Lets assuming that we have created an APK with reverse shell payload and somehow installed it on victim’s phone, which upon execution would establish a direct connection to the victim’s phone.
Since the generated APK only contains the payload that doesn’t do anything when clicked and even the size would be in KB’s which looks very much suspicious and the victim would uninstall it immediately or doesn’t even install it.
In order to make the app look legit, we would inject our meterperter reverse shell payload in genuine android apps like facebook, adobe reader, whatsapp. This way the app appears to be legit which the victim installs and gets what he expected… we get the shell..:-)
- In this article, we'd be using 64bit kali linux to build our backdoored APK. Before we start make sure below listed packages are being installed in the machine, if not execute below command from the terminal:
- Apktool, this utility does come with kali linux if not check and update it. To install/update "apktool" following the instruction @ibotpeaches
Ways to Inject an Android APK File
Injecting Payload with msfveom
Assuming we already have a downloaded android apk, we use it as a template to inject our reverse shell. Below command would allow us to inject the backdoor into original apk, which upon execution connects back to the IP specified within the payload.
Now that we have our APK ready with the injected reverse shell payload, all you have to do is send the file to the victim and trick him to install the app.
On the other hand keep the listener ready for the incoming connection using metasploit exploit/multi/handler. Once the victim installs and opens the app we would get a shell spawned.
Injecting Payload with “Backdoor-APK”
Another utility that can be used in backdooring an android app is “Backdoor-APK”. Behind the scene, this utility uses “msfvenom” and does the same by automating the process making it much easier to inject the payload into android APK and can be downloaded from github repository.
Having the downloaded Original APK and Backdoor-APK in same folder, execute the below command in the terminal which will prompt you to select the payload and details of the connect back IP and Port.
Once the required details are been provided, utility start injecting the reverse shell payload within the APK.
On the other hand start the listener for incoming connection using metasploit multi handler.
As expected we would have our final backdoored APK ready in “backdoor-apk -> original -> dist” folder, which we send to the victim and trick him to install it.
Once the victim installs and opens the app we would receive a meterpreter session.
Its is highly recommended to not to download and install apps from unknown sources and never enable the option “install from unkown sources” under “Setting -> Security”. Install proper antivirus and make sure you never download or click url’s from unkown sources.