0

Hey Folks, I think we are all familiar with the Metasploit framework and whenever a beginner makes their move in the h@cking field their first objective is to h@ck android smartphones but they are not satisfied with creating a simple backdoor so they try to inject malicious payloads into the well known application such as : WhatsApp, Instagram and Facebook to cheat the victim. But usually while doing this activity we face many types of errors, but in this article we will guide you the complete steps through which you can inject or embed any malicious payload in any known application.

Requirements

  • Kali Linux = 2020.1

Prerequisite

  • APKsigner or Jarsigner [One of them]
  • APK Tool [Latest]
  • ZipAlign

Lets take a look 🙂 !!

Relax 🙂 !! We will not try to cheat with you and even you can satisfy yourself by seeing the machine details in clear text. HaPpY 🙂 !!

ApkTool

Let’s go ahead and first we download all the dependencies or requirements that we must have to embed the payload in the original APK. Lets download the dependencies one by one and first we will download the leading tool called “apktool“. it will compile and decompile the apk files.

Zipalign

Zipalign is an archive tool that provides important optimization to Android application files but make sure it must only be performed before the APK file has been signed.

Jarsigner

JAR Signing and Verification Tool use to sign JAR files and time stamp the signature. But we have to install java in our machine to configure jarsigner. The command are given below, so just execute it on terminal.

In the following version of Kali Linux we use Java JDK 8 by default, but after executing the following command it will give us two options in which we have to select Java JDK 11.

After selecting it the jarsigner will automatically be configured on the terminal.

The configuration is complete and our first attempt is going to be awesome as we will try to inject the malicious Metasploit payload into a well-known Facebook Lite APK. First download the apk from here.

The method is very simple and as we use the command during payload creation, in the same command just we add the “-x” parameter to inject the payload into the original apk. Also you can see the result through the given image in which we have successfully injected the payload into the Facebook Lite application.

Now you can send your payload to the victims according to your own. But as you can see the payload will look like below after downloading.

Lets come back to the kali linux and start multi handler to kept the meterpreter session by using the following command.

Boom 🙂 !! As you can see that we got a meterpreter session after click the application by victim. Although we got success in payload injection. But take another application and try to inject payload into it. You can also download from here.

Now again we will follow the same steps that we followed above and try to inject the payload into the official Ludo application.

Swag 🙂 !! WOOOOOOO ! Again we got success to embed malicious payload into the original apk and also we have successfully get the meterpreter session again.

About the Author
Shubham Goyal Certified Ethical Hacker, information security analyst, penetration tester and researcher. Can be Contact on Linkedin.

Leave a Reply