifact = [];
+    // /*   --- Payload Body --- */
+    // var data = {};
+    // data.name = this.getUuid().toString();
+    // data.value = value.toString();
+    // data.argSeq = 0;
+    // send_data.artifact.push(data);
+    // send(JSON.stringify(send_data));
     return this.setValue.overload("[B").apply(this, arguments);
   };

modules/clickers/click_fraud.med

@@ -17,7 +17,6 @@ var webView = Java.use('android.webkit.WebView');
 
 viewClassHook.dispatchTouchEvent.implementation = function(motionEvent){
     colorLog('[+] Dispatch touch event called, printing stacktrace: ',{c:Color.Green} );
-    printBacktrace();
     return this.dispatchTouchEvent(motionEvent);
 }
 

modules/clickers/toll_click_fraud_calls.med

@@ -6,7 +6,7 @@
 #Code:
 
 
-		console.log('\n--------Common toll fraud1 by @ch0pin-------');
+		console.log('\n---------------Common toll fraud1 by @ch0pin-----------------');
 
 		    var wifiManager = Java.use("android.net.wifi.WifiManager");
 		    var telephonyManager = Java.use('android.telephony.TelephonyManager');

modules/helpers/anti_root_detection.med

@@ -1,6 +1,7 @@
 #Description: 'Bypass root, debug detection'
 #Help: 
 https://codeshare.frida.re/@dzonerzy/fridantiroot/
+- Overwrite: isDebuggerConnected
 
 #Code:
 

modules/scratchpad.med

@@ -2,35 +2,15 @@
 #Help: "N/A"
 #Code:
 
-
-
-
+//-------------------trigger a function--------------------
 // Java.perform(function(){
 //     var X=Java.use("com.jiubang.go.music.ad.DailyRecommendActivity$2");
 
 // 	Java.scheduleOnMainThread(function(){
 //         var b=X.$new();
 //         b.a();
 //         console.log('');
-// 	})
+// 	}) 
 // })
 
 
-    var X=Java.use("cn.smssdk.utils.SPHelper");
-    var B = Java.use('cn.smssdk.net.b');
-	Java.scheduleOnMainThread(function(){
-        var b=X.$new();
-        // var bb = B.$new();
-
-        colorLog('TRIGGERED PERFORMED :'+b.getConfig(),{c:Color.Red});
-	})
-
-
-
-    X.getConfig.implementation = function(){
-        config = this.getConfig();
-        console.log('CONFIRMED PERFORMED !');
-        colorLog(config, {c:Color.Red});
-        return config;
-    }
-

modules/spyware/spyware_hooks.med

@@ -4,11 +4,15 @@ Hooks API calls related to spyware software, including
 - Context provider queries
 - Record audio and media
 - Monitor clipboard
+- Location tracking
+- Screen capture
+
 #Code:
 
-console.log('\n--------Spyware Hooks----------------');
-console.log('\n-----------@ch0pin-------------------');
+console.log('\n---------------Spyware Hooks by @ch0pin------------------');
+
 
+var telephonyManager = Java.use('android.telephony.TelephonyManager');
 var mediaRecorder = Java.use('android.media.MediaRecorder')
 var audioRecord = Java.use('android.media.AudioRecord');
 var abstractCursor = Java.use('android.database.AbstractCursor');
@@ -20,36 +24,61 @@ var systemProperties = Java.use('android.os.SystemProperties');
 var contextWrapper = Java.use("android.content.ContextWrapper");
 var locationListener = Java.use("android.location.LocationListener");
 var locationManager = Java.use('android.location.LocationManager');
+var accessibilityNodeInfo = Java.use('android.view.accessibility.AccessibilityNodeInfo');
+var systemProperties = Java.use('android.os.SystemProperties');
+var screenCapture = Java.use('android.media.projection.MediaProjectionManager');
+
+//SCREEN CAPTURE
+
+screenCapture.createScreenCaptureIntent.implementation = function(){
+        colorLog('[+] ScreeenCapture intent was created',{c: Color.Red});
+        return this.createScreenCaptureIntent();
+}
+
+screenCapture.getMediaProjection.implementation = function(resultCode, resultData){
+        colorLog('[+] ScreeenCapture started',{c: Color.Red});
+        return this.getMediaProjection(resultCode,resultData);
+
+}
+
+
+//DEVICE RECON:
+
+
+systemProperties.get.overload('java.lang.String').implementation = function(key){
+        console.log('[+] Get system properties called using key: ' + key);
+        return this.get(key);
+
+    }
+
 
-// void	getCurrentLocation(String provider, CancellationSignal cancellationSignal, Executor executor, Consumer<Location> consumer)
-// Asynchronously returns a single current location fix.
+telephonyManager.getSimOperator.overload().implementation = function(){
+        console.log('[!] A call to android.telephony.TelephonyManager.getSimOperator detected');
+        return this.getSimOperator();
+    }
+        telephonyManager.getSimOperator.overload('int').implementation = function(sm){
+        console.log('[!] A call to android.telephony.TelephonyManager.getSimOperator detected');
+        return this.getSimOperator(sm);
+    }
 
-// locationManager.getCurrentLocation.implementation = function(provider,cancellationSignal,executor,consumer){
-//         console.log('[+] Application is asking for current location from the provider: '+provider);
-//         return this.getLastKnownLocation(provider,cancellationSignal,executor,consumer);
-// }
 
-// // public Location getLastKnownLocation (String provider)
-// // Gets the last known location from the given provider, or null if there is no last known location. The returned location may be quite old in some circumstances, so the age of the location should always be checked.
 
+//KEYLOGGER HOOKS
+
+accessibilityNodeInfo.getText.implementation = function(){
+        ret = this.getText();
+        colorLog('[+] App Gets the text of the accesiblity node: ' +ret, {c:Color.Green});
+        return ret;  
+    }
+
+//-----------LOCATION API CALLS------------------------
 
 locationManager.getLastKnownLocation.implementation = function(provider){
         console.log('[+] Application is asking for last known location from the provider: '+provider);
         return this.getLastKnownLocation(provider);
 
 } 
 
-// abstract void	onLocationChanged(Location location)
-// Called when the location has changed.
-
-// default void	onProviderDisabled(String provider)
-// Called when the provider is disabled by the user.
-
-// default void	onProviderEnabled(String provider)
-// Called when the provider is enabled by the user.
-
-// default void	onStatusChanged(String provider, int status, Bundle extras)
-// This method was deprecated in API level 29. This callback will never be invoked on Android Q and above.
 
 locationListener.onLocationChanged.implementation = function(location){
         console.log('[i] Listener for location change triggered');
@@ -110,6 +139,12 @@ Location.getLongitude.implementation = function() {
         return lgt;
 }
 
+
+
+//---------CAMERA RECORDING MONITORS------------------------------
+
+
+
 mediaRecorder.setOutputFile.overloads[0].implementation = function(fd){
         console.log('[i] Application is setting the media record file: '+fd);
 
@@ -237,6 +272,9 @@ clipboardManager.hasText.implementation = function(){
         return this.hasText();   
 }
 
+
+//-----------context queries
+
 cursor.getColumnIndex.implementation = function(columnName){
         // console.log('[+-------Query Detected-----------+]');
         //console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
@@ -277,4 +315,7 @@ cursor.getColumnIndex.implementation = function(columnName){
 
         return this.openFileInput.overload("java.lang.String").apply(this, arguments);
 
-}
+}
+
+
+