Android Security blog

Backdooring any android application (.apk file) for fun and profit


We know that Metasploit is one of the best frameworks when it comes to pentesting. Metasploit ships a large number of exploits, auxiliary modules, payloads, encoders and so on, for fun and profit.

Today we will backdoor an original Android application so that, when the victim launches it, a Meterpreter session is opened back to the attacker's machine. Sounds like fun. So, without wasting much time on theory, let's jump into the demonstration (assuming you already know what Meterpreter, a payload, a shell etc. are).

This will be a 7 step process as shown below:-

  • Generating a payload using msfvenom in .apk format
  • Downloading any original .apk file that you want to backdoor and decompiling both the original and the payload apk created in step 1
  • Copying the payload's smali files into the original apk
  • Injecting the HOOK into the original's .smali file
  • Adding the payload's permissions to the original's AndroidManifest.xml file
  • Recompiling the code to an .apk file
  • Signing the file to make it installable

Tools for the use:-

  • Metasploit Framework (msfvenom to build the payload, msfconsole for the handler)
  • Apktool
  • Keytool : part of the JDK, already installed on Kali Linux
  • Jarsigner : part of the JDK, already installed on Kali Linux

Dependencies Required:-

Now, let's go through each of the steps discussed above in detail.

Generating a payload using msfvenom in .apk format

This will be our first step, in which we create the backdoor file in .apk format. Msfvenom contains payloads for Android, as shown below (the reverse_tcp Meterpreter payload needs LHOST and LPORT set to the attacker's IP and listening port):

Backdoor file named :  payload.apk

Great, our first step is completed and we have generated a malicious backdoor .apk file, whose contents we'll merge into the original .apk in the following steps.

Download any original .apk file that you need to backdoor and decompile both original as well as apk that you have created in step 1

I am using WhatsApp.apk, but there is no obligation to use this one only. Feel free to download any Android application of your choice.

To make things easy and understandable, I have renamed WhatsApp.apk to original.apk. Now decompile both payload.apk and original.apk using the apktool utility (apktool d). Each apk is unpacked into a directory of the same name containing AndroidManifest.xml, the resources and the smali/ tree with the disassembled Dalvik classes.

Decompiling payload.apk file:-

Decompiling original.apk file:-


Copying payload smali files to the original apk

After above step, you have two directories named “payload” and “original“.

Now, let's navigate to the "payload" directory and look at the contents of "smali/com/metasploit/stage". These .smali files are the Meterpreter stage that will be carried inside the original app.

Now, navigate to “original” directory and create a directory “smali/com/metasploit/stage” as shown below

Copy all the .smali files from /root/payload/smali/com/metasploit/stage/ to /root/original/smali/com/metasploit/stage/ and you'll see all the files in /root/original/smali/com/metasploit/stage/ (assuming you decompiled the apk files in the /root directory). The package path must be kept exactly, because the smali class names (Lcom/metasploit/stage/...) encode it.

Inject the HOOK in original .smali file

In the above step, we copied the payload's .smali files into the original apk. When we recompile the original apk it will contain all the necessary payload classes, but that doesn't mean the payload will get executed: nothing in the app references them yet. To ensure the payload runs, we need to inject a HOOK into the original apk's .smali code. Here, the HOOK is nothing but a single smali instruction, placed in the activity that starts when the app is launched, which calls the payload's entry point and so starts the Meterpreter stage for us every time the application is opened.

First we need to find that launcher activity. For this, open the original apk's AndroidManifest.xml file, which will be located at /root/original/AndroidManifest.xml, as shown below:-

After opening AndroidManifest.xml in any text editor of your choice, search for the following strings, which mark the activity's launcher intent-filter:-

When you find the above keywords, check the "android:name" attribute value of the enclosing <activity> element, as shown below:-

Here the android:name attribute value is "com.whatsapp.Main". The class name maps directly onto the smali tree, so we need to navigate to the "original/smali/com/whatsapp/Main.smali" file:-

After opening Main.smali, search for the following strings (the activity's onCreate method, which runs when the activity starts):

And add the following on the next line, then save Main.smali.

We inserted a call that starts the payload alongside the existing code that is executed when the activity starts. The hook passes only the activity itself (register p0, which is a Context), so it needs no extra local registers and the method's .locals count does not change.

Adding new permissions in original’s AndroidManifest.xml file

For the payload to work properly, we need to add all of the permissions declared by the payload apk to the original apk (make sure there are no duplicate permissions: if a permission is already declared by the original, write it only once, as Android rejects duplicate declarations at build time).

All of the permissions are declared as <uses-permission> elements in AndroidManifest.xml, before the <application> element. So, I have copied all of the permissions from the payload's AndroidManifest.xml to the original's AndroidManifest.xml file.

Shown below are the permissions from the payload apk's AndroidManifest.xml file:

After adding them to the original apk's AndroidManifest.xml and removing the duplicates, the permissions of the original apk's AndroidManifest.xml look as shown below:-

Recompiling the code to .apk file

After editing the permissions, we need to recompile the original apk file. For this, we'll again use the apktool utility (apktool b):

So, we got our recompiled apk file under "/root/original/dist/". It is not yet installable, because apktool does not sign the output.

Sign the file to make it usable

We are not done after the recompiling phase. In order to install the modified application, we need to sign the file; otherwise, it won't get installed on Android phones. Note that it will be signed with our own key, not the original developer's, so Android will refuse to install it over an existing copy of the legitimate app (signature mismatch); the original must be uninstalled first.

We'll use the JDK utilities "keytool" and "jarsigner", which are already installed on Kali Linux, for this purpose.

Before signing, we need a keystore (debug.keystore) holding a signing key. A single keytool -genkey command creates both the keystore file and the key pair inside it; you will be asked for a keystore password and the certificate's distinguished name:-

Now, sign the application using the "jarsigner" utility, pointing it at the keystore and the key alias created above:

Great, our apk file is signed and ready to use. While signing you might get some warnings (for example that no -tsa timestamp was supplied), which you can ignore. One caveat: jarsigner only produces a v1 (JAR) signature; newer Android releases require the v2 scheme for apps targeting recent API levels, in which case sign with apksigner from the Android SDK instead.

Exploitation Phase

Great. After backdooring the application, we send it to the Android smartphone. Before the victim installs and launches it, we start a Metasploit handler on the attacker's machine (exploit/multi/handler, with the same payload, LHOST and LPORT used when generating payload.apk), as shown below:

If everything goes as expected, then on launching the application (after installing it on the phone) the hook starts the stage, which connects back and gives us a Meterpreter session on the attacker's machine, as shown:-

Awesome.!

Hope you learned something. Stay tuned for further blogs.
