Forum Thread: How to Embed a Payload into an Apk

How to Embed a Payload into an Apk

Hey Guys
I read this Blogpost about embedding an SMS forwarder into an apk
and i was wondering if i could do that with a reverce_tcp Payload.

I built the reverse_tcp paylaod apk with msfvenom and then i decompiled it with apktool and basically done what is mention in the blog. I built it and ran it but i couldnt get it to work (my listener didnt recieve anything)

So now my question is is it actually possible to embed a payload into another apk and if so what is the right way to do it?

BTW: This is my first post so go easy

28 Responses

I don't know much about embedding into APKs but this post is a good question to ask and well asked.

Thanks for the link i'll have a look

the linkis about changing the app name and picture but i want it to be embedded into another app

thanks for the link though

Ok like I said I don't know much about this. Good luck!

I am looking for this for weeks! Couldn't make any progress.

You can try to use SPF. You can backdoor a legit apk with this. At least it claims that it can do. I couldn't do it but there are lots of videos on youtube they actually did it.

It looks like we can use our backdoored apk with metasploit. If you make it work. Let me know. I'm very interested.

I don't have much coding skills. However if you look into sourcecode of it maybe you get the process of compiling two apks.

hey @casperass
I saw your comment in the other post and i have been trying ever since.
it keeps failing with me because of errors in the code eg:
/app/androidmanifest.xml not found when the file existed but at:
i also had to replace the apktool that it automatically installs

please tell me the errors you faced and ill try my best to help you out

guys apart from the smartphone penetration software is there any other methood

@casperass sorry to burst your bubble but the program is just too buggy for me to redo.

I haven't tried it with SMSHack app yet but I followed the same logic with our metasploit payload. I finally combined them but there are some problems as I said below.

Tried it and looks like working.

I combined our metasploit apk with a legit one successfully. After, installation if user push "run" I get a meterpreter session. So far, it's okay. But the problem is on the menu there are 2 apks. Same name, same icon. One of them does nothing but give us meterpreter session. The other one is the legit apk. Why are they seperated? How can we edit AndroidManifest.xml to avoid this?

However I think this is an improvment. Victim probably will not delete it. Maybe he can get confused the fact that there are two of them.

this is an improvement
can you please walk me through the steps you took

Decompile our mateasploit apk and the original one using "apktool d" after that copy the permissions and the activity from our malicious apk to the target AndroidManifest.xml. It should look like this:

After that copy the smail file(metasploit) into the target apk's com directory in smail.

The thing you have to be careful about is activity part on AndroidManifest.xml Copy it before the first activity and If you leave it as .MainActivity. It won't work because at the top of the xml it's pointing to target apk's com directory. So you need to change it like on the screenshot: "com.metasploit.stage.MainActivity"

Right after the installation if the victim press "run" nothing will happen but give us meterpreter session. And there will be two of them on the menu.

I made my research and because I'm using more than one "android.intent.category.LAUNCHER" it's extracting 2 icon on the menu. To fix it, we need to convert our mainactivity to "Service" which is kinda hard to do without coding skills.

It's explained here:

I am loving these comments guys, if I understand this well enough I will make a tutorial on how to do it properly (if one of you guys hasn't already)

I specially made an account to beg you to make a tutorial, am dying here trying

bart i would love it if you make tut
and no we havent been able to but were still making progress

It'd be so great BART. i'm looking forward to it!

I don't have the time for it guys, busy with school.

Bart, did you any progress?

I have been keeping up with this discussion and finally found what you guys have been looking for. It is a script written in ruby to backdoor .APK files with a metasploit payload. The main apk has full function and meterpreter payload executes. I have tested on several different .apk files 100%. Here is the script :

ROOTBOSS, thanks for sharing with us. I tried the script, but it keeps throwing a bunch of errors, like this one
apk_backdoor.rb:149:in `<main>': undefined method `include?' for nil:NilClass (NoMethodError)

so please could you show us a detailed explanation of the steps you took to successfully backdoor your apk file? what extra packages did you install, if any? thanks

Yes sorry, I will post a better explanation with more detail, work hours are crazy. I did use Kali Linux and you need to have the latest version of apktool. 2.0.1 and aapt installed. Edit the script and on line #228 change to look like:`apktool b -o --aapt /usr/local/bin/aapt $(pwd)/#{injectedapk} $(pwd)/original`

So the script will find aapt to build the .apk
If you are still having problems, let me know.

thanks for helping me. the error i got before editing line 228 was this:

apkbackdoor.rb:92:in `initialize': No such file or directory @ rbsysopen - /tmp/d20151015-18744-1jv5bw9/payload/AndroidManifest.xml (Errno::ENOENT)

from apkbackdoor.rb:92:in `open'
from apkbackdoor.rb:92:in `fixmanifest'
from apkbackdoor.rb:236:in `<main>'

and after i edited line 228 i got this error:
* Generating msfvenom payload..
* Signing payload..
* Decompiling orignal APK..
* Decompiling payload APK..
* Locating onCreate() hook..
* Copying payload files..
apkbackdoor.rb:228:in `<main>': undefined local variable or method `injectedapk' for main:Object (NameError)

I have apktool 2.0.2 and i placed aapt in /usr/local/bin/
any clues?

Hey ROOTBOSS, from what I found there is a slight error in the line of code you said to change as there is no in {injectedapk}. The correct line is:

`apktool b -o --aapt /usr/local/bin/aapt $(pwd)/#{injectedapk} $(pwd)/original`

Now I tried the script myself however I was unable to find apknamebackdoor.apk so I assume an error occurred. Could you send a link to the apk you used to test this. Thanks Jadex

So any more corrections?

Share Your Thoughts

  • Hot
  • Active